VPN from PIX506 to Cisco 2800

godzilla0
Level 1

Hi, we are setting up a VPN from a PIX router to a Cisco 2800 router. I am following this configuration guide: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml

But I'm not sure if I have to do this step:

!--- Defines the IP addresses that should not be NATed.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside extended permit icmp any any

Do I have to no-NAT the local net? They are already being NATed outside to reach the internet.

Thanks.

8 Replies

JORGE RODRIGUEZ
Level 10

Xavier,

Use this link as example for your scenario.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805e8c80.shtml

The no-NAT access-list simply tells the PIX that no NATing should be performed between the two LANs through that tunnel.

Do I have to no-NAT the local net? They are already being NATed outside to reach the internet.

This only pertains to the IPsec tunnel; it has nothing to do with inside hosts being NATed to outside for other traffic. The PIX recognizes which source is meant to be exempted from NAT when you bring up the IPsec tunnel, through the nat (inside) 0 access-list nonat command and the nonat access-list.

There are instances where you have to NAT in LAN-to-LAN VPNs using public IPs, or use policy NATing for overlapping nets, but a simple L2L is straightforward when none of these conditions applies.

Rgds

Jorge

Jorge Rodriguez
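The NAT exemption Jorge describes, worked through as an added example (this is not code from the thread or from Cisco's configuration guides). It models the PIX 7.x order of operations, where the nat (inside) 0 access-list is consulted before dynamic NAT, and adds the check a practitioner wants before bringing the tunnel up: every entry of the crypto map's match-address ACL must be covered by the nonat ACL, or the PIX translates traffic that should enter the tunnel. The nonat line is the one from the original post; the crypto ACL name l2l_traffic, the nat/global lines and the second crypto entry are assumed for illustration.

```python
"""
Added example, not part of the thread or of Cisco's configuration guide:
a small model of how a PIX 7.x applies 'nat (inside) 0 access-list nonat'
ahead of dynamic NAT, plus a coverage check of the crypto ACL against it.
The nonat line is the one from the original post; the crypto ACL name
'l2l_traffic' and its second entry are assumed for illustration.
"""
import ipaddress
import re

# PIX 7.x form handled here: access-list NAME extended permit ip SRC SMASK DST DMASK
# (the 'any' keyword and non-ip protocols are deliberately not modelled).
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)"
)

# Constructed sample config: the OP's nonat ACL plus assumed crypto ACL and NAT lines.
# The 10.10.0.0/16 crypto entry is a deliberate mistake: it is not in the nonat ACL.
SAMPLE_CONFIG = """
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside extended permit icmp any any
access-list l2l_traffic extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list l2l_traffic extended permit ip 10.10.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""


def parse_acls(config_text):
    """Return {acl_name: [(src_network, dst_network), ...]} for 'permit ip' entries."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        acls.setdefault(m["name"], []).append((src, dst))
    return acls


def acl_permits(entries, src_ip, dst_ip):
    """Order does not matter here because every parsed entry is a permit."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src_net and d in dst_net for src_net, dst_net in entries)


def nat_decision(acls, src_ip, dst_ip, nonat_acl="nonat"):
    """PIX order of operations: the nat 0 exemption ACL is consulted before
    dynamic NAT, so tunnel traffic keeps its real address while everything
    else still goes out translated through 'global (outside) 1 interface'."""
    if acl_permits(acls.get(nonat_acl, []), src_ip, dst_ip):
        return "exempt"
    return "dynamic-nat"


def crypto_entries_not_exempted(acls, crypto_acl, nonat_acl="nonat"):
    """Every crypto ACL entry must sit inside some nonat entry; report those that do not."""
    missing = []
    for csrc, cdst in acls.get(crypto_acl, []):
        covered = any(csrc.subnet_of(nsrc) and cdst.subnet_of(ndst)
                      for nsrc, ndst in acls.get(nonat_acl, []))
        if not covered:
            missing.append((str(csrc), str(cdst)))
    return missing


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for dst in ("172.16.5.5", "198.51.100.7"):
        print(f"192.168.1.10 -> {dst}: {nat_decision(acls, '192.168.1.10', dst)}")
    print("crypto ACL entries the PIX would still NAT:",
          crypto_entries_not_exempted(acls, "l2l_traffic"))
```

Running it shows the point of the reply: 192.168.1.10 talking to 172.16.5.5 is exempt and goes into the tunnel untranslated, while the same host talking to 198.51.100.7 is still translated by the dynamic nat/global pair. The coverage check flags the 10.10.0.0/16 crypto entry, which would be NATed and therefore never match the tunnel's proxy identities.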

Hi, I get the following output on the PIX when doing a ping from the VPN concentrator:

pixfirewall#
crypto_isakmp_process_block:src:213.192.208.242, dest:213.27.252.202 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
pixfirewall#
ISAKMP (0): deleting SA: src 213.192.208.242, dst 213.27.252.202
ISADB: reaper checking SA 0xf0ccf4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 213.192.208.242/500 not found - peers:0

Any comments? Thanks!

Have you tried bringing up the tunnel from a source inside the LAN (not from the firewall or concentrator)? Run the same debug when you do that and post the output.

Jorge Rodriguez

Hi, this is what happens when I ping from a LAN server. The ping does not time out because the PIX is trying to connect, and the debug shows this message repeatedly:

pixfirewall# IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 213.27.252.202, remote= 213.192.208.242,
local_proxy= 192.169.7.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 213.192.208.242
VPN Peer:ISAKMP: Peer Info for 213.192.208.242/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 213.27.252.202, remote= 213.192.208.242,
local_proxy= 192.169.7.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 213.192.208.242
VPN Peer:ISAKMP: Peer Info for 213.192.208.242/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 213.27.252.202, remote= 213.192.208.242,
local_proxy= 192.169.7.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 213.192.208.242
VPN Peer:ISAKMP: Peer Info for 213.192.208.242/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 213.27.252.202, remote= 213.192.208.242,
local_proxy= 192.169.7.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 213.192.208.242
VPN Peer:ISAKMP: Peer Info for 213.192.208.242/500 not found - peers:0

We are not using pre-shared keys . . .

Any comments on that?
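A triage script for the two debug crypto isakmp outputs posted above (the phase-1 proposal rejection in the earlier post and the "No cert, and no keys" loop in this one), as an added example that is not from the thread or from Cisco. It decodes the peer's proposed transform from each "Checking ISAKMP transform ... against priority N policy" block, records which local policies rejected it, extracts the phase-2 proxy identities, and classifies the failure. The debug samples are copied from the thread with blank lines removed; the classification codes are this example's own.

```python
# Added example (not from the thread): triage of the two 'debug crypto isakmp'
# outputs the OP posted. Decodes the peer's proposed transform, records which
# local policies rejected it, extracts the phase-2 proxies, and classifies
# the failure. Debug samples are copied from the thread; the codes are mine.
import ipaddress
import re

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth|life type"
                     r"|life duration \(VPI\) of)\s+(.+)$")
NOKEY_RE = re.compile(r"No cert, and no keys \(public or pre-shared\) with remote peer (\S+)")
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/")

# Copied from the thread (blank lines removed, trailing lines trimmed).
DEBUG_PHASE1 = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
"""
DEBUG_NOKEY = """\
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 213.27.252.202, remote= 213.192.208.242,
local_proxy= 192.169.7.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 213.192.208.242
"""


def vpi_seconds(vpi_text):
    """'0x0 0x1 0x51 0x80' is the big-endian lifetime attribute: 0x00015180 = 86400 s."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi_text.split()), "big")


def parse_proposals(debug_text):
    """One dict per 'Checking ISAKMP transform' block: the peer's offer and the
    local policy priority it was compared against; accepted=False on rejection."""
    proposals, cur = [], None
    for line in (raw.strip() for raw in debug_text.splitlines()):
        m = CHECK_RE.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)), "accepted": None}
            proposals.append(cur)
            continue
        m = ATTR_RE.match(line) if cur is not None else None
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key.startswith("life duration"):
                cur["lifetime_seconds"] = vpi_seconds(value)
            elif key == "default group":
                cur["group"] = int(value)
            else:
                cur[key.replace(" ", "_")] = value
        elif cur is not None and "atts are not acceptable" in line:
            cur["accepted"] = False
    return proposals


def parse_proxies(debug_text):
    """Phase-2 identities the PIX is negotiating, as (local, remote) CIDR pairs."""
    pairs, pending = set(), {}
    for side, net, mask in PROXY_RE.findall(debug_text):
        pending[side] = str(ipaddress.ip_network(f"{net}/{mask}", strict=False))
        if len(pending) == 2:
            pairs.add((pending.pop("local"), pending.pop("remote")))
    return pairs


def classify(debug_text):
    """Return (code, detail); the missing-credentials message is the more specific signal."""
    m = NOKEY_RE.search(debug_text)
    if m:
        return "NO_PEER_CREDENTIALS", m.group(1)
    proposals = parse_proposals(debug_text)
    if proposals and "no offers accepted" in debug_text:
        o = proposals[0]
        rejected = [p["priority"] for p in proposals if p["accepted"] is False]
        return "NO_MATCHING_ISAKMP_POLICY", (
            f"peer offered {o['encryption']}/{o['hash']}/group {o['group']}/"
            f"{o['auth']}/{o['lifetime_seconds']}s, rejected by policies {rejected}")
    return "UNKNOWN", ""


if __name__ == "__main__":
    for name, text in (("phase-1 debug", DEBUG_PHASE1), ("LAN-ping debug", DEBUG_NOKEY)):
        print(name, *classify(text))
    print("proxies:", parse_proxies(DEBUG_NOKEY))
```

On the first output the script reports NO_MATCHING_ISAKMP_POLICY: the peer offered DES-CBC, SHA, DH group 1, RSA signatures and an 86400-second lifetime, and both the configured policy 10 and the PIX's catch-all policy 65535 rejected it. On the second it reports NO_PEER_CREDENTIALS for 213.192.208.242, which is the PIX saying it holds neither a certificate nor an isakmp key entry for that peer; an RSA-signature tunnel still needs the PIX itself enrolled with a CA, which is what the later replies are pointing at. The proxy extraction shows the interesting traffic the PIX is trying to protect, 192.169.7.0/24 to 192.168.3.0/24, which is the pair the nonat and crypto ACLs must cover.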

As far as I know you need to use a pre-shared key at each end in order to authenticate the tunnel.

Jorge Rodriguez

Yes, sure you can. You can do tunnels limited only by their IP. This is the case. You can do it with pre-shared keys or you can do it by IP.

You would need to use pre-shared keys or certificates. I do not know if you have a CA server set up for certificates, but to bring the tunnel up you can test with pre-shared keys.

Gilbert

It's an in-production VPN concentrator and we are already using 4 tunnels without pre-shared keys. Thanks anyway.
