Issues with Cisco 871 tunnel with Pix515e code 8.03

Status
Not open for further replies.

lodogg (IS-IT--Management), Jun 28, 2009
The tunnel is up between my Cisco 871 and my PIX 515e, but I can't ping through the tunnel on either side. I moved my 871 to the outside of my firewall in a testing-lab scenario; the tunnel builds, but I can't ping from either side. More than likely this is a NAT issue on my PIX, but I can't find out what the issue is through my debug sessions.

I also want to keep Vlan1 up on my Cisco 871 even though I have nothing plugged into it. I can't even ping Vlan1 on the Cisco 871 because the protocol layer is down.

The 10.35.1.0/24 network is on the inside of my network so the traffic flows through the inside interface of the Pix.

--------------------------------------
pix515(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : 192.168.10.50
Index : 101 IP Addr : 10.44.44.0
Protocol : IKE IPsec
Encryption : 3DES Hashing : MD5
Bytes Tx : 127000 Bytes Rx : 1400
Login Time : 19:23:38 UTC Fri Jun 26 2009
Duration : 0h:06m:34s
--------------------------------------
pix515(config)# ping 10.44.44.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.44.44.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
--------------------------------------
871w-rtr#ping 10.35.1.5 source 10.44.44.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.35.1.5, timeout is 2 seconds:
Packet sent with a source address of 10.44.44.2
.....
Success rate is 0 percent (0/5)
-----------------------------
Pix

pix515(config)# sh run nat
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

pix515(config)# sh access-list nonat
access-list nonat; 5 elements
access-list nonat line 1 extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0 (hitcnt=0) 0x33ce6f2d

static (inside,DMZ) 10.44.44.0 10.44.44.0 netmask 255.255.255.0

crypto map cmap-vpncient 1 match address outside_cryptomap
crypto map cmap-vpncient 1 set peer 192.168.10.50
crypto map cmap-vpncient 1 set transform-set ESP-3DES-MD5

-----------------------------
871

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key ******** address 192.168.10.20
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map IPSec 1 ipsec-isakmp
set peer 192.168.10.20
set transform-set myset
match address tunnel
!
crypto map testmap 10 ipsec-isakmp
set peer 192.168.10.20
set security-association idle-time 300
set transform-set myset
match address tunnel
!
interface FastEthernet4
ip address 192.168.10.50 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPSec
!
interface Vlan1
description Users
ip address 10.44.44.2 255.255.255.0
ip tcp adjust-mss 1452
!
!
-----------------------------
871w-rtr#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
FastEthernet4 192.168.10.50 YES manual up up
Dot11Radio0 unassigned YES NVRAM administratively down down
Vlan1 10.44.44.2 YES manual up down
-----------------------------
871w-rtr#ping 10.35.1.5 source 10.44.44.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.35.1.5, timeout is 2 seconds:
Packet sent with a source address of 10.44.44.2
.....
Success rate is 0 percent (0/5)
-----------------------------
871w-rtr#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.10.20 192.168.10.50 QM_IDLE 2056 0 ACTIVE

IPv6 Crypto ISAKMP SA

871w-rtr#
-----------------------------
 
Please post full scrubbed configs.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
pix515# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname pix515
domain-name test.local
enable password ************ encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.10.20 255.255.255.0
!
interface Ethernet1
description Inside Trunk
no nameif
no security-level
no ip address
!
interface Ethernet1.100
vlan 100
nameif inside
security-level 100
ip address 10.45.45.2 255.255.255.248
!
interface Ethernet2
description DMZ Trunk
no nameif
no security-level
no ip address
!
interface Ethernet2.50
vlan 50
nameif DMZ
security-level 80
ip address 192.168.1.1 255.255.255.0
!
passwd *********** encrypted
boot system flash:/pix803.bin
ftp mode passive
dns server-group DefaultDNS
domain-name test.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service dns tcp-udp
description DNS Port Mapping
port-object eq domain
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside-test extended permit ip any any log critical
access-list inside extended permit ip any any log

access-list nonat extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

access-list out extended deny icmp any any alternate-address
access-list out extended deny icmp any any router-advertisement
access-list out extended deny icmp any any router-solicitation
access-list out extended deny icmp any any timestamp-request
access-list out extended deny icmp any any timestamp-reply
access-list out extended deny icmp any any information-request
access-list out extended deny icmp any any information-reply
access-list out extended deny icmp any any mask-request
access-list out extended deny icmp any any mask-reply
access-list out extended deny icmp any any mobile-redirect
access-list out extended deny icmp any any echo
access-list out extended permit icmp any any
access-list out extended deny ip any any log critical

access-list inside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

access-list dmz-in extended permit ip any any

access-list S2S-Split extended permit ip 10.100.100.0 255.255.255.0 10.35.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

pager lines 14
logging enable
logging timestamp
logging list VPN-debug level debugging class vpn
logging buffer-size 50000
logging asdm-buffer-size 512
logging console debugging
logging monitor critical
logging buffered debugging
logging trap critical
logging asdm debugging
logging host inside 10.35.1.20
no logging message 305012
no logging message 305011
no logging message 305010
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpn-dhcp 10.35.254.50-10.35.254.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat-dmz
nat (DMZ) 1 0.0.0.0 0.0.0.0

static (inside,DMZ) 10.35.1.0 10.35.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.44.44.0 10.44.44.0 netmask 255.255.255.0

access-group out in interface outside
access-group dmz-in in interface DMZ

route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
route inside 10.35.1.0 255.255.255.0 10.45.45.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server local protocol radius
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community **
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set xform-3des-md5 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set S2S esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 1 match address outside_cryptomap
crypto map cmap-vpncient 1 set peer 192.168.10.50
crypto map cmap-vpncient 1 set transform-set ESP-3DES-MD5 xform-3des-md5 ESP-DES-MD5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto map SiteToSiteVPN 1 match address inside_cryptomap
crypto map SiteToSiteVPN 1 set peer 10.44.44.2
crypto map SiteToSiteVPN 1 set transform-set ESP-3DES-MD5 ESP-DES-MD5 xform-3des-md5
crypto map SiteToSiteVPN interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
password-storage disable
re-xauth disable
pfs disable
username **
tunnel-group 10.44.44.2 type ipsec-l2l
tunnel-group 10.44.44.2 ipsec-attributes
pre-shared-key *
tunnel-group 192.168.10.50 type ipsec-l2l
tunnel-group 192.168.10.50 ipsec-attributes
pre-shared-key *
!
class-map voip
description High Priority = voip
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect sip
inspect xdmcp
policy-map general
class voip
priority
!
service-policy global_policy global
service-policy general interface outside
prompt hostname context
Cryptochecksum:a333040ff1f2a173d40122e0d5ab4de9
: end
pix515#

-------------------------------
871

lodogg-871w-rtr#sh run
Building configuration...

Current configuration : 4168 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname lodogg-871w-rtr
!
boot-start-marker
boot-end-marker
!
logging buffered 20000
enable password ************
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization template
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3262587873
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3262587873
revocation-check none
rsakeypair TP-self-signed-3262587873
!
!
crypto pki certificate chain TP-self-signed-3262587873
certificate self-signed 01
*******************************************************
quit
dot11 syslog
ip cef
ip dhcp excluded-address 10.10.10.1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name local.test.local
!
!
!
username *************
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key ************* address 192.168.10.20
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
crypto map IPSec 1 ipsec-isakmp
set peer 192.168.10.20
set transform-set myset
match address tunnel
!
crypto map testmap 10 ipsec-isakmp
set peer 192.168.10.20
set security-association idle-time 300
set transform-set myset
match address tunnel
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 192.168.10.50 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPSec
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description test user
ip address 10.44.44.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.20
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended tunnel
permit ip 10.44.44.0 0.0.0.255 10.35.1.0 0.0.0.255
!
no cdp run
!
!
!
control-plane
!
banner motd ^C
******************************************
* Unauthorized access prohibited
******************************************
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end

lodogg-871w-rtr#
 

I did fix the issue by removing "ip nat inside" on "int vlan1" and removing "ip nat outside" from "int f4". Since Vlan1 was not coming up, I added my Loopback IP into the tunnel ACL, and then I was able to ping and telnet to ports on both sides of the crypto tunnel.
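As an added example (my own code, not part of the thread and not Cisco's tooling), here is a small Python checker for the two properties a site-to-site tunnel like this one depends on: the crypto ACLs on the two peers must be mirror images of each other, and on the PIX every crypto (src, dst) pair must be covered by the nat 0 exemption ACL so the inside source is not translated before it reaches the crypto map. It parses both address styles seen above (PIX subnet masks, IOS wildcard masks, plus "any" and "host"). The sample ACL text is constructed from the lines posted in the thread; the variant with the Loopback0 network added to the 871's "tunnel" ACL is my assumption about the final fix, and the PIX-side mirror entry is deliberately left out so the check has something to flag.

```python
"""Check that a PIX/ASA and an IOS peer agree on IPsec interesting traffic.

Verified: (1) crypto ACLs are mirror images (src/dst swapped on the peer);
(2) every PIX crypto pair sits inside a nat 0 (identity NAT) exemption entry.
"""
import ipaddress
import re

# Constructed sample input, shaped like the ACLs posted in this thread.
# PIX/ASA extended ACLs carry subnet masks; IOS named ACLs carry wildcard masks.
PIX_ACLS = """
access-list nonat extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
"""
IOS_CONFIG = """
ip access-list extended tunnel
 permit ip 10.44.44.0 0.0.0.255 10.35.1.0 0.0.0.255
!
"""
# Assumed variant: the 871 ACL after its Loopback0 network (10.1.1.0/24) was added.
IOS_CONFIG_WITH_LOOPBACK = """
ip access-list extended tunnel
 permit ip 10.44.44.0 0.0.0.255 10.35.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 10.35.1.0 0.0.0.255
!
"""

PIX_LINE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
IOS_LINE = re.compile(r"^(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")


def _take_addr(tokens, mask_style):
    """Pop one address spec (any | host A | A MASK) and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    mask = tokens.pop(0)
    if mask_style == "wildcard":  # IOS: invert the wildcard bits to get a netmask
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_pix_acl(text, name):
    """(src, dst) network pairs of the permit entries of one PIX/ASA extended ACL."""
    pairs = []
    for line in text.splitlines():
        m = PIX_LINE.match(line.strip())
        if m and m.group(1) == name and m.group(2) == "permit":
            tokens = m.group(4).split()
            pairs.append((_take_addr(tokens, "netmask"), _take_addr(tokens, "netmask")))
    return pairs


def parse_ios_acl(text, name):
    """(src, dst) network pairs of the permit entries of one IOS named extended ACL."""
    pairs, in_acl = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("ip access-list extended "):
            in_acl = s.split()[-1] == name
            continue
        if not line.startswith(" "):  # any unindented line ends the ACL body
            in_acl = False
        m = IOS_LINE.match(s)
        if in_acl and m and m.group(1) == "permit":
            tokens = m.group(3).split()
            pairs.append((_take_addr(tokens, "wildcard"), _take_addr(tokens, "wildcard")))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Local crypto pairs that have no swapped (dst, src) twin on the remote peer."""
    remote_mirrored = {(d, s) for s, d in remote_pairs}
    return [p for p in local_pairs if p not in remote_mirrored]


def uncovered_by_nonat(crypto_pairs, nonat_pairs):
    """Crypto pairs not fully inside some nat 0 entry (they would be translated first)."""
    return [
        (s, d) for s, d in crypto_pairs
        if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat_pairs)
    ]


def audit(pix_text, pix_crypto_name, pix_nonat_name, ios_text, ios_crypto_name):
    """Run both checks; all-empty lists mean the two peers agree."""
    pix_crypto = parse_pix_acl(pix_text, pix_crypto_name)
    pix_nonat = parse_pix_acl(pix_text, pix_nonat_name)
    ios_crypto = parse_ios_acl(ios_text, ios_crypto_name)
    return {
        "pix_without_ios_mirror": mirror_mismatches(pix_crypto, ios_crypto),
        "ios_without_pix_mirror": mirror_mismatches(ios_crypto, pix_crypto),
        "crypto_not_nat_exempt": uncovered_by_nonat(pix_crypto, pix_nonat),
    }


if __name__ == "__main__":
    for label, ios in (("as posted", IOS_CONFIG), ("Loopback0 added", IOS_CONFIG_WITH_LOOPBACK)):
        print(label, audit(PIX_ACLS, "outside_cryptomap", "nonat", ios, "tunnel"))
```

Running it against the posted ACLs reports nothing; with the loopback network added only on the 871 side, the "ios_without_pix_mirror" list shows 10.1.1.0/24 -> 10.35.1.0/24, which is the entry the PIX's outside_cryptomap and nonat ACLs would also need before that traffic could be selected and exempted from translation. Feeding it real configs means pasting the relevant "show run" sections into the two text constants.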
 