VPN PIX 501 <-> 836

Carsten Radke
Level 1

Hi, my problem is getting the attached config running between a Cisco PIX 501 and a Cisco 836, both over ADSL with static IPs from the ISP.

Please help.

8 Replies

Farrukh Haroon
VIP Alumni

Can you be more specific as to exactly what is not working?

If possible provide the following from both:

show crypto isakmp sa
show crypto ipsec sa

Also debug outputs:

debug crypto isakmp
debug crypto ipsec

Regards

Farrukh

Hi Farrukh,

Here are the outputs:

router#sh crypto isa sa
dst src state conn-id slot status

router#sh crypto ipsec sa
interface: Dialer0
Crypto map tag: vpnmap, local addr 9.23.111.155
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.7.10/255.255.255.255/0/0)
current_peer 8.24.131.96 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 9.23.111.155, remote crypto endpt.: 8.24.131.96
path mtu 1452, ip mtu 1452
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

interface: Virtual-Access1
Crypto map tag: vpnmap, local addr 9.23.111.155
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.7.10/255.255.255.255/0/0)
current_peer 8.24.131.96 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 9.23.111.155, remote crypto endpt.: 8.24.131.96
path mtu 1452, ip mtu 1452
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

____________________________________________

Firewall# sh crypto ipsec trans
Transform set myset: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },

Firewall# sh crypto isakmp
isakmp enable outside
isakmp key ******** address 9.23.111.155 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Firewall# sh crypto isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
Firewall#

Carsten

singhsaju
Level 4

In the router config you have the following:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
lifetime 1000

What is the group value? It should be 1, matching the PIX isakmp policy.

The group is 1:

836 router#sh crypto isakmp pol
Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 1000 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
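An added example (my code, not from anyone in this thread) that does the comparison singhsaju's question implies: it checks the two peers' IKEv1 Phase 1 policies against each other using the values transcribed from the PIX "sh crypto isakmp" and router "sh crypto isakmp pol" outputs above. The router's default suite is keyed 65535 here as an assumption, since the output does not print its priority; the matching rule follows Cisco's documented IKEv1 behaviour (all four attributes identical, initiator lifetime no longer than the responder's).

```python
# Policy tables transcribed from the thread's two show outputs.
# Priority 65535 for the router's "Default protection suite" is an assumption.
PIX_POLICIES = {
    10: dict(encryption="3des", hash="md5", authentication="pre-share", group=1, lifetime=1000),
    20: dict(encryption="3des", hash="sha", authentication="pre-share", group=2, lifetime=86400),
}
ROUTER_POLICIES = {
    10: dict(encryption="3des", hash="md5", authentication="pre-share", group=1, lifetime=1000),
    65535: dict(encryption="des", hash="sha", authentication="rsa-sig", group=1, lifetime=86400),
}

# IKEv1 Phase 1 requires these four to be identical on both peers.
MUST_MATCH = ("encryption", "hash", "authentication", "group")


def phase1_matches(initiator, responder):
    """Return [(init_prio, resp_prio, negotiated_lifetime)] for every policy
    pair that would agree. Lifetime need not be identical: the responder
    accepts an offer whose lifetime is <= its own and the shorter one is used.
    Priorities are walked lowest number first, as IKEv1 evaluates them."""
    found = []
    for ip in sorted(initiator):
        for rp in sorted(responder):
            i, r = initiator[ip], responder[rp]
            if all(i[k] == r[k] for k in MUST_MATCH) and i["lifetime"] <= r["lifetime"]:
                found.append((ip, rp, min(i["lifetime"], r["lifetime"])))
    return found


def explain_mismatch(a, b):
    """Attributes that differ between two policies, e.g. {'group': (1, 2)}."""
    return {k: (a[k], b[k]) for k in MUST_MATCH if a[k] != b[k]}


if __name__ == "__main__":
    # PIX policy 10 and router policy 10 agree, so Phase 1 parameters are not
    # what keeps "sh crypto isakmp sa" empty in this thread.
    print(phase1_matches(PIX_POLICIES, ROUTER_POLICIES))
    print(explain_mismatch(PIX_POLICIES[20], ROUTER_POLICIES[10]))
```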

Hello

Thank you for providing the show output. But assuming you captured these commands after generating interesting traffic, it seems nothing is happening. Please check your crypto ACLs and then generate some interesting traffic for VPN. Then attach the debug output requested earlier.

debug outputs:

debug crypto isakmp
debug crypto ipsec
debug crypto engine

debug crypto engine

Thanks

Farrukh

Here is an output from the PIX:

IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created

Carsten

Firstly, on the router, you have this ACL:

access-list 102 deny ip 192.168.8.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.8.0 0.0.0.255 any
access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255

Change this to:

access-list 102 deny ip 192.168.8.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 102 permit ip 192.168.8.0 0.0.0.255 any

Otherwise the VPN traffic will never match line three (it will always match the second line) and therefore will not be exempted from NAT.

Secondly, what are you using to generate interesting traffic for the VPN? From your ACL applied to the inside interface on the firewall, it seems only UDP and TCP traffic is allowed. I hope you are not testing using ICMP?

Regards

Farrukh
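As an added illustration of the ordering point in the reply above (my code, not from the thread), this evaluates access-list 102 with Cisco's first-match semantics and flags any entry that an earlier, broader entry shadows. The ACL lines are the ones quoted in the post; the test hosts 192.168.8.5 and 198.51.100.7 are constructed. In a NAT-exemption ACL a "deny" result means the flow is exempt from translation.

```python
import ipaddress

# The two orderings quoted in the reply (original first, corrected second).
ORIGINAL_ACL = [
    "access-list 102 deny ip 192.168.8.0 0.0.0.255 10.10.10.0 0.0.0.255",
    "access-list 102 permit ip 192.168.8.0 0.0.0.255 any",
    "access-list 102 deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255",
]
FIXED_ACL = [ORIGINAL_ACL[0], ORIGINAL_ACL[2], ORIGINAL_ACL[1]]


def _net(tokens):
    """Consume one Cisco address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress treats a dotted mask starting with a zero octet as a host mask,
    # which is exactly what a Cisco wildcard is.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """'access-list 102 permit ip SRC DST' -> (action, src_net, dst_net)."""
    _, _, action, _proto, *rest = line.split()
    src, rest = _net(rest)
    dst, _ = _net(rest)
    return action, src, dst


def evaluate(acl_lines, src_ip, dst_ip):
    """First match wins; returns (action, 1-based line) or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, line in enumerate(acl_lines, start=1):
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return action, idx
    return "deny", None


def shadowed(acl_lines):
    """1-based indices of entries wholly covered by an earlier entry, so never reached."""
    aces = [parse_ace(l) for l in acl_lines]
    return [j + 1 for j, (_, sj, dj) in enumerate(aces)
            if any(sj.subnet_of(si) and dj.subnet_of(di) for _, si, di in aces[:j])]


if __name__ == "__main__":
    print(evaluate(ORIGINAL_ACL, "192.168.8.5", "192.168.7.10"))  # hits line 2: NATed
    print(evaluate(FIXED_ACL, "192.168.8.5", "192.168.7.10"))     # hits line 2: exempt
    print(shadowed(ORIGINAL_ACL), shadowed(FIXED_ACL))
```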

Hello, did you manage to get this working?
