Dynamic to Static PIX to PIX VPN

Posted by amattina@layer8group.com on September 19, 2006, 10:34 am
So this continues... I found that I can configure a DHCP public PIX with a PIX that has a static address, so I set up the following 'minilab' at my desk to test'er out. I think I'm almost there but am having one snag that someone more attuned to this might be able to catch.

Both PIXs are connected to a network: 192.168.168.0/24. There is a DHCP server on this network. One PIX pulls a DHCP address and the other is statically set. Therefore:

Static-PIX: 192.168.168.200
DHCP-PIX: 192.168.168.30

The private sides of the devices are:

Static-PIX: 172.16.1.0/24
DHCP-PIX: 172.16.2.0/24

When I try to start a ping from the DHCP-PIX LAN to the Static-PIX LAN (which is the way this is going to need to work out in the real world), I get the following from 'debug crypto isakmp':

---
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 192.168.168.30, dst 192.168.168.200
ISAKMP (0): beginning Main Mode exchange
ISADB: reaper checking SA 0xb000cc, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 192.168.168.200/500 not found - peers:0
ISADB: reaper checking SA 0xaef64c, conn_id = 0
ISAKMP (0): retransmitting phase 1 (0)...
(etc)
---

Here are the configs:

DHCP-PIX
----------------------
Result of firewall command: "show run"
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password yoyoma encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname dhcp-pix
domain-name layer8testing
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.168.0 Layer8LAN
name 172.16.1.0 static-side_LAN
name 172.16.2.0 DHCP-site_LAN
access-list inside_nat0_outbound permit ip DHCP-site_LAN 255.255.255.0 static-side_LAN 255.255.255.0
access-list outside_cryptomap_100 permit ip DHCP-site_LAN 255.255.255.0 static-side_LAN 255.255.255.0
access-list outside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 172.16.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.168.19 255.255.255.255 inside
pdm location Layer8LAN 255.255.255.0 outside
pdm location DHCP-site_LAN 255.255.255.0 inside
pdm location static-side_LAN 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 192.168.168.200
crypto map outside_map 100 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.168.200 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:926e76e7fd1d60c80e98b75c81b983cb
: end
--------------------

And here is the Static-PIX
--------------------
Result of firewall command: "show run"
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password yoyoma encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname static
domain-name pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.16.2.0 dhcp-side_LAN
access-list inside_nat0_outbound permit ip any dhcp-side_LAN 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any dhcp-side_LAN 255.255.255.0
access-list outside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.168.200 255.255.255.0
ip address inside 172.16.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location dhcp-side_LAN 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.168.30 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:33739528f502bf1b09b277a3b25ad2bb
: end
------------------------------

Here is the Cisco documentation of what I want to do:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml#client

If someone could point me in the right direction on what I am doing wrong I would appreciate it.

Thanks!
- Adam
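The following checker is an added example and is not part of the thread or of Cisco's documentation. It reads PIX 6.3 'show run' text and reports the prerequisites a crypto map needs before any ISAKMP exchange can complete, plus a few exposure issues visible in the same output. The two embedded configs are excerpts of the ones posted above, trimmed to the lines the checks look at; the finding codes and check names are this example's own. Run against the static-side excerpt it reports that the crypto map is applied to outside with no 'isakmp enable outside' and no 'isakmp policy', which is consistent with an initiator that only ever sees phase 1 retransmits: a PIX that has not enabled ISAKMP on an interface does not answer UDP/500 there. It also flags the wildcard pre-shared key (any peer holding the key can negotiate), single DES, HTTP management open to any source on outside, and the default SNMP community, all of which are present in the posted configs.

```python
"""Static checker for IPsec/ISAKMP prerequisites in a PIX 6.3 'show run'.

Added example, not code from the thread. Check names and codes are invented here.
"""
import re

# Excerpt of the DHCP-PIX config posted above (crypto and management lines only).
DHCP_PIX = """\
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
snmp-server community public
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 192.168.168.200
crypto map outside_map 100 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.168.200 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Excerpt of the Static-PIX config posted above.
STATIC_PIX = """\
http 0.0.0.0 0.0.0.0 outside
snmp-server community public
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
"""


def config_lines(text):
    """Non-empty config lines, stripped, with ': Saved' / ': end' banner lines dropped."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith(":")]


def check_pix_crypto(text):
    """Return a list of (code, message) findings for one PIX 6.3 configuration."""
    cfg = config_lines(text)
    findings = []

    bound = {}  # crypto map name -> interface it is applied to
    for l in cfg:
        m = re.match(r"crypto map (\S+) interface (\S+)$", l)
        if m:
            bound[m.group(1)] = m.group(2)
    isakmp_ifaces = {m.group(1) for l in cfg for m in [re.match(r"isakmp enable (\S+)$", l)] if m}

    # 1. Crypto map on an interface where ISAKMP is not enabled: the PIX never
    #    answers UDP/500 there, so the peer only sees "retransmitting phase 1".
    for name, iface in bound.items():
        if iface not in isakmp_ifaces:
            findings.append(("ISAKMP_NOT_ENABLED",
                             f"crypto map {name} is applied to {iface} but 'isakmp enable {iface}' is missing"))
    if bound:
        if not any(re.match(r"isakmp policy \d+ ", l) for l in cfg):
            findings.append(("NO_ISAKMP_POLICY", "no 'isakmp policy' lines: no explicit phase 1 proposal"))
        if not any(l.startswith("isakmp key ") for l in cfg):
            findings.append(("NO_ISAKMP_KEY", "no 'isakmp key' for pre-shared authentication"))
        if "sysopt connection permit-ipsec" not in cfg:
            findings.append(("NO_SYSOPT_PERMIT_IPSEC",
                             "decrypted tunnel traffic is still filtered by the outside access-list"))

    # 2. Wildcard pre-shared key: any peer that knows the key may negotiate.
    for l in cfg:
        if re.match(r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0", l):
            findings.append(("WILDCARD_PSK", "pre-shared key is accepted from any peer address"))

    # 3. Transform sets: referenced but undefined, or single DES.
    defined = {}
    for l in cfg:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", l)
        if m:
            defined[m.group(1)] = m.group(2).split()
    for l in cfg:
        m = re.match(r"crypto (?:map|dynamic-map) \S+ \d+ set transform-set (.+)$", l)
        if not m:
            continue
        for ts in m.group(1).split():
            if ts not in defined:
                findings.append(("UNDEFINED_TRANSFORM_SET", f"transform-set {ts} referenced but not defined"))
            elif "esp-des" in defined[ts]:
                findings.append(("WEAK_TRANSFORM", f"transform-set {ts} uses single DES"))

    # 4. Management exposure visible in the same output.
    for l in cfg:
        if re.match(r"(http|telnet|ssh) 0\.0\.0\.0 0\.0\.0\.0 outside$", l):
            findings.append(("MGMT_OPEN_OUTSIDE", f"management access from any source: '{l}'"))
        if l == "snmp-server community public":
            findings.append(("SNMP_DEFAULT_COMMUNITY", "SNMP community is the default 'public'"))
    return findings


def finding_codes(text):
    """Set of finding codes, convenient for comparing the two peers."""
    return {code for code, _ in check_pix_crypto(text)}


if __name__ == "__main__":
    for label, cfg in (("dhcp-pix", DHCP_PIX), ("static", STATIC_PIX)):
        print(f"== {label}")
        for code, msg in check_pix_crypto(cfg):
            print(f"  {code}: {msg}")
```

The checks are ordered by what blocks negotiation first: a map on an interface without 'isakmp enable' produces exactly the symptom in the debug above, a missing 'sysopt connection permit-ipsec' only shows up after the tunnel is up (decrypted packets then hit the outside access-list, which here permits only ICMP). DES and MD5 are what the posted PIX 6.3 configs use; a current deployment would choose AES and SHA-2 and an exact peer address or certificate authentication instead of a wildcard key.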
|
Posted by Walter Roberson on September 19, 2006, 10:51 am
>VPN Peer:ISAKMP: Peer Info for 192.168.168.200/500 not found - peers:0

>DHCP-Pix
>ip address outside dhcp setroute

Check to be sure that the default route really was set.

Use the 'capture' command or an ethernet sniffer in order to check to see how far the packets are getting.
|
Posted by amattina@layer8group.com on September 19, 2006, 10:57 am
Walter Roberson wrote:
> >So this continues... I found that I can configure a DHCP public PIX with
> >a PIX that has a static address, so I set up the following 'minilab' at
> >my desk to test'er out. I think I'm almost there but am having one snag
> >that someone more attuned to this might be able to catch.
>
> >VPN Peer:ISAKMP: Peer Info for 192.168.168.200/500 not found - peers:0
>
> >DHCP-Pix
>
> >ip address outside dhcp setroute
>
> Check to be sure that the default route really was set.
>
> Use the 'capture' command or an ethernet sniffer in order to check
> to see how far the packets are getting.

The two PIXs are on the same switch. I did test to see if they could talk to each other...

dhcp-pix# ping 192.168.168.200
192.168.168.200 response received -- 0ms
192.168.168.200 response received -- 0ms
192.168.168.200 response received -- 0ms

And the other way...

192.168.168.30 response received -- 0ms
192.168.168.30 response received -- 0ms
192.168.168.30 response received -- 0ms
