bigdogg2

Issues with Cisco 871 tunnel with Pix515e

The tunnel is up between my Cisco 871 and my PIX 515e, but I can't ping through the tunnel on either side :-\ I moved my 871 to the outside of my firewall in a testing lab scenario; the tunnel builds, but I can't ping from either side. More than likely this is a NAT issue on my PIX, but I can't find out what the issue is through my debug sessions.

I also want to keep Vlan1 up on my Cisco 871 even though I have nothing plugged into it. I can't even ping Vlan1 on the Cisco 871 because the protocol layer is down.

--------------------------------------
pix515(config)# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 192.168.10.50
Index        : 101                    IP Addr      : 10.44.44.0
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 127000                 Bytes Rx     : 1400
Login Time   : 19:23:38 UTC Fri Jun 26 2009
Duration     : 0h:06m:34s
--------------------------------------
pix515(config)# ping 10.44.44.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.44.44.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
--------------------------------------
871w-rtr#ping 10.35.1.5 source 10.44.44.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.35.1.5, timeout is 2 seconds:
Packet sent with a source address of 10.44.44.2
.....
Success rate is 0 percent (0/5)
-----------------------------
Pix

pix515(config)# sh run nat
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

pix515(config)# sh access-list nonat
access-list nonat; 5 elements
access-list nonat line 1 extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0 (hitcnt=0) 0x33ce6f2d

static (inside,DMZ) 10.44.44.0 10.44.44.0 netmask 255.255.255.0

crypto map cmap-vpncient 1 match address outside_cryptomap
crypto map cmap-vpncient 1 set peer 192.168.10.50
crypto map cmap-vpncient 1 set transform-set ESP-3DES-MD5
-----------------------------
871

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key ******** address 192.168.10.20
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map IPSec 1 ipsec-isakmp
 set peer 192.168.10.20
 set transform-set myset
 match address tunnel
!
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.10.20
 set security-association idle-time 300
 set transform-set myset
 match address tunnel
!
interface FastEthernet4
 ip address 192.168.10.50 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPSec
!
interface Vlan1
 description Users
 ip address 10.44.44.2 255.255.255.0
 ip tcp adjust-mss 1452
!
!
-----------------------------
871w-rtr#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              192.168.10.50   YES manual up                    up
Dot11Radio0                unassigned      YES NVRAM  administratively down down
Vlan1                      10.44.44.2      YES manual up                    down
-----------------------------
871w-rtr#ping 10.35.1.5 source 10.44.44.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.35.1.5, timeout is 2 seconds:
Packet sent with a source address of 10.44.44.2
.....
Success rate is 0 percent (0/5)
-----------------------------
871w-rtr#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.10.20   192.168.10.50   QM_IDLE           2056    0 ACTIVE

IPv6 Crypto ISAKMP SA

871w-rtr#
-----------------------------
Mash_man1

You should not ping from the VPN devices, as they will use the source address which is closest to the destination according to the route table, which usually is not in the crypto domain.
bigdogg2

But I'm sourcing my ping from my inside Vlan1:

ping 10.35.1.5 source 10.44.44.2

This should work.
mash_man2

But we cannot see that that is true for the PIX. What is the 10.235.1.5 node? I hope this is not the PIX interface, as it will answer from another interface. And if it is not the PIX, are you sure it knows the route back to 10.44.44.2, and does the PIX have this route?

Maybe a full config will clarify more.
elnino

There's not enough in the original post to troubleshoot (especially the PIX portion). Please post full configs minus passwords and external IP addresses.

Thanks
bigdogg2

I guess I should have scrubbed the config before and posted it :\

-----
pix515# sh run
: Saved
:
PIX Version 8.0(3)
!
hostname pix515
domain-name test.local
enable password ************ encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.10.20 255.255.255.0
!
interface Ethernet1
 description Inside Trunk
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.45.45.2 255.255.255.248
!
interface Ethernet2
 description DMZ Trunk
 no nameif
 no security-level
 no ip address
!
interface Ethernet2.50
 vlan 50
 nameif DMZ
 security-level 80
 ip address 192.168.1.1 255.255.255.0
!
passwd *********** encrypted
boot system flash:/pix803.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name test.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service dns tcp-udp
 description DNS Port Mapping
 port-object eq domain
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside-test extended permit ip any any log critical
access-list inside extended permit ip any any log
access-list nonat extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
access-list out extended deny icmp any any alternate-address
access-list out extended deny icmp any any router-advertisement
access-list out extended deny icmp any any router-solicitation
access-list out extended deny icmp any any timestamp-request
access-list out extended deny icmp any any timestamp-reply
access-list out extended deny icmp any any information-request
access-list out extended deny icmp any any information-reply
access-list out extended deny icmp any any mask-request
access-list out extended deny icmp any any mask-reply
access-list out extended deny icmp any any mobile-redirect
access-list out extended deny icmp any any echo
access-list out extended permit icmp any any
access-list out extended deny ip any any log critical
access-list inside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
access-list dmz-in extended permit ip any any
access-list S2S-Split extended permit ip 10.100.100.0 255.255.255.0 10.35.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0
pager lines 14
logging enable
logging timestamp
logging list VPN-debug level debugging class vpn
logging buffer-size 50000
logging asdm-buffer-size 512
logging console debugging
logging monitor critical
logging buffered debugging
logging trap critical
logging asdm debugging
logging host inside 10.35.1.20
no logging message 305012
no logging message 305011
no logging message 305010
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool vpn-dhcp 10.35.254.50-10.35.254.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat-dmz
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,DMZ) 10.35.1.0 10.35.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.44.44.0 10.44.44.0 netmask 255.255.255.0
access-group out in interface outside
access-group dmz-in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
route inside 10.35.1.0 255.255.255.0 10.45.45.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server local protocol radius
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community **
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set xform-3des-md5 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set S2S esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map dcmap-vpnclient 1 set transform-set xform-3des-md5
crypto map cmap-vpncient 1 match address outside_cryptomap
crypto map cmap-vpncient 1 set peer 192.168.10.50
crypto map cmap-vpncient 1 set transform-set ESP-3DES-MD5 xform-3des-md5 ESP-DES-MD5
crypto map cmap-vpncient 65535 ipsec-isakmp dynamic dcmap-vpnclient
crypto map cmap-vpncient interface outside
crypto map SiteToSiteVPN 1 match address inside_cryptomap
crypto map SiteToSiteVPN 1 set peer 10.44.44.2
crypto map SiteToSiteVPN 1 set transform-set ESP-3DES-MD5 ESP-DES-MD5 xform-3des-md5
crypto map SiteToSiteVPN interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 2
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
password-storage disable
re-xauth disable
pfs disable
username **
tunnel-group 10.44.44.2 type ipsec-l2l
tunnel-group 10.44.44.2 ipsec-attributes
 pre-shared-key *
tunnel-group 192.168.10.50 type ipsec-l2l
tunnel-group 192.168.10.50 ipsec-attributes
 pre-shared-key *
!
class-map voip
 description High Priority = voip
 match dscp ef
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect http
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect sip
  inspect xdmcp
policy-map general
 class voip
  priority
!
service-policy global_policy global
service-policy general interface outside
prompt hostname context
Cryptochecksum:a333040ff1f2a173d40122e0d5ab4de9
: end
pix515#
bigdogg2

871 Config

871w-rtr#sh run
Building configuration...

Current configuration : 4168 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 871w-rtr
!
boot-start-marker
boot-end-marker
!
logging buffered 20000
enable password ************
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization template
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3262587873
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3262587873
 revocation-check none
 rsakeypair TP-self-signed-3262587873
!
!
crypto pki certificate chain TP-self-signed-3262587873
 certificate self-signed 01
  *******************************************************
  quit
dot11 syslog
ip cef
ip dhcp excluded-address 10.10.10.1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name local.test.local
!
!
!
username ***********
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key ************* address 192.168.10.20
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
crypto map IPSec 1 ipsec-isakmp
 set peer 192.168.10.20
 set transform-set myset
 match address tunnel
!
crypto map testmap 10 ipsec-isakmp
 set peer 192.168.10.20
 set security-association idle-time 300
 set transform-set myset
 match address tunnel
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 192.168.10.50 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPSec
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description test user
 ip address 10.44.44.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.20
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended tunnel
 permit ip 10.44.44.0 0.0.0.255 10.35.1.0 0.0.0.255
!
no cdp run
!
!
!
control-plane
!
banner motd ^C
******************************************
* Unauthorized access prohibited
******************************************
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end

871w-rtr#
nfx

crypto map SiteToSiteVPN 1 match address inside_cryptomap
crypto map SiteToSiteVPN 1 set peer 10.44.44.2
crypto map SiteToSiteVPN 1 set transform-set ESP-3DES-MD5 ESP-DES-MD5 xform-3des-md5
crypto map SiteToSiteVPN interface inside

Is this the crypto map you're using for the site-to-site VPN?

If so, the ACL it's matching, inside_cryptomap, only allows IP traffic.

This is the ACL it's matching:

access-list inside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

You need to add ICMP to that ACL.

edit: Same for the 871 config, you need to add ICMP to the ACL called "tunnel".

-- nfx
bigdogg2

When you do a "permit ip" you are permitting everything over the protocol stack, which would include TCP, UDP and ICMP.

I did fix the issue by removing "ip nat inside" on "int vlan1" and removing "ip nat outside" from "int f4". Since Vlan1 was not coming up, I added my loopback IP into the tunnel ACL, and then I was able to ping and telnet to ports on both sides of the crypto tunnel.
nfx

You're right. I had to go back and review CCNA material to realize this. Thanks.

-- nfx
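A small Python check of the crypto-ACL points raised in this thread, added here as an example (it is not code from the thread or from Cisco): it encodes the 871's "tunnel" ACL and the PIX's "outside_cryptomap" and "nonat" ACLs exactly as posted, tests whether a ping from a given source address would be selected for the tunnel, verifies that the two peers' ACLs are mirror images and that the PIX NAT exemption covers the same flows, and shows that "permit ip" already covers ICMP. The Ace class and the helper names are assumptions of this example, not Cisco commands.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One permit entry of a crypto or NAT-exemption ACL (example's own type, not a Cisco object)."""
    proto: str  # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def ios_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS notation: 10.44.44.0 0.0.0.255 -> 10.44.44.0/24 (only a contiguous wildcard is a subnet)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a subnet")
    netmask = str(ipaddress.IPv4Address(~wc & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, netmask), strict=False)

def pix_net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """PIX/ASA notation: 10.35.1.0 255.255.255.0 -> 10.35.1.0/24."""
    return ipaddress.IPv4Network((addr, mask), strict=False)

def matches(acl: list, proto: str, src: str, dst: str) -> bool:
    """True if any entry permits the flow; 'permit ip' covers every IP protocol, ICMP included."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(a.proto in ("ip", proto) and s in a.src and d in a.dst for a in acl)

def is_mirror(local: list, remote: list) -> bool:
    """Each entry on one peer must appear with source and destination swapped on the other."""
    flipped = {(a.proto, a.dst, a.src) for a in remote}
    return {(a.proto, a.src, a.dst) for a in local} == flipped

def nat_exempt_covers_crypto(nonat: list, crypto: list) -> bool:
    """On the PIX, 'nat (inside) 0 access-list nonat' must cover every subnet pair the crypto ACL selects."""
    return all(any(c.proto in ("ip", a.proto) or a.proto == c.proto
                   for a in nonat if c.src.subnet_of(a.src) and c.dst.subnet_of(a.dst))
               for c in crypto)

# The ACLs as posted in the thread (871 "tunnel"; PIX "outside_cryptomap" and "nonat")
TUNNEL_871 = [Ace("ip", ios_net("10.44.44.0", "0.0.0.255"), ios_net("10.35.1.0", "0.0.0.255"))]
OUTSIDE_CRYPTOMAP_PIX = [Ace("ip", pix_net("10.35.1.0", "255.255.255.0"), pix_net("10.44.44.0", "255.255.255.0"))]
NONAT_PIX = [Ace("ip", pix_net("10.35.1.0", "255.255.255.0"), pix_net("10.44.44.0", "255.255.255.0"))]

def ping_enters_tunnel(src: str, dst: str, tunnel_acl: list = TUNNEL_871) -> bool:
    """Would an ICMP echo from src to dst be selected by the 871's crypto map (match address tunnel)?"""
    return matches(tunnel_acl, "icmp", src, dst)
```

A ping sourced from the Vlan1 address matches; one sourced from the FastEthernet4 address (what the router picks by default, as Mash_man1 notes) does not, and neither does the loopback until an entry for it is added to the tunnel ACL as the original poster did.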