
Help: PIX to PIX

Status
Not open for further replies.

Oh (IS-IT--Management, JP), Jun 24, 2002
Hi.
I plan to connect our branch via VPN using two PIX 515Es. I am doing it following Cisco's guide "Configuring PIX-to-PIX-to-PIX IPSec (Hub and Spoke)". Before I send the PIX to our branch, I am doing a test in my office using two PIXs whose outside ports are connected directly, and on each PIX the route is set to the other one. But after I configured everything and pinged from one to the other, there was no response. When I check with "sh crypto ipsec sa", the tunnel has been built, but the packets only travel one way, that is, one PIX only shows
"#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9"
"#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0"
and the other
"#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0"
"#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9"

I think this is caused by the route setting, because in the doc the two PIXs are connected to a hub and on each PIX the route is set to another router. Can somebody here help me work it out? Thanks.
 
PIX 1: working as the hub

: Saved
: Written by enable_15 at 00:02:27.754 UTC Tue Jun 25 2002
PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname XXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip host 192.28.16.5 10.0.2.0 255.255.255.248
access-list 101 permit ip host 192.28.16.1 10.0.2.0 255.255.255.248
access-list 101 permit ip host 192.28.16.10 10.0.2.0 255.255.255.248
access-list 101 permit ip host 192.17.226.1 10.0.2.0 255.255.255.248
access-list 101 permit ip host 192.17.226.3 10.0.2.0 255.255.255.248
access-list 101 permit ip host 192.17.24.4 10.0.2.0 255.255.255.248
access-list 101 permit ip host 192.17.228.6 10.0.2.0 255.255.255.248
access-list 101 permit ip 192.17.227.0 255.255.255.0 10.0.2.0 255.255.255.248
access-list 110 permit ip 192.28.16.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 120 permit ip 192.28.16.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list 130 permit ip 192.28.16.0 255.255.255.0 10.10.30.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging history debugging
logging host inside 192.28.16.8
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 212.196.xxx.xxx 255.255.255.248
ip address inside 192.28.16.17 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.0.2.1-10.0.2.7
no failover
pdm history enable
arp timeout 14400
global (inside) 1 192.28.16.56
nat (outside) 1 10.0.2.0 255.255.255.248 outside 0 0
nat (inside) 0 access-list 101
conduit permit icmp any any echo
route outside 0.0.0.0 0.0.0.0 221.196.xxx.xxx 1
route inside 190.66.0.0 255.255.0.0 192.28.16.254 1
route inside 192.16.0.0 255.240.0.0 192.28.16.254 1
route inside 192.17.0.0 255.255.0.0 192.28.16.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server micro-auth protocol radius
aaa-server micro-auth (inside) host 192.28.16.9 cisco123 timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 50 set transform-set myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 211.143.XXX.XXX
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 120
crypto map mymap 20 set peer 161.99.XXX.XXX
crypto map mymap 20 set transform-set myset
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 130
crypto map mymap 30 set peer 228.24.XXX.XXX
crypto map mymap 30 set transform-set myset
crypto map mymap 40 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication micro-auth
crypto map mymap interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxx address 211.143.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key xxxxxxxxxxxx address 161.99.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key xxxxxxxxxxxx address 228.24.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup pixjp address-pool ippool
vpngroup pixjp dns-server 192.17.24.4
vpngroup pixjp default-domain AA.BB.CC
vpngroup pixjp idle-time 1800
vpngroup pixjp password xxxxxxxxxx
telnet 192.0.0.0 255.0.0.0 inside
telnet timeout 15
ssh timeout 15
terminal width 80
Cryptochecksum:d648d131c108be05db512f98b5998e02
: end


And this config does not let Cisco VPN Client 3.5 connect in,
but before we added the "site to site VPN", it worked.
When I use "sh isakmp sa" it shows there are 2 tunnels created for the dynamic-map. I think it should be right when there is only one tunnel here.

Thanks
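As an added example (my own, not from the original post or from Cisco's guide), the script below reads the "#pkts encaps/decaps" counter lines quoted above from both peers and classifies which direction of the tunnel never enters the crypto map, then checks that a spoke's crypto ACL is the exact mirror of the hub's access-list 110, since a PIX only encrypts return traffic that matches its own crypto ACL in the reverse direction. The counter text is constructed from the numbers quoted in the post; the two spoke ACL lines are hypothetical, because the post does not include the branch configuration.

```python
"""Diagnose a one-way PIX-to-PIX IPsec tunnel.

Two checks a practitioner runs on the symptom described in the post:
  1. compare '#pkts encaps/decaps' from 'show crypto ipsec sa' on both
     peers to see which direction never enters the crypto map;
  2. verify the spoke's crypto ACL is the exact mirror of the hub's, since
     the return traffic is only encrypted if it matches the spoke's ACL.
"""
import re
from ipaddress import ip_network

COUNTER_RE = re.compile(
    r"#pkts\s+(encaps|decaps|encrypt|decrypt|digest|verify):?\s*(\d+)")
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+"
    r"(host\s+\S+|any|\S+\s+\S+)\s+(host\s+\S+|any|\S+\s+\S+)\s*$")


def parse_sa_counters(show_output):
    """Return {'encaps': n, 'decaps': n, ...} from one peer's SA output."""
    return {name: int(val) for name, val in COUNTER_RE.findall(show_output)}


def diagnose_direction(a, b):
    """Classify the tunnel from peer A's and peer B's counter dicts.

    'a_to_b_only'     A encrypts, B decrypts, B never encrypts a reply:
                      B's crypto ACL, 'nat 0' exemption or route does not
                      steer the return traffic into the crypto map.
    'b_to_a_only'     the same in the other direction.
    'drop_in_transit' one side encrypts but the other never decrypts:
                      ESP or UDP/500 blocked or misrouted between peers.
    'dead'            nothing ever matched a crypto ACL on either side.
    'ok'              both sides encrypt and decrypt.
    """
    a_out, a_in = a.get("encaps", 0), a.get("decaps", 0)
    b_out, b_in = b.get("encaps", 0), b.get("decaps", 0)
    if not (a_out or b_out):
        return "dead"
    if (a_out and not b_in) or (b_out and not a_in):
        return "drop_in_transit"
    if a_out and b_in and not b_out:
        return "a_to_b_only"
    if b_out and a_in and not a_out:
        return "b_to_a_only"
    return "ok"


def _net(token):
    """PIX ACL operand ('host X', 'any', or 'addr netmask') -> ip_network."""
    if token == "any":
        return ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ip_network(token.split()[1] + "/32")
    addr, mask = token.split()          # PIX uses a netmask, not a wildcard
    return ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(config_text, acl_id):
    """Return the set of (src, dst) networks permitted by one crypto ACL."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_id:
            pairs.add((_net(m.group(2)), _net(m.group(3))))
    return pairs


def acl_mirror_gaps(local_pairs, remote_pairs):
    """(src, dst) flows in the local ACL whose exact mirror (dst, src) is
    missing on the remote peer; each gap is a direction that is never
    encrypted by that peer."""
    expected = {(dst, src) for (src, dst) in local_pairs}
    return expected - remote_pairs


# Constructed sample input: the counters quoted in the post, one peer each.
HUB_SA = """#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0"""
SPOKE_SA = """#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9"""

# Hub crypto ACL 110 as posted; both spoke ACLs below are hypothetical.
HUB_CFG = "access-list 110 permit ip 192.28.16.0 255.255.255.0 10.10.10.0 255.255.255.0"
SPOKE_CFG_GOOD = "access-list 110 permit ip 10.10.10.0 255.255.255.0 192.28.16.0 255.255.255.0"
SPOKE_CFG_BAD = "access-list 110 permit ip host 10.10.10.5 192.28.16.0 255.255.255.0"

if __name__ == "__main__":
    hub, spoke = parse_sa_counters(HUB_SA), parse_sa_counters(SPOKE_SA)
    print("tunnel state:", diagnose_direction(hub, spoke))
    hub_acl = parse_crypto_acl(HUB_CFG, "110")
    for name, cfg in (("good spoke", SPOKE_CFG_GOOD), ("bad spoke", SPOKE_CFG_BAD)):
        gaps = acl_mirror_gaps(hub_acl, parse_crypto_acl(cfg, "110"))
        print(name, "missing mirror entries:", [(str(s), str(d)) for s, d in gaps])
```

For the numbers in the post the verdict is a_to_b_only: the hub encrypts, the spoke decrypts, but nothing on the spoke ever matches its crypto ACL on the way back, which points at the spoke's crypto ACL, its nat 0 exemption, or a route that sends the reply somewhere other than the outside interface holding the crypto map.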





 
Hi.

What about the configuration of the other side (a sample branch office)?

Try to add a split-tunnel statement:
vpngroup pixjp split-tunnel 101

> this config can't let cisco VPN client 3.5 to access
But is the PIX-to-PIX VPN working?
Please be more clear about the problem, and add the relevant syslog messages that you get (or not).
What tests are you doing and what are the results?

Bye
Yizhar Hurwitz
 