
PIX to PIX Tunnel


bduong1

Technical User
May 2, 2007
2
US
hello,
I am attempting to create a site-to-site VPN in a lab environment. However, I was not successful; would someone please tell me what is wrong with my configuration? Any help is greatly appreciated.

Thanks,

Binh

********** First Firewall **********************
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 172.27.4.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NoNAT permit ip 172.27.4.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.18 255.255.255.248
ip address inside 172.27.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNAT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set mva esp-des esp-md5-hmac
crypto map mvavpn 1 ipsec-isakmp
crypto map mvavpn 1 match address 101
crypto map mvavpn 1 set peer 192.168.1.22
crypto map mvavpn 1 set transform-set mva
crypto map mvavpn interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.22 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e9c7f76aba76c8d173466d79675d344c
: end

pixfirewall# sh crypto ipsec sa


interface: outside
Crypto map tag: mvavpn, local addr. 192.168.1.18

local ident (addr/mask/prot/port): (172.27.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 192.168.1.22:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.18, remote crypto endpt.: 192.168.1.22
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: cf21bcec

inbound esp sas:
spi: 0x5c8b6307(1552638727)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mvavpn
sa timing: remaining key lifetime (k/sec): (4607999/28699)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xcf21bcec(3475094764)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mvavpn
sa timing: remaining key lifetime (k/sec): (4608000/28699)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:

pixfirewall# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
192.168.1.18 192.168.1.22 QM_IDLE 0 1
pixfirewall#


********** Second Firewall **********************

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname edg-pix
domain-name test.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25

fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 172.27.4.0 255.255.255.0
access-list NoNAT permit ip 10.1.1.0 255.255.255.0 172.27.4.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 192.168.1.22 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NoNAT
nat (inside) 0 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 192.168.1.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ph esp-des esp-md5-hmac
crypto map phvpn 1 ipsec-isakmp
crypto map phvpn 1 match address 101
crypto map phvpn 1 set peer 192.168.1.18
crypto map phvpn 1 set transform-set ph
crypto map phvpn interface outside
isakmp enable outside
isakmp key ******** address 192.168.1.18 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:9eed9d5290e33046de739b7c841d86f8
: end
edg-pix(config)# sh crypto ipsec sa


interface: outside
Crypto map tag: phvpn, local addr. 192.168.1.22

local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.4.0/255.255.255.0/0/0)
current_peer: 192.168.1.18:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 393, #pkts encrypt: 393, #pkts digest 393
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 33, #recv errors 0

local crypto endpt.: 192.168.1.22, remote crypto endpt.: 192.168.1.18
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 5c8b6307

inbound esp sas:
spi: 0xcf21bcec(3475094764)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: phvpn
sa timing: remaining key lifetime (k/sec): (4608000/28417)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x5c8b6307(1552638727)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: phvpn
sa timing: remaining key lifetime (k/sec): (4607998/28408)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:

outbound pcp sas:



edg-pix(config)# sh crypto isamkmp sa
Total : 1
Embryonic : 0
dst src state pending created
192.168.1.18 192.168.1.22 QM_IDLE 0 1

edg-pix(config)# exti  it

edg-pix#
 
Binh-

To the naked eye, your config looks fine.

Try adding this to the end of your command... no-xauth no-config-mode.

isakmp key ******** address 192.168.1.18 netmask 255.255.255.255 no-xauth no-config-mode on both pix's.

Also have you enabled your debugs?

Try debug crypto isakmp first to make sure your phase 1 is correct. Then add the debug crypto ipsec.

Frank
 
I'm curious, I don't see any NAT or global statements in the first config. Secondly, you have two NAT statements with the same id, 0, in the second config with no global statement of the same id, 0. It should be one or the other. How do you plan to send internal traffic externally and over the VPN? Also, I don't see an access-group statement to accompany your access-lists. Access-lists need to be applied to interfaces in order to work, shouldn't they? The "access-group in interface (inside or outside, it depends)" statement is supposed to accomplish this.

I could be wrong....
 
Frank, thank you for your suggestion. I will try the debug. From the "sh crypto ipsec sa" I can see traffic from the EDG-PIX to the firewall PIX. However, I can't see traffic from the firewall to the EDG-PIX.
 
I see you have
nat (inside) 0 access-list NoNAT
and a NoNAT access list

Try making your
crypto map match address NoNAT (instead of 101)
and maybe add
isakmp nat-traversal
 
Binh-

I think I might see what the problem might be. I also agree with FWATER, after looking over this in greater detail and comparing my config. Look at this statement on your second PIX.

nat (inside) 0 0.0.0.0 0.0.0.0 0 0 I believe it should be
nat (inside) 1 0.0.0.0 0.0.0.0 0 0. That also depends on what your global statement is. Your global should be something like global (outside) 1 interface.

Check your config on both pix's.

Frank
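A consistency check for the two ends of a tunnel like this one, written as an added example (it is not from the thread or from Cisco): it parses the tunnel-relevant lines of both PIX configs and reports peers that do not point at each other's outside address, crypto ACLs that are not mirror images, differing transform sets, and a nat id used twice on one box (fwater's point). The excerpts are constructed from the two configs posted above and are not complete.

```python
# Constructed excerpts of the two PIX 6.3 configs posted above (not complete).
PIX_A = """\
access-list 101 permit ip 172.27.4.0 255.255.255.0 10.1.1.0 255.255.255.0
ip address outside 192.168.1.18 255.255.255.248
nat (inside) 0 access-list NoNAT
crypto ipsec transform-set mva esp-des esp-md5-hmac
crypto map mvavpn 1 match address 101
crypto map mvavpn 1 set peer 192.168.1.22
crypto map mvavpn 1 set transform-set mva
"""
PIX_B = """\
access-list 101 permit ip 10.1.1.0 255.255.255.0 172.27.4.0 255.255.255.0
ip address outside 192.168.1.22 255.255.255.248
nat (inside) 0 access-list NoNAT
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set ph esp-des esp-md5-hmac
crypto map phvpn 1 match address 101
crypto map phvpn 1 set peer 192.168.1.18
crypto map phvpn 1 set transform-set ph
"""

def parse(cfg):
    d = {"acl": {}, "ts": {}, "nat_ids": []}  # tunnel-relevant statements
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["access-list"]:          # keep (src, smask, dst, dmask)
            d["acl"].setdefault(t[1], []).append(tuple(t[4:]))
        elif t[:3] == ["ip", "address", "outside"]:
            d["outside"] = t[3]
        elif t[:1] == ["nat"]:                # nat (ifc) ID ...
            d["nat_ids"].append(t[2])
        elif t[:2] == ["crypto", "ipsec"]:    # transform-set NAME algs...
            d["ts"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) > 6:
            d[t[5]] = t[6]                    # address / peer / transform-set
    return d

def check(a, b):
    issues = []                               # mismatches between the two ends
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        issues.append("peers do not point at each other's outside address")
    # B's crypto ACL must be A's with source and destination swapped.
    mirror = {(dst, dm, src, sm) for (src, sm, dst, dm) in b["acl"][b["address"]]}
    if set(a["acl"][a["address"]]) != mirror:
        issues.append("crypto ACLs are not mirror images")
    if a["ts"][a["transform-set"]] != b["ts"][b["transform-set"]]:
        issues.append("transform sets differ")
    for name, cfg in (("A", a), ("B", b)):  # same nat id used twice on one box
        if len(cfg["nat_ids"]) != len(set(cfg["nat_ids"])):
            issues.append(f"{name}: nat id reused: {sorted(set(cfg['nat_ids']))}")
    return issues
```

Run `check(parse(PIX_A), parse(PIX_B))`; on these excerpts the only finding is the reused nat id 0 on the second PIX, which is the statement the replies above single out.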
