PIX VPN

My VPN is working OK and I can VPN in (user3) from outside; I get IP address 172.30.0.1 / 16, but I cannot PING a PC on the "applan" with address 172.30.1.199 / 23. Is there something wrong with my access-lists? TIA, Ned

VPNFW# show run
: Saved
:
PIX Version 6.3(4)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 applan security10
hostname VPNFW
domain-name mineown.com
names
name 172.30.1.199 T21

access-list 102 permit tcp any any eq www
access-list 102 permit icmp any any
access-list 102 permit icmp any any echo-reply
access-list 102 permit ip any any
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 permit ip 10.0.0.0 255.255.255.0 172.30.0.0 255.255.0.0
access-list 101 permit ip 172.30.0.0 255.255.0.0 10.0.0.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 permit ip 172.30.0.0 255.255.0.0 172.30.0.0 255.255.0.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 172.30.0.0 255.255.0.0
pager lines 24

mtu intf5 1500
ip address outside 123.123.123.2 255.255.255.248
ip address inside 10.0.0.254 255.255.255.0
ip address applan 172.30.1.198 255.255.254.0
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool MYVPN1 10.1.1.1-10.1.1.254
ip local pool MYVPN2 172.30.0.1-172.30.0.100

pdm location 10.0.0.0 255.255.255.0 inside
pdm location 172.30.0.0 255.255.254.0 applan
pdm location 10.0.0.142 255.255.255.255 inside
pdm location 10.1.1.0 255.255.255.0 inside
pdm location 172.30.0.0 255.255.0.0 inside
pdm location 172.30.0.0 255.255.0.0 applan
pdm location T21 255.255.255.255 applan

arp timeout 14400
global (outside) 1 193.120.151.105
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (applan,outside) T21 T21 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.1 1

http server enable
http 10.0.0.142 255.255.255.255 inside
http T21 255.255.255.255 applan

sysopt connection permit-ipsec
crypto ipsec transform-set trns1 esp-3des esp-sha-hmac
crypto ipsec transform-set trmset1 esp-3des esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup user1 address-pool MYVPN1
vpngroup user1 idle-time 600
vpngroup user1 password ********
vpngroup user2 address-pool MYVPN1
vpngroup user2 idle-time 1800
vpngroup user2 password ********
vpngroup user3 address-pool MYVPN2
vpngroup user3 idle-time 1800
vpngroup user3 password ********
vpngroup user4 address-pool MYVPN1
vpngroup user4 idle-time 1800
vpngroup user4 password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.101-10.0.0.200 inside
dhcpd dns 123.111.9.1 123.111.9.48
dhcpd lease 3000
dhcpd ping_timeout 1000
dhcpd enable inside
username xxxxxx password KLWAlZDJtG1F7IEH encrypted privilege 2

: end
VPNFW#

Ned
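Added check, not part of Ned's post or the PIX: the script below reads the interface and address-pool lines from the posted show run (copied into PIX_CONFIG) and reports any VPN pool whose range falls inside a directly connected subnet; the function names are my own. Such an overlap is worth ruling out before looking at access-lists, because hosts on that segment treat the client addresses as on-link and resolve them by ARP rather than sending replies to the firewall.

```python
import ipaddress
import re

# Constructed from the posted 'show run': only the lines this check reads.
PIX_CONFIG = """
ip address outside 123.123.123.2 255.255.255.248
ip address inside 10.0.0.254 255.255.255.0
ip address applan 172.30.1.198 255.255.254.0
ip local pool MYVPN1 10.1.1.1-10.1.1.254
ip local pool MYVPN2 172.30.0.1-172.30.0.100
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")

def parse_interfaces(config):
    """{interface name: directly connected network} from 'ip address' lines."""
    nets = {}
    for line in config.splitlines():
        if m := IFACE_RE.match(line.strip()):
            name, addr, mask = m.groups()
            nets[name] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    return nets

def parse_pools(config):
    """{pool name: (first address, last address)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        if m := POOL_RE.match(line.strip()):
            name, first, last = m.groups()
            pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return pools

def pool_overlaps(config):
    """(pool, interface, network) for every pool whose address range intersects a
    directly connected subnet. Hosts on that subnet treat a VPN client holding such
    an address as on-link, so they ARP for it locally instead of sending replies to
    their gateway, and traffic back to the client is lost."""
    ifaces = parse_interfaces(config)
    hits = []
    for pool, (first, last) in parse_pools(config).items():
        for iface, net in ifaces.items():
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, iface, str(net)))
    return hits

if __name__ == "__main__":
    for pool, iface, net in pool_overlaps(PIX_CONFIG):
        print(f"pool {pool} overlaps interface {iface} ({net})")
```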

Having trouble establishing PIX VPN with Juniper firewall; I am configuring the PIX - traffic from 1.1.1.1 should establish the VPN...

Juniper Proposals are ESP 3DES HMAC SHA1 (IKE)

Juniper: (192.168.1.254 inside; outside 1.1.1.1)

IKE - Phase 1 proposal
exchange: main mode
dh group: group 2
encryption: 3des
authentication: sha1
lifetime: 28800

IPSEC - Phase 2 proposal
protocol: esp
encryption: 3des
authentication: sha1
lifetime: 28800
____________________________

Cisco PIX (192.168.100.254 inside; outside 2.2.2.2)

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 102 permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside 2.2.2.2 255.255.255.192
ip address inside 192.168.100.254 255.255.255.0

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 2.2.2.3 1

sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-aes-192 esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 102
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 1.1.1.1
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
____________________________________

ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
ISAKMP (0): deleting SA: src 1.1.1.1, dst 2.2.2.2
return status is IKMP_ERR_NO_RETRANS
ISADB: reaper checking SA 0x1182924, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:1.1.1.1/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:1.1.1.1/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 1.1.1.1

crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:1.1.1.1/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:1.1.1.1/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 566405065

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-SHA
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:1.1.1.1, dest:2.2.2.2 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
___________________________

PIXFW# show ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x21c2a7c9
crypto ipse ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x21c2a7c9
c sa

interface: outside
    Crypto map tag: mymap, local addr. 2.2.2.2

   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:
     inbound ah sas:
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x21c2a7c9
ISAKMP (0): retransmitting phase 2 (5/0)... mess_id 0x21c2a7c9
transmitting phase 2 (6/0)... mess_id 0x21c2a7c9
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
___________________________________

terrydoc
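Added example, not from terrydoc's post or the PIX itself: the script compares the transform-set configured in the PIX config above with the ESP proposal the peer offered in the quick-mode debug (the relevant debug messages copied into DEBUG, one per line) and names the algorithm that differs. The function names and the algorithm-family normalisation rule are my own assumptions.

```python
import re

# Local transform-set, copied from the PIX config posted above.
TRANSFORM_SET = "crypto ipsec transform-set mytrans esp-aes-192 esp-sha-hmac"

# Quick-mode excerpt of the posted ISAKMP debug, reflowed one message per line.
DEBUG = """
ISAKMP: transform 1, ESP_3DES
ISAKMP: authenticator is HMAC-SHA
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
"""

def normalise(token):
    """'esp-aes-192', 'ESP_3DES', 'esp-sha-hmac', 'HMAC-SHA' -> 'aes', '3des', 'sha'."""
    parts = token.lower().replace("_", "-").split("-")
    return next(p for p in parts if p not in ("esp", "hmac") and not p.isdigit())

def parse_transform_set(line):
    """(name, cipher, integrity) from one 'crypto ipsec transform-set' line."""
    fields = line.split()
    enc = next(t for t in fields[4:] if "hmac" not in t)
    auth = next(t for t in fields[4:] if "hmac" in t)
    return fields[3], normalise(enc), normalise(auth)

def parse_peer_proposals(debug):
    """(cipher, integrity, accepted) per peer proposal; the PIX verdict line closes each."""
    proposals, enc, auth = [], None, None
    for line in debug.splitlines():
        if m := re.search(r"transform \d+, (ESP_\w+)", line):
            enc = normalise(m.group(1))
        if m := re.search(r"authenticator is (HMAC-\w+)", line):
            auth = normalise(m.group(1))
        if "atts" in line and "acceptable" in line:
            proposals.append((enc, auth, "not acceptable" not in line))
            enc = auth = None
    return proposals

def diagnose(transform_set_line, debug):
    """Name which algorithm differs for every proposal the PIX rejected."""
    name, l_enc, l_auth = parse_transform_set(transform_set_line)
    findings = []
    for p_enc, p_auth, accepted in parse_peer_proposals(debug):
        if accepted:
            continue
        pairs = (("encryption", p_enc, l_enc), ("integrity", p_auth, l_auth))
        mism = ", ".join(k for k, a, b in pairs if a != b) or "no algorithm"
        findings.append(f"peer offered {p_enc}/{p_auth}, transform-set {name} "
                        f"has {l_enc}/{l_auth}: {mism} mismatch")
    return findings
```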

I made a change (I saw "ISAKMP (0:0): vendor ID is NAT-T" in the original debug):

isakmp nat-traversal 20

it appears to have made a difference as now I have

PIXFW(config)# show crypto ipsec sa

interface: outside
    Crypto map tag: mymap, local addr. 2.2.2.2

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
ISAKMP (0): retransmitting phase 2 (5/1)... mess_id 0x2a16ee5f

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 1.1.1.1:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

PIXFW(config)# ISAKMP (0): retransmitting phase 2 (6/1)... mess_id 0x2a16ee5f
PIXFW(config)#
PIXFW(config)# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    2.2.2.2           1.1.1.1       QM_IDLE         0           0

terrydoc

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.