hello,
I am attempting to create a site-to-site VPN in a lab environment. However, I was not successful; would someone please tell me what is wrong with my configuration? Any help is greatly appreciated.
Thanks,
Binh
********** First Firewall **********************
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 172.27.4.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NoNAT permit ip 172.27.4.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.18 255.255.255.248
ip address inside 172.27.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNAT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mva esp-des esp-md5-hmac
crypto map mvavpn 1 ipsec-isakmp
crypto map mvavpn 1 match address 101
crypto map mvavpn 1 set peer 192.168.1.22
crypto map mvavpn 1 set transform-set mva
crypto map mvavpn interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.22 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e9c7f76aba76c8d173466d79675d344c
: end
pixfirewall# sh crypto ipsec sa
interface: outside
Crypto map tag: mvavpn, local addr. 192.168.1.18
local ident (addr/mask/prot/port): (172.27.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 192.168.1.22:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.18, remote crypto endpt.: 192.168.1.22
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: cf21bcec
inbound esp sas:
spi: 0x5c8b6307(1552638727)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mvavpn
sa timing: remaining key lifetime (k/sec): (4607999/28699)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xcf21bcec(3475094764)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mvavpn
sa timing: remaining key lifetime (k/sec): (4608000/28699)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
pixfirewall# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
192.168.1.18 192.168.1.22 QM_IDLE 0 1
pixfirewall#
********** Second Firewall **********************
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname edg-pix
domain-name test.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 172.27.4.0 255.255.255.0
access-list NoNAT permit ip 10.1.1.0 255.255.255.0 172.27.4.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.22 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNAT
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.1.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ph esp-des esp-md5-hmac
crypto map phvpn 1 ipsec-isakmp
crypto map phvpn 1 match address 101
crypto map phvpn 1 set peer 192.168.1.18
crypto map phvpn 1 set transform-set ph
crypto map phvpn interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.18 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9eed9d5290e33046de739b7c841d86f8
: end
edg-pix(config)# sh crypto ipsec sa
interface: outside
Crypto map tag: phvpn, local addr. 192.168.1.22
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.4.0/255.255.255.0/0/0)
current_peer: 192.168.1.18:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 393, #pkts encrypt: 393, #pkts digest 393
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 33, #recv errors 0
local crypto endpt.: 192.168.1.22, remote crypto endpt.: 192.168.1.18
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 5c8b6307
inbound esp sas:
spi: 0xcf21bcec(3475094764)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: phvpn
sa timing: remaining key lifetime (k/sec): (4608000/28417)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5c8b6307(1552638727)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: phvpn
sa timing: remaining key lifetime (k/sec): (4607998/28408)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
edg-pix(config)# sh crypto isamkmp sa
Total : 1
Embryonic : 0
dst src state pending created
192.168.1.18 192.168.1.22 QM_IDLE 0 1
edg-pix(config)# exti it
edg-pix#
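A consistency check for a PIX 6.3 site-to-site pair, added here as an example and not part of the original post: it parses the tunnel-relevant statements abridged from the two configs above and verifies that the peers point at each other, that crypto ACL 101 is mirrored, that the transform set and ISAKMP policy match, and that each side has a static or default route covering the far LAN. The field names and the abridged config strings are this example's own; against the two configs as posted it reports a single finding, that the first firewall has no route statement at all while the second has a default route.

```python
import ipaddress

# Abridged from the two configs in the post: only the statements a site-to-site
# tunnel depends on (outside address, crypto ACL 101, routes, peer, transform set,
# ISAKMP policy). The NAT-exemption lines are identical on both and are omitted.
PIX_A = """ip address outside 192.168.1.18 255.255.255.248
access-list 101 permit ip 172.27.4.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set mva esp-des esp-md5-hmac
crypto map mvavpn 1 set peer 192.168.1.22
isakmp policy 1 encryption des
isakmp policy 1 hash md5"""
PIX_B = """ip address outside 192.168.1.22 255.255.255.248
access-list 101 permit ip 10.1.1.0 255.255.255.0 172.27.4.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.17 1
crypto ipsec transform-set ph esp-des esp-md5-hmac
crypto map phvpn 1 set peer 192.168.1.18
isakmp policy 1 encryption des
isakmp policy 1 hash md5"""

def parse(cfg):
    """Collect the fields that must agree or mirror between the two peers."""
    f = {"acl": [], "routes": [], "isakmp": set(), "ts": None, "peer": None}
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[:3] == ["ip", "address", "outside"]:
            f["outside"] = w[3]
        elif w[:2] == ["access-list", "101"]:        # the crypto ACL in both posts
            f["acl"].append((f"{w[4]}/{w[5]}", f"{w[6]}/{w[7]}"))
        elif w[0] == "route":                          # static route: network/mask
            f["routes"].append(ipaddress.ip_network(f"{w[2]}/{w[3]}"))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            f["ts"] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and "peer" in w:
            f["peer"] = w[-1]
        elif w[:2] == ["isakmp", "policy"]:
            f["isakmp"].add(tuple(w[3:]))
    return f

def check_pair(a_cfg, b_cfg):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b, out = parse(a_cfg), parse(b_cfg), []
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        out.append("peers do not point at each other's outside address")
    if {(d, s) for s, d in a["acl"]} != set(b["acl"]):
        out.append("crypto ACLs are not mirror images of each other")
    if a["ts"] != b["ts"] or a["isakmp"] != b["isakmp"]:
        out.append("transform-set or ISAKMP policy differs between peers")
    for name, f in (("A", a), ("B", b)):   # can each side route to the far LAN?
        remote = [ipaddress.ip_network(d) for _, d in f["acl"]]
        if not all(any(r.subnet_of(rt) for rt in f["routes"]) for r in remote):
            out.append(f"{name}: no route or default route covers the remote LAN")
    return out
```

Run `check_pair(PIX_A, PIX_B)` to see the findings; the routing check uses the ACL's destination networks, so it also catches a default route that was removed on one side only.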