06.30.2008 at 08:07AM PDT, ID: 23527135
Solution rating: 8.8

VPN tunneling issues

Asked by graveldog in IPSec Security Protocol, Virtual Private Networking (VPN), Cisco PIX Firewall


Hi there, this is my first question I have listed here. I hope someone can assist me in resolving my issue.

I am attempting to establish a VPN tunnel from a Cisco 515 DMZ interface over a 10 Mbps leased line
to another business on whose network we have staff sitting at one of their locations; the remote end device is a Cisco PIX 501. The link also provides access to servers located within the other business;
the VPN tunnel is a new requirement.
Below I have pasted the current configs, show ver, show crypto isakmp sa and debug crypto isakmp outputs from both the 515 and the 501.

Cisco PIX 515 details as follows:


PIX-515# sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst             src          state       pending    created
      172.17.2.1    172.23.64.250    QM_IDLE         0           1


PIX-515# sh ver

Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.1(1)

Compiled on Fri 07-Jun-02 17:49 by morlee

PIX-515 up 43 days 5 hours

Hardware:   PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

Encryption hardware device : IRE2141 with 0KB, HW:1.0, CGXROM:1.9, FW:6.5
0: ethernet0: address is 0003.e300.5006, irq 11
1: ethernet1: address is 0003.e300.5007, irq 10
2: ethernet2: address is 00e0.b604.2045, irq 7
3: ethernet3: address is 00e0.b604.2044, irq 7
4: ethernet4: address is 00e0.b604.2043, irq 7
5: ethernet5: address is 00e0.b604.2042, irq 7
Licensed Features:
Failover:           Enabled
VPN-DES:            Enabled
VPN-3DES:           Enabled
Maximum Interfaces: 6
Cut-through Proxy:  Enabled
Guards:             Enabled
URL-filtering:      Enabled
Inside Hosts:       Unlimited
Throughput:         Unlimited
IKE peers:          Unlimited

Serial Number: 481020031 (0x1cabc87f)
Running Activation Key: 0xce5fe2ab 0xa1eb14bf 0x9199120a 0x4e1b9ea0
Configuration last modified by enable_15 at 15:51:34.492 GMT/BDT Mon Jun 30 2008


PIX-515# wr t
PIX Version 6.2(2)
nameif ethernet5 WMDC security25
access-list WMDC-ACL permit icmp object-group WMDC-Web-Servers any echo
access-list WMDC-ACL permit icmp object-group WMDC-Web-Servers any echo-reply
access-list WMDC-ACL permit ip 192.168.60.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list WMDC-ACL permit ip any 192.168.60.0 255.255.255.0
access-list WMDC-ACL permit ip any 192.168.0.0 255.255.0.0
access-list WMDC_cryptomap_dyn_20 permit ip any 192.168.60.0 255.255.255.0
interface ethernet5 10full
mtu WMDC 1500
ip address WMDC 172.17.2.1 255.255.255.0
global (WMDC) 1 interface
access-group WMDC-ACL in interface WMDC
route WMDC 172.23.64.0 255.255.255.0 172.17.2.100 1
route WMDC 192.168.60.0 255.255.255.0 172.17.2.1 1
crypto ipsec transform-set WMDC_tset_1 esp-3des esp-md5-hmac
crypto dynamic-map WMDC_dyn_map 20 set transform-set WMDC_tset_1
crypto map WMDC_map 65535 ipsec-isakmp dynamic WMDC_dyn_map
crypto map WMDC_map client configuration address initiate
crypto map WMDC_map client configuration address respond
crypto map WMDC_map interface WMDC
isakmp enable WMDC
isakmp identity address
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup WMDC split-tunnel WMDC-ACL
vpngroup WMDC idle-time 1800
vpngroup WMDC password w@kefield
vpngroup split-tunnel idle-time 1800
username outwood password 0utw00d

debug crypto isakmp output from the Cisco 515:


crypto_isakmp_process_block: src 172.23.64.250, dest 172.17.2.1
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 3049804711
ISAMKP (0): received DPD_R_U_THERE from peer 172.23.64.250
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS


Cisco PIX 501 details as follows:


501-PIX# sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
      172.17.2.1    172.23.64.250    QM_IDLE         0           0


501-PIX# debug crypto isakmp
ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:172.17.2.1, dest:172.23.64.250 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36137 protocol 1
        spi 0, message ID = 319150175
ISAMKP (0): received DPD_R_U_THERE_ACK f
return status is IKMP_NO_ERR_NO_TRANS

501-PIX# wr t
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 172.23.64.250 255.2
ip address inside 192.168.60.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.136.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 172.23.64.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.199.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp nat-traversal 20
vpngroup WMDC idle-time 1800
vpngroup WMDC password w@kefield
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.60.2-192.168.60.14 inside
dhcpd dns 192.168.32.22 192.168.32.21
dhcpd wins 192.168.197.106 10.200.10.24
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain xswyt.nhs.uk
dhcpd auto_config outside
dhcpd enable inside
vpnclient server 172.17.2.1
vpnclient mode network-extension-mode
vpnclient vpngroup WMDC password  w@kefield
vpnclient username outwood password 0utw00d
vpnclient management tunnel 192.168.136.0 255.255.255.0
vpnclient enable
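Editorial note with an added example; this is not code from the question or from the answers below. The script reads the configs and the "show crypto isakmp sa" output posted above and reports only what those texts establish: the ISAKMP state on the 515 (QM_IDLE means the phase 1 SA is established; the "pending" and "created" columns count quick-mode negotiations in progress and IPsec SAs created under that SA, as documented for PIX 6.x), whether the Easy VPN group name and password on the server's "vpngroup" lines match the client's "vpnclient" lines, which side's config shows "isakmp nat-traversal", and, separately from the tunnel problem, the cleartext group and user passwords and the default SNMP community string that went into the post (rotate them after posting). The sample strings are excerpts copied from the page; the "weak" flags reflect current practice (3DES, MD5 and DH group 2 are deprecated today) and are not a diagnosis of the fault. The 515 config shown is an excerpt, so "not shown" means exactly that.

```python
import re

# Constructed sample input: excerpts copied from the configs and the
# 'show crypto isakmp sa' output posted in the question above.
ISAKMP_SA_515 = """\
Total     : 1
Embryonic : 0
        dst             src          state       pending    created
      172.17.2.1    172.23.64.250    QM_IDLE         0           1
"""

PIX515_CFG = """\
crypto ipsec transform-set WMDC_tset_1 esp-3des esp-md5-hmac
crypto dynamic-map WMDC_dyn_map 20 set transform-set WMDC_tset_1
crypto map WMDC_map 65535 ipsec-isakmp dynamic WMDC_dyn_map
isakmp enable WMDC
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup WMDC split-tunnel WMDC-ACL
vpngroup WMDC idle-time 1800
vpngroup WMDC password w@kefield
username outwood password 0utw00d
"""

PIX501_CFG = """\
snmp-server community public
isakmp nat-traversal 20
vpnclient server 172.17.2.1
vpnclient mode network-extension-mode
vpnclient vpngroup WMDC password  w@kefield
vpnclient username outwood password 0utw00d
vpnclient enable
"""

# One data row of 'show crypto isakmp sa' on PIX 6.x: dst src state pending created
SA_ROW = re.compile(
    r"^\s*(?P<dst>\d+(?:\.\d+){3})\s+(?P<src>\d+(?:\.\d+){3})\s+"
    r"(?P<state>\S+)\s+(?P<pending>\d+)\s+(?P<created>\d+)\s*$")


def parse_isakmp_sa(text):
    """Return the SA rows of 'show crypto isakmp sa' as dicts (header lines skipped)."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            d = m.groupdict()
            d["pending"] = int(d["pending"])
            d["created"] = int(d["created"])
            rows.append(d)
    return rows


def isakmp_policies(cfg):
    """{priority: {'authentication': ..., 'encryption': ..., 'hash': ..., 'group': ...}}"""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)\s*$", cfg, re.M):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies


def server_group(cfg):
    """(group name, password) from the Easy VPN server's 'vpngroup ... password' line."""
    m = re.search(r"^vpngroup (\S+) password (\S+)\s*$", cfg, re.M)
    return (m.group(1), m.group(2)) if m else None


def client_group(cfg):
    """(group name, password) from the hardware client's 'vpnclient vpngroup' line."""
    m = re.search(r"^vpnclient vpngroup (\S+) password\s+(\S+)\s*$", cfg, re.M)
    return (m.group(1), m.group(2)) if m else None


# Deprecated by current practice; they were ordinary choices when this was posted.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def audit(server_cfg, client_cfg, sa_text):
    """Return a list of findings (strings) about the two configs and the SA table."""
    findings = []
    rows = parse_isakmp_sa(sa_text)
    for r in rows:
        if r["state"] == "QM_IDLE":
            findings.append(f"phase 1 up with {r['src']}: QM_IDLE, "
                            f"{r['created']} IPsec SA(s) created, {r['pending']} pending")
        else:
            findings.append(f"phase 1 not complete with {r['src']}: {r['state']}")
    if not rows:
        findings.append("no ISAKMP SA present")
    if server_group(server_cfg) != client_group(client_cfg):
        findings.append("vpngroup name/password mismatch between server and client")
    for prio, p in isakmp_policies(server_cfg).items():
        for attr, weak_vals in WEAK.items():
            if p.get(attr) in weak_vals:
                findings.append(f"isakmp policy {prio}: weak {attr} {p[attr]}")
    sides = (("server", server_cfg), ("client", client_cfg))
    for name, cfg in sides:
        if re.search(r"^\S.*password\s+\S+", cfg, re.M):
            findings.append(f"{name}: cleartext secrets in posted config; rotate them")
        if re.search(r"^snmp-server community (public|private)\s*$", cfg, re.M):
            findings.append(f"{name}: default SNMP community string")
    natt = [name for name, cfg in sides if re.search(r"^isakmp nat-traversal", cfg, re.M)]
    if len(natt) == 1:
        findings.append(f"isakmp nat-traversal shown only on {natt[0]}")
    return findings


if __name__ == "__main__":
    for finding in audit(PIX515_CFG, PIX501_CFG, ISAKMP_SA_515):
        print(finding)
```

Run it as-is against the embedded excerpts, or paste the full output of "show crypto isakmp sa" and "write terminal" from both boxes into the three strings; the same parser works for the 501's table, where the "created" column can be compared with the 515's.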

Thread comments (bodies not shown; an Experts Exchange subscription is required to view them):

06.30.2008 at 10:12AM PDT, ID: 21901034 - Expert Comment
07.01.2008 at 12:46AM PDT, ID: 21905600 - Author Comment
07.01.2008 at 04:25AM PDT, ID: 21906512 - Expert Comment
07.01.2008 at 04:35AM PDT, ID: 21906552 - Author Comment
07.09.2008 at 01:48AM PDT, ID: 21961563 - Author Comment
07.09.2008 at 05:15AM PDT, ID: 21962681 - Solution


About this solution

Zones: IPSec Security Protocol, Virtual Private Networking (VPN), Cisco PIX Firewall
Tags: Cisco, PIX, 515, VPN tunneling
Solution Provided By: Voltz-dk
Participating Experts: 1
Solution Grade: A
 
 
07.09.2008 at 06:11AM PDT, ID: 21963163 - Author Comment
07.09.2008 at 06:45AM PDT, ID: 21963464 - Expert Comment