Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
714
Views
0
Helpful
7
Replies

VPN3030 to PIX506e VPN - 3030 will not pass traffic first

m-housley
Level 1
Level 1

‎05-25-2006 05:42 AM

I have a 3030 on 4.7.2 software with a VPN configured to a PIX506e on 6.3.5 software.

Isakmp/IPSEC Phase 1 and Phase 2 come up when traffic is started from Concentrator end, but the Concentrator will not send traffic to the remote end in the IPSEC tunnel, until traffic is seen incoming from the PIX.

Once traffic is seen from the PIX, then all traffic can be sent between the permitted subnets.

Should the timeouts clear the connection, then it's back to Square One and the Concentrator will not send traffic through the tunnel, even though Phase 2 is complete - any ideas why this is?

Labels:
0 Helpful
7 Replies 7

Vikas Saxena
Cisco Employee
Cisco Employee

‎05-25-2006 10:46 PM

How many tunnels do you have in the concentrator.

Looks like an address overlap in the concentrator.

Can you post PIX configuration?

Vikas

0 Helpful

m-housley
Level 1
Level 1
In response to Vikas Saxena

‎05-26-2006 12:23 AM

Vikas, There is only a single tunnel on the Concentrator Pix config is shown below: -

logging buffered debugging

icmp permit 10.108.1.0 255.255.255.0 inside

mtu outside 1500

mtu inside 1500

ip address outside 81.137.x.x 255.255.255.248

ip address inside 10.108.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 81.137.x.x 1

route outside 10.1.0.0 255.255.0.0 81.137.x.x 1

route outside 194.221.x.x 255.255.255.255 81.137.x.x 1

timeout xlate 3:00:00

timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 0:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.108.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set bb esp-3des esp-md5-hmac

crypto map Publicvpn 10 ipsec-isakmp

crypto map Publicvpn 10 match address 101

crypto map Publicvpn 10 set peer 194.221.x.x

crypto map Publicvpn 10 set transform-set bb

crypto map Publicvpn interface outside

isakmp enable outside

isakmp key ******** address 194.221.x.x netmask 255.255.255.255

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

telnet 10.108.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Concentrator is attached to a DMZ inside another PIX (a 525 running v7.1(1)), but is NOT NATTED - it uses a routed RIPE address.

ESP and ISAKMP is allowed out from Concentrator to PIX peer, and ESP/ISAKMP is allowed in from peer PIX.

0 Helpful

Vikas Saxena
Cisco Employee
Cisco Employee
In response to m-housley

‎05-26-2006 01:00 AM

Hello,

You forgot to paste the acl nonat and 101. Please paste them too.

Can the tunnel be initialized from either side?

-Vikas

0 Helpful

m-housley
Level 1
Level 1
In response to Vikas Saxena

‎05-26-2006 01:11 AM

Apologies Vikas...!

See full config below: -

!

interface ethernet0 100full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password XXXXX

passwd XXXXX

hostname BBtestVPN

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list nonat permit ip 10.108.1.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list 101 permit ip 10.108.1.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list Internet-inbound permit esp host 194.221.x.x host 81.137.x.x

access-list Internet-inbound permit udp host 194.221.x.x host 81.137.x.x eq isakmp

pager lines 24

logging on

logging buffered debugging

icmp permit 10.108.1.0 255.255.255.0 inside

mtu outside 1500

mtu inside 1500

ip address outside 81.137.x.x 255.255.255.248

ip address inside 10.108.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 81.137.x.x 1

route outside 10.1.0.0 255.255.0.0 81.137.x.x 1

route outside 194.221.x.x 255.255.255.255 81.137.x.x 1

timeout xlate 3:00:00

timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 0:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.108.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set bb esp-3des esp-md5-hmac

crypto map Publicvpn 10 ipsec-isakmp

crypto map Publicvpn 10 match address 101

crypto map Publicvpn 10 set peer 194.221.x.x

crypto map Publicvpn 10 set transform-set bb

crypto map Publicvpn interface outside

isakmp enable outside

isakmp key ******** address 194.221.x.x netmask 255.255.255.255

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash md5

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

telnet 10.108.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

The connection can be initialized from the PIX side (from a device on the 10.108.1.0/24 network to a 10.1.0.0/16 address) without any problems, then the connection works both ways.

However, if the connection is initialized from the concentrator end (from a device on the 10.1.0.0/16 network to a 10.108.1.0/24 address) Phase 1 and Phase 2 complete OK, but still no connection is made.

Doing a "debug packet" on the outside interface of the PIX above shows that the IPSEC packets containg a ping (for example) do not reach it.

0 Helpful

Vikas Saxena
Cisco Employee
Cisco Employee
In response to m-housley

‎05-26-2006 01:33 AM

Please paste the network list from the concentrator.

Is there a filter rule applied on the configuration of the concentrator with 'established' keyword init?

If the filters are there can they be disabled?

Vikas

0 Helpful

m-housley
Level 1
Level 1
In response to Vikas Saxena

‎05-26-2006 01:47 AM

Vikas,

Local network: -

10.1.0.0/0.0.255.255

Remote network: -

10.108.1.0/0.0.0.255

I have no filter applied to the tunnel under configuration||Tunneling & Security|IPSEC|LAN to LAN

Mark.

0 Helpful

Vikas Saxena
Cisco Employee
Cisco Employee
In response to m-housley

‎05-26-2006 02:42 AM

access-list nonat permit ip 10.108.1.0 255.255.255.0 10.1.0.0 255.255.0.0

access-list 101 permit ip 10.108.1.0 255.255.255.0 10.1.0.0 255.255.0.0

nat (inside) 0 access-list nonat

sysopt connection permit-ipsec

crypto ipsec transform-set bb esp-3des esp-md5-hmac

crypto map Publicvpn 10 ipsec-isakmp

crypto map Publicvpn 10 match address 101

crypto map Publicvpn 10 set peer 194.221.x.x

crypto map Publicvpn 10 set transform-set bb

crypto map Publicvpn interface outside

Concentrator

Local network: -

10.1.0.0/0.0.255.255

Remote network: -

10.108.1.0/0.0.0.255

No filters on the tunnel.

Some more info required:

1. break the tunnel.

2. run debug cry ipsec and debugs on concentrator for isa and ipsec

3. from the pc behind the PIX, ping some address (note that address) behind the concentrator.

4. capture the debug and paste it.

5. paste the output of sh cry ipsec sa

6. break the tunnel

7. run deb cry ipsec

8. enable debugs in concentrator for isa and ipsec

9. From the PC behind the concentrator bring up the tunnel by pinging something beind the pix (pref. the address which you used in step 3).

10. capture both debugs and paste.

11. paste the output of sh cry ipsec sa

12. routing table from the concentrator.

you can also enable 'management interface inside' on the pix. To use the inside interface ip address in the ping cmd you will use 'ping inside ' and the source ip will be taken from the inside int which is included in the tunnel. From concentrator you can ping the pix inside int as if you are pinging a PC.

This will eliminate all the problems in the inside lan if there are any like routing and proxy arp.

It will be easier for you to use only the inside interfaces of both the devices to bring up the tunnel.

The debugs from both side are required because there is a concept of initiator and responder in IPSEC (i am sure you are aware of this). Initiator can propose and the resopnder will accept/reject. So, there could be a case that we will be looking at two different debugs in both the cases which should be same.

Vikas

0 Helpful
Customers Also Viewed These Support Documents