PIX VPN site-to-site problem

Hi, I am trying to set up a PIX 506 and a 501 to make a site-to-site VPN. I am currently receiving this output on the syslog server:

a.a.a.a - outside address of PIX 506e
b.b.b.b - outside address of PIX 501

%PIX-7-702303: sa_request, (key eng. msg.) src= b.b.b.b, dest= a.a.a.a, src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4), dest_proxy= crayford/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
%PIX-7-702208: ISAKMP Phase 1 exchange started (local b.b.b.b (initiator), remote a.a.a.a)
%PIX-7-702204: ISAKMP Phase 1 retransmission (local b.b.b.b (initiator), remote a.a.a.a)
%PIX-7-702204: ISAKMP Phase 1 retransmission (local b.b.b.b (initiator), remote a.a.a.a)
%PIX-7-702204: ISAKMP Phase 1 retransmission (local b.b.b.b (initiator), remote a.a.a.a)
%PIX-6-602203: ISAKMP session disconnected (local b.b.b.b (initiator), remote a.a.a.a)

I think these debug messages point to a problem with the shared key, but I've already checked this and I've also checked that the IP addresses are right.

Here are the show runs on both PIXes:

506e

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iXGnkrGXSVRGTY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any eq www any eq www
access-list outside_access_in permit tcp any eq smtp any eq smtp
access-list outside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside a.a.a.a 255.255.255.240
ip address inside 10.35.104.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 10.35.104.162 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.35.104.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer b.b.b.b
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address b.b.b.b netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.35.104.170-10.35.104.185 inside
dhcpd dns 10.35.104.106 194.72.6.57
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:d4b5e05e6762f1aaefe62a0a041bc015
: end
pixfirewall#

501

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iXGfgfgrGXSVdmq6xI encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.35.104.0 crayford
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any eq www any eq www
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 crayford 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 crayford 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside b.b.b.b 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location crayford 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer a.a.a.a
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address a.a.a.a netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns 194.72.0.98 194.72.9.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:b435c2f314a9ac08104da24fab6bd882
: end

thanks

Alex


Your config looks good, but try adding the ISAKMP NAT-T command, as you might be hitting a NAT problem in the perimeter routers. The log output you posted indicates that the peer doesn't respond at all, hence the retransmits.

HTH Martin


isakmp identity address

nakhmanson

Hi, I ran a debug crypto isakmp on the PIX 501 and got the following output:

Eltham# debug crypto isakmp
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:a.a.a.a, dest:b.b.b.b spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0:0): Setting UDP ENC peer struct 0xa2f2c4 sa= 0xa2e694
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:a.a.a.a, dest:b.b.b.b spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: b6 e7 d3 d1 2f d9 2c 5f e7 70 e6 2 59 91 4 4b
my nat hash : 72 3b d0 c2 53 4a 16 70 9f 56 94 7f e0 58 ee 98
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP: Created a peer struct for a.a.a.a, peer port 37905
ISAKMP: Locking UDP_ENC struct 0xa2f2c4 from crypto_ikmp_udp_enc_ike_init, count 1
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src b.b.b.b, dst a.a.a.a
ISADB: reaper checking SA 0xa2e694, conn_id = 0  DELETE IT!
VPN Peer:ISAKMP: Peer Info for a.a.a.a/4500 not found - peers:0
ISAKMP: Unlocking UDP ENC struct 0xa2f2c4 from isadb_free_isakmp_sa, count 0
ISAKMP: Deleting peer node for a.a.a.a
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:a.a.a.a, dest:b.b.b.b spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0:0): Setting UDP ENC peer struct 0xa2fef4 sa= 0xa2f2c4
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:a.a.a.a, dest:b.b.b.b spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
hash received: b8 41 ca 7c 92 29 3e 92 56 47 e3 af 2 99 61 3f
my nat hash : 1c 60 88 5b 24 8 5e f3 b9 f2 3a cc ac ba 1d 89
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP: Created a peer struct for a.a.a.a, peer port 37905
ISAKMP: Locking UDP_ENC struct 0xa2fef4 from crypto_ikmp_udp_enc_ike_init, count 1
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 0
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src b.b.b.b, dst a.a.a.a
ISADB: reaper checking SA 0xa2f2c4, conn_id = 0  DELETE IT!
VPN Peer:ISAKMP: Peer Info for a.a.a.a/4500 not found - peers:0
ISAKMP: Unlocking UDP ENC struct 0xa2fef4 from isadb_free_isakmp_sa, count 0

Hope this helps; I will be posting both show runs.

Thanks

Alex

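As an added worked example (not part of the thread, and not Cisco code), here is a small Python parser that walks "debug crypto isakmp" output like the trace above and names the Main Mode message that went unanswered. It keys on the wording of the PIX 6.3(5) lines quoted in this post; other releases phrase them differently, which is an assumption to check before reusing it. Run against the posted trace it reports that MM2 and MM4 did arrive from a.a.a.a, that NAT-T port floating was negotiated and this side's address is rewritten by a NAT, and that the retransmissions start only after the ID payload, that is after the first encrypted message (MM5) was sent.

```python
"""Locate where an IKEv1 Main Mode negotiation stalls, from PIX 6.3
'debug crypto isakmp' output. Added example for this thread, not Cisco
code; the patterns follow the wording of the 6.3(5) lines quoted above
and are an assumption for other releases."""
import re
from dataclasses import dataclass

# Main Mode (RFC 2409): MM1 SA -> MM2 SA -> MM3 KE/nonce -> MM4 KE/nonce
# -> MM5 ID/HASH (encrypted) -> MM6 ID/HASH (encrypted). As initiator the
# PIX logs the peer's MM2 as "processing SA payload", its MM4 as
# "processing KE/NONCE payload", and its own MM5 as a bare "ID payload".
MARKERS = {
    "mm2_received":  re.compile(r"processing SA payload"),
    "mm4_received":  re.compile(r"processing (KE|NONCE) payload"),
    "mm5_sent":      re.compile(r"ID payload\s*$"),
    "mm6_received":  re.compile(r"processing ID payload"),
    "port_floating": re.compile(r"Detected port floating"),
    "nat_local":     re.compile(r"NAT does not match MINE hash"),
    "nat_remote":    re.compile(r"NAT does not match HIS hash"),
}
RETRANSMIT = re.compile(r"retransmitting phase 1")


@dataclass
class Phase1Trace:
    mm2_received: bool = False
    mm4_received: bool = False
    mm5_sent: bool = False
    mm6_received: bool = False
    port_floating: bool = False
    nat_local: bool = False
    nat_remote: bool = False
    retransmits: int = 0


def parse_debug(text: str) -> Phase1Trace:
    """Record which Main Mode milestones appear in the debug text."""
    t = Phase1Trace()
    for line in text.splitlines():
        if RETRANSMIT.search(line):
            t.retransmits += 1
        for name, rx in MARKERS.items():
            if rx.search(line):
                setattr(t, name, True)
    return t


def stall_point(t: Phase1Trace) -> str:
    """Name the last message this side sent that never got its answer."""
    if t.mm6_received:
        return "NO_STALL"          # phase 1 completed
    if t.retransmits == 0:
        return "INCOMPLETE_TRACE"  # nothing has timed out yet
    if not t.mm2_received:
        return "MM1_UNANSWERED"    # silence on UDP/500
    if not t.mm4_received:
        return "MM3_UNANSWERED"
    if t.mm5_sent:
        return "MM5_UNANSWERED"    # first encrypted message, no MM6 back
    return "UNKNOWN"


def explain(t: Phase1Trace) -> list:
    """Turn the trace into the checks a practitioner would run next."""
    point = stall_point(t)
    notes = ["stall point: " + point]
    if point == "MM1_UNANSWERED":
        notes.append("peer never replied on UDP/500: check routing, filtering "
                     "of UDP/500, and that ISAKMP is enabled on its outside interface")
    elif point == "MM5_UNANSWERED":
        notes.append("peer answered MM1 and MM3 in the clear but not the first "
                     "encrypted message; a pre-shared key mismatch is silent here, "
                     "so read the responder's own debug as well")
        if t.port_floating:
            notes.append("NAT-T port floating was negotiated, so MM5 went to "
                         "UDP/4500: verify UDP/4500 is passed end to end")
    if t.nat_local:
        notes.append("NAT-D: this PIX's address/port is rewritten on the way to the peer")
    if t.nat_remote:
        notes.append("NAT-D: the peer is behind a NAT")
    return notes


# Sample input: the 501's trace as posted in this thread, trimmed to the
# lines the parser keys on.
POSTED_TRACE = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0:0): Detected port floating
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0:0): NAT does not match MINE hash
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): ID payload
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src b.b.b.b, dst a.a.a.a
"""

if __name__ == "__main__":
    for note in explain(parse_debug(POSTED_TRACE)):
        print(note)
```

The distinction matters because the syslog alone ("Phase 1 retransmission") looks the same whether the peer is unreachable or whether it silently dropped the first encrypted message; only the debug shows that MM2 and MM4 came back.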

Here are the latest show runs; I've added a few lines on the ACLs and on the crypto list.

506e

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iXGnkrGXSVdmq6xI encrypted
passwd 2KFQnbNIdI.rtERt5YOU encrypted
hostname crayford
domain-name dh2
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any eq www any eq www
access-list outside_access_in permit tcp any eq smtp any eq smtp
access-list outside_access_in permit icmp any any
access-list outside_access_in permit udp host b.b.b.b host a.a.a.a eq isakmp
access-list inside_outbound_nat0_acl permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.35.104.0 255.255.255.0
access-list outside_cryptomap_20 permit icmp 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging host inside 10.35.104.162
mtu outside 1500
mtu inside 1500
ip address outside a.a.a.a 255.255.255.240
ip address inside 10.35.104.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 10.35.104.162 255.255.255.255 inside
pdm location 10.35.104.0 255.255.255.0 outside
pdm location b.b.b.b 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.a.a.a 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.35.104.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer b.b.b.b
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address b.b.b.b netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.35.104.170-10.35.104.185 inside
dhcpd dns 10.35.104.106 194.72.6.57
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

501

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iXGnkrYTXSVdmq6xI encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname Eltham
domain-name DH2.co.uk
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.35.104.0 crayford
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any eq www any eq www
access-list outside_access_in permit udp host a.a.a.a host b.b.b.b eq isakmp
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 crayford 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 crayford 255.255.255.0
access-list outside_cryptomap_20 permit ip crayford 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit tcp 192.168.1.0 255.255.255.0 crayford 255.255.255.0
access-list outside_cryptomap_20 permit icmp 192.168.1.0 255.255.255.0 crayford 255.255.255.0
access-list outside_cryptomap_20 permit udp 192.168.1.0 255.255.255.0 crayford 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside b.b.b.b 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location crayford 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer a.a.a.a
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address a.a.a.a netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns 194.72.0.98 194.72.9.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username alex password 4OrcOA4ugWKUTbUv encrypted privilege 15
terminal width 80

thanks Alex



Try this on both PIXes:

no isakmp nat-traversal
isakmp key ******** address X.X.X.X netmask 255.255.255.255 (without no-xauth no-config-mode)
clear ips sa
clear isa sa

Roman Nakhmanson


This is bogus! He needs NAT Traversal, and even if the devices are not behind NAT, NAT Traversal will not engage. Clearing SAs will not do a thing as there are no SAs created... X-auth is correct for L2L tunnels, and the same goes for config-mode.

Look in the perimeter routers for route problems and/or NAT problems. Also verify that you do not have speed/duplex problems in your setup (PIX vs router/switch, show interface, etc.).

HTH Martin


Have you tried reloading the PIX? (Both of them?)

HTH Martin


hi all,

I set up a small lab environment to test both PIXes and I managed to ping through the tunnel to both host networks from either side, confirming, I think, that the configs work. So this leaves the border ISP routers, which shouldn't be blocking anything because they're owned by BT. Has anyone got any ideas how to troubleshoot this?

regards

Alex


Are you sure the other end is able to receive your traffic?

Do a traceroute and check that ESP, UDP/500 and UDP/4500 (for NAT traversal) are open between the two peers.

It sounds more like a port block or routing issue to me.

ciscosec
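The port check suggested in this reply can be scripted. The Python probe below is an added example, not from the thread and not Cisco code: it sends one IKEv1 Main Mode MM1 to UDP/500 and, framed with the RFC 3948 non-ESP marker, to UDP/4500, then looks for the responder's MM2. The proposal mirrors the thread's isakmp policy 20 (3DES, MD5, pre-shared key, group 2, lifetime 86400 s), so a PIX configured as posted has a matching policy to answer with. The peer address is a command-line argument; the only data built into the file is the proposal. ESP (IP protocol 50) is out of scope, since that needs raw sockets or a capture on the far side.

```python
"""Probe whether an IKEv1 responder answers on UDP/500 and UDP/4500.
Added example for this thread, not Cisco code: one Main Mode MM1 with a
proposal matching the thread's 'isakmp policy 20' (3des, md5, pre-share,
group 2, 86400 s) is sent and the reply is checked for an MM2. ESP (IP
protocol 50) is not covered; that needs raw sockets or a capture."""
import os
import socket
import struct
import sys

ISAKMP_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 framing of IKE on UDP/4500
EXCH_MAIN_MODE = 2                     # Identity Protection exchange
PAYLOAD_SA = 1
HDR = "!8s8sBBBBII"                    # RFC 2408 ISAKMP header, 28 bytes

def _attr_tv(attr_type, value):
    """Basic attribute: type with high bit set, 2-byte value."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

def _attr_tlv(attr_type, value):
    """Variable-length attribute: type with high bit clear, length, value."""
    return struct.pack("!HH", attr_type, len(value)) + value

def build_mm1(initiator_cookie=b"", enc=5, hsh=1, auth=1, group=2, life=86400):
    """ISAKMP header + SA payload with one proposal and one transform."""
    cookie = initiator_cookie or os.urandom(8)
    attrs = (_attr_tv(1, enc)      # Encryption Algorithm: 5 = 3DES-CBC
             + _attr_tv(2, hsh)    # Hash Algorithm: 1 = MD5
             + _attr_tv(3, auth)   # Authentication Method: 1 = pre-shared key
             + _attr_tv(4, group)  # Group Description: 2 = 1024-bit MODP
             + _attr_tv(11, 1)     # Life Type: 1 = seconds
             + _attr_tlv(12, struct.pack("!I", life)))  # Life Duration
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal  # DOI IPsec, SIT_IDENTITY_ONLY
    header = struct.pack(HDR, cookie, bytes(8), PAYLOAD_SA, 0x10, EXCH_MAIN_MODE, 0, 0, 28 + len(sa))
    return header + sa

def parse_header(pkt, from_natt_port=False):
    """Decode an ISAKMP header; on UDP/4500 the non-ESP marker comes first."""
    if from_natt_port:
        if not pkt.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 packet without non-ESP marker")
        pkt = pkt[4:]
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    fields = struct.unpack(HDR, pkt[:28])
    names = ("icookie", "rcookie", "next_payload", "version", "exchange", "flags", "message_id", "length")
    return dict(zip(names, fields))

def is_mm2_reply(request, reply, from_natt_port=False):
    """An MM2 echoes our initiator cookie, sets a responder cookie, stays in
    Main Mode and leads with an SA payload (the chosen proposal)."""
    req, rep = parse_header(request), parse_header(reply, from_natt_port)
    return (rep["icookie"] == req["icookie"] and rep["rcookie"] != bytes(8)
            and rep["exchange"] == EXCH_MAIN_MODE and rep["next_payload"] == PAYLOAD_SA)

def probe(peer, port, timeout=3.0):
    """Send one MM1 to peer:port and classify what comes back. Needs a real
    peer and root to bind the source port; the offline checks skip this."""
    natt = port == NATT_PORT
    mm1 = build_mm1()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", port))     # responders reply to the source port they saw; many insist on 500/4500
        s.sendto(NON_ESP_MARKER + mm1 if natt else mm1, (peer, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply: filtered, unrouted, or ISAKMP not enabled there"
    try:
        if is_mm2_reply(mm1, data, natt):
            return "MM2 received: port open and proposal accepted"
        h = parse_header(data, natt)
        return f"reply but not MM2 (exchange {h['exchange']}, next payload {h['next_payload']})"
    except ValueError as e:
        return f"unparseable reply: {e}"

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ike_probe.py <peer-outside-address>")
    for port in (ISAKMP_PORT, NATT_PORT):
        print(port, probe(sys.argv[1], port))
```

Run it from a host on each side's outside network toward the other PIX. A reply on UDP/500 but silence on UDP/4500 matches a path that passes IKE but drops the NAT-T port, which is exactly the case the posted debug cannot rule out; silence on both points at filtering or routing rather than at the PIX configuration. The Life Duration attribute encodes 86400 as 00 01 51 80, the same bytes the posted debug prints as "life duration (VPI) of 0x0 0x1 0x51 0x80".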

Both sites can ping each other and access the internet, and I think in the past there have been connections running between the two sites, so this would rule out a routing problem. So that leaves a port being blocked??

Alex


As I told you previously, your config is fine. Verify that you do not have speed/duplex problems. Verify that your ISP routers do not have any NAT issues or any route issues.

To aid you in troubleshooting, you may wish to check out the capture command in the PIX, and check the sniffs in Wireshark.

HTH Martin

