Site to Site VPN problems between PIX 501 and PIX 515

Recently at work I was handed an old Cisco PIX 501 and was told to get a VPN working with our PIX 515 for a remote office location. The 501 had been set up for a VPN 3 years ago with the 515 so I thought that this would be easy, as the config information on both ends has not changed. Obviously, I was mistaken and no matter what I try I cannot get the VPN tunnel to work. Any help would be greatly appreciated. I'm sorry if this is long winded but here are the configs for the 501 and 515:

PIX 501
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname example501
domain-name example.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list example permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list acl_out permit icmp any any
pager lines 24
logging on
logging timestamp
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.10.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list example
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set exampledyn esp-3des esp-md5-hmac
crypto map example 10 ipsec-isakmp
crypto map example 10 match address example
crypto map example 10 set peer #.#.#.162
crypto map example 10 set transform-set exampledyn
crypto map example interface outside
isakmp enable outside
isakmp key *** address #.#.#.162 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 10.10.20.0 255.255.255.0 inside
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh 10.10.20.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.10.20.100-10.10.20.131 inside
dhcpd dns 10.10.10.3 10.10.10.6
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain example.net
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:***

-------------------------------------------

PIX 515
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password *** encrypted
passwd *** encrypted
hostname example515
domain-name example.net
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list vpn permit ip 10.10.10.0 255.255.255.0 10.10.40.0 255.255.255.0
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host #.#.#.163 eq ftp
access-list acl_out permit tcp any host #.#.#.163 eq ftp-data
access-list acl_out permit tcp any host #.#.#.163 eq www
access-list acl_out permit tcp any host #.#.#.163 eq smtp
access-list acl_out permit tcp any host #.#.#.163 eq pop3
access-list acl_out permit tcp any host #.#.#.163 range 5500 5700
pager lines 24
logging on
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside #.#.#.162 255.255.255.248
ip address inside 10.10.10.10 255.255.255.0
ip address dmz 10.10.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.10.30.1-10.10.30.254
ip local pool vpnpool1 10.10.40.1-10.10.40.254
pdm location 10.10.10.0 255.255.255.0 inside
pdm logging warnings 200
pdm history enable
arp timeout 14400
global (outside) 1 #.#.#.164-#.#.#.165
global (outside) 1 #.#.#.166 netmask 255.255.255.248
global (dmz) 1 10.10.1.50-10.10.1.100 netmask 255.255.255.0
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 10.10.1.0 255.255.255.0 0 0
static (dmz,outside) #.#.#.163 10.10.1.25 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 #.#.#.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set exampledyn esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set exampledyn
crypto map example 10 ipsec-isakmp dynamic cisco
crypto map example interface outside
isakmp enable outside
isakmp key *** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup examplevpn address-pool vpnpool
vpngroup examplevpn dns-server 10.10.10.19 10.10.10.6
vpngroup examplevpn wins-server 10.10.10.19
vpngroup examplevpn default-domain example.net
vpngroup examplevpn idle-time 1800
vpngroup examplevpn password ***
vpngroup examplenet address-pool vpnpool
vpngroup examplenet dns-server 10.10.10.19 10.10.10.6
vpngroup examplenet wins-server 10.10.10.19
vpngroup examplenet default-domain example.net
vpngroup examplenet idle-time 1800
vpngroup examplenet password ***
telnet 10.10.10.0 255.255.255.0 inside
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:***
Reply to
Jeff

It would be better, for security and stability reasons, to upgrade that to 6.3(5)112 .

What kind of device is the 501 connected to? You may wish to go to auto or 100full instead of 10baset .

I do not recommend permitting -all- icmp in. For example, you do not want intruders sending you icmp redirects to divert user banking sessions to the intruder's systems.

You should not use 3DES with MD5; either use 3DES with SHA, or use DES with MD5.

You should not use the same ACL for 'match address' and 'nat 0 access-list'. Instead use two different ACLs that [in this configuration] happen to have the same content. You can get some subtle bugs when you have ACLs being used for multiple purposes.

You have a mismatch between transforms: for phase 1 you are using DES MD5, but for phase 2 you are using 3DES MD5. In theory using different transforms for the two phases should work, but in practice I have seen it cause problems.

It is usually best to specify multiple transforms for both phases, so that there is some room for "falling back" in case the original negotiation fails. For phase 2, create multiple 'transform-set' lines, and then on the 'set transform-set' clause, list transform set names with your first preference first on the line. For phase 1, create multiple 'isakmp policy' with different policy numbers, and the lowest numbered policy should be the one you prefer.

Both your 501 and 515 have PIX 6.3, and both of them have 3DES, and that combination implies that both of them support AES. AES is more secure and faster than 3DES, so I would suggest you make your first choice AES 128 bit SHA group 5, then second 3DES SHA group 2, then third DES MD5 group 1.

Your 'ip address' commands tell us that 10.10.20 is inside, and your 'example' access-list implies that 10.10.10 is outside (at the PIX 515), so here and for the ssh, it does not make sense to permit access to the PIX for 10.10.10 from the 'inside' interface.

As per above, I recommend upgrading to 6.3(5)112.

See above note about icmp any.

You never need to permit ftp-data by itself. ftp-data will be opened at need by the PIX when it sees a valid ftp session taking place.

See above notes about transform sets.

This indicates that your preference is DES MD5 group 1, second choice 3DES MD5 group 2, but on the other side you only allow for DES MD5 group 1. A mismatch, but not a problem in itself. But see the above notes about preferred transform sets.
Reply to
Walter Roberson
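
Walter's three configuration points above (a separate ACL for 'nat 0', several phase 2 transform sets in preference order, several phase 1 policies with the preferred one numbered lowest) written out in PIX 6.3 syntax. This is an added example, not something posted in the thread: the names nonat, aes-sha, 3des-sha and des-md5 are made up, the peer address and key are the masked values from Jeff's config, and it assumes both boxes carry the 3DES/AES activation key that Walter infers from the existing esp-3des lines. Lines beginning with ! are annotations, not commands.

```cisco
! ===== PIX 501 (remote office): crypto section revised =====
! 1. NAT exemption gets its own ACL. Same content as 'example' today,
!    but no longer shared with 'match address'.
access-list nonat permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
no nat (inside) 0 access-list example
nat (inside) 0 access-list nonat

! 2. Phase 2: three transform sets, listed strongest first on the map.
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto map example 10 ipsec-isakmp
crypto map example 10 match address example
crypto map example 10 set peer #.#.#.162
crypto map example 10 set transform-set aes-sha 3des-sha des-md5
crypto map example interface outside

! 3. Phase 1: the lowest-numbered policy is offered first.
!    Re-entering the attributes of policy 10 replaces its old DES/MD5 values.
isakmp enable outside
isakmp key *** address #.#.#.162 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400

! ===== PIX 515 (head end): the matching side =====
! The dynamic map carries the same ordered list, so whichever proposal
! the 501 sends first is one the 515 will accept.
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set aes-sha 3des-sha des-md5
crypto map example 10 ipsec-isakmp dynamic cisco
crypto map example interface outside
! isakmp policies 10/20/30 exactly as on the 501, and the existing
! 'isakmp policy 1' (DES/MD5/group 1) removed so that DES is no longer
! the first thing the 515 offers.
```

Two things to keep in mind when applying this. The 501's outside address comes from DHCP, which is why the 515 side is a dynamic crypto map with an 'isakmp key ... address 0.0.0.0' wildcard: the 515 has no fixed peer address to initiate to, so the tunnel only ever comes up when the 501 starts it. And the dynamic map 'cisco' is also where the 'vpngroup' remote-access clients on the 515 land, so keep a 3DES set in the list for any client that cannot do AES rather than trimming it to the AES set alone.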

Thanks for the suggestions Walter, I will try the new configs out this weekend when I can get an outside connection going for the 501.

Reply to
Jeff

snip

Walter,

Just out of interest, why should you not use 3DES & MD5.

Regards

Darren

Reply to
Darren Green

Well, after testing it from my cable modem at home and getting a DHCP lease for the outside connection on the Pix 501 I ran into another interesting problem. With the 501 connected to the cable modem, I connected a laptop to one of the additional ports (port 3) on the 501 but still did not have a VPN light turned on. So, just for the heck of it, seeing as how I was theoretically connected to the Internet I opened up IE and instantly the VPN tunnel light came to life on the Pix. What I am wondering is this: Why would it take an Internet session for the VPN to initialize?

Reply to
Jeff

The SAs are built on the "interesting" traffic from the ACLs in the "match" statement; the VPN is not up until the "interesting" traffic is matched.

Reply to
none
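
A way to watch the behaviour described in the last two posts from the 501's console. This is an added checklist, not something posted in the thread; 10.10.10.3 is only used because it appears as a DNS server in the 501's dhcpd line, so it is a known host on the far side of the tunnel.

```cisco
! On the PIX 501, before any host behind it has sent anything: no
! phase 1 SA to #.#.#.162 is listed yet.
show isakmp sa

! Now generate interesting traffic from a host behind the 501, i.e.
! something ACL 'example' permits (10.10.20.0/24 -> 10.10.10.0/24):
!   laptop> ping 10.10.10.3
! Use a host, not the PIX's own 'ping' command: on PIX 6.3 traffic the
! PIX itself originates is not run through the crypto map, so it will
! leave the outside interface in the clear and never start negotiation.

! Phase 1 now lists the peer; phase 2 shows the SA for
! 10.10.20.0/24 <-> 10.10.10.0/24 with encaps/decaps packet counters
! that climb as the ping runs.
show isakmp sa
show crypto ipsec sa

! Quickest confirmation that the traffic really matched the
! 'match address' ACL: its hit counter increases.
show access-list example

! If nothing comes up, watch the negotiation itself (noisy, console only):
debug crypto isakmp
debug crypto ipsec

! And to retest from a clean state, tear both phases down:
clear crypto ipsec sa
clear crypto isakmp sa
```

Because the 501 sits behind DHCP and the 515 only has a dynamic map, this sequence always has to be driven from the 501 side; nothing on the 515 can bring the tunnel up on its own.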

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.