
New Member

UNABLE TO CREATE VPN TUNNEL BETWEEN PIX 520 to PIX 520 IOS 6.3(4)

We have two Cisco PIX 520s, 16M flash, IOS 6.3(4) on both, and 2 FE interfaces on each firewall (identical PIXes).

The first PIX config is:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
......
access-list 101 permit ip 192.168.XXX.0 255.255.255.0 192.168.AAA.0 255.255.255.0
access-list 102 permit ip 192.168.XXX.0 255.255.255.0 192.168.AAA.0 255.255.255.0
..........
nat (inside) 0 access-list 101
..........
crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac
crypto map rtpmap 1 ipsec-isakmp
crypto map rtpmap 1 match address 102
crypto map rtpmap 1 set peer AAA.AAA.AAA.AAA
crypto map rtpmap 1 set transform-set SecuritySet
crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap interface outside
isakmp enable outside
isakmp key ******** address AAA.AAA.AAA.AAA netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

And the second PIX config is:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
......
access-list 101 permit ip 192.168.AAA.0 255.255.255.0 192.168.XXX.0 255.255.255.0
access-list 102 permit ip 192.168.AAA.0 255.255.255.0 192.168.XXX.0 255.255.255.0
..........
nat (inside) 0 access-list 101
..........
crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac
crypto map rtpmap 1 ipsec-isakmp
crypto map rtpmap 1 match address 102
crypto map rtpmap 1 set peer XXX.XXX.XXX.XXX
crypto map rtpmap 1 set transform-set SecuritySet
crypto map rtpmap 1 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map rtpmap interface outside
isakmp enable outside
isakmp key ******** address XXX.XXX.XXX.XXX netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

We have turned logging on and debugging for IPSEC and ISAKMP, but there seem to be no connection attempts between the two PIXes; neither PIX is trying to initiate a connection to the other.

Please Help!

4 REPLIES
Gold

Re: UNABLE TO CREATE VPN TUNNEL BETWEEN PIX 520 to PIX 520 IOS 6

Abdul,

Your config looks OK, do you have L3 connectivity between the two peers, i.e. can you ping pix-b's public IP address from pix-a? Also, if you initiate ping from an internal client behind pix-a to an internal client behind pix-b and then issue on either pix: sho isakmp sa - what does the pix show under 'state'??

Can you also issue (in config mode) : clear cry ipsec sa and also clear cry isakmp sa

Now try to ping from internal host to peer internal host again and check pix with: sho isakmp sa - what does the 'state' show?

For your reference here is a document on L2L IPSec VPN setup:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Let me know how you get on.

Jay

New Member

Re: UNABLE TO CREATE VPN TUNNEL BETWEEN PIX 520 to PIX 520 IOS 6

L3 Connectivity is ok, both PIX firewalls can ping the outside world including each other's public address successfully.

When I try to ping a client behind pix-a from a client behind pix-b I get no reply (1000ms).

I have cleared the ipsec and crypto on both firewalls. (No difference)

show isakmp sa returns:

Total : 0

Embryonic : 0

dst src state pending created

Empty set ???

Everything seems to be OK with the configs, but neither PIX is even attempting to create a tunnel to the other one?

No ISAKMP or IPSEC error or even connection attempts in the log of both firewalls with debugging for ISAKMP and IPSEC turned on.

Gold

Re: UNABLE TO CREATE VPN TUNNEL BETWEEN PIX 520 to PIX 520 IOS 6

Abdul,

Just thinking, can you verify that your ISP or even your internet facing router is not filtering out the following:

ISAKMP TCP/UDP port 500

ESP protocol 50

AH protocol 51

Thanks -

New Member

Re: UNABLE TO CREATE VPN TUNNEL BETWEEN PIX 520 to PIX 520 IOS 6

Abdul,

Can you turn on "debug icmp trace" on the firewall with the client behind it that you are initiating the ping from? Please remember to issue a "term mon" if you are telnetted into the box. In my experience, if you initiate the ping and don't see any debugs on the firewall that you initiated the ping from behind, you either have a routing issue or a nat 0 statement is missing. The "debug icmp trace" will at least let you validate that the ICMP packet is getting from the host to the inside of the PIX to the PIX itself. I believe in your version of PIX code it will also show you if it is getting NATed. For example,

1.1.1.1 > 4.4.4.4 > 198.133.219.25

Internal Nat Destination

Also, keep in mind anytime you turn on a debug that you have the potential to lock up a box. You may want to do this after hours if the boxes are in production.
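Added example, not part of the thread: a small Python cross-check of the two posted configs for the mismatches that stop an L2L tunnel from ever forming (peers not pointing at each other, transform-set or ISAKMP policy differing, crypto ACLs not mirror images, and the missing nat 0 exemption the last reply mentions). The configs are constructed from the thread with the XXX/AAA placeholders filled with documentation addresses; 198.51.100.1 and 203.0.113.2 are assumed outside addresses.

```python
import re

# Constructed sample: the two PIX 520 configs from the thread, reduced to the lines the
# tunnel depends on, with the XXX/AAA placeholders filled with documentation addresses.
PIX_A = """access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 102 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set SecuritySet esp-des esp-sha-hmac
crypto map rtpmap 1 match address 102
crypto map rtpmap 1 set peer 203.0.113.2
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash sha
isakmp policy 1 group 2"""
# PIX_B is the mirror image: networks swapped in the ACLs, peer pointing back at PIX_A.
PIX_B = PIX_A.replace("192.168.10.0 255.255.255.0 192.168.20.0",
                      "192.168.20.0 255.255.255.0 192.168.10.0").replace("203.0.113.2", "198.51.100.1")
A_OUTSIDE, B_OUTSIDE = "198.51.100.1", "203.0.113.2"      # assumed outside interface addresses

ACE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
LAST_WORD = {"nat (inside) 0": "nat0", "match address": "crypto_acl", "set peer": "peer"}

def parse_pix(cfg):
    """Pull out the fields an L2L crypto map depends on (PIX 6.x syntax)."""
    p = {"acls": {}, "isakmp": {}}
    for line in cfg.splitlines():
        w = line.split()
        if m := ACE.match(line):                      # store (src, smask, dst, dmask) per ACL
            p["acls"].setdefault(m[1], set()).add(m.groups()[1:])
        elif line.startswith("crypto ipsec transform-set"):
            p["transform"] = tuple(w[4:])
        elif line.startswith("isakmp policy"):        # e.g. "encryption des"
            p["isakmp"][w[3]] = w[4]
        for key, name in LAST_WORD.items():           # commands whose last word is the value
            if key in line:
                p[name] = w[-1]
    return p

def check_pair(a, a_outside, b, b_outside):
    """Return the mismatches that would keep phase 1 or phase 2 from completing."""
    problems = []
    if a["peer"] != b_outside or b["peer"] != a_outside:
        problems.append("set peer does not point at the other PIX's outside address")
    if a["transform"] != b["transform"]: problems.append("transform-set mismatch")
    if a["isakmp"] != b["isakmp"]: problems.append("isakmp policy mismatch")
    ca, cb = a["acls"][a["crypto_acl"]], b["acls"][b["crypto_acl"]]
    if ca != {(d, dm, s, sm) for s, sm, d, dm in cb}:   # far side must be the mirror image
        problems.append("crypto ACLs are not mirror images")
    for name, p, acl in (("A", a, ca), ("B", b, cb)):     # nat 0 must exempt all crypto traffic
        if not acl <= p["acls"].get(p.get("nat0"), set()):
            problems.append(name + ": nat 0 ACL does not exempt the crypto ACL traffic")
    return problems
```

Run check_pair(parse_pix(PIX_A), A_OUTSIDE, parse_pix(PIX_B), B_OUTSIDE) and an empty list means the two sides agree on everything this check covers, so the cause lies elsewhere (routing, filtering of UDP 500/ESP, or the traffic never reaching the PIX).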
