New Member

starting site to site vpn between pix 501's

Hi

Another newbie question. I'm trying to add a site to site vpn between two pix 501's as well as the basic software access vpn to site 1. At present however I can't get the 2nd site to connect. This may be because they both go through separate routers to get to the internet. Although I'm not sure this makes a difference as they map straight through the external routers.

My set-up is like this:

pix 1: internal network 192.168.10.x

between pix and router 192.168.111.x

external ip: 83.166.180.99

to which I can connect software vpn clients no problem.

pix 2: internal ip: 192.168.20.x

between pix and router 192.168.120.x

external ip: 83.166.180.100

I've attached the results from the show crypto map command and the show ipsec command from pix 2.

I've attached the config from pix2 as well, which mirrors the info at pix 1 apart from the IPs being different.

any help would be appreciated

thanks

Suzanne

21 REPLIES
Silver

Re: starting site to site vpn between pix 501's

Suzanne -

Can you post the other firewall's config? Also, can you do a show crypto isakmp sa and sho crypto ipsec sa on both?

Thanks.

Jay

New Member

Re: starting site to site vpn between pix 501's

Hi Jay,

Here is the first pix config and the results of the show commands.

The others were included in the original post.

Thanks

Suzanne

New Member

Re: starting site to site vpn between pix 501's

Hi Jay,

You may want to ignore the above output from the show commands. I've run the clear commands on both and here is the new output.

I hope this helps.

Thanks

Suzanne

The command has been sent to the firewall

Result of firewall command: "show crypto isakmp sa"

Total     : 0
Embryonic : 0
        dst               src        state     pending     created

Result of firewall command: "show crypto ipsec sa"

interface: outside
    Crypto map tag: outside_map, local addr. 192.168.111.2

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer: 83.166.180.101:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.111.2, remote crypto endpt.: 83.166.180.101
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

Silver

Re: starting site to site vpn between pix 501's

Suzanne -

You need to make the following changes to the vitg config...

access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
no access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
no access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

I don't know what the 192.168.20.0/24 subnet is for that is why I marked it for deletion. You may want to keep it, though.

***Please rate all useful posts.***

Cheers.

Jay

New Member

Re: starting site to site vpn between pix 501's

Hi Jay,

Thanks for that. You're right, I was connecting to the wrong subnet. I am still concerned that I am getting a connection to an unknown IP, though.

The results of the show commands on pix 1 show a connection to an unknown IP address. When I look it up, it belongs to Zen, an ISP that is not providing the current internet connection. That is the 82.71.70.70 address.

Any ideas? Or should that be another post ?

Thanks very much.

Suzanne

Result of firewall command: "show crypto ipsec sa"

interface: outside
    Crypto map tag: outside_map, local addr. 192.168.111.2

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 83.166.180.101:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0
     local crypto endpt.: 192.168.111.2, remote crypto endpt.: 83.166.180.101
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer: 83.166.180.101:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 17, #recv errors 0
     local crypto endpt.: 192.168.111.2, remote crypto endpt.: 83.166.180.101
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.204/255.255.255.255/0/0)
   current_peer: 82.71.70.70:1036
     dynamic allocated peer ip: 192.168.10.204
     PERMIT, flags={transport_parent,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.111.2, remote crypto endpt.: 82.71.70.70
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: 37b526e7
     inbound esp sas:
      spi: 0xa007cd31(2684865841)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 7, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/27993)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x37b526e7(934618855)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 8, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/27993)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

Result of firewall command: "show crypto isakmp sa"

Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    192.168.111.2    82.71.70.70    QM_IDLE         0           1

Silver

Re: starting site to site vpn between pix 501's

Also, you need to set the ip addresses on the outside interfaces of both firewalls like below...

Pix6.35

ip address outside 83.166.180.101 255.255.255.X

vitg

ip address outside 83.166.180.99 255.255.255.X

Jay

New Member

Re: starting site to site vpn between pix 501's

Hi Jay,

If I set my outside ip like that then I lose all connection to the external internet.

It's currently set as

ip address outside dhcp setroute

as the pix gets its IP via DHCP from the outer router.

Is there some way round this ?

Thanks

Suzanne

Silver

Re: starting site to site vpn between pix 501's

You need to have a static IP address for a site-to-site VPN to work well. The problem is you might end up having to change your config constantly unless you hard set the outside IP. Currently, your VPN settings require that the Pix6.35 have its IP set to .101 and the vitg4 set to .99. I am guessing that you didn't intend for the VPN to use the addresses, so you might have to change the VPN settings to the current outside IPs (if you must use DHCP).

Basically, I would HIGHLY recommend using static IPs if at all possible. You will save yourself lots of trouble later.

Jay

New Member

Re: starting site to site vpn between pix 501's

Hi Jay,

Actually the set up is as follows and this is what I was trying to ask initially.

I have a router with the external ip

.101

it has an internal subnetwork

of x.x.111.x

the pix is then given the ip

x.x.111.2

Although everything else in that subnet is allocated by DHCP, the pix is automatically allocated the .2 address, so this never changes.

However as soon as I hard set the outside ip in the pix config I lose connection to the external world.

I'm happy to take your advice but I can't get it to work.

Suzanne

Silver

Re: starting site to site vpn between pix 501's

I think your problem is an arp cache issue on the router. Basically, when you are hardsetting the IP on the firewall it is confusing the router. The router's ARP table is wrong, so it cannot resolve your IP to MAC any more. To clear the router's ARP cache, you can reboot the router or clear the arp cache on the router (the command differs based on brand).

*** Please rate all useful posts.***

Cheers.

Jay

New Member

Re: starting site to site vpn between pix 501's

Hi Jay,

You've been wonderfully helpful. Although I'm not sure I'm any further on and will have to call it a day.

OK I've reset the router.

The firewall will still not allow external access if I hard-set it.

I no longer appear to be creating IPsec tunnels, although the IKE ones register. This was actually the case after I changed the access list, not anything to do with the recent router reboot.

Thanks

Suzanne

will try again tomorrow...


New Member

Re: starting site to site vpn between pix 501's

Suzanne,

Yes there is. You'll need to create a dynamic crypto map and associated isakmp configuration. The config is basically identical to a remote access VPN setup, except that you need to tell the PIX not to NAT tunnelled networks. You can do that using a policy NAT 0 access-list.

Hope this helps.

Mark.

New Member

Re: starting site to site vpn between pix 501's

Hi Mark,

I think I've got that sorted.

I now get a

MM_KEY_EXCH

state when i do a show crypto isakmp ...

so I guess it's not authenticating properly or the tunnel isn't being set up.

Have I missed something?

Do I need to declare access lists specifically for the tunnel for each protocol, as basically I would want all traffic to that IP range to go automatically?

Thanks

Suzanne

Silver

Re: starting site to site vpn between pix 501's

Have you verified that the pre-shared keys are exactly the same? I would check there first.

Jay
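The output posted earlier in the thread and the MM_KEY_EXCH state asked about above can be read mechanically. The following is an added example, not code from the thread: it parses "show crypto isakmp sa" and "show crypto ipsec sa" text in the shape the PIX 6.x produced above and says, per peer, whether the problem is phase 1 (main mode never authenticated) or phase 2 (no ESP SA although interesting traffic hit the crypto ACL). The two samples are constructed, modelled on the posted output: one LAN-to-LAN peer stuck in MM_KEY_EXCH, and one peer that holds a "dynamic allocated peer ip" from the pool with "Tunnel UDP-Encaps" in use, which is the signature of a remote-access client coming in over NAT-T rather than a rogue site-to-site peer; that is the check to run on an address you do not recognise. The state hints follow the documented main-mode sequence (MM_NO_STATE, MM_SA_SETUP, MM_KEY_EXCH, MM_KEY_AUTH, QM_IDLE): MM_KEY_EXCH means Diffie-Hellman completed but the SA was never authenticated, so a pre-shared key or peer-identity mismatch is the first thing to check.

```python
"""Triage of PIX 6.x 'show crypto isakmp sa' / 'show crypto ipsec sa' output.

Added example, not from the thread. Both samples below are constructed in the
shape of the output posted in the thread.
"""
import re

ISAKMP_SAMPLE = """\
Total     : 2
Embryonic : 0
        dst               src        state     pending     created
    192.168.111.2    82.71.70.70    QM_IDLE         0           1
    192.168.111.2    83.166.180.101 MM_KEY_EXCH     0           0
"""

IPSEC_SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, local addr. 192.168.111.2

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer: 83.166.180.101:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 17, #recv errors 0
     current outbound spi: 0
     inbound esp sas:
     outbound esp sas:

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.204/255.255.255.255/0/0)
   current_peer: 82.71.70.70:1036
     dynamic allocated peer ip: 192.168.10.204
     PERMIT, flags={transport_parent,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     current outbound spi: 37b526e7
     inbound esp sas:
      spi: 0xa007cd31(2684865841)
        in use settings ={Tunnel UDP-Encaps, }
     outbound esp sas:
      spi: 0x37b526e7(934618855)
        in use settings ={Tunnel UDP-Encaps, }
"""

# Main-mode states in the order they are reached; QM_IDLE means phase 1 is done.
PHASE1_HINTS = {
    "MM_NO_STATE": "phase 1 not started: no usable reply from the peer (reachability, UDP/500, isakmp policy)",
    "MM_SA_SETUP": "phase 1 stalled before the DH exchange",
    "MM_KEY_EXCH": "DH keys exchanged but SA not authenticated: check pre-shared key and peer identity",
    "MM_KEY_AUTH": "phase 1 authenticated, finishing main mode",
    "QM_IDLE": "phase 1 complete",
}
ISAKMP_ROW = re.compile(r"^\s*([\d.]+)\s+([\d.]+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_isakmp_sa(text):
    """Return [{'dst', 'src', 'state'}] for each SA row (header and totals are skipped)."""
    return [{"dst": m.group(1), "src": m.group(2), "state": m.group(3)}
            for m in (ISAKMP_ROW.match(line) for line in text.splitlines()) if m]


def parse_ipsec_sa(text):
    """Return one dict per 'local ident' block of the ipsec sa output."""
    sas = []
    for block in re.split(r"\n+(?=\s*local\s+ident)", text)[1:]:
        if not block.strip():
            continue
        ident = re.findall(r"ident \(addr/mask/prot/port\):\s*\(([\d.]+)/([\d.]+)/", block)
        pool = re.search(r"dynamic allocated peer ip:\s*(\S+)", block)
        sas.append({
            "local": "/".join(ident[0]),
            "remote": "/".join(ident[1]),
            "peer": re.search(r"current_peer:\s*(\S+)", block).group(1),
            "pool_ip": pool.group(1) if pool else None,       # set only for remote-access clients
            "send_errors": int(re.search(r"#send errors (\d+)", block).group(1)),
            "spis": re.findall(r"spi: (0x[0-9a-f]+)", block),  # empty -> no phase 2 SA
            "nat_t": "UDP-Encaps" in block,                    # ESP carried in UDP (NAT-T)
        })
    return sas


def triage(isakmp_text, ipsec_text):
    """Return one finding per SA, phase 1 rows first."""
    findings = []
    for row in parse_isakmp_sa(isakmp_text):
        hint = PHASE1_HINTS.get(row["state"], "unknown state")
        findings.append(f"isakmp {row['src']}: {row['state']}: {hint}")
    for sa in parse_ipsec_sa(ipsec_text):
        who = f"ipsec {sa['peer']} ({sa['local']} <-> {sa['remote']})"
        if sa["pool_ip"]:
            nat = ", NAT-T (UDP encapsulated)" if sa["nat_t"] else ""
            findings.append(f"{who}: remote-access client holding pool address {sa['pool_ip']}{nat}")
        elif not sa["spis"]:
            why = ("interesting traffic seen but no phase 2 SA; look at phase 1 for this peer"
                   if sa["send_errors"] else "no phase 2 SA and no interesting traffic yet")
            findings.append(f"{who}: {why}")
        else:
            findings.append(f"{who}: phase 2 up, {len(sa['spis'])} ESP SAs")
    return findings


if __name__ == "__main__":
    for line in triage(ISAKMP_SAMPLE, IPSEC_SAMPLE):
        print(line)
```

Paste the real output of both commands into the two sample strings to run it against a live PIX; the counters it keys on (#send errors rising with no SPI allocated) are exactly the pattern in the output posted above.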

New Member

Re: starting site to site vpn between pix 501's

Hi

Yes, I have re-entered both keys to check. Same message. :-)

Suzanne

New Member

Re: starting site to site vpn between pix 501's

Suzanne,

Try adding this line to tie your static crypto map to your dynamic map

crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

Also make sure that your encryption lists are exact mirrors of each other on both ends of the tunnel.

Mark.
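Both Jay's access-list changes earlier in the thread and Mark's "exact mirrors" point above come down to two checks that can be made mechanically: the crypto ACL on one PIX must be the source/destination mirror of the crypto ACL on the other, and every subnet pair the crypto ACL selects must also be covered by the nat 0 ACL, otherwise the PIX translates the packet before the crypto map ever sees it. The following is an added example, not configuration from the thread: two constructed PIX 6.x config fragments modelled on the thread's addressing (site 1 = 192.168.10.0/24, site 2 = 192.168.20.0/24; ACL and map names are assumptions), with site 2 carrying the kind of wrong-subnet mistake discussed above, and a checker that reports the mismatch and the missing NAT exemption.

```python
"""Consistency check for a PIX 6.x LAN-to-LAN pair: crypto ACLs must mirror
each other and tunnelled traffic must be exempt from NAT (nat 0).

Added example, not configuration from the thread. The configs are constructed;
ACL and crypto map names are assumptions.
"""
import re
from ipaddress import IPv4Network

# Constructed site 1 fragment (crypto ACL and nat 0 ACL agree).
SITE1_CONFIG = """
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
"""

# Constructed site 2 fragment with the thread's kind of mistake: the tunnel is
# pointed at 192.168.1.0/24 instead of site 1's 192.168.10.0/24.
SITE2_CONFIG = """
access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
"""

# The same fragment with the remote subnet corrected.
SITE2_FIXED = SITE2_CONFIG.replace("192.168.1.0 ", "192.168.10.0 ")

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acl(config, name):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of one named ACL."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            action, sip, smask, dip, dmask = m.groups()[1:]
            entries.append((action, IPv4Network(f"{sip}/{smask}"), IPv4Network(f"{dip}/{dmask}")))
    return entries


def crypto_acl_name(config, seq):
    """ACL bound to crypto map entry <seq> via 'match address', or None."""
    m = re.search(rf"^crypto map \S+ {seq} match address (\S+)$", config, re.M)
    return m.group(1) if m else None


def nonat_acl_name(config):
    """ACL bound to 'nat (inside) 0', or None if NAT exemption is not configured."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    return m.group(1) if m else None


def check_pair(cfg_a, cfg_b, seq):
    """Return the problems found for crypto map entry <seq> on both ends; [] means consistent."""
    problems = []
    crypto = {"A": parse_acl(cfg_a, crypto_acl_name(cfg_a, seq)),
              "B": parse_acl(cfg_b, crypto_acl_name(cfg_b, seq))}
    # Mirror test: each permit (src, dst) on one end must appear as (dst, src) on the other.
    for side, other in (("A", "B"), ("B", "A")):
        mirror = {(d, s) for act, s, d in crypto[other] if act == "permit"}
        for act, s, d in crypto[side]:
            if act == "permit" and (s, d) not in mirror:
                problems.append(f"{side}: crypto ACL {s} -> {d} has no mirror entry on {other}")
    # nat 0 test: everything the crypto ACL selects must also be NAT-exempt,
    # otherwise the packet is translated before it reaches the crypto map.
    for side, cfg in (("A", cfg_a), ("B", cfg_b)):
        nonat = parse_acl(cfg, nonat_acl_name(cfg))
        for act, s, d in crypto[side]:
            if act == "permit" and not any(s.subnet_of(ns) and d.subnet_of(nd) for _, ns, nd in nonat):
                problems.append(f"{side}: {s} -> {d} is in the crypto ACL but not in nat 0")
    return problems


if __name__ == "__main__":
    for label, cfg in (("as posted", SITE2_CONFIG), ("corrected", SITE2_FIXED)):
        print(label, check_pair(SITE1_CONFIG, cfg, 20) or "OK")
```

Run it against the output of "show config" from both firewalls pasted into the two strings; an empty list means the two ends agree on what is "interesting traffic" and that none of it will be NATed on the way out.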

New Member

Re: starting site to site vpn between pix 501's

Hi Mark

I had wondered how they tied together!

When I try to add that I get the following error:

Dynamic map entry already in use

ERROR: Unable to initialized crypto map entry

Command failed

The entry I have on each pix is identical except instead of 20 I have a value of 65535.

If I actually remove this entry then I lose connection with my current software VPN.

And the encryption lists appear to be the same.

Any other suggestions ?

New Member

Re: starting site to site vpn between pix 501's

Sorry I didn't see that line, but what's happening now is that you're not matching your phase 1 configuration. Save your existing configuration, delete the existing crypto map entries and try this:

crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 83.166.180.99
crypto map outside_map 20 set transform-set vpnset
crypto map outside_map interface outside

The line that's making it not work right now is this:

crypto map outside_map 20 ipsec-isakmp

Should work.

Mark
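A caveat a practitioner would want on the crypto map lines above: on the PIX a sequence number is either a static (LAN-to-LAN) entry or a dynamic entry, never both. Once "crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map" exists, "match address", "set peer" and "set transform-set" statements on sequence 20 have nowhere to go (the dynamic entry takes those from the dynamic-map template), which is consistent with the "Dynamic map entry already in use" error and with those lines later not appearing in the config. Dynamic entries also have to carry the highest sequence numbers in the map, so that the PIX evaluates the static peer entries first; 65535, the value already in use on both firewalls, is the conventional choice, and the static site-to-site entry needs its own lower number. The following is an added example, not configuration from the thread: a checker for exactly those two rules, run over a constructed fragment shaped like the suggestion above and over a constructed working layout (names and numbers are assumptions).

```python
"""Crypto map sequencing check for PIX 6.x: one sequence number is either a
static (LAN-to-LAN) entry or a dynamic entry, never both, and static entries
must be numbered below the dynamic entry so the PIX evaluates them first.

Added example, not configuration from the thread. Both samples are constructed;
map, ACL and transform-set names are assumptions.
"""
import re

# Shape of the suggestion in the thread: static statements hung off the dynamic sequence.
AS_SUGGESTED = """
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 83.166.180.99
crypto map outside_map 20 set transform-set vpnset
crypto map outside_map interface outside
"""

# Constructed working layout: static LAN-to-LAN entry at 10, dynamic entry last at 65535.
WORKING = """
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 83.166.180.99
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")  # 'crypto dynamic-map' and 'interface' lines do not match


def parse_crypto_map(config, map_name):
    """Return {seq: fields} for every 'crypto map <map_name> <seq> ...' line."""
    entries = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(1) != map_name:
            continue
        seq, words = int(m.group(2)), m.group(3).split()
        e = entries.setdefault(seq, {"dynamic": None, "match": None, "peer": None, "transform": None})
        if words[0] == "ipsec-isakmp":
            if len(words) == 3 and words[1] == "dynamic":
                e["dynamic"] = words[2]
        elif words[:2] == ["match", "address"]:
            e["match"] = words[2]
        elif words[:2] == ["set", "peer"]:
            e["peer"] = words[2]
        elif words[:2] == ["set", "transform-set"]:
            e["transform"] = words[2:]
    return entries


def check_crypto_map(config, map_name):
    """Return a list of sequencing problems; [] means the map is laid out correctly."""
    problems = []
    entries = parse_crypto_map(config, map_name)
    dynamic_seqs = [s for s, e in entries.items() if e["dynamic"]]
    for seq, e in sorted(entries.items()):
        if e["dynamic"]:
            # The dynamic entry takes peer, ACL and transform from its dynamic-map template;
            # static statements on the same sequence number are rejected or lost.
            if e["match"] or e["peer"] or e["transform"]:
                problems.append(f"seq {seq}: static statements attached to dynamic entry {e['dynamic']}")
            continue
        for key in ("match", "peer", "transform"):       # a static entry needs all three
            if not e[key]:
                problems.append(f"seq {seq}: static entry has no {key}")
        if any(seq > d for d in dynamic_seqs):
            problems.append(f"seq {seq}: static entry numbered above a dynamic entry; "
                            "dynamic entries must carry the highest sequence numbers")
    return problems


if __name__ == "__main__":
    for label, cfg in (("as suggested", AS_SUGGESTED), ("working", WORKING)):
        print(label, check_crypto_map(cfg, "outside_map") or "OK")
```

Two further items belong on the same checklist for a PIX that also terminates software clients, as site 1 does. The pre-shared key for the peer firewall is entered as "isakmp key <key> address <peer> netmask 255.255.255.255 no-xauth no-config-mode"; without those two keywords the PIX treats the peer PIX like a remote-access client and tries to run xauth and mode-config against it. And since both firewalls sit behind routers that NAT them (outside addresses 192.168.111.2 and 192.168.120.x), ESP has to be carried inside UDP, which means "isakmp nat-traversal" enabled on both ends (PIX 6.3 or later); the "Tunnel UDP-Encaps" setting in the posted output shows that this is already how the software client reaches site 1.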

New Member

Re: starting site to site vpn between pix 501's

Hi Mark,

That makes a lot more sense. I'll let you know how I get on.

Thanks

Suzanne

New Member

Re: starting site to site vpn between pix 501's

Hi Mark,

Have added that. Strangely, it doesn't seem to show the

crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 83.166.180.99
crypto map outside_map 20 set transform-set vpnset
crypto map outside_map interface outside

in the show config file anymore, but if I look at a show crypto ipsec sa then it's certainly got the right information.

I no longer get any response when I post

show crypto map isakmp sa

though. It comes up blank.

Any more ideas?

Thanks for all your help so far.

Suzanne
