site-to-site vpn does not work

Hi,

I have a PIX506E and a PIX515E, and set up a site-to-site VPN between them. But unfortunately for me, it does not work (users behind the FWs cannot ping or communicate with each other), although the site-to-site VPN is established.

The config 506E:

: Saved
: Written by enable_15 at 10:31:22.099 UTC Wed Apr 20 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password SCW1WJROwNp3ab2m encrypted
passwd Q1E9DDEwLwU88ag6 encrypted
hostname ChangPing-FW
fixup protocol dns maximum-length 1500
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 204.130.80.19 HK_OFFICE
access-list TrafficToTunnel permit ip 172.27.29.0 255.255.255.0 172.27.1.0 255.255.255.0
access-list VPNTraffic permit ip any 172.27.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 202.7.168.100 255.255.255.240
ip address inside 172.27.29.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPNTraffic
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 202.7.168.101 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map HKOffice 1000 ipsec-isakmp
crypto map HKOffice 1000 match address VPNTraffic
crypto map HKOffice 1000 set peer HK_OFFICE
crypto map HKOffice 1000 set transform-set strong ESP-3DES-MD5
crypto map HKOffice interface outside
isakmp enable outside
isakmp key CPOffice@jil2005 address HK_OFFICE netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
.....
console timeout 0
dhcpd address 172.27.29.51-172.27.29.200 inside
dhcpd dns 168.95.15.10 202.70.10.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:5aff920457495caca386cd3dcc9f9b10
: end

The PIX515E config:

: Saved
: Written by enable_15 at 10:14:25.005 HKST Thu Apr 21 2005
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password njx.VbJvYkGuA2lv encrypted
passwd y1UEuuRv/ffwHeKj encrypted
hostname JIL-Fw01
domain-name jil.com.hk
clock timezone HKST 8
fixup ......
....
fixup protocol tftp 69
names
............
name 204.130.80.19 JIL_FW
object-group network Allow_Proxy_GRP
network-object Internal_Network 255.255.248.0
object-group service ALLOW_TCP_GRP tcp
description Allow internet tcp services for users
port-object eq pop3
port-object eq domain
port-object eq www
port-object eq https
port-object eq smtp
port-object eq lpd
port-object eq 9100
port-object eq 5001
object-group service ALLOW_UDP_GRP udp
description Allow internet udp services for users
port-object eq echo
port-object eq ntp
port-object eq domain
object-group network INTERNAL_NET_GRP
description Internal network groups
network-object Internal_Network 255.255.248.0
object-group network LogNet_FTP_GRP
description Allow ftp to Log Net Group
network-object VLAN1_Net 255.255.255.0
object-group service ALLOW_TCP_Blossom tcp
description Allow outside to connect Blossom TCP
port-object eq pop3
port-object eq https
port-object eq www
object-group network AS400_Printer
network-object HP2300-17-1 255.255.255.255
network-object HP4300-22-1 255.255.255.255
network-object HP4300-17-1 255.255.255.255
...........
...........
port-object eq www
access-list acl_in permit tcp object-group Allow_IT_GRP any object-group ALLOW_IT_TCP
access-list acl_in deny tcp any host MSN_Server eq www
access-list acl_in permit tcp host Forte any eq 3101
access-list acl_in permit tcp object-group INTERNAL_NET_GRP object-group Ftp_Update_GRP eq ftp
access-list acl_in permit tcp object-group INTERNAL_NET_GRP any object-group ALLOW_TCP_GRP
access-list acl_in permit udp object-group INTERNAL_NET_GRP any object-group ALLOW_UDP_GRP
access-list acl_in permit tcp object-group Allow_Proxy_GRP host MailRelay eq 3128
access-list acl_in permit tcp host BLOSSOM2 any eq 3101
access-list acl_in permit tcp any host JIL_VC
access-list acl_in permit udp host Alpha eq domain any
access-list acl_in permit ip host Benson_PC any
access-list acl_in permit tcp VLAN2_Net 255.255.255.0 host MailRelay eq ssh
access-list acl_in permit ip host mscserver any
access-list acl_in permit ip host John_PC any
access-list acl_in permit ip host mscserver host Log-Net-Ftp
access-list acl_in deny tcp any any eq 1214
access-list acl_in deny udp any any eq 1214
access-list acl_in permit ip Internal_Network 255.255.0.0 CPOffice_LAN 255.255.255.0
access-list outside_access_in permit tcp any host 204.130.80.18 object-group ALLOW_TCP_Blossom
access-list outside_access_in permit tcp any host 204.130.80.17 eq smtp
access-list outside_access_in permit tcp any host 204.130.80.17 eq https
access-list outside_access_in permit ip any object-group AS400_Printer_ref
access-list outside_access_in permit tcp any host 204.130.80.165 eq www
access-list outside_access_in permit ip 172.16.16.0 255.255.255.0 any
access-list outside_access_in permit tcp any host 204.130.80.17 eq ssh
access-list outside_access_in permit ip 172.172.29.0 255.255.255.0 Internal_Network 255.255.0.0
access-list dmz_access_in permit tcp host TrendMicro any eq smtp
access-list dmz_access_in permit ip host MailRelay any
access-list dmz_access_in permit tcp host TrendMicro host blossom eq smtp
access-list dmz_access_in permit tcp host TrendMicro any eq www
access-list dmz_access_in permit tcp host TrendMicro any eq https
access-list dmz_access_in permit udp host TrendMicro host NEW_TT_DNS2 eq domain
access-list dmz_access_in permit udp host TrendMicro host PCC_DNS1 eq domain
access-list dmz_access_in permit udp host MailRelay any eq domain
access-list dmz_access_in permit udp host MailRelay any eq ntp
access-list dmz_access_in permit udp DMZ_NW-DG 255.255.255.0 any eq domain
access-list dmz_access_in permit tcp DMZ_NW-DG 255.255.255.0 any eq www
access-list dmz_access_in permit tcp DMZ_NW-DG 255.255.255.0 any eq https
access-list dmz_access_in permit icmp DMZ_NW-DG 255.255.255.0 any
access-list dmz_access_in permit tcp host MailRelay any eq smtp
access-list dmz_access_in permit udp host TrendMicro host NEW_TT_DNS1 eq domain
access-list outside_acl_in permit udp any any eq isakmp
access-list inside_outbound_nat0_acl permit ip object-group INTERNAL_NET_GRP host MailRelay
access-list inside_outbound_nat0_acl permit ip object-group Allow_Proxy_GRP host MailRelay
access-list inside_outbound_nat0_acl permit ip any 172.27.1.128 255.255.255.128
access-list inside_outbound_nat0_acl permit ip VLAN1_Net 255.255.255.0 host Log-Net-Ftp
access-list inside_outbound_nat0_acl permit ip object-group LogNet_FTP_GRP host Log-Net-Ftp
access-list inside_outbound_nat0_acl permit ip any CPOffice_LAN 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Internal_Network 255.255.0.0 172.172.29.0 255.255.255.0
access-list log_Traf_ToTunnel permit ip VLAN1_Net 255.255.255.0 host Log-Net-Ftp
access-list Traffic_To_CPOffice permit ip any CPOffice_LAN 255.255.255.0
access-list acl_inside deny tcp any any eq aol
access-list acl_inside deny udp any any eq 5190
access-list acl_inside deny tcp any any eq 1863
access-list acl_inside deny udp any any eq 1863
access-list acl_inside deny udp any any eq 5050
access-list acl_inside deny tcp any any eq 5050
access-list acl_inside deny tcp any any eq 6969
access-list acl_inside deny udp any any eq 6969
access-list acl_inside deny tcp any any eq 5100
access-list acl_inside deny udp any any eq 5100
access-list acl_inside deny udp any any eq 2000
access-list acl_inside deny tcp any any eq 2000
access-list acl_inside deny tcp any any eq 2001
access-list acl_inside deny udp any any eq 2001
access-list acl_inside deny udp any any eq 5000
access-list acl_inside deny tcp any any eq 5001
pager lines 24
logging on
logging timestamp
logging standby
logging trap notifications
logging facility 23
logging host inside 172.27.2.202
icmp deny any echo-reply outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside JIL_FW 255.255.255.224
ip address inside 172.27.1.1 255.255.255.0
ip address dmz 10.101.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RemoteAccessVPN 172.27.1.180-172.27.1.199
pdm location NEW_TT_DNS1 255.255.255.255 outside
.............
.............
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (outside) 3 204.130.80.18
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 Internal_Network 255.255.224.0 0 0
nat (dmz) 10 DMZ_Network 255.255.255.0 0 0
nat (dmz) 10 DMZ_NW-DG 255.255.255.0 0 0
static (dmz,outside) 204.130.80.19 MailRelay netmask 255.255.255.255 50 50
static (inside,outside) 204.130.80.15 Network_CAM_17F netmask 255.255.255.255
................
access-group outside_access_in in interface outside
access-group acl_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 204.130.80.16 1
route inside Internal_Network 255.255.248.0 172.27.1.254 1
route dmz DMZ_NW-DG 255.255.255.0 10.101.1.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
...............
snmp-server location HK
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
service resetinbound
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map CPOffice 1000 ipsec-isakmp
crypto map CPOffice 1000 match address Traffic_To_CPOffice
crypto map CPOffice 1000 set peer CP_OFFICE_VPN
crypto map CPOffice 1000 set transform-set strong
crypto map LogNet 1001 ipsec-isakmp
crypto map LogNet 1001 match address log_Traf_ToTunnel
crypto map LogNet 1001 set peer Log_Net_VPN
crypto map LogNet 1001 set transform-set ESP-3DES-MD5
crypto map LogNet interface outside
isakmp enable outside
isakmp key CPOffice@jil2005 address CP_OFFICE_VPN netmask 255.255.255.255
isakmp key @f1vst0Ou! address Log_Net_VPN netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
..............
..............
console timeout 0
vpdn group vpdn enable outside
terminal width 80
Cryptochecksum:13336cdb1776ffcf6288c1bdbad293c9
: end

Thank you

Benson


In article , Benson wrote:

:The config 506E:

:access-list VPNTraffic permit ip any 172.27.1.0 255.255.255.0

:nat (inside) 0 access-list VPNTraffic

:crypto map HKOffice 1000 match address VPNTraffic

You should avoid using the same access list name for nat 0 and crypto map. In theory it should not cause any problems, but in practice it does (especially if the same ACL is applied to an interface via an access-group).

:The Pix515E config:

:crypto map CPOffice 1000 ipsec-isakmp
:crypto map CPOffice 1000 match address Traffic_To_CPOffice
:crypto map CPOffice 1000 set peer CP_OFFICE_VPN
:crypto map CPOffice 1000 set transform-set strong

You haven't applied that to any interface, so it is just sitting inactive.

One active crypto map per interface. Distinguish the parts by using different sequence numbers within it.

Walter Roberson
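As an added illustration (not code from anyone in the thread), a small Python check for the two configuration mistakes Walter points out, run over constructed samples that contain only the VPN-relevant lines of the two configs posted above, split one command per line:

```python
import re

# Constructed samples: the VPN-relevant lines of the two posted configs,
# one command per line (everything else omitted).
CONFIG_506E = """
access-list VPNTraffic permit ip any 172.27.1.0 255.255.255.0
nat (inside) 0 access-list VPNTraffic
crypto map HKOffice 1000 ipsec-isakmp
crypto map HKOffice 1000 match address VPNTraffic
crypto map HKOffice 1000 set peer HK_OFFICE
crypto map HKOffice interface outside
"""

CONFIG_515E = """
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map CPOffice 1000 ipsec-isakmp
crypto map CPOffice 1000 match address Traffic_To_CPOffice
crypto map LogNet 1001 ipsec-isakmp
crypto map LogNet 1001 match address log_Traf_ToTunnel
crypto map LogNet interface outside
"""

def lint_vpn_config(config):
    """Return sorted findings for a PIX 6.x config text (empty list = clean)."""
    findings = []
    # ACLs used for NAT exemption: 'nat (ifc) 0 access-list NAME'
    nat0_acls = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))
    # (map, ACL) pairs from 'crypto map NAME SEQ match address ACL'
    match_acls = re.findall(r"^crypto map (\S+) \d+ match address (\S+)", config, re.M)
    # (map, interface) pairs from 'crypto map NAME interface IFC'
    bound = re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M)
    bound_maps = {m for m, _ in bound}
    for cmap, acl in match_acls:
        if acl in nat0_acls:
            findings.append("ACL %s is shared by nat 0 and crypto map %s" % (acl, cmap))
    for cmap in sorted({m for m, _ in match_acls}):
        if cmap not in bound_maps:
            findings.append("crypto map %s is not applied to any interface" % cmap)
    # Only one crypto map is active per interface; a second 'interface' line
    # for the same interface replaces the first, so two lines is a mistake.
    for ifc in {i for _, i in bound}:
        if sum(1 for _, i in bound if i == ifc) > 1:
            findings.append("more than one crypto map bound to interface %s" % ifc)
    return sorted(findings)

if __name__ == "__main__":
    for name, cfg in (("PIX506E", CONFIG_506E), ("PIX515E", CONFIG_515E)):
        print(name, lint_vpn_config(cfg) or ["no findings"])
```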

Hi, Roberson,

I did make the correction you mentioned, but the VPN still does not work. What else do you suggest?

Thank you for your help.

Benson


Hi Benson,

In your earlier post, before Walter pointed out the above, you indicated that your VPN was established.

Are you actually getting hits on the crypto access-lists?

'show access-list' (check the hits and see if the crypto access-list increments)

'show crypto ipsec sa'

Do you see the SPIs confirming that a VPN session is there? Check the information in the fields to see if the counters for encrypted traffic / decrypted traffic are moving. 'debug cry ipsec' can also produce some interesting feedback.

Regards

Darren Green
