Re: Fwd: dsl and pix

From: john matijevic (john.matijevic@gmail.com)
Date: Thu Apr 14 2005 - 14:22:48 GMT-3


Hello Guilherme,
Thanks again for your help. On another client that is working, it has an
identical config on the key and the VPN is up; it has the same "no-xauth"
and "no config-mode" that I am trying to configure, and the server does not
have these options. Also, if there was a key negotiation failure, we would be
able to see that using debug crypto isakmp during the key exchange
phase of IPsec; I am not getting any IPsec debug output when I enable the
debugs. Thanks again for all of your efforts.
Sincerely,
john

 On 4/14/05, Guilherme Correia <razzolini80@hotmail.com> wrote:
>
> HI John,
>
> Additionally, add "no-xauth" and "no-config-mode" on the "isakmp key" on
> the server side.
> Check with "clear isakmp sa" and "debug crypto isakmp".
>
> HTH
> #13754
> =================
>
>
> Hello Guilherme and Team,
> The command is on the server:
> crypto ipsec transform-set usinstall esp-3des esp-md5-hmac
> I just didn't include it in the output, but it's there on the server.
> Thanks again Team.
> Sincerely,
> John Matijevic, CCIE #13254
>
> On 4/14/05, Guilherme Correia <razzolini80@hotmail.com> wrote:
> >
> > Hi John
> >
> > I don't see:
> >
> > crypto ipsec transform-set
> >
> > on your server side; make sure that it is the same as the client side.
> >
> > ================================
> >
> > Hello Team,
> > I appreciate all of your help on this one. Here is an update on the
> > particular issue I am having: I can ping from external address to other
> > external address; however, I can't seem to get to phase 1 of IPsec. I turn
> > on the debug for crypto and I see no output. I am attaching the configs
> > here for assistance. Also, on the client side there is a PIX with a DSL
> > connection; on the server side, there is a router on the outside with a T1
> > coming in and then a PIX firewall. Please feel free to call me if you need
> > any additional information.
> > Sincerely,
> > John Matijevic, CCIE #13254
> > Senior Network Engineer
> > U.S. Installation Group
> > 954-969-7160 extension 1147 office
> > 305-321-6232 cell
> > Client config:
> >
> > name 192.168.101.0 Server
> > access-list inside_outbound_nat0_acl permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
> >
> > access-list outside_cryptomap_20 permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
> >
> > access-list inside_access_in remark VPN access to Server
> > access-list inside_access_in permit ip 192.168.21.0 255.255.255.0 Server 255.255.255.0
> > access-list inside_access_in remark Block all Access
> > access-list inside_access_in deny ip 192.168.21.0 255.255.255.0 any
> >
> > global (outside) 1 interface
> > nat (inside) 0 access-list inside_outbound_nat0_acl
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > access-group inside_access_in in interface inside
> > route outside 0.0.0.0 0.0.0.0 68.213.219.250 1
> >
> > sysopt connection permit-ipsec
> > sysopt connection permit-pptp
> >
> > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> >
> > crypto map outside_map 20 ipsec-isakmp
> > crypto map outside_map 20 match address outside_cryptomap_20
> > crypto map outside_map 20 set peer 65.240.142.186
> > crypto map outside_map 20 set transform-set ESP-3DES-MD5
> >
> > crypto map outside_map interface outside
> > isakmp enable outside
> > isakmp key ******** address 65.240.142.186 netmask 255.255.255.255 no-xauth no-config-mode
> >
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption 3des
> > isakmp policy 20 hash md5
> > isakmp policy 20 group 2
> > isakmp policy 20 lifetime 86400
> >
> > Server Config:
> >
> > name 192.168.26.0 Client
> > name 68.213.219.250 Client_Public
> >
> > object-group network RemoteLocationsVPN
> > description These are the remote locations that VPN in to this network.
> > network-object Client 255.255.255.0
> >
> > access-list 10 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
> >
> > access-list 20 permit tcp host Client_Public host 65.240.142.187 eq www
> >
> > access-list 106 permit ip 192.168.101.0 255.255.255.0 Client 255.255.255.0
> >
> > ip address outside 65.240.142.186 255.255.255.248
> > ip address inside 192.168.101.1 255.255.255.0
> >
> > global (outside) 1 interface
> > global (outside) 4 65.240.142.189
> >
> > nat (inside) 0 access-list 10
> > nat (inside) 1 192.168.101.0 255.255.255.0 400 200
> >
> > access-group 20 in interface outside
> > access-group inside_access_in in interface inside
> > route outside 0.0.0.0 0.0.0.0 65.240.142.185 1
> >
> > sysopt connection permit-ipsec
> > sysopt connection permit-pptp
> >
> > crypto map corpvpn 106 ipsec-isakmp
> > crypto map corpvpn 106 match address 106
> > crypto map corpvpn 106 set peer Client_Public
> > crypto map corpvpn 106 set transform-set usinstall
> >
> > crypto map corpvpn interface outside
> > isakmp enable outside
> >
> > isakmp key ******** address Client_Public netmask 255.255.255.255
> >
> >
> > isakmp identity address
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption 3des
> > isakmp policy 10 hash md5
> > isakmp policy 10 group 2
> > isakmp policy 10 lifetime 86400
> >
> > ---------- Forwarded message ----------
> > From: john matijevic <john.matijevic@gmail.com>
> > Date: Apr 12, 2005 5:11 PM
> > Subject: dsl and pix
> > To: ccielab@groupstudy.com
> >
> > Hello Team,
> > I was wondering if anyone has come across using a dsl for internet in
> > corporate environment and have used the pix firewall for establishing a
> > vpn
> > network over the dsl network. Please contact me offline to discuss.
> > Sincerely,
> > John Matijevic
> > 305-321-6232
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
> --
> John Matijevic, CCIE #13254
> U.S. Installation Group
> Senior Network Engineer
> 954-969-7160 (office)
> 305-321-6232 (cell)
>
>

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
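An added consistency check, not from the thread or from Cisco: a short Python script that parses constructed excerpts modelled on the two PIX configs quoted above and reports the phase 1 / phase 2 mismatches a reviewer looks for first (crypto map peers, isakmp key binding, isakmp policy attributes, transform-set proposals). The client's outside address is an assumption taken from the server's Client_Public name entry, since the client config in the thread does not show it.

```python
import re

# Constructed excerpts modelled on the two PIX configs in the thread (name aliases resolved).
CLIENT_CFG = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 set peer 65.240.142.186
crypto map outside_map 20 set transform-set ESP-3DES-MD5
isakmp key ******** address 65.240.142.186 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""
SERVER_CFG = """
crypto ipsec transform-set usinstall esp-3des esp-md5-hmac
crypto map corpvpn 106 set peer 68.213.219.250
crypto map corpvpn 106 set transform-set usinstall
isakmp key ******** address 68.213.219.250 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
# Server outside address is in its config; the client's is assumed from the Client_Public entry.
CLIENT_ADDR, SERVER_ADDR = "68.213.219.250", "65.240.142.186"


def parse(cfg):
    """Extract the settings that must agree between two IKEv1/IPsec peers."""
    sets = dict(re.findall(r"crypto ipsec transform-set (\S+) (.+)", cfg))
    used = re.search(r"set transform-set (\S+)", cfg).group(1)
    return {
        "peer": re.search(r"set peer (\S+)", cfg).group(1),
        "key_addr": re.search(r"isakmp key \S+ address (\S+)", cfg).group(1),
        "proposal": frozenset(sets.get(used, "").split()),
        "policy": dict(re.findall(r"isakmp policy \d+ (\w+) (\S+)", cfg)),
    }


def check_pair(client_cfg, server_cfg, client_addr, server_addr):
    """Return the mismatches that would block phase 1 (ISAKMP) or phase 2 (IPsec)."""
    c, s = parse(client_cfg), parse(server_cfg)
    problems = []
    if c["peer"] != server_addr or s["peer"] != client_addr:
        problems.append("crypto map peers are not each other's outside address")
    if c["key_addr"] != c["peer"] or s["key_addr"] != s["peer"]:
        problems.append("isakmp key is not bound to the configured peer")
    problems += [f"isakmp policy {a} differs" for a in ("authentication", "encryption", "hash", "group")
                 if c["policy"].get(a) != s["policy"].get(a)]
    if c["proposal"] != s["proposal"]:
        problems.append("transform-set proposals differ")
    return problems
```

With the excerpts as quoted, the check returns an empty list, which matches the observation in the thread that the two sides look consistent; a mismatched hash or transform-set would be reported by name.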


This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:58 GMT-3