Site to Site VPN - PIX 506e

Hi,

I've got a site to site VPN created with two Pix 506e firewalls. The remote site has 7 users over a 512k ADSL line. The VPN is used for MS Outlook, occasional file access and the use of a terminal emulator connected to a UNIX box at the central site.

Users in the remote site will lose connectivity to the UNIX box a few times during the day, but the VPN appears to still be running, as it doesn't kick all users off.

I created the VPN using PDM and have checked the configs on the Cisco website. Below are the configs, the first one being the central site. I've also copied the entries from the syslog from when the users get kicked.

Any help is greatly appreciated

Thanks in advance

Trevor

CENTRAL SITE CONFIG

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.0 flg
access-list inside_access_in permit tcp any any
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip 192.168.184.0 255.255.255.0 flg 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.184.0 255.255.255.0 flg 255.255.255.0
access-list smtp permit tcp any host 1.2.3.35 eq smtp
access-list smtp remark TS
access-list smtp permit tcp any host 1.2.3.35 eq 3389
access-list smtp remark Security DVR
access-list smtp permit tcp any host 1.2.3.50 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.61 255.255.255.224
ip address inside 192.168.184.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location flg 255.255.255.0 inside
pdm location 192.168.184.1 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.224 outside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 0.0.0.0 255.255.255.224 inside
pdm location 192.168.184.0 255.255.255.255 inside
pdm location flg 255.255.255.0 outside
pdm location 4.5.6.222 255.255.255.255 outside
pdm location 192.168.184.3 255.255.255.255 inside
pdm location 192.168.184.100 255.255.255.255 inside
pdm location 192.168.184.128 255.255.255.128 outside
pdm location flg 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 1.2.3.35 192.168.184.1 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.50 192.168.184.3 netmask 255.255.255.255 0 0
access-group smtp in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.2.3.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.184.1 xxx timeout 5
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.184.1 255.255.255.255 inside
http 192.168.184.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection timewait
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 4.5.6.222
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 4.5.6.222 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.184.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcprelay server 192.168.184.1 inside
username admin password xxx encrypted privilege 15
terminal width 80

REMOTE SITE VPN

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx encrypted
passwd xxx encrypted
hostname flgfw
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.184.0 NW
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 NW 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 NW 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 4.5.6.222 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location NW 255.255.255.0 outside
pdm location NW 255.255.255.0 inside
pdm location NW 255.255.255.255 outside
pdm location NW 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 4.5.6.209 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.2.3.61
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.3.61 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 192.168.184.1 217.169.20.20
dhcpd wins 192.168.184.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xxx.local
dhcpd auto_config outside
dhcpd enable inside
username admin password x encrypted privilege 15
terminal width 80

**** SYSLOG ****

2005-06-03 15:25:15 Local4.Info 192.168.184.254 Jun 03 2005 15:20:55: %PIX-6-302014: Teardown TCP connection 42314 for outside:192.168.1.5/1354 to inside:192.168.184.2/23 duration 0:00:26 bytes 1415 TCP FINs
^^^^^ User gets kicked ^^^^^

The only entry from the same terminal is this one which occurred 14 mins previously

2005-06-03 15:11:30 Local4.Info 192.168.184.254 Jun 03 2005 15:07:10: %PIX-6-302014: Teardown TCP connection 39426 for outside:192.168.1.5/1179 to inside:192.168.184.2/23 duration 3:38:18 bytes 1189161 Conn-timeout

Details for 192.168.184.0/255.255.255.0/0/0 flg/255.255.255.0/0/0 at Fri Jun 03 15:34:38 BST 2005

local ident (addr/mask/prot/port): (192.168.184.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (flg/255.255.255.0/0/0)
current_peer: 4.5.6.222:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 51208, #pkts encrypt: 51208, #pkts digest 51208
#pkts decaps: 51474, #pkts decrypt: 51582, #pkts verify 51582
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#pkts no sa (send) 519, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 1.2.3.61, remote crypto endpt.: 4.5.6.222
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: b63f0607

inbound esp sas:
  spi: 0xaf013b09(2936093449)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 2, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4607734/27782)
    IV size: 8 bytes
    replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
  spi: 0xb63f0607(3057583623)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 1, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4607663/27782)
    IV size: 8 bytes
    replay detection support: Y

outbound ah sas:

outbound pcp sas:

Reply to
buttino

This log entry indicates a standard connection timeout: a one-hour idle time after which a connection closes. I suggest that you increase the timeout value, because otherwise possible problems with the VPN tunnel will get mixed up with the inactivity timeouts and you don't know which is which.

Reply to
Jyri Korhonen
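An added example, not code from the thread or from either poster: a small Python parser for the %PIX-6-302014 teardown entries quoted above that labels each teardown by its close reason, so that Conn-timeout teardowns (the timeout conn inactivity timer Jyri refers to) are counted apart from other closes before anyone blames the tunnel. The sample log is constructed from the two entries in the original post; the field names and the "idle-timeout"/"normal-close" labels are this example's own.

```python
import re

# Added example, not the thread's own code: parse PIX 6.3 %PIX-6-302014 teardown entries
# and label each by close reason, so "timeout conn" idle teardowns are counted apart.
# Constructed sample: the two entries quoted in the original post.
SAMPLE_LOG = """\
2005-06-03 15:25:15 Local4.Info 192.168.184.254 Jun 03 2005 15:20:55: %PIX-6-302014: Teardown TCP connection 42314 for outside:192.168.1.5/1354 to inside:192.168.184.2/23 duration 0:00:26 bytes 1415 TCP FINs
2005-06-03 15:11:30 Local4.Info 192.168.184.254 Jun 03 2005 15:07:10: %PIX-6-302014: Teardown TCP connection 39426 for outside:192.168.1.5/1179 to inside:192.168.184.2/23 duration 3:38:18 bytes 1189161 Conn-timeout
"""

TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$"
)

def duration_seconds(hms):
    """Convert the PIX 'h:mm:ss' duration field to whole seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_teardown(line):
    """Return a dict of fields for a 302014 entry, or None for any other line."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("conn", "sport", "dport", "nbytes"):
        rec[key] = int(rec[key])
    rec["seconds"] = duration_seconds(rec["dur"])
    return rec

def classify(rec):
    """'idle-timeout' is the conn timer firing, not a tunnel fault; 'normal-close' is FINs."""
    if rec["reason"] == "Conn-timeout":
        return "idle-timeout"
    if rec["reason"] == "TCP FINs":
        return "normal-close"
    return "other"

def summarize(log_text, dport=23):
    """Count close reasons for teardowns to one destination port (23 = telnet)."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_teardown(line)
        if rec is None or rec["dport"] != dport:
            continue
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
    return counts
```

Run summarize() over a day's syslog export; once the idle-timeout count is separated out, what remains is the set of closes worth checking against the tunnel's SA counters.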

Jyri,

Thanks for the response, what is the command that I need to use so the timeout will be increased?

Reply to
buttino

To change the idle timeout:

timeout conn hh:mm:ss

Note that you have to do this at both ends. More info about the timeout command:

formatting link

Reply to
Jyri Korhonen

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.