IPSEC Site-To-Site VPN

Hello Everyone,

I have a homelab and I configured a site-to-site VPN, but the problem is that pings are unsuccessful. In configuring this topology I followed these simple steps. Please help me find where I went wrong with the configuration. I don't use SDM / PDM yet, because I want to know the basics first. Thanks in advance...

Consider this topology

                      PIX501 --------- Internet ---------- C2691(R1)

    ip behind pix: 192.168.1.0 /24             ip behind R1: 192.168.1.0 /24

    internet facing ip: 1.1.1.1 /30            internet facing ip: 2.2.2.2 /30

My steps in configuring the S2S VPN tunnel:

@PIX

Step 1. Configure NAT.

       PIX(config)# nat (INSIDE) 1 192.168.1.0 255.255.255.0
       PIX(config)# nat (OUTSIDE) 1 1.1.1.1 255.255.255.252

Step 2. Set default route.

       PIX(config)# route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.2 1

Step 3. IKE Phase 1. [main mode]

       PIX(config)# isakmp enable outside
       PIX(config)# crypto isakmp policy 1
       PIX(config-crypto-policy)# authentication pre-share
       PIX(config-crypto-policy)# hash sha
       PIX(config-crypto-policy)# group 2
       PIX(config-crypto-policy)# encryption 3des
       PIX(config-crypto-policy)# exit
       PIX(config)# crypto isakmp key cisco address 2.2.2.2 netmask 255.255.255.252

Step 4. IKE Phase 2, IPsec policy to use in the IPsec tunnel. [Quick Mode]

       PIX(config)# crypto ipsec transform-set MYSET esp-sha-hmac esp-3des

Step 5. Mapping the policy above. I configure an ACL to match the traffic to be encrypted with ESP.

       PIX(config)# crypto map MYMAP 10 ipsec-isakmp
       PIX(config)# crypto map MYMAP 10 set transform-set MYSET
       PIX(config)# crypto map MYMAP 10 set peer 2.2.2.2
       PIX(config)# access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
       PIX(config)# crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC

Step 6. Apply to interface

       PIX(config)# crypto map MYMAP interface OUTSIDE

Note: Same procedure that I followed for the router config.

Comments

  • Hello:

    The nat commands should have a corresponding global command, which does not
    appear on your configuration.

    Regards,

    AS



    From: mactej6228

    Sent: Wednesday, May 01, 2013 12:30 PM


    Subject: [CCIE Sec] IPSEC Site-To-Site VPN
    INE - The Industry Leader in CCIE Preparation
    http://www.INE.com

    Subscription information may be found at:
    http://www.ieoc.com/forums/ForumSubscriptions.aspx
  • What interesting traffic are you matching on the other side?

    The NAT IP range or the real IP range?

    Is there a reason you want to NAT the inside traffic, or would it be OK to do a NAT exempt?

    I agree with the above: firstly, you are lacking the global command for NATing.

    Secondly, you need to check what you are matching on the interesting traffic ACL on the router.

    You would also do well to enable logging and check what the log messages say.

  • Thanks for your replies. Okay, here's my config for the FW and Router.

     

    FW

    PIX Version 7.2(2)
    !
    hostname PIX
    domain-name aida.com
    enable password 2KFQnbNIdI.2KYOU encrypted
    names
    name 172.21.1.0 network2 description n2
    !
    interface Ethernet0
     speed 100
     duplex full
     nameif OUTSIDE
     security-level 0
     ip address 1.1.1.1 255.255.255.252
    !
    interface Ethernet1
     nameif INSIDE
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 192.168.1.0 255.255.255.0
    !
    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
    crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
    crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
    crypto map MYMAP 10 set peer 2.2.2.2
    crypto map MYMAP 10 set transform-set MYSET
    crypto map MYMAP interface OUTSIDE
    crypto isakmp enable OUTSIDE
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key *
    !
    : end

    ROUTER

    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R9
    !
    crypto pki certificate chain TP-self-signed-998521732
     certificate self-signed 01 nvram:IOS-Self-Sig#3201.cer
    username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key cisco address 1.1.1.1 255.255.255.252
    !
    crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
    !
    crypto map MYMAP 10 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set MYSET
     match address TO_ENCRYPT_TRAFFIC
    !
    interface FastEthernet0/0
     ip address 2.2.2.2 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map MYMAP
    !
    interface FastEthernet0/1
     ip address 172.21.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip route 172.21.1.0 255.255.255.0 2.2.2.1
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list NAT_IP interface FastEthernet0/0 overload
    !
    ip access-list extended NAT_IP
     deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 172.21.1.0 0.0.0.255 any
    ip access-list extended TO_ENCRYPT_TRAFFIC
     permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     transport input ssh
    !
    end

  • Hi,

    Can you please provide the output of the following commands? We need to understand if the IPsec is failing at phase 1 or phase 2.

    - sh crypto isakmp sa (router, pix)
    - debug crypto isakmp (router)
    - debug crypto isakmp 10 (pix)

    One thing I did not understand is why you configured:

    1) the ip route command on the router; why does the local LAN point to the WAN?

    Also, you did not configure NO NAT on your PIX, only on the router. Try adding the following on your PIX:

    access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
    !
    nat (INSIDE) 0 access-list NO_NAT

    HTH

    Good luck!

  • Hello qqabdal,

    To answer your question:

    1.) For the ip route command: because the networks 172.21.1.0 /24 and 192.168.1.0 /24 are also allowed to the internet, like Google, Yahoo, etc.

    2.) sh crypto isakmp sa for PIX and ROUTER:

    PIX# sh crypto isakmp sa

    There are no isakmp sas

    R9#sh crypto isakmp sa

    dst             src             state          conn-id slot status

    3. Debug PIX and ROUTER

    - NO ACTIVITY HAPPENED - < no debug output :(

    4. Updated config:

    FW

    PIX Version 7.2(2)
    !
    hostname PIX
    domain-name aida.com
    enable password 2KFQnbNIdI.2KYOU encrypted
    names
    name 172.21.1.0 network2 description n2
    !
    interface Ethernet0
     speed 100
     duplex full
     nameif OUTSIDE
     security-level 0
     ip address 1.1.1.1 255.255.255.252
    !
    interface Ethernet1
     nameif INSIDE
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
    global (OUTSIDE) 1 interface
    nat (INSIDE) 0 access-list nonat
    nat (INSIDE) 1 192.168.1.0 255.255.255.0
    !
    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
    crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
    crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
    crypto map MYMAP 10 set peer 2.2.2.2
    crypto map MYMAP 10 set transform-set MYSET
    crypto map MYMAP interface OUTSIDE
    crypto isakmp enable OUTSIDE
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key *
    !
    : end

    ROUTER

    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R9
    !
    crypto pki certificate chain TP-self-signed-998521732
     certificate self-signed 01 nvram:IOS-Self-Sig#3201.cer
    username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key cisco address 1.1.1.1 255.255.255.252
    !
    crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
    !
    crypto map MYMAP 10 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set MYSET
     match address TO_ENCRYPT_TRAFFIC
    !
    interface FastEthernet0/0
     ip address 2.2.2.2 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map MYMAP
    !
    interface FastEthernet0/1
     ip address 172.21.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip route 172.21.1.0 255.255.255.0 2.2.2.1
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list NAT_IP interface FastEthernet0/0 overload
    !
    ip access-list extended NAT_IP
     deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 172.21.1.0 0.0.0.255 any
    ip access-list extended TO_ENCRYPT_TRAFFIC
     permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    control-plane
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     transport input ssh
    !
    end


  • hello tau1z,

    The traffic that I have to encrypt is:

    172.21.1.0 /24 behind PIX

    and

    192.168.1.0 /24 behind ROUTER

    On the updated config, I added the exemption but still could not ping the other end.

    FOR PIX:

    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
    nat (INSIDE) 0 access-list nonat

    FOR ROUTER:

    ip nat inside source list NAT_IP interface FastEthernet0/0 overload
    ip access-list extended NAT_IP
     deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 172.21.1.0 0.0.0.255 any

  • Hi,

    Have you generated interesting traffic to trigger IPsec?

    I guess that static route is not needed; as this is a directly connected network, you don't need the static route.

    Try generating interesting traffic and running the debugs; you should see activity if you source traffic from 192.168.1.0 destined to 172.21.1.0.

  • This is what happens when I remove the route:

    PIX# ping 172.21.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.21.1.1, timeout is 2 seconds:
    No route to host 172.21.1.1

    Success rate is 0 percent (0/1)

    The interesting traffic that you mean is the traffic that will be encrypted inside the VPN tunnel? Yes I have, the 172.21.1.0 /24 and 192.168.1.0 /24 networks.

  • Hang on a sec (just in case there is some misunderstanding here). I am not asking to remove the default route on the PIX. This route should remain there:

    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1

    I am referring to the static route on the router side:


    ip route 172.21.1.0 255.255.255.0 2.2.2.1

    This route does not make sense to me, as it is directly connected on the router.


    Can you confirm?


    Thank you!

  • hello qqabdal,

    Okay, I placed the PIX default route back and removed the router's default route, but pings are still unsuccessful.

    The reason why I configured a default route on the PIX and the router is because behind those devices is my internal network, which uses internal private IP addresses. Yes, on the topology I've shown the ip route doesn't make any sense, but I just included it there as if I'm configuring my real production network. The actual connection will be that the Router / PIX will be connected to a modem and then the internet.

  • mactej6228,

    Please clarify some stuff for me, but before that:

    As I saw in your previous post, you are originating the ping from the PIX itself. Do you know which source IP the PIX will be using to send the ICMP traffic?

    Please try to ping from behind the PIX, NOT from the PIX itself. If that doesn't work, let me know.

  • On the PIX, remove VPN traffic from nat with a nat 0 command.

    Sent from my iPhone

    On May 4, 2013, at 15:45, mactej6228 <[email protected]> wrote:

  • momari,

    I also tried to ping from the other end (R9) but it is still unsuccessful. Pings to their directly connected networks are successful, but end-to-end (PIX to the other site's router) they are unsuccessful:

    Site 1: PIX internal network: 192.168.1.0 /24

    Site 2: R9 internal network: 172.21.1.0 /24

    _____________________________________________

    PIX# ping 1.1.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/22/50 ms

    PIX# ping 192.168.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
    PIX#

    ________________________________

    R9#ping 2.2.2.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/28/80 ms
    R9#ping 172.21.1.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.21.1.2, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 4/20/32 ms
    R9#

    _________________________________________________

    R9#ping 192.168.1.2

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)
    R9#

  • I replicated your config on a dynamips and I was able to make it work without any issues, you need:

    1) nat 0 statement on PIX to bypass nat

    2) default route on PIX

    3) default route on router

    Here are my configs:

    PIX:

    PIX(config)# sh run
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname PIX
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0/0
     nameif OUTSIDE
     security-level 0
     ip address 1.1.1.1 255.255.255.252
    !
    interface Ethernet0/1
     nameif INSIDE
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot config disk0:/.private/startup-config
    ftp mode passive
    access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
    access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
    pager lines 24
    no logging message 402128
    mtu OUTSIDE 1500
    mtu INSIDE 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 interface
    nat (INSIDE) 0 access-list NO_NAT
    nat (INSIDE) 1 192.168.1.0 255.255.255.0
    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
    crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
    crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
    crypto map MYMAP 10 set peer 2.2.2.2
    crypto map MYMAP 10 set transform-set MYSET
    crypto map MYMAP interface OUTSIDE
    crypto isakmp enable OUTSIDE
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key *
    prompt hostname context

    VPN_ROUTER:

    VPN_ROUTER(config)#do sh run
    Building configuration...

    Current configuration : 3386 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname VPN_ROUTER
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    memory-size iomem 5
    ip cef
    !
    no ip domain lookup
    ip domain name lab.local
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    multilink bundle-name authenticated
    !
    archive
     log config
      hidekeys
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key cisco address 1.1.1.1 255.255.255.252
    !
    crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
    !
    crypto map MYMAP 10 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set MYSET
     match address TO_ENCRYPT_TRAFFIC
    !
    interface FastEthernet0/0
     ip address 2.2.2.2 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map MYMAP
    !
    interface FastEthernet0/1
     ip address 172.21.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 2.2.2.1
    ip route 172.21.1.0 255.255.255.0 2.2.2.1
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list NAT_IP interface FastEthernet0/0 overload
    !
    ip access-list extended NAT_IP
     deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 172.21.1.0 0.0.0.255 any
    ip access-list extended TO_ENCRYPT_TRAFFIC
     permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255

    ISP_ROUTER:

    ISP_ROUTER(config)#do sh run
    interface FastEthernet0/0
     ip address 1.1.1.2 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 2.2.2.1 255.255.255.0
     duplex auto
     speed auto

    LAN_1:

    LAN_1(config)#do sh run
    !
    interface FastEthernet0/0
     ip address 192.168.1.10 255.255.255.0
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 192.168.1.1

    LAN_2:

    LAN_2(config)#do sh run
    !
    interface FastEthernet0/0
     ip address 172.21.1.10 255.255.255.0
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 172.21.1.1

    PIX(config)# sh cry isa sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 2.2.2.2
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    PIX(config)# sh cry ips sa
    interface: OUTSIDE
        Crypto map tag: MYMAP, seq num: 10, local addr: 1.1.1.1

          access-list TO_ENCRYPT_TRAFFIC permit ip 192.168.1.0 255.255.255.0 172.21.1.0 255.255.255.0
          local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (172.21.1.0/255.255.255.0/0/0)
          current_peer: 2.2.2.2

          #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
          #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    VPN_ROUTER(config)#do sh cry isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    2.2.2.2         1.1.1.1         QM_IDLE           1001    0 ACTIVE

    IPv6 Crypto ISAKMP SA

    interface: FastEthernet0/0
        Crypto map tag: MYMAP, local addr 2.2.2.2

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.21.1.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
       current_peer 1.1.1.1 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

    HTH

    Good luck!
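The working lab above shows what the two outputs qqabdal asked for look like when the tunnel is up, and the earlier posts show the failing case ("There are no isakmp sas"). The following is an added example, not code from the thread, from Cisco or from INE: a small parser that reads `show crypto isakmp sa` in both the PIX/ASA 7.x format and the IOS table format, reads the `#pkts encaps/decaps` counters from `show crypto ipsec sa`, and turns them into the phase-1/phase-2 verdict the thread was trying to reach by hand. The sample outputs are constructed from the ones posted here; the function names and the verdict strings are this example's own.

```python
"""Classify where a site-to-site IPsec tunnel stands from 'show' output.

Added example (not from the thread, Cisco or INE). phase1_state() understands
the PIX/ASA 7.x block format ('IKE Peer: ... State : MM_ACTIVE') and the IOS
one-line-per-SA table ('dst src state conn-id slot status'); ipsec_counters()
reads the encaps/decaps counters; diagnose() combines the two.
"""
import re

# Phase 1 states that mean the IKE SA is fully established (ASA and IOS names).
ESTABLISHED = {"MM_ACTIVE", "QM_IDLE"}


def phase1_state(isakmp_sa_output, peer):
    """Return the IKE SA state towards `peer`, or None when no SA exists at all
    (the 'There are no isakmp sas' case from the thread)."""
    # PIX/ASA 7.x: a block 'IKE Peer: <ip>' followed a few lines later by 'State : <state>'
    m = re.search(r"IKE Peer:\s*" + re.escape(peer) + r".*?State\s*:\s*(\S+)",
                  isakmp_sa_output, re.S)
    if m:
        return m.group(1)
    # IOS: '<dst> <src> <state> <conn-id> <slot> <status>'; the peer is dst or src
    for line in isakmp_sa_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and peer in parts[:2]:
            return parts[2]
    return None


def ipsec_counters(ipsec_sa_output):
    """Return (encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", ipsec_sa_output)
    dec = re.search(r"#pkts decaps:\s*(\d+)", ipsec_sa_output)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)


def diagnose(isakmp_sa_output, ipsec_sa_output, peer):
    """One-line verdict: which phase is the tunnel stuck in, if any."""
    state = phase1_state(isakmp_sa_output, peer)
    if state is None:
        # Nothing ever triggered IKE: the traffic is not hitting the crypto ACL
        # (in the thread, pings sourced from the device's own outside address).
        return "no IKE SA: nothing matched the crypto ACL, so IKE was never started"
    if state not in ESTABLISHED:
        return (f"phase 1 incomplete ({state}): check peer reachability on UDP/500, "
                "the pre-shared key and matching ISAKMP policies")
    encaps, decaps = ipsec_counters(ipsec_sa_output)
    if encaps == 0 and decaps == 0:
        return "phase 1 up but no IPsec packets: traffic is not matching the crypto ACL"
    if decaps == 0:
        return ("encrypting but nothing comes back: check the remote crypto ACL mirror "
                "and the remote NAT exemption")
    return f"tunnel passing traffic ({encaps} encrypted, {decaps} decrypted)"


# --- sample outputs, constructed from the ones posted in this thread ----------------
PIX_NO_SA = "There are no isakmp sas\n"
PIX_SA_UP = """   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""
IOS_SA_UP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
2.2.2.2         1.1.1.1         QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""
IPSEC_SA_UP = """      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""
# constructed one-way case: we encrypt, the far end never answers through the tunnel
IPSEC_SA_ONEWAY = """      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    print("PIX, before fix :", diagnose(PIX_NO_SA, "", "2.2.2.2"))
    print("PIX, lab        :", diagnose(PIX_SA_UP, IPSEC_SA_UP, "2.2.2.2"))
    print("router, one-way :", diagnose(IOS_SA_UP, IPSEC_SA_ONEWAY, "1.1.1.1"))
```

Paste the real output of the two `show` commands into the two string arguments; the peer address is the one in `set peer` on the device whose output you are reading.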

  • @qabdal,

    We have the same configuration; I just couldn't figure out why it won't work on my end. Here's my PIX and router config. I also tried to ping from my ISP router to the other end's ISP router, and it's successful:

    PIX# sh run
    : Saved
    :
    PIX Version 7.2(2)
    !
    hostname PIX
    domain-name aida.com
    enable password 2KFQnbNIdI.2KYOU encrypted
    names
    name 172.21.1.0 network2 description n2
    !
    interface Ethernet0
     speed 100
     duplex full
     nameif OUTSIDE
     security-level 0
     ip address 1.1.1.1 255.255.255.252
    !
    interface Ethernet1
     nameif INSIDE
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name aida.com
    access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
    pager lines 24
    mtu OUTSIDE 1500
    mtu INSIDE 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 interface
    nat (INSIDE) 0 access-list nonat
    nat (INSIDE) 1 192.168.1.0 255.255.255.0
    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    username mark password MwHKvxGV7kdXuSQG encrypted
    http server enable
    http 192.168.1.3 255.255.255.255 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
    crypto map MYMAP 10 set peer 2.2.2.2
    crypto map MYMAP 10 set transform-set MYSET
    crypto map MYMAP interface OUTSIDE
    crypto isakmp enable OUTSIDE
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key *
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    !
    prompt hostname context
    Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
    : end

     

    ROUTER:

    R9#sh run
    Building configuration...

    Current configuration : 3313 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R9
    !
    boot-start-marker
    boot-end-marker
    !
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization config-commands
    aaa authorization exec default local
    !
    aaa session-id common
    !
    resource policy
    !
    memory-size iomem 5
    ip cef
    !
    !
    !
    !
    no ip domain lookup
    ip domain name aida.com
    ip ssh version 2
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto pki trustpoint TP-self-signed-998521732
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-998521732
     revocation-check none
     rsakeypair TP-self-signed-998521732
    !
    !
    crypto pki certificate chain TP-self-signed-998521732
     A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
      A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
      9EE305FF 63
      quit
    username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key cisco address 1.1.1.1 255.255.255.252
    !
    !
    crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
    !
    crypto map MYMAP 10 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set MYSET
     match address TO_ENCRYPT_TRAFFIC
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address 2.2.2.2 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map MYMAP
    !
    interface FastEthernet0/1
     ip address 172.21.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    ip route 0.0.0.0 0.0.0.0 2.2.2.1
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list NAT_IP interface FastEthernet0/0 overload
    !
    ip access-list extended NAT_IP
     deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 172.21.1.0 0.0.0.255 any
    ip access-list extended TO_ENCRYPT_TRAFFIC
     permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     transport input ssh
    !
    !
    end

     

  • Hi,

    Right. I would recommend the following set of tests to be performed.

    On the PIX:

    - Enable debug crypto isakmp 10

    - Ping a host in the 172.21.1.x network sourcing the ping from 192.168.1.x network

    - You MUST see messages from the debug on the PIX, as there will be interesting traffic triggering the tunnel formation (post that output for me)

    On the Router:

    - Enable debug crypto isakmp

    - Ping a host in the 192.168.1.x network sourcing the ping from 172.21.1.x network

    - You will see debug messages on the router due to the interesting traffic sent (post that output for me)

    Thanks!

  • Hello qqabdal,

    YES FINALLY! IT WORKS NOW... THANKS A LOT BRO!

    The configuration actually works as you said. My mistake was that I pinged from the router/PIX, so the source IP did not originate on the local network behind either device (PIX/ROUTER). I attached a PC on both ends and pinged each end.

    Mark

  • That makes a lot of sense, if you don't source the traffic correctly, the traffic does not match your ACL, you don't have interesting traffic and consequently IPSec is not triggered.

    Glad to hear that it is working now!

    Take care!
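The thread resolves on three points: the crypto ACLs on the two peers must mirror each other, the PIX needs a `nat 0` exemption covering the same flows, and traffic only triggers the tunnel when its source and destination fall inside the crypto ACL (a ping issued on the PIX itself leaves with the OUTSIDE address as source and never matches). The following is an added example, not code from the thread, from Cisco or from INE: it parses the ACL lines posted above in both dialects (PIX/ASA subnet masks, IOS wildcard masks, with the PIX `name` object resolved) and runs those three checks, so the same mistakes can be caught from the config text before touching the devices. The ACL strings are constructed from the configs in this thread; the helper names are this example's own.

```python
"""Static checks for the PIX <-> IOS site-to-site setup discussed in this thread.

Added example (not from the thread, Cisco or INE). Parses 'permit|deny ip SRC DST'
entries from PIX/ASA ACLs (subnet masks) and IOS named ACLs (wildcard masks) and
checks the three pitfalls the replies identified.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _endpoint(tokens, i, wildcard):
    """Consume one ACL endpoint ('any', 'host A' or 'A MASK') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:  # IOS wildcard 0.0.0.255 -> subnet mask 255.255.255.0
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text, names=None):
    """Lines starting with 'access-list' are PIX/ASA style (subnet masks); bare
    permit/deny lines are the body of an IOS named ACL (wildcard masks).
    `names` resolves PIX object names, e.g. {'network2': '172.21.1.0'}."""
    names = names or {}
    rules = []
    for raw in text.splitlines():
        tokens = [names.get(t, t) for t in raw.split()]
        if not tokens or not re.search(r"\b(permit|deny)\b", raw):
            continue
        wildcard = tokens[0] != "access-list"
        i = next(k for k, t in enumerate(tokens) if t in ("permit", "deny"))
        if tokens[i + 1] != "ip":  # only protocol 'ip' entries are modelled here
            continue
        src, j = _endpoint(tokens, i + 2, wildcard)
        dst, _ = _endpoint(tokens, j, wildcard)
        rules.append(Rule(tokens[i], src, dst))
    return rules


def permits(rules, src, dst):
    """First match wins, as on the device; the implicit deny drops everything else."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action == "permit"
    return False


def is_mirror(local, remote):
    """Phase 2 proxy identities must agree: every permit on one peer must be the
    exact src/dst swap of a permit on the other."""
    mine = {(r.src, r.dst) for r in local if r.action == "permit"}
    theirs = {(r.dst, r.src) for r in remote if r.action == "permit"}
    return mine == theirs


def nat_exempt_covers(nonat, crypto):
    """Every flow the crypto ACL would encrypt must be matched by the nat 0 ACL;
    otherwise the PIX PATs the source to its outside address first, the packet no
    longer matches the crypto ACL, and it leaves in the clear."""
    return all(any(c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst)
                   for n in nonat if n.action == "permit")
               for c in crypto if c.action == "permit")


# --- constructed from the configs posted in this thread ---------------------------
PIX_NAMES = {"network2": "172.21.1.0"}
PIX_CRYPTO = "access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0"
PIX_NONAT = "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0"
IOS_CRYPTO = "ip access-list extended TO_ENCRYPT_TRAFFIC\n permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255"
IOS_NAT = ("ip access-list extended NAT_IP\n deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
           " permit ip 172.21.1.0 0.0.0.255 any")


def review(pix_crypto=PIX_CRYPTO, pix_nonat=PIX_NONAT, ios_crypto=IOS_CRYPTO):
    """Run the three checks; pass pix_nonat='' to see the original post's state."""
    pc = parse_acl(pix_crypto, PIX_NAMES)
    pn = parse_acl(pix_nonat, PIX_NAMES)
    ic = parse_acl(ios_crypto)
    return {
        "crypto_acls_mirror": is_mirror(pc, ic),
        "pix_nat_exempt_ok": nat_exempt_covers(pn, pc),
        # ping issued on the PIX itself: source is the OUTSIDE address 1.1.1.1
        "pix_self_ping_matches_crypto_acl": permits(pc, "1.1.1.1", "172.21.1.10"),
        # ping from LAN_1 (192.168.1.10) to LAN_2 (172.21.1.10), as in the working lab
        "lan_ping_matches_crypto_acl": permits(pc, "192.168.1.10", "172.21.1.10"),
    }


if __name__ == "__main__":
    for check, result in review().items():
        print(f"{check:34s} {result}")
```

With the thread's final configs every check comes back as expected: the ACLs mirror, the exemption covers the crypto ACL, the LAN-sourced ping is interesting traffic and the device-sourced one is not; `review(pix_nonat="")` reproduces the missing `nat 0` of the first post.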
