IOS Debug

I have been racking my brain for several hours and I just can't figure this out. I am trying to connect from a Cisco 3640 to a Pix 515 with a VPN connection.

I have had no luck. The really strange thing is that when I try the debug commands on the router like debug crypto ipsec, debug crypto isakmp, or debug crypto engine, nothing ever displays. Does anyone have any ideas?

Here is my config file.

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname unam-router-1
!
enable secret 5 removed
enable password removed
!
username administrator password 0 removed
username uname password 0 removed
aaa new-model
!
aaa authentication login line group radius
aaa authentication login telnet group radius
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
no ip subnet-zero
!
no ip domain lookup
!
ip inspect name inspect1 smtp timeout 300
ip inspect name inspect1 udp timeout 600
ip inspect name inspect1 tcp timeout 300
ip inspect name inspect1 cuseeme
ip inspect name inspect1 ftp
ip inspect name inspect1 h323
ip inspect name inspect1 rcmd
ip inspect name inspect1 realaudio
ip inspect name inspect1 sqlnet
ip inspect name inspect1 streamworks
ip inspect name inspect1 tftp
ip inspect name inspect1 vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
crypto isakmp key removed address 205.158.removed
!
crypto ipsec transform-set pix-set esp-des esp-md5-hmac
!
crypto map clientmap 20 ipsec-isakmp
 description vpn tunnel to Colo in Fremont
 set peer 205.158.removed
 set transform-set pix-set
 match address 120
!
no voice hpi capture buffer
no voice hpi capture destination
!
fax interface-type fax-mail
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address removed 255.255.255.224
 ip access-group 101 in
 ip nat outside
 ip inspect inspect1 out
 no ip mroute-cache
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map clientmap
!
interface FastEthernet2/0
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip route-cache
 no ip mroute-cache
 ip policy route-map nonat
 speed auto
 half-duplex
 no cdp enable
!
ip local pool vpn 10.0.2.1 10.0.2.254
ip local pool ippool 192.168.201.100 192.168.201.200
ip nat pool outside 71.4.63.140 71.4.63.155 netmask 255.255.255.224
ip nat inside source list 102 pool outside
ip nat inside source list 102 pool interface fastethernet 0/0 overload
! VOIP Server
ip nat inside source static 10.0.1.35 71.4.63.138
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 removed
!
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit udp any host removed eq isakmp
access-list 101 permit gre any any
access-list 101 permit udp any host removed eq non500-isakmp
access-list 101 permit esp any host removed
access-list 101 permit ip host 205.158.106.132 any
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 permit tcp any any established
access-list 101 permit udp host 192.43.244.18 eq ntp host removed eq ntp
access-list 101 permit udp host 131.107.1.10 eq ntp host removed eq ntp
access-list 102 deny ip 10.0.1.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 102 deny ip host 10.0.1.35 any
access-list 102 permit ip 10.0.1.0 0.0.0.255 any
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip host 10.0.1.35 192.168.201.0 0.0.0.255
access-list 110 permit ip host 10.0.1.35 192.168.101.0 0.0.0.255
access-list 120 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
no cdp run
!
route-map nonat permit 10
 match ip address 110
 set ip next-hop 1.1.1.2
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password pd2013mnhy68
 login authentication local
!
ntp clock-period 17180040
ntp server 128.138.140.44
ntp server 192.43.244.18
ntp server 131.107.1.10
!
end

Reply to
unameits

try terminal monitor if you are in by telnet, plus logging buffered debugging and logging console debug; alternatively you can check the show log if you do not see any debug response in the session.

unameits wrote:

Reply to
<Anthrax>


What's odd is I receive other debug messages, just not any crypto debug, but I will try. Thanks for the input.

Reply to
unameits

The debugging works on the router, just not the crypto part. I see messages like this:

17:17:51: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.0.0.5(52341) (FastEthernet 0/0 00c0.b76b.1c0c) -> 10.0.0.255(3052), 1 packet

Here is the show debugging command:

Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto Engine debugging is on
  Crypto IPSEC debugging is on
  Crypto secure socket events debugging is on
  Crypto IPSec Mgmt Entity debugging is on

Here is the show log command:

Syslog logging: enabled (10 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 1953 messages logged, xml disabled
    Monitor logging: level debugging, 57 messages logged, xml disabled
        Logging to: vty130(3)
    Buffer logging: level debugging, 3 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 1956 message lines logged

Log Buffer (4096 bytes):

Reply to
unameits

In article , unameits wrote:
:I have been racking my brain for several hours and I just can't figure
:this out. I am trying to connect from a Cisco 3640 to a Pix 515 with a
:VPN connection.

:I have had no luck. The really strange thing is that when I try the
:debug commands on the router like debug crypto ipsec, debug crypto
:isakmp, debug crypto engine. Nothing ever displays. Does anyone have
:any ideas?

Possibly the tunnel is not being triggered.

:crypto map clientmap 20 ipsec-isakmp
: description vpn tunnel to Colo in Fremont
: set peer 205.158.removed
: set transform-set pix-set
: match address 120

:interface Loopback0
: ip address 1.1.1.1 255.255.255.0

:interface FastEthernet0/0
: ip address removed 255.255.255.224
: ip access-group 101 in
: ip nat outside

:interface FastEthernet2/0
: ip address 10.0.1.1 255.255.255.0
: ip nat inside
: ip policy route-map nonat

:ip local pool vpn 10.0.2.1 10.0.2.254
:ip local pool ippool 192.168.201.100 192.168.201.200
:ip nat pool outside 71.4.63.140 71.4.63.155 netmask 255.255.255.224
:ip nat inside source list 102 pool outside
:ip nat inside source list 102 pool interface fastethernet 0/0 overload

:ip nat inside source static 10.0.1.35 71.4.63.138

:access-list 101 permit udp any host removed eq isakmp
:access-list 101 permit gre any any
:access-list 101 permit udp any host removed eq non500-isakmp
:access-list 101 permit esp any host removed

Those lines don't hurt, and they were necessary in older IOS releases. If my memory serves me properly, late last year IOS was changed to not require permitting the IPSec protocols via the outside interface. I could well be wrong about that, though: I haven't configured IPSec on IOS myself.

I'm not sure which port non500-isakmp is -- 10000 perhaps? Cisco used that for a bit; now that NAT Traversal has been standardized, the secondary port moved to 4500.

:access-list 102 deny ip 10.0.1.0 0.0.0.255 192.168.201.0 0.0.0.255
:access-list 102 deny ip host 10.0.1.35 any
:access-list 102 permit ip 10.0.1.0 0.0.0.255 any

:access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
:access-list 110 permit ip host 10.0.1.35 192.168.201.0 0.0.0.255
:access-list 110 permit ip host 10.0.1.35 192.168.101.0 0.0.0.255

:access-list 120 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255

:route-map nonat permit 10
: match ip address 110
: set ip next-hop 1.1.1.2

Seems like a strange way of turning off NAT -- forwarding to a loopback interface that doesn't have nat turned on. Looks like it would work, though.

:!
:end

Your map to turn off NAT applies only to host 10.0.1.35, and even that will be NAT'd if the destination is 10.0.0/24.

Therefore, what gets tunneled will *not* be 10.0.1/24 to 10.0.0/24 but will instead have as its source the outside nat pool addresses 71.4.63.140-71.4.63.155 together with the IP of FE0/0.

IOS has recently changed which IP needs to be named in a crypto map match address. Unfortunately I don't recall which arrangement it changed -from- and which it changed -to-, but since one of them isn't working now, you could try the other one.

In some IOS versions, the crypto map match address should contain the NAT'd IPs. In other IOS versions, the crypto map match address should contain the un-NAT'd IPs.

As a [possibly useless] point of comparison, the Cisco PIX firewall line needs the NAT'd IPs in the crypto map match address ACL.

Reply to
Walter Roberson
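To make the NAT-versus-crypto-map argument in the reply above concrete, here is an added example (not code from the thread or from Cisco) that walks a packet from the inside LAN through the three stages that matter: the route-map nonat policy route, inside-to-outside NAT, and the crypto map's match address check. It assumes the Cisco-documented inside-to-outside order (policy routing, then NAT, then the crypto check against the translated header), which the reply hedges on, and it models the Loopback0 hairpin simply as "not translated". The ACLs, NAT pool and static translation are copied from the posted config; the sample packets and the NAT-exempt ACL variant are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the IOS inside-to-outside order of operations
# relevant to the thread: route-map nonat -> NAT inside->outside ->
# crypto map "match address". Assumption: ACL 120 is evaluated against
# the post-NAT header. ACLs below are copied from the posted config.


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: a set bit in the wildcard is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


ANY = ("0.0.0.0", "255.255.255.255")
HOST = "0.0.0.0"  # wildcard used for "host x.x.x.x"


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


# access-list 110 (referenced by route-map nonat)
ACL_110 = [
    Ace("deny", "10.0.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255"),
    Ace("permit", "10.0.1.35", HOST, "192.168.201.0", "0.0.0.255"),
    Ace("permit", "10.0.1.35", HOST, "192.168.101.0", "0.0.0.255"),
]
# access-list 102 (ip nat inside source list 102 ...)
ACL_102 = [
    Ace("deny", "10.0.1.0", "0.0.0.255", "192.168.201.0", "0.0.0.255"),
    Ace("deny", "10.0.1.35", HOST, *ANY),
    Ace("permit", "10.0.1.0", "0.0.0.255", *ANY),
]
# access-list 120 (crypto map clientmap 20 ... match address 120)
ACL_120 = [Ace("permit", "10.0.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255")]

STATIC_NAT = {"10.0.1.35": "71.4.63.138"}  # ip nat inside source static ...
NAT_POOL_FIRST = "71.4.63.140"             # first address of pool "outside"

# Constructed variant: exempt the tunnel's interesting traffic from dynamic
# NAT by putting a matching deny at the top of the NAT ACL.
ACL_102_NAT_EXEMPT = [Ace("deny", "10.0.1.0", "0.0.0.255", "10.0.0.0", "0.0.0.255")] + ACL_102


def forward(src: str, dst: str, nat_acl=ACL_102):
    """Return (source address the crypto map sees, whether ACL 120 matched)."""
    if acl_permits(ACL_110, src, dst):
        # route-map nonat hairpins via Loopback0, which is not 'ip nat inside',
        # so the packet leaves untranslated (the "strange way of turning off NAT").
        out_src = src
    elif src in STATIC_NAT:
        out_src = STATIC_NAT[src]        # static NAT ignores ACL 102 entirely
    elif acl_permits(nat_acl, src, dst):
        out_src = NAT_POOL_FIRST         # dynamic NAT from pool "outside"
    else:
        out_src = src
    return out_src, acl_permits(ACL_120, out_src, dst)


if __name__ == "__main__":
    for src, dst in [("10.0.1.10", "10.0.0.5"), ("10.0.1.35", "10.0.0.5")]:
        print("as posted:  ", src, "->", dst, forward(src, dst))
        print("nat-exempt: ", src, "->", dst, forward(src, dst, ACL_102_NAT_EXEMPT))
```

Run as posted, a packet from 10.0.1.10 to 10.0.0.5 reaches the crypto map with source 71.4.63.140, so ACL 120 never matches and no ISAKMP negotiation is ever started, which is consistent with crypto debugging staying silent while other debugs print. With the constructed deny at the top of ACL 102 the same packet keeps its 10.0.1.10 source and matches. The static translation for 10.0.1.35 is untouched by either NAT ACL, which is the reply's point that even that host is translated when the destination is 10.0.0/24.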
