VPN tunnels between 1PIX and 2routers 2610

aperez
Level 1

I've got a problem with the configuration of a PIX 515 firewall for implementing two VPN tunnels to two Cisco 2610 routers.

The problem is: I configure the firewall and one router and the tunnel works. Then I configure the second tunnel and only the first tunnel works; but if I change the order of the sequence numbers in the crypto map entries, the first tunnel (previously the second one) works correctly and the second one doesn't start working.

What is happening?

Here are my configurations:

PIX

------------------

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security10

hostname pixfirewall

domain-name xxx.local

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list pingok permit icmp any any

access-list nonat permit ip 10.66.10.0 255.255.255.0 10.64.16.0 255.255.255.0

access-list nonat permit ip 195.53.224.0 255.255.255.0 10.64.16.0 255.255.255.0

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside publicIP 255.255.255.128

ip address inside 10.66.10.1 255.255.255.0

ip address dmz 195.53.224.200 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address dmz 0.0.0.0

pdm history enable

arp timeout 14400

global (outside) 1 publicIPforPAT netmask 255.255.255.128

global (dmz) 1 195.53.224.201 netmask 255.255.255.0

nat (dmz) 0 access-list nonat

nat (dmz) 1 195.53.224.0 255.255.255.0 0 0

access-group pingok in interface outside

access-group pingok in interface inside

access-group pingok in interface dmz

route outside 0.0.0.0 0.0.0.0 publicIPgateway

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set grupoidea esp-3des esp-md5-hmac

crypto map cripto 1 ipsec-isakmp

crypto map cripto 1 match address nonat

crypto map cripto 1 set peer 213.172.58.34

crypto map cripto 1 set transform-set grupoidea

crypto map cripto 2 ipsec-isakmp

crypto map cripto 2 match address nonat

crypto map cripto 2 set peer 213.172.58.42

crypto map cripto 2 set transform-set grupoidea

crypto map cripto interface outside

isakmp enable outside

isakmp key ******** address publicIPremoteA netmask 255.255.255.255

isakmp key ******** address publicIPremoteB netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 1000

telnet 10.64.0.9 255.255.255.255 inside

telnet 10.66.10.3 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

terminal width 80

ROUTER

-------------------------------------------------

version 12.1

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname resulta

logging rate-limit console 10 except errors

ip subnet-zero

no ip finger

ip audit notify log

ip audit po max-events 100

no ip dhcp-client network-discovery

no mgcp timer receive-rtcp

crypto isakmp policy 11

encr 3des

hash md5

authentication pre-share

lifetime 1000

crypto isakmp key xxxxxxxxx address publicIP_PIX

crypto ipsec transform-set grupoidea esp-3des esp-md5-hmac

crypto map vpnidea 11 ipsec-isakmp

set peer publicIP_PIX

set transform-set grupoidea

match address 120

call rsvp-sync

!
interface Ethernet0/0

ip address 10.64.32.1 255.255.255.0

ip nat inside

half-duplex

interface Ethernet1/0

ip address publicIPremoteAorB 255.255.255.128

ip nat outside

half-duplex

crypto map vpnidea

ip nat pool rangopat publicIPforPAT publicIPforPAT netmask 255.255.255.128

ip nat inside source route-map nonat pool rangopat overload

ip classless

ip route 0.0.0.0 0.0.0.0 publicIPgateway

ip http server

access-list 120 permit ip 10.64.32.0 0.0.0.255 10.66.10.0 0.0.0.255

access-list 130 deny ip 10.64.32.0 0.0.0.255 10.66.10.0 0.0.0.255

access-list 130 permit ip 10.64.32.0 0.0.0.255 any

route-map nonat permit 10

match ip address 130

dial-peer cor custom

line con 0

transport input none

line aux 0

line vty 0 4

login

end

2 Replies

pdentico
Level 1

It looks to me that you're having a problem with your access-list on your PIX. You should use one access-list for each crypto map peer. Right now you have both peers trying to use the same crypto map ACL.

Create 2 different access-lists and apply one each to the crypto map peers and see what happens.

In your case I would have one access-list for "remoteA" and one for "remoteB". Then one called "nonat" that is basically the addition of both "remoteA" and "remoteB" to be applied to the "nat 0" command.

OK, thank you.

You are right!

Yesterday I tried this solution because I saw a similar configuration and noticed this difference.

Thank you very much.
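The split that pdentico describes, written out as an added example (this is not the original poster's final configuration). The PIX evaluates crypto map entries in sequence-number order and the first entry whose ACL matches a packet selects the peer, so two entries sharing the `nonat` ACL means the lower-numbered peer always wins and the other peer never gets a matching proxy identity. The fix is one crypto ACL per peer, with the NAT-exemption ACL as their union. The remote LANs are assumptions taken from the two posted ACLs: 10.64.16.0/24 behind peer 213.172.58.34 and 10.64.32.0/24 behind peer 213.172.58.42; the ACL names `remoteA` and `remoteB` are chosen here.

```cisco
! --- PIX 6.1(4): corrected crypto section (added example, assumptions marked) ---
! Assumption: 10.64.16.0/24 sits behind 213.172.58.34, 10.64.32.0/24 behind 213.172.58.42.

! One crypto ACL per peer; each lists only the traffic that peer protects.
access-list remoteA permit ip 10.66.10.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list remoteA permit ip 195.53.224.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list remoteB permit ip 10.66.10.0 255.255.255.0 10.64.32.0 255.255.255.0
access-list remoteB permit ip 195.53.224.0 255.255.255.0 10.64.32.0 255.255.255.0

! NAT exemption is the union of both crypto ACLs. The posted config only had
! nat (dmz) 0; inside hosts (10.66.10.0/24) also need the exemption or PIX 6.x
! will try to translate them before the crypto map ever sees their packets.
access-list nonat permit ip 10.66.10.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list nonat permit ip 195.53.224.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list nonat permit ip 10.66.10.0 255.255.255.0 10.64.32.0 255.255.255.0
access-list nonat permit ip 195.53.224.0 255.255.255.0 10.64.32.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat

! Entry order no longer matters, because the ACLs do not overlap.
crypto ipsec transform-set grupoidea esp-3des esp-md5-hmac
crypto map cripto 1 ipsec-isakmp
crypto map cripto 1 match address remoteA
crypto map cripto 1 set peer 213.172.58.34
crypto map cripto 1 set transform-set grupoidea
crypto map cripto 2 ipsec-isakmp
crypto map cripto 2 match address remoteB
crypto map cripto 2 set peer 213.172.58.42
crypto map cripto 2 set transform-set grupoidea
crypto map cripto interface outside

! Keep a distinct pre-shared key per peer, as the posted config already does.
isakmp key ******** address 213.172.58.34 netmask 255.255.255.255
isakmp key ******** address 213.172.58.42 netmask 255.255.255.255

! --- Router B (IOS 12.1), the 10.64.32.0/24 side: mirror image of remoteB ---
! The crypto ACL must match the PIX entry for this peer exactly (source and
! destination swapped), and the NAT route-map must deny the same traffic so
! it is not translated before encryption. The DMZ line is an assumption.
access-list 120 permit ip 10.64.32.0 0.0.0.255 10.66.10.0 0.0.0.255
access-list 120 permit ip 10.64.32.0 0.0.0.255 195.53.224.0 0.0.0.255
access-list 130 deny   ip 10.64.32.0 0.0.0.255 10.66.10.0 0.0.0.255
access-list 130 deny   ip 10.64.32.0 0.0.0.255 195.53.224.0 0.0.0.255
access-list 130 permit ip 10.64.32.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 130
```

After changing crypto ACLs, clear the stale SAs on the PIX with `clear crypto ipsec sa` and `clear crypto isakmp sa`, then check that `show crypto map` lists a different ACL and peer for entries 1 and 2, and that `show crypto ipsec sa` shows two separate SAs whose local and remote identities match the per-peer ACLs. If one peer's SA still never comes up, `show crypto isakmp sa` tells you whether Phase 1 completed with that peer; if it did, the mismatch is in the proxy identities (the ACLs), not in the keys or policy.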