
Pix 501 Site-2-Site won't come up *different guy - same problem *


  • Pix 501 Site-2-Site won't come up *different guy - same problem *

    Hi there,

    I am reaching the point of complete frustration since even after more than 4 hours I cannot get my 501 to simply try to establish a tunnel.
    Apparently I am doing something wrong only that I have no clue what that might be.
    Anyone (PRETTY) please have any idea why the pix is not even trying to contact the vpn peer?

    Best regards,

    Tillman

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pix
    domain-name mydomain.net
    names
    access-list 90 permit ip host 64.114.73.85 host 212.187.175.209
    pager lines 24
    logging on
    logging trap debugging
    logging host inside 64.114.73.85
    mtu outside 1500
    mtu inside 1500
    ip address outside 193.124.95.110 255.255.255.0
    ip address inside 64.114.73.85 255.255.255.240
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 64.114.73.85 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 193.124.95.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map toX400 20 ipsec-isakmp
    crypto map toX400 20 match address 90
    crypto map toX400 20 set peer 212.187.175.211
    crypto map toX400 20 set transform-set strong
    crypto map toX400 interface outside
    isakmp enable outside
    isakmp key ******** address 212.187.175.211 netmask 255.255.255.255
    isakmp keepalive 10 10
    isakmp log 5000
    isakmp policy 9 authentication pre-share
    isakmp policy 9 encryption 3des
    isakmp policy 9 hash sha
    isakmp policy 9 group 1
    isakmp policy 9 lifetime 86400
    telnet timeout 5
    ssh xx.xx.xx.xx 255.255.255.0 outside
    ssh timeout 20
    console timeout 0
    terminal width 80
    Cryptochecksumxxxx
    Last edited by TillmanZ; 10th July 2008, 14:56.

  • #2
    Re: Pix 501 Site-2-Site won't come up *different guy - same problem *

    crypto map toX400 20 set peer 212.184.195.211
    isakmp key ******** address 212.187.175.211 netmask 255.255.255.255

    These don't match for a start.
    There is also no "nat 0" statement?
    Your access-list is showing the PIX Internal IP and should probably show at least a client on the inside of the PIX's inside interface as it is traffic originating from there that the pix will send over the VPN.

    Have you changed some of these details? If so, can you change them so they still bear some kind of reference?
    cheers
    Andy


    Quis custodiet ipsos custodes?
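The three things Andy spots by eye above (a crypto map peer with no matching pre-shared key, no `nat 0` for the crypto ACL, and an ACL whose source host is the PIX's own inside interface) are mechanical enough to check with a script. The following is an added example, not code from this thread or from Cisco; it parses only the handful of PIX 6.x statements those checks need, resolves `name` aliases so the second, corrected config can be checked as well, and the two sample configs are trimmed, constructed versions of the fragments posted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the statements from the first posted config that the
# reply above flags (peer address differs from the pre-shared key address,
# no "nat 0" for ACL 90, ACL source is the PIX's own inside interface address).
BROKEN_CONFIG = """\
access-list 90 permit ip host 64.114.73.85 host 212.187.175.209
ip address outside 193.124.95.110 255.255.255.0
ip address inside 64.114.73.85 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map toX400 20 ipsec-isakmp
crypto map toX400 20 match address 90
crypto map toX400 20 set peer 212.184.195.211
crypto map toX400 20 set transform-set strong
isakmp key ******** address 212.187.175.211 netmask 255.255.255.255
"""

# Constructed sample: the same fragment as corrected in the second posted config.
FIXED_CONFIG = """\
name 62.x.93.85 myHost
access-list 90 permit ip host myHost host 212.x.195.209
ip address inside 62.x.93.82 255.255.255.240
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map toX400 20 match address 90
crypto map toX400 20 set peer 212.x.195.211
isakmp key ******** address 212.x.195.211 netmask 255.255.255.255
"""

PATTERNS = [
    ("name",   re.compile(r"^name (\S+) (\S+)$")),
    ("inside", re.compile(r"^ip address inside (\S+) \S+$")),
    ("acl",    re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)$")),
    ("nat0",   re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")),
    ("key",    re.compile(r"^isakmp key \S+ address (\S+)")),
    ("peer",   re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")),
    ("match",  re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")),
]

def parse_pix(config):
    """Collect only the statements the site-to-site checks need from a PIX 6.x config."""
    facts = {
        "names": {},                     # alias -> address (from "name" statements)
        "inside_ip": None,
        "acl_hosts": defaultdict(list),  # acl id -> [(src, dst), ...]
        "nat0_acls": set(),              # ACLs exempted from NAT via "nat (ifc) 0 access-list"
        "key_addrs": set(),              # peer addresses that have a pre-shared key
        "map_peer": {},                  # (map name, seq) -> peer address
        "map_acl": {},                   # (map name, seq) -> crypto ACL id
    }
    for raw in config.splitlines():
        line = raw.strip()
        for kind, pat in PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            if kind == "name":
                facts["names"][m.group(2)] = m.group(1)
            elif kind == "inside":
                facts["inside_ip"] = m.group(1)
            elif kind == "acl":
                facts["acl_hosts"][m.group(1)].append((m.group(2), m.group(3)))
            elif kind == "nat0":
                facts["nat0_acls"].add(m.group(1))
            elif kind == "key":
                facts["key_addrs"].add(m.group(1))
            elif kind == "peer":
                facts["map_peer"][(m.group(1), m.group(2))] = m.group(3)
            elif kind == "match":
                facts["map_acl"][(m.group(1), m.group(2))] = m.group(3)
            break
    return facts

def check_site_to_site(config):
    """Return (code, detail) findings; an empty list means the three checks passed."""
    f = parse_pix(config)

    def resolve(host):
        return f["names"].get(host, host)

    findings = []
    # 1. Every crypto map peer needs a pre-shared key bound to exactly that address.
    for (cmap, seq), peer in f["map_peer"].items():
        if peer not in f["key_addrs"]:
            findings.append(("peer-without-key", f"crypto map {cmap} {seq} peer {peer}"))
    for (cmap, seq), acl in f["map_acl"].items():
        # 2. VPN traffic must be exempted from the interface PAT, otherwise it is
        #    translated before the crypto ACL is evaluated and never matches.
        if acl not in f["nat0_acls"]:
            findings.append(("no-nat0", f"crypto map {cmap} {seq} acl {acl}"))
        # 3. The "interesting traffic" source should be a host behind the PIX,
        #    not the inside interface address itself.
        for src, _dst in f["acl_hosts"].get(acl, []):
            if resolve(src) == f["inside_ip"]:
                findings.append(("acl-src-is-inside-interface", f"acl {acl} host {src}"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("first post", BROKEN_CONFIG), ("second post", FIXED_CONFIG)):
        print(label, check_site_to_site(cfg) or "no findings")
```

Run against the first config it reports all three findings in order; against the corrected one it reports nothing. The script only knows the `host A host B` form of crypto ACLs that the thread uses, so subnet-style ACL entries would need an extra pattern.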



    • #3
      Re: Pix 501 Site-2-Site won't come up *different guy - same problem *

      First off: WOW! That was really quick!

      And then I gotta say I am sorry for messing up the post so badly.
      I actually tried to change (/obfuscate) the IPs to a level that they make some sense but apparently I was a little blind.
      So here we go again:

      PIX Version 6.3(5)
      interface ethernet0 auto
      interface ethernet1 100full
      nameif ethernet0 outside security0
      nameif ethernet1 inside security100
      hostname pix
      domain-name mydomain.net
      fixup protocol dns maximum-length 512
      fixup protocol ftp 21
      fixup protocol h323 h225 1720
      fixup protocol h323 ras 1718-1719
      fixup protocol http 80
      fixup protocol rsh 514
      fixup protocol rtsp 554
      fixup protocol sip 5060
      fixup protocol sip udp 5060
      fixup protocol skinny 2000
      fixup protocol smtp 25
      fixup protocol sqlnet 1521
      fixup protocol tftp 69
      names
      name 62.x.93.85 myHost
      access-list 90 permit ip host myHost host 212.x.195.209
      pager lines 24
      logging on
      logging trap debugging
      logging host inside myHost
      mtu outside 1500
      mtu inside 1500
      ip address outside 193.x.135.110 255.255.255.0
      ip address inside 62.x.93.82 255.255.255.240
      ip audit info action alarm
      ip audit attack action alarm
      pdm location myHost 255.255.255.255 inside
      pdm logging informational 100
      pdm history enable
      arp timeout 14400
      global (outside) 1 interface
      nat (inside) 0 access-list 90
      nat (inside) 1 0.0.0.0 0.0.0.0 0 0
      route outside 0.0.0.0 0.0.0.0 193.x.135.1 1
      timeout xlate 0:05:00
      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
      timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
      timeout sip-disconnect 0:02:00 sip-invite 0:03:00
      timeout uauth 0:05:00 absolute
      aaa-server TACACS+ protocol tacacs+
      aaa-server TACACS+ max-failed-attempts 3
      aaa-server TACACS+ deadtime 10
      aaa-server RADIUS protocol radius
      aaa-server RADIUS max-failed-attempts 3
      aaa-server RADIUS deadtime 10
      aaa-server LOCAL protocol local
      aaa authentication http console LOCAL
      aaa authentication ssh console LOCAL
      http server enable
      http 193.x.135.0 255.255.255.0 outside
      http 62.x.93.80 255.255.255.240 inside
      no snmp-server location
      no snmp-server contact
      snmp-server community public
      no snmp-server enable traps
      floodguard enable
      sysopt connection permit-ipsec
      crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
      crypto ipsec transform-set strong esp-3des esp-sha-hmac
      crypto map toX400 20 ipsec-isakmp
      crypto map toX400 20 match address 90
      crypto map toX400 20 set peer 212.x.195.211
      crypto map toX400 20 set transform-set strong
      crypto map toX400 interface outside
      isakmp enable outside
      isakmp key ******** address 212.x.195.211 netmask 255.255.255.255
      isakmp keepalive 10 10
      isakmp log 5000
      isakmp policy 9 authentication pre-share
      isakmp policy 9 encryption 3des
      isakmp policy 9 hash sha
      isakmp policy 9 group 1
      isakmp policy 9 lifetime 86400



      • #4
        Re: Pix 501 Site-2-Site won't come up *different guy - same problem *

        No worries
        Your config looks good bearing in mind the only way to bring up the tunnel would be from the machine known as "myHost" as this is the only "interesting" traffic for the PIX.

        can you add in
        debug crypto isa
        debug crypto ipse
        debug crypto engine

        and see what comes up?
        I assume the remote site is using 3DES, SHA and Group1?
        cheers
        Andy


        Quis custodiet ipsos custodes?



        • #5
          Re: Pix 501 Site-2-Site won't come up *different guy - same problem *

          aaaaaarg - I cannot believe that! Seriously, why on earth will the pix only try to establish the tunnel when there is traffic?
          The entire time my main issue was the absence of any intention by the pix to communicate with the remote peer. Obviously the reason was that I did not bother to ping from "myHost".

          Thank you SOOOOOOO much for pointing this out to me!

          But then - the tunnel does not work yet but at least I get some rather reasonable debug info.
          Apparently I need to tell the pix not to block the remote traffic host.

          Here is what I get:

          VPN Peer: IPSEC: Peer ip:212.x.195.211/500 Ref cnt incremented to:2 Total VPN Peers:1
          VPN Peer: IPSEC: Peer ip:212.x.195.211/500 Ref cnt incremented to:3 Total VPN Peers:1
          return status is IKMP_NO_ERROR
          ISAKMP (0): sending NOTIFY message 36136 protocol 1
          crypto_isakmp_process_block:src:212.x.195.211, dest:193.x.135.110 spt:500 dpt:500
          ISAKMP (0): processing NOTIFY payload 36137 protocol 1
          spi 0, message ID = 3303251652
          ISAMKP (0): received DPD_R_U_THERE_ACK from peer 212.x.195.211
          return status is IKMP_NO_ERR_NO_TRANS
          ISAKMP (0): sending NOTIFY message 36136 protocol 1
          crypto_isakmp_process_block:src:212.184.195.211, dest:193.x.135.110 spt:500 dpt:500
          ISAKMP (0): processing NOTIFY payload 36137 protocol 1
          spi 0, message ID = 1246389930
          ISAMKP (0): received DPD_R_U_THERE_ACK from peer 212.x.195.211



          • #6
            Re: Pix 501 Site-2-Site won't come up *different guy - same problem *

            What does
            Show Crypto isa sa

            show you?

            Have you 100% confirmed they are using the same shared key and details?
            cheers
            Andy


            Quis custodiet ipsos custodes?



            • #7
              Re: Pix 501 Site-2-Site won't come up *different guy - same problem *

              Thanks for replying so quickly to my mails. I really appreciate that!

              Here is the isa sa output:

              pix(config)# show crypto isa sa
              Total : 1
              Embryonic : 0
              dst src state pending created
              212.x.195.211 193.x.135.110 QM_IDLE 0 3


              Regarding details and shared-key - well I am 99,999% sure (just to not lose my face when I am wrong... *g )
              *Update* I am now 100% sure since I double checked the settings with the old Netgear configuration which worked flawlessly.

              Does the "crypto_isakmp_process_block" say "hey, the credentials are incorrect"?
              I kinda got the impression that this might be some blocking on a lower IP access level aka "I don't like any kind of messages from the IP even though it might be your VPN peer".
              Last edited by TillmanZ; 10th July 2008, 19:41.



              • #8
                Re: Pix 501 Site-2-Site won't come up *different guy - same problem *

                Well...as I said, I am a real Cisco noob...
                So eventually it turns out that the tunnel is actually established and the "process_block" is NOT a failure message as I had thought.
                Since I was trying to ping the other side and they decided to turn off their ICMP echo recently (without telling me) I simply didn't realize that the tunnel was already working.

                Thanks again for helping me so quickly since the biggest issue for me was to understand that the Pix will not establish the tunnel all by itself but will always wait for some traffic.

                Best regards,

                Tillman
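The two posts above turn on reading the PIX output correctly: `QM_IDLE` in `show crypto isa sa` means phase 1 completed, `crypto_isakmp_process_block` is printed for every ISAKMP packet received and is not an error, and the `DPD_R_U_THERE_ACK` lines show the peer answering keepalives. The following is an added example, not code from this thread or from Cisco: it parses the `show crypto isa sa` table and the debug lines posted in #5 and #7 (copied here as constructed samples, addresses obfuscated as in the thread) and attaches the usual troubleshooting reading of each main-mode state. The state table is the standard PIX 6.x / IOS main-mode state list; the one-line hints are this example's own summary.

```python
import re

# Constructed sample: the "show crypto isa sa" table from post #7.
SHOW_ISA_SA = """\
Total : 1
Embryonic : 0
dst src state pending created
212.x.195.211 193.x.135.110 QM_IDLE 0 3
"""

# Constructed sample: debug lines from post #5 (typo "ISAMKP" is as the PIX printed it).
DEBUG_LINES = """\
return status is IKMP_NO_ERROR
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:212.x.195.211, dest:193.x.135.110 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 212.x.195.211
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:212.x.195.211, dest:193.x.135.110 spt:500 dpt:500
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 212.x.195.211
"""

# Main-mode ISAKMP SA states as shown by "show crypto isakmp sa" on PIX 6.x / IOS,
# with the usual reading of an SA that is stuck in that state.
IKE_STATE_HINTS = {
    "MM_NO_STATE": "SA created but no reply processed: peer unreachable or UDP/500 blocked",
    "MM_SA_SETUP": "phase 1 proposal agreed: encryption, hash, DH group and lifetime match",
    "MM_KEY_EXCH": "DH exchange done but not authenticated: a pre-shared key mismatch usually stalls here",
    "MM_KEY_AUTH": "authenticated, phase 1 about to complete",
    "QM_IDLE": "phase 1 complete and idle; confirm phase 2 with 'show crypto ipsec sa'",
}

SA_ROW = re.compile(r"^(\d[\w.]*)\s+(\d[\w.]*)\s+([A-Z_]+)\s+(\d+)\s+(\d+)$")
DPD_ACK = re.compile(r"received DPD_R_U_THERE_ACK from peer (\S+)")
# Printed once per received ISAKMP packet; it is a trace line, not a failure.
PROCESS_BLOCK = re.compile(r"^crypto_isakmp_process_block:src:(\S+), dest:(\S+)")

def parse_isa_sa(text):
    """Turn the dst/src/state/pending/created rows into dicts; header lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            sas.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                        "pending": int(m.group(4)), "created": int(m.group(5))})
    return sas

def summarize(show_text, debug_text):
    """Per ISAKMP SA: state, whether phase 1 is up, and liveness evidence from the debug."""
    sas = parse_isa_sa(show_text)
    dpd_acks = {}
    packets_from = {}
    for line in debug_text.splitlines():
        ack = DPD_ACK.search(line)
        if ack:
            dpd_acks[ack.group(1)] = dpd_acks.get(ack.group(1), 0) + 1
        pkt = PROCESS_BLOCK.match(line.strip())
        if pkt:
            packets_from[pkt.group(1)] = packets_from.get(pkt.group(1), 0) + 1
    report = []
    for sa in sas:
        report.append({
            **sa,
            "phase1_up": sa["state"] == "QM_IDLE",
            "dpd_acks": dpd_acks.get(sa["dst"], 0),          # peer answered keepalives
            "isakmp_packets": packets_from.get(sa["dst"], 0),  # ISAKMP packets seen from peer
            "hint": IKE_STATE_HINTS.get(sa["state"], "state not in table"),
        })
    return report

if __name__ == "__main__":
    for sa in summarize(SHOW_ISA_SA, DEBUG_LINES):
        print(f"{sa['dst']}: {sa['state']} phase1_up={sa['phase1_up']} "
              f"dpd_acks={sa['dpd_acks']} -> {sa['hint']}")
```

For the posted output this reports the single SA as `QM_IDLE` with phase 1 up and two DPD acknowledgements from the peer, which is the conclusion reached in #8. Whether traffic actually flows is a phase 2 question, which is why the hint points at `show crypto ipsec sa` rather than at a ping whose reply the far side may be dropping.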



                • #9
                  Re: Pix 501 Site-2-Site won't come up *different guy - same problem *

                  Glad you got it working and thanks for updating us.
                  Sorry I missed your last post. Was on my way home!
                  cheers
                  Andy


                  Quis custodiet ipsos custodes?
