Hi,
Having tried various IPSEC installations (unsuccessfully) I'm now to set an IPSEC tunnel between an 801 router and PIX firewall. This configuration is complicated by having PAT configured on 801 router (IOS 12.2(7b)).
The problem I'm experiencing is not being able to establish the tunnel. Looking at the debugging information I can see that an SA is established during isakmp but then nothing else happens and the 801 router just reports MM_NO_STATE. Can anyone tell what I need to do to get these configurations to work please.
Thanks in advance.
-Andrew
801 router config:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Branch_Router
!
boot system flash
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
isdn switch-type basic-net3
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key <a key> address <remote peer address>
crypto isakmp identity hostname
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer <remote peer address>
set transform-set sharks
match address 120
!
!
!
!
interface Ethernet0
ip address <inside local address> 255.255.255.0
ip nat inside
!
interface BRI0
no ip address
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool-member 1
isdn switch-type basic-net3
crypto map nolan
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer idle-timeout 3600
dialer string <a telephone number>
dialer-group 1
ppp pap sent-username <a username> password 0 <a password>
crypto map nolan
!
ip nat inside source route-map nonat interface Dialer0 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip pim bidir-enable
!
access-list 120 permit ip <inside local network address> 0.0.0.255 <inside remote network
address> 0.0.0.255
access-list 130 deny ip <inside local network address> 0.0.0.255 <inside remote network
address> 0.0.0.255
access-list 130 permit ip <inside local network address> 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 130
!
!
line con 0
stopbits 1
line vty 0 4
login
!
no rcapi server
!
!
end
PIX config:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password <a password> encrypted
passwd <a password> encrypted
hostname HQ-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list ipsec permit ip <inside local network address> 255.255.255.0 <outside remote network address> 255.255.255.0
access-list nonat permit ip <inside local network address> 255.255.255.0 <outside remote network address> 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside <outside local address> 255.255.255.248
ip address inside <inside local address> 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 <outside local real address>
nat (inside) 0 access-list nonat
nat (inside) 1 <inside local network address> 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 <outside gateway> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partner protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dynforsberg 1 set transform-set avalanche
crypto map forsberg 21 ipsec-isakmp dynamic dynforsberg
crypto map forsberg interface outside
isakmp enable outside
isakmp key <a key> address 0.0.0.0 netmask 0.0.0.0
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
: end
Having tried various IPSEC installations (unsuccessfully) I'm now to set an IPSEC tunnel between an 801 router and PIX firewall. This configuration is complicated by having PAT configured on 801 router (IOS 12.2(7b)).
The problem I'm experiencing is not being able to establish the tunnel. Looking at the debugging information I can see that an SA is established during isakmp but then nothing else happens and the 801 router just reports MM_NO_STATE. Can anyone tell what I need to do to get these configurations to work please.
Thanks in advance.
-Andrew
801 router config:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Branch_Router
!
boot system flash
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
isdn switch-type basic-net3
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key <a key> address <remote peer address>
crypto isakmp identity hostname
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer <remote peer address>
set transform-set sharks
match address 120
!
!
!
!
interface Ethernet0
ip address <inside local address> 255.255.255.0
ip nat inside
!
interface BRI0
no ip address
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool-member 1
isdn switch-type basic-net3
crypto map nolan
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer idle-timeout 3600
dialer string <a telephone number>
dialer-group 1
ppp pap sent-username <a username> password 0 <a password>
crypto map nolan
!
ip nat inside source route-map nonat interface Dialer0 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip pim bidir-enable
!
access-list 120 permit ip <inside local network address> 0.0.0.255 <inside remote network
address> 0.0.0.255
access-list 130 deny ip <inside local network address> 0.0.0.255 <inside remote network
address> 0.0.0.255
access-list 130 permit ip <inside local network address> 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 130
!
!
line con 0
stopbits 1
line vty 0 4
login
!
no rcapi server
!
!
end
PIX config:
PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password <a password> encrypted
passwd <a password> encrypted
hostname HQ-PIX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list ipsec permit ip <inside local network address> 255.255.255.0 <outside remote network address> 255.255.255.0
access-list nonat permit ip <inside local network address> 255.255.255.0 <outside remote network address> 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside <outside local address> 255.255.255.248
ip address inside <inside local address> 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 <outside local real address>
nat (inside) 0 access-list nonat
nat (inside) 1 <inside local network address> 255.255.255.0 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 <outside gateway> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partner protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dynforsberg 1 set transform-set avalanche
crypto map forsberg 21 ipsec-isakmp dynamic dynforsberg
crypto map forsberg interface outside
isakmp enable outside
isakmp key <a key> address 0.0.0.0 netmask 0.0.0.0
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
telnet timeout 5
ssh timeout 5
terminal width 80
: end
