05-25-2006 05:42 AM
I have a 3030 on 4.7.2 software with a VPN configured to a PIX506e on 6.3.5 software.
Isakmp/IPSEC Phase 1 and Phase 2 come up when traffic is started from Concentrator end, but the Concentrator will not send traffic to the remote end in the IPSEC tunnel, until traffic is seen incoming from the PIX.
Once traffic is seen from the PIX, then all traffic can be sent between the permitted subnets.
Should the timeouts clear the connection, then it's back to Square One and the Concentrator will not send traffic through the tunnel, even though Phase 2 is complete - any ideas why this is?
05-25-2006 10:46 PM
How many tunnels do you have in the concentrator?
Looks like an address overlap in the concentrator.
Can you post PIX configuration?
Vikas
05-26-2006 12:23 AM
Vikas, there is only a single tunnel on the Concentrator. PIX config is shown below: -
logging buffered debugging
icmp permit 10.108.1.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 81.137.x.x 255.255.255.248
ip address inside 10.108.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 81.137.x.x 1
route outside 10.1.0.0 255.255.0.0 81.137.x.x 1
route outside 194.221.x.x 255.255.255.255 81.137.x.x 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 0:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.108.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set bb esp-3des esp-md5-hmac
crypto map Publicvpn 10 ipsec-isakmp
crypto map Publicvpn 10 match address 101
crypto map Publicvpn 10 set peer 194.221.x.x
crypto map Publicvpn 10 set transform-set bb
crypto map Publicvpn interface outside
isakmp enable outside
isakmp key ******** address 194.221.x.x netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 10.108.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Concentrator is attached to a DMZ inside another PIX (a 525 running v7.1(1)), but is NOT NATTED - it uses a routed RIPE address.
ESP and ISAKMP are allowed out from the Concentrator to the PIX peer, and ESP/ISAKMP are allowed in from the peer PIX.
05-26-2006 01:00 AM
Hello,
You forgot to paste the acl nonat and 101. Please paste them too.
Can the tunnel be initialized from either side?
-Vikas
05-26-2006 01:11 AM
Apologies Vikas...!
See full config below: -
!
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXX
passwd XXXXX
hostname BBtestVPN
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 10.108.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 10.108.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list Internet-inbound permit esp host 194.221.x.x host 81.137.x.x
access-list Internet-inbound permit udp host 194.221.x.x host 81.137.x.x eq isakmp
pager lines 24
logging on
logging buffered debugging
icmp permit 10.108.1.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 81.137.x.x 255.255.255.248
ip address inside 10.108.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 81.137.x.x 1
route outside 10.1.0.0 255.255.0.0 81.137.x.x 1
route outside 194.221.x.x 255.255.255.255 81.137.x.x 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 0:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.108.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set bb esp-3des esp-md5-hmac
crypto map Publicvpn 10 ipsec-isakmp
crypto map Publicvpn 10 match address 101
crypto map Publicvpn 10 set peer 194.221.x.x
crypto map Publicvpn 10 set transform-set bb
crypto map Publicvpn interface outside
isakmp enable outside
isakmp key ******** address 194.221.x.x netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 10.108.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
The connection can be initialized from the PIX side (from a device on the 10.108.1.0/24 network to a 10.1.0.0/16 address) without any problems, then the connection works both ways.
However, if the connection is initialized from the concentrator end (from a device on the 10.1.0.0/16 network to a 10.108.1.0/24 address) Phase 1 and Phase 2 complete OK, but still no connection is made.
Doing a "debug packet" on the outside interface of the PIX above shows that the IPSEC packets containing a ping (for example) do not reach it.
05-26-2006 01:33 AM
Please paste the network list from the concentrator.
Is there a filter rule applied on the configuration of the concentrator with the 'established' keyword in it?
If the filters are there can they be disabled?
Vikas
05-26-2006 01:47 AM
Vikas,
Local network: -
10.1.0.0/0.0.255.255
Remote network: -
10.108.1.0/0.0.0.255
I have no filter applied to the tunnel under configuration||Tunneling & Security|IPSEC|LAN to LAN
Mark.
05-26-2006 02:42 AM
access-list nonat permit ip 10.108.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 10.108.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set bb esp-3des esp-md5-hmac
crypto map Publicvpn 10 ipsec-isakmp
crypto map Publicvpn 10 match address 101
crypto map Publicvpn 10 set peer 194.221.x.x
crypto map Publicvpn 10 set transform-set bb
crypto map Publicvpn interface outside
Concentrator
Local network: -
10.1.0.0/0.0.255.255
Remote network: -
10.108.1.0/0.0.0.255
No filters on the tunnel.
Some more info required:
1. break the tunnel.
2. run debug cry ipsec and debugs on concentrator for isa and ipsec
3. from the pc behind the PIX, ping some address (note that address) behind the concentrator.
4. capture the debug and paste it.
5. paste the output of sh cry ipsec sa
6. break the tunnel
7. run deb cry ipsec
8. enable debugs in concentrator for isa and ipsec
9. From the PC behind the concentrator bring up the tunnel by pinging something behind the PIX (pref. the address which you used in step 3).
10. capture both debugs and paste.
11. paste the output of sh cry ipsec sa
12. routing table from the concentrator.
you can also enable 'management interface inside' on the pix. To use the inside interface ip address in the ping cmd you will use 'ping inside
This will eliminate all the problems in the inside lan if there are any like routing and proxy arp.
It will be easier for you to use only the inside interfaces of both the devices to bring up the tunnel.
The debugs from both sides are required because there is a concept of initiator and responder in IPSEC (I am sure you are aware of this). The initiator can propose and the responder will accept/reject. So there could be a case that we will be looking at two different debugs in the two cases, which should be the same.
Vikas
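The checks Vikas asked for (crypto ACL 101, the nonat ACL and the concentrator's local/remote network lists) can be done mechanically. The script below is an added example written for this page, not something posted in the thread or shipped with either device: it parses the PIX 6.x `access-list ... permit ip SRC MASK DST MASK` lines and the VPN 3000 wildcard-mask network lists exactly as they appear above, then checks that the PIX crypto ACL is the mirror image of the concentrator's local/remote pair and that the nonat ACL covers everything the crypto ACL selects. A proxy-ID mismatch or a NAT exemption gap are the two classic causes of a tunnel that only works when one side initiates, which is why they are worth ruling out before reading debugs. The four constants are copied from the configs posted in the thread; for the posted values the checks pass, so that class of mistake is ruled out for this config.

```python
import ipaddress

# Inputs copied from the configs posted in the thread (constructed test data for this example).
PIX_CRYPTO_ACL = "access-list 101 permit ip 10.108.1.0 255.255.255.0 10.1.0.0 255.255.0.0"
PIX_NONAT_ACL = "access-list nonat permit ip 10.108.1.0 255.255.255.0 10.1.0.0 255.255.0.0"
CONC_LOCAL = "10.1.0.0/0.0.255.255"    # VPN 3000 network list entry: address/wildcard
CONC_REMOTE = "10.108.1.0/0.0.0.255"


def wildcard_to_network(spec):
    """Convert a VPN 3000 'address/wildcard' entry to an IPv4Network.

    Wildcard masks are the inverse of subnet masks: 0 bits must match,
    1 bits are don't-care, so 0.0.255.255 means a /16.
    """
    addr, wild = spec.split("/")
    inverted = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF
    mask = ipaddress.IPv4Address(inverted)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def pix_acl_to_networks(line):
    """Parse a PIX 6.x 'access-list NAME permit ip SRC SMASK DST DMASK' line.

    Returns (source_network, destination_network). Only the 'permit ip'
    subnet form used in the thread is handled; anything else is rejected.
    """
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line}")
    src = ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}", strict=False)
    dst = ipaddress.IPv4Network(f"{parts[6]}/{parts[7]}", strict=False)
    return src, dst


def check_proxy_ids(pix_crypto_acl, conc_local, conc_remote):
    """The PIX crypto ACL must mirror the concentrator's local/remote pair exactly.

    PIX source == concentrator remote, PIX destination == concentrator local.
    Anything else is a phase 2 proxy-ID mismatch; returns a list of problems
    (empty when the selectors mirror).
    """
    pix_src, pix_dst = pix_acl_to_networks(pix_crypto_acl)
    local = wildcard_to_network(conc_local)
    remote = wildcard_to_network(conc_remote)
    problems = []
    if pix_src != remote:
        problems.append(f"PIX source {pix_src} != concentrator remote {remote}")
    if pix_dst != local:
        problems.append(f"PIX destination {pix_dst} != concentrator local {local}")
    return problems


def check_nonat_covers(pix_nonat_acl, pix_crypto_acl):
    """Every flow selected by the crypto ACL must also be NAT-exempt.

    With 'nat (inside) 1 0.0.0.0 0.0.0.0' and 'global (outside) 1 interface',
    anything not matched by the nonat ACL is PATed to the outside address
    and no longer matches the crypto ACL, so it never enters the tunnel.
    """
    n_src, n_dst = pix_acl_to_networks(pix_nonat_acl)
    c_src, c_dst = pix_acl_to_networks(pix_crypto_acl)
    return c_src.subnet_of(n_src) and c_dst.subnet_of(n_dst)


if __name__ == "__main__":
    for problem in check_proxy_ids(PIX_CRYPTO_ACL, CONC_LOCAL, CONC_REMOTE):
        print("proxy-ID mismatch:", problem)
    print("nonat covers crypto ACL:", check_nonat_covers(PIX_NONAT_ACL, PIX_CRYPTO_ACL))
```

To see the failure mode the script detects, narrow the concentrator's local list to `10.1.0.0/0.0.0.255` (a /24 instead of the /16 in ACL 101) and `check_proxy_ids` reports the destination mismatch; on the real devices that shows up as a phase 2 proposal rejected by the responder, which is not what the thread describes, so the selectors are not the problem here and the next place to look is the debugs Vikas listed.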