Re: PIX to PIX VPN problem
- From: John Scholvin <john@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 8 Feb 2006 17:01:00 +0000 (UTC)
Thanks for your help, Walter.
In article <0RfGf.583241$ki.280779@pd7tw2no>,
Walter Roberson <roberson@xxxxxxxxxxxx> wrote:
> In article <dsbvje$dfm$1@xxxxxxxxxxxxxxxx>,
> John Scholvin <john@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> PIX Version 6.3(3)
> Should upgrade to 6.3(4) for security fixes, 6.3(5) for bug fixes.

done.

>> ip address inside 10.1.1.1 255.0.0.0
>> ip local pool REMOTE 10.1.250.1-10.1.250.254
> Never have your vpn address pool as a subset of your inside addresses.
> This -will- lead to VPN problems in PIX 6.x.

GAK! Major typo. Should be ip address inside 10.1.1.1 255.255.255.0. This
has been wrong for a long, long time. Now fixed; didn't make too much of a
difference that I can see.

>> access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.1.250.0 255.255.255.0
>> access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.1.250.0 255.255.255.0
>> access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
>> access-list CHICAGO permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
> Why are you using 10.1/16 as your source on those when your
> inside address range is 10/8 and 192.168.0/24 ?

Well, see above re: typo of netmask.

>> global (outside) 1 interface
>> nat (inside) 0 access-list NONAT
>> nat (inside) 1 192.168.0.0 255.255.255.0 0 0
>> nat (inside) 1 10.1.0.0 255.255.0.0 0 0
> I notice you do not have any translation specified for the rest
> of 10/8 ?

Ditto...

>> isakmp client configuration address-pool local REMOTE outside
>> vpngroup VPN address-pool REMOTE
> Cisco recommends that you do not use both of those commands
> together unless you have multiple tunnels.

I took the isakmp statement out.

> It is usually a problem to use the same ACL for two purposes;
I redid the access lists. I'll post the whole config (plus the show crypto
output below for context), but here's what I did, and why.
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.1.250.0 255.255.255.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 NONAT
The idea here is that I have 2 lans (10.1/16 and 192.168.0/24) behind the
PIX (Evanston), the remote private lan (Chicago) is 10.2/16, and the VPN
client users who attach to this PIX have the address pool 10.1.250.1 -
10.1.250.254.
My reasoning is that I don't want NAT between my private networks, and I
don't want NAT between Evanston and the VPN clients. Correct? (I'm not
considering NAT between the VPN clients and Chicago right now, though I
suppose I will.)
access-list CHICAGO permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list CHICAGO permit ip 192.168.0.0 255.255.255.0 10.2.0.0 255.255.0.0
crypto map CRYPTO_MAP 5 match address CHICAGO
These are the ACLs that define the "interesting" Evanston to Chicago traffic
for the tunnel.
access-list VPNSPLIT permit ip 192.168.0.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list VPNSPLIT permit ip 10.1.0.0 255.255.0.0 10.1.250.0 255.255.255.0
access-list VPNSPLIT permit ip 10.2.0.0 255.255.0.0 10.1.250.0 255.255.255.0
vpngroup VPN split-tunnel VPNSPLIT
And this ACL is for the VPN clients' split-tunnel.
Am I completely missing the boat on these???
Here's where I am now: isakmp is established, but I still can't get traffic
between Evanston and Chicago. If I try to traceroute from Evanston to
Chicago, I see a bunch of intermediate hops past my ISP's router, which I am
guessing is wrong. If the tunnel is correct, shouldn't traceroute show it
going from my pix straight to the other pix?
Thanks again for all assistance...full PIX config and crypto output below.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ** encrypted
passwd ** encrypted
hostname pix-evn
domain-name **
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 700
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.200 utility
name ee.ee.ee.ee router01
name cc.cc.cc.cc vpn-chi
name ee.ee.ee.ee vpn-evn
name 10.1.1.254 router02
name 10.1.1.1 pix-evn
object-group icmp-type icmp_traffic
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
access-list PERMIT_IN permit icmp any any object-group icmp_traffic
access-list PERMIT_IN permit tcp any host vpn-evn eq ssh
access-list PERMIT_IN permit tcp any host vpn-evn eq www
access-list PERMIT_IN permit tcp any host vpn-evn eq https
access-list PERMIT_IN permit udp host router01 host vpn-evn eq syslog
access-list PERMIT_IN permit udp host router01 any eq snmp
access-list PERMIT_IN permit udp any host vpn-evn eq isakmp
access-list PERMIT_IN permit ah any host vpn-evn
access-list PERMIT_IN permit esp any host vpn-evn
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.1.250.0 255.255.255.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list CHICAGO permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list CHICAGO permit ip 192.168.0.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list VPNSPLIT permit ip 192.168.0.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list VPNSPLIT permit ip 10.1.0.0 255.255.0.0 10.1.250.0 255.255.255.0
access-list VPNSPLIT permit ip 10.2.0.0 255.255.0.0 10.1.250.0 255.255.255.0
no pager
logging on
logging trap notifications
logging host inside utility
no logging message 106023
no logging message 305005
no logging message 304001
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside vpn-evn 255.255.255.248
ip address inside pix-evn 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool REMOTE 10.1.250.1-10.1.250.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 10.1.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface ssh utility ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www utility www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https utility https netmask 255.255.255.255 0 0
static (inside,outside) udp interface syslog utility syslog netmask 255.255.255.255 0 0
access-group PERMIT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 router01 1
route inside 10.1.0.0 255.255.0.0 router02 1
route inside 192.168.0.0 255.255.255.0 router02 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server utility source inside
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside utility
snmp-server location headquarters
snmp-server contact scholvin
snmp-server community BASE2
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set REMOTEACCESS esp-3des esp-sha-hmac
crypto ipsec transform-set LINK_TRANSFORM esp-des
crypto dynamic-map DYN_MAP 10 set transform-set REMOTEACCESS
crypto map CRYPTO_MAP 5 ipsec-isakmp
crypto map CRYPTO_MAP 5 match address CHICAGO
crypto map CRYPTO_MAP 5 set peer vpn-chi
crypto map CRYPTO_MAP 5 set transform-set LINK_TRANSFORM
crypto map CRYPTO_MAP 99 ipsec-isakmp dynamic DYN_MAP
crypto map CRYPTO_MAP client configuration address initiate
crypto map CRYPTO_MAP client configuration address respond
crypto map CRYPTO_MAP interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp key ******** address vpn-chi netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
vpngroup VPN address-pool REMOTE
vpngroup VPN dns-server utility
vpngroup VPN default-domain **
vpngroup VPN split-tunnel VPNSPLIT
vpngroup VPN idle-time 1800
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
dhcpd dns utility
dhcpd lease 36000
dhcpd ping_timeout 750
dhcpd domain **
dhcpd auto_config outside
terminal width 80
Cryptochecksum:b3e43898f90b3c05db21b856a1f836dc
pix-evn# show isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
vpn-chi vpn-evn QM_IDLE 0 1
pix-evn# show ipsec sa
interface: outside
Crypto map tag: CRYPTO_MAP, local addr. vpn-evn
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
current_peer: vpn-chi:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: vpn-evn, remote crypto endpt.: vpn-chi
path mtu 1500, ipsec overhead 44, media mtu 1500
current outbound spi: e37f42c8
inbound esp sas:
spi: 0xdbeb684c(3689637964)
transform: esp-des ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: CRYPTO_MAP
sa timing: remaining key lifetime (k/sec): (4608000/28240)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xe37f42c8(3816768200)
transform: esp-des ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: CRYPTO_MAP
sa timing: remaining key lifetime (k/sec): (4607999/28240)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
current_peer: vpn-chi:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: vpn-evn, remote crypto endpt.: vpn-chi
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
--
John Scholvin -- john@xxxxxxxxxxxx -- an E7b5#9 man in an F major world
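Added example, not part of the original post or of anything Cisco ships: a small Python checker for the two things this thread keeps circling, namely whether the nat 0 exemption actually covers what the crypto map and split-tunnel ACLs select, and whether the "show ipsec sa" counters show traffic going out but nothing coming back. The sample config and SA output are constructed to mirror the fragments quoted above (the inside mask is the pre-fix 255.0.0.0 so the pool-overlap warning fires, and the last NONAT line keeps the 255.255.255.0 destination mask exactly as posted, which the check flags because it does not cover 192.168.0/24 to the whole of 10.2/16). It understands only the handful of PIX 6.x line shapes that appear in the post; everything else is ignored.

```python
"""Added example (not from the original post): a checker for PIX 6.x VPN
configs that catches the usual causes of "ISAKMP is up but no traffic flows".
The sample texts below are constructed to mirror the fragments in the thread."""
import re
from ipaddress import IPv4Address, IPv4Network

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")
SPLIT_RE = re.compile(r"^vpngroup \S+ split-tunnel (\S+)")
IDENT_RE = re.compile(r"^local ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")

SAMPLE_CONFIG = """\
ip address inside 10.1.1.1 255.0.0.0
ip local pool REMOTE 10.1.250.1-10.1.250.254
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.1.250.0 255.255.255.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list CHICAGO permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list CHICAGO permit ip 192.168.0.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list VPNSPLIT permit ip 192.168.0.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list VPNSPLIT permit ip 10.1.0.0 255.255.0.0 10.1.250.0 255.255.255.0
access-list VPNSPLIT permit ip 10.2.0.0 255.255.0.0 10.1.250.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map CRYPTO_MAP 5 match address CHICAGO
vpngroup VPN split-tunnel VPNSPLIT
"""

SAMPLE_SA_OUTPUT = """\
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""


def _first(regex, text):
    """Capture groups of the first line matching `regex`, or None."""
    for line in text.splitlines():
        m = regex.match(line.strip())
        if m:
            return m.groups()
    return None


def parse_acls(config):
    """{name: [(src_net, dst_net), ...]} for every 'permit ip' ACL entry."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (IPv4Network(f"{s}/{sm}"), IPv4Network(f"{d}/{dm}")))
    return acls


def is_exempt(entry, exemptions):
    """True if one nat 0 entry contains both the source and the destination."""
    src, dst = entry
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exemptions)


def check_config(config):
    """Return findings as strings; an empty list means nothing suspicious."""
    findings = []
    acls = parse_acls(config)
    inside, pool = _first(INSIDE_RE, config), _first(POOL_RE, config)
    if inside and pool:
        # Walter's rule: the client pool must not fall inside the inside subnet.
        inside_net = IPv4Network(f"{inside[0]}/{inside[1]}", strict=False)
        if any(IPv4Address(a) in inside_net for a in pool):
            findings.append(f"pool {pool[0]}-{pool[1]} overlaps inside {inside_net}")
    nat0 = _first(NAT0_RE, config)
    exempt = acls.get(nat0[0], []) if nat0 else []
    # Anything the crypto map or split-tunnel ACL selects must be NAT-exempt,
    # otherwise it is translated to the outside address and never matches.
    for label, regex in (("crypto ACL", CRYPTO_RE), ("split-tunnel", SPLIT_RE)):
        name = _first(regex, config)
        for src, dst in acls.get(name[0], []) if name else []:
            if not is_exempt((src, dst), exempt):
                findings.append(f"{label} entry {src} -> {dst} is not covered by nat 0")
    return findings


def check_ipsec_sa(output):
    """Per SA: (local_net, encaps, decaps, verdict) from 'show ipsec sa' text."""
    sas = []
    for line in output.splitlines():
        line = line.strip()
        m = IDENT_RE.match(line)
        if m:
            sas.append([str(IPv4Network(f"{m.group(1)}/{m.group(2)}")), 0, 0])
        elif sas and line.startswith("#pkts encaps:"):
            sas[-1][1] = int(re.search(r"encaps: (\d+)", line).group(1))
        elif sas and line.startswith("#pkts decaps:"):
            sas[-1][2] = int(re.search(r"decaps: (\d+)", line).group(1))
    verdicts = []
    for net, enc, dec in sas:
        if enc and not dec:
            verdict = "one-way: we encrypt, nothing returns (check peer crypto ACL, nat 0, routing)"
        elif not enc and not dec:
            verdict = "idle: no packets have matched this SA yet"
        else:
            verdict = "bidirectional"
        verdicts.append((net, enc, dec, verdict))
    return verdicts


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print("CONFIG:", f)
    for net, enc, dec, verdict in check_ipsec_sa(SAMPLE_SA_OUTPUT):
        print(f"SA {net}: encaps={enc} decaps={dec} -> {verdict}")
```

On the sample above the config check reports three things: the pool sits inside 10.0.0.0/8 (the pre-fix mask), the CHICAGO entry for 192.168.0/24 to 10.2/16 is only exempted for 10.2.0.0/24, and the VPNSPLIT entry for 10.2/16 to the client pool has no nat 0 line at all. The SA check reports the 10.1/16 SA as one-way (8 encaps, 0 decaps), which is the signature of a peer that is not sending anything back, and the 192.168.0/24 SA as idle. That is also why a traceroute through the tunnel shows ISP hops: on this platform the encrypted packets still transit the Internet path, so hop-by-hop output is not evidence that the tunnel is broken; the decaps counter is.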