TheStressFactor
Hello All,
I am creating a pix to pix vpn tunnel and am having some problems.
If I do a sh isakmp sa it seems that the tunnel has been created. The PIX 501 is assigning DHCP addresses. However, I cannot surf the web from behind the 501, nor can I access any resources behind the 515. Can anyone take a look at my config and tell me what I am missing? Below are the 515 (main office) and the 501 (remote West Chester office, 192.168.17.0).
This is the first cable modem/PIX combo I have done. I am used to doing it with DSL, but I figure it should be more or less the same. Right now the way I have it is a network cable going from the WAN port of the PIX to one of the LAN ports on the cable modem.
PIX 515
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password encrypted
passwd encrypted
hostname x.
domain-name x.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service Allow_OUT tcp
description Inside Permitted Traffic
port-object eq domain
port-object eq echo
port-object eq imap4
port-object eq smtp
port-object eq www
port-object eq ident
port-object eq ftp
port-object eq whois
port-object eq telnet
port-object eq ldap
port-object eq pop3
port-object eq ssh
port-object eq nntp
port-object eq h323
port-object eq ldaps
port-object eq aol
port-object eq ftp-data
port-object eq pptp
port-object eq https
port-object eq 5061
access-list inside_outbound_nat0_acl permit ip any 192.168.50.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.101.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.17.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.250.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit tcp any any eq 5061
access-list MS permit ip host 146.145.243.226 169.254.200.0 255.255.255.0
access-list split permit ip any 192.168.17.0 255.255.255.0
access-list westchester permit ip any 192.168.17.0 255.255.255.0
pager lines 24
logging on
logging trap warnings
logging history warnings
logging facility 23
logging host outside 169.254.200.3
logging host outside 169.254.200.8
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.x x.x.x.x
ip address inside 192.168.100.2 255.255.255.0
ip address intf2 172.16.100.2 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool PennoniVPN 10.250.1.1-10.250.1.100
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set NORMAL esp-des esp-md5-hmac
crypto ipsec transform-set brownsville esp-des esp-md5-hmac
crypto ipsec transform-set westchester esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address MS
crypto map outside_map 10 set peer x.x.x.75
crypto map outside_map 10 set transform-set NORMAL
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address brownsville
crypto map outside_map 30 set peer x.x.x.208
crypto map outside_map 30 set transform-set brownsville
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address westchester
crypto map outside_map 40 set peer x.x.x.69
crypto map outside_map 40 set transform-set westchester
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.75 netmask 255.255.255.255
isakmp key ******** address x.x.x.208 netmask 255.255.255.0 no-xauth no-config-mode
isakmp key ******** address x.x.x.69 netmask 255.255.255.252 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10 5
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 76400
501
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname x
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.54.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
ip address outside x.x.x.69 255.255.255.252
ip address inside 192.168.17.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.70 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set phili esp-des esp-md5-hmac
crypto map phili 40 ipsec-isakmp
crypto map phili 40 match address 10
crypto map phili 40 set peer x.x.x.226
crypto map phili 40 set transform-set phili
crypto map phili interface outside
isakmp enable outside
isakmp key ******** address x.x.x.226 netmask x.x.x.224 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
console timeout 0
dhcpd address 192.168.17.50-192.168.17.80 inside
dhcpd dns 192.168.51.2 192.168.51.3
dhcpd wins 192.168.51.2 192.168.51.3
dhcpd lease 5000
dhcpd ping_timeout 750
dhcpd domain xi.com
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
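A phase-1 SA in sh isakmp sa only proves the peers agreed on ISAKMP; traffic crossing the tunnel depends on the phase-2 proxy identities, which come from the crypto-map ACLs on each side, and on those ACLs being exempted from NAT. The script below is an added example, not part of the original post: it parses the "permit ip" entries of the two crypto ACLs (the 515's westchester and the 501's access-list 10, constructed here from the configs above, with the 515 reduced to the ACLs that matter for this tunnel) and reports, for each entry, whether the far side has an exact mirror, only a broader entry that covers it, or nothing at all. It also checks that the nat 0 ACL exempts the same traffic and whether a given far-side address (the 515's inside interface from the config, 192.168.100.2) is inside the remote crypto ACL at all. All function names are this example's own.

```python
"""Cross-check the crypto-map ACLs of two PIX 6.x configs for a site-to-site tunnel.

Added example (not from the original post). It parses 'access-list ... permit ip'
lines, then checks three things a tunnel that shows a phase-1 SA but passes no
traffic often fails on: whether each interesting-traffic entry has an exact
mirror on the far side, whether the nat 0 ACL exempts the same traffic, and
whether a given far-side address is inside the remote crypto ACL at all.
Function names are this example's own; inputs are constructed from the configs
in the thread (the 515 reduced to its West Chester-related ACLs).
"""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")

# Constructed from the 515 config above: its nat 0 ACL and the crypto ACL
# matched by crypto map outside_map 40.
PIX515 = """
access-list inside_outbound_nat0_acl permit ip any 192.168.50.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.101.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.17.0 255.255.255.0
access-list westchester permit ip any 192.168.17.0 255.255.255.0
"""

# Constructed from the 501 config above: access-list 10 serves as both its crypto
# ACL and its nat 0 ACL; these are the third octets of its 21 destination /24s.
ACL10_DST_OCTETS = list(range(1, 13)) + [14, 15, 16, 51, 52, 53, 54, 60, 50]
PIX501 = "\n".join(
    f"access-list 10 permit ip 192.168.17.0 255.255.255.0 192.168.{o}.0 255.255.255.0"
    for o in ACL10_DST_OCTETS
)


def _endpoint(tokens):
    """Consume one ACL endpoint (any | host A.B.C.D | A.B.C.D MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(config, name):
    """Return the set of (src, dst) networks permitted by the 'permit ip' entries of ACL `name`.
    Entries for other protocols (e.g. 'permit tcp ... eq 5061') are ignored."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            src, rest = _endpoint(m.group(2).split())
            dst, _ = _endpoint(rest)
            pairs.add((src, dst))
    return pairs


def mirror_report(local, remote):
    """Classify each local (src, dst) pair against the remote crypto ACL:
    'mirrored'  - remote has exactly (dst, src): the safe, recommended configuration
    'covered'   - remote only has a broader entry (e.g. 'any') containing the reversed pair
    'unmatched' - nothing on the remote side corresponds"""
    report = {}
    for src, dst in local:
        if (dst, src) in remote:
            report[(src, dst)] = "mirrored"
        elif any(src.subnet_of(rd) and dst.subnet_of(rs) for rs, rd in remote):
            report[(src, dst)] = "covered"
        else:
            report[(src, dst)] = "unmatched"
    return report


def nat0_gaps(crypto, nat0):
    """Crypto ACL pairs the nat 0 ACL does not exempt: that traffic is PATed to the
    outside interface address first and never matches the crypto ACL."""
    return {(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)}


def destination_permitted(pairs, address):
    """True if `address` lies inside some destination network of the ACL."""
    ip = ipaddress.ip_address(address)
    return any(ip in dst for _, dst in pairs)


if __name__ == "__main__":
    wc = parse_acl(PIX515, "westchester")
    acl10 = parse_acl(PIX501, "10")
    for pair, verdict in mirror_report(wc, acl10).items():
        print(f"515 -> 501  {pair[0]} -> {pair[1]}: {verdict}")
    for pair, verdict in sorted(mirror_report(acl10, wc).items(), key=str):
        print(f"501 -> 515  {pair[0]} -> {pair[1]}: {verdict}")
    print("515 nat 0 gaps:", nat0_gaps(wc, parse_acl(PIX515, "inside_outbound_nat0_acl")))
    # 192.168.100.2 is the 515's inside interface in the posted config.
    print("192.168.100.2 is a destination in ACL 10:", destination_permitted(acl10, "192.168.100.2"))
```

Run against the two configs, the 515's single "any -> 192.168.17.0/24" entry comes back as unmatched from the 515's point of view, and all 21 entries of the 501's ACL 10 are merely covered rather than mirrored, which is exactly the situation Cisco's guidance on crypto ACLs (no "any", exact mirror images on both peers) is meant to avoid. The nat 0 check passes on both boxes, and the last line shows that the 515's own inside subnet is not a destination in ACL 10. On the PIX itself, show crypto ipsec sa, not show isakmp sa, is the command that tells you whether phase-2 SAs exist and whether packets are being encrypted and decrypted.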