VPN Tunnel strange issue (aren't they all?)

By bk6662
Have two internet connections at home: a DSL and cable. Have 2 PIX-501s (one on each end) with a site-2-site IPSEC tunnel. Have both PIXs logging to a Linux machine on the cable end (192.168.1.201). Everything worked great until yesterday, when I started trying to allow outside access to a web server on the Linux box. After agonizing for about 4 hours, I never got that working, but in the process I somewhat broke the VPN connection. It's back up, but now I cannot ping from the DSL-end PIX to anything on the cable end (even though the tunnel is up). Hosts on that end can ping the cable end just fine, so it has to be in the PIX. But I didn't change anything on that config? The problem with this is that it can't reach the syslog server.

I've checked access-lists on both PIXs - don't see anything being dropped. I don't know how MTU size can suddenly be an issue (especially since pinging between hosts works fine, and the cable-end PIX can ping the other way just fine as well).

Here's what I think are the relevant config entries from each PIX:

DSL:
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 70.176.x.x
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key *** address 70.176.x.x netmask 255.255.255.0
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

And for the cable:
access-list outbound deny ip any host 216.163.137.68
access-list outbound permit ip any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside-entry permit tcp any host 192.168.1.201 eq www
access-list outside-entry permit tcp any host 192.168.1.201 eq https
access-list outside-entry permit tcp any host 192.168.1.201 eq ssh
access-list outside-entry permit tcp any host 192.168.1.201 eq ftp
ip address inside 192.168.1.199 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-entry in interface outside
access-group outbound in interface inside
route inside 11.0.0.0 255.0.0.0 192.168.1.200 1
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 75.171.44.40
crypto map bmw 1 set transform-set toyota
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 75.171.44.40 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

Sorry about the length - hopefully this is enough to provide an idea what is going on. (And if anybody sees why my Linux machine webserver isn't available please let me know what I'm missing there as well!)

Thank you in advance!
-BK

This conversation is currently closed to new comments.

38 total posts (Page 1 of 4)

All Answers


what's the rule about access lists? first match no others apply

by CG IT In reply to VPN Tunnel strange issue ...

so what's your first access list that would have a match?
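The question and this first reply both come down to the same mechanical check: which access-list entry does a given flow hit first? The following is an added worked example, not part of this thread and not anyone's posted code. It re-evaluates the access-lists from the two configs in the question the way a PIX does (first matching entry wins, implicit deny at the end) for a handful of candidate flows. The host addresses 192.168.0.15, 192.168.1.16 and 203.0.113.7 are made up for the example. One assumption is labelled in the code: that traffic the DSL PIX originates itself (its pings and its syslog toward 192.168.1.201) leaves via the outside interface and is sourced from 75.171.44.40, which is consistent with `logging host outside` and the pppoe default route in the posted config but is not something the thread states. The last two checks rely on a PIX 6.x fact: an ACL bound inbound on the outside interface is matched against the destination before the static translation, i.e. the mapped (outside interface) address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the access-list lines from the two configs posted in the question.
DSL_ACLS = """
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNAT permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
CABLE_ACLS = """
access-list outbound deny ip any host 216.163.137.68
access-list outbound permit ip any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside-entry permit tcp any host 192.168.1.201 eq www
access-list outside-entry permit tcp any host 192.168.1.201 eq https
access-list outside-entry permit tcp any host 192.168.1.201 eq ssh
access-list outside-entry permit tcp any host 192.168.1.201 eq ftp
"""

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "ftp": 21}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # only set for "eq <port>"


def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")


def parse_acls(text):
    """Group 'access-list NAME ...' lines into ordered lists of ACEs, keyed by NAME."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        name, action, proto, rest = tok[1], tok[2].lower(), tok[3].lower(), tok[4:]
        src, dst = _addr(rest), _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
    return acls


def evaluate(acl, src, dst, proto="ip", dport=None):
    """Return the action of the first matching ACE; PIX ACLs end in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny (implicit)"


def run_checks():
    dsl, cable = parse_acls(DSL_ACLS), parse_acls(CABLE_ACLS)
    crypto = lambda side, s, d: evaluate(side["101"], s, d) == "permit"
    return {
        # a LAN host behind the DSL PIX talking to the syslog server: tunnel traffic, NAT-exempt
        "dsl host -> syslog is crypto traffic": crypto(dsl, "192.168.0.15", "192.168.1.201"),
        "dsl host -> syslog is NAT-exempt": evaluate(dsl["NoNAT"], "192.168.0.15", "192.168.1.201") == "permit",
        # ASSUMPTION: the DSL PIX's own pings/syslog leave via outside, sourced from 75.171.44.40
        "dsl PIX (outside addr) -> syslog is crypto traffic": crypto(dsl, "75.171.44.40", "192.168.1.201"),
        "dsl PIX (inside addr) -> syslog is crypto traffic": crypto(dsl, "192.168.0.2", "192.168.1.201"),
        # the 'outbound' ACL on the cable side: first match wins
        "cable LAN -> 216.163.137.68": evaluate(cable["outbound"], "192.168.1.16", "216.163.137.68"),
        "cable LAN -> anywhere else": evaluate(cable["outbound"], "192.168.1.16", "198.60.22.240"),
        # 'outside-entry' as written names the real server address, not the outside interface
        "internet -> 192.168.1.201:80": evaluate(cable["outside-entry"], "203.0.113.7", "192.168.1.201", "tcp", 80),
        "internet -> 70.176.101.4:80": evaluate(cable["outside-entry"], "203.0.113.7", "70.176.101.4", "tcp", 80),
    }


if __name__ == "__main__":
    for k, v in run_checks().items():
        print(f"{k:55} {v}")
```

The useful output is the pair of "dsl PIX ... -> syslog" rows: a packet from a 192.168.0.0/24 address is interesting traffic for crypto map transam, a packet sourced from the outside address is not, so the evaluator shows exactly which source address the PIX's own traffic would need to carry to ride the tunnel.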


First Rule

by bk6662 In reply to what's the rule about acc ...

Are you referring to the "Deny" rule on the second (cable) config I posted? But that's for outbound traffic, and it has been there all along. Also, if that was the problem, wouldn't it affect all hosts trying to ping from the remote LAN? (Followup question: since this is a VPN tunnel, is the remote LAN considered inside or outside?)

I will remove that to test, but I didn't think that could be causing this. Of course I may be totally misunderstanding your reply!

Thank you,
BK


Re: First rule

by bk6662 In reply to First Rule

Removed the "Deny" rule - still can't ping from the PIX to anything on the other end of the tunnel. Please let me know what I am missing.

Thanks!
BK


paste a show interface [your exit interface]

by CG IT In reply to Re: First rule

and a sh controllers on the exit interface.

thanks


Show interface

by bk6662 In reply to paste a show interface [y ...

I'm not sure how to show controllers - here's the show interface output of each. Thanks!!

------------------------------------------
PIX2# (Cable):
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a529
IP address 70.176.101.4, subnet mask 255.255.248.0
MTU 1500 bytes, BW 10000 Kbit half duplex
525688 packets input, 35271882 bytes, 0 no buffer
Received 505547 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
23093 packets output, 2827768 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 21 deferred
1 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/29)
output queue (curr/max blocks): hardware (0/4) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000b.be94.a52a
IP address 192.168.1.199, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
23774 packets input, 3969616 bytes, 0 no buffer
Received 4420 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
17640 packets output, 1684041 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/4)
output queue (curr/max blocks): hardware (1/28) software (0/1)

-----------------------------------------

PIX1# (DSL)

interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000f.24e9.c57e
IP address 75.171.44.40, subnet mask 255.255.255.255
MTU 1492 bytes, BW 100000 Kbit full duplex
40907 packets input, 13177418 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
47467 packets output, 8125552 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/4)
output queue (curr/max blocks): hardware (0/35) software (0/1)
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000f.24e9.c57f
IP address 192.168.0.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
32419 packets input, 7012923 bytes, 0 no buffer
Received 4294 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
29437 packets output, 11448943 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/65)
output queue (curr/max blocks): hardware (1/4) software (0/1)


well your interfaces are up and protocols up

by CG IT In reply to Show interface

So you're up on both ends, which means the tunnel is established between the 2 PIX firewalls, and you can ping one way but not the other, so the interface that you can't ping through is the problem. You mentioned that the cable interface can ping through to the DSL end, but the DSL end can't ping through the cable interface, so that's the interface with the problem, maybe....

And debug info?

Have to ask, did you copy your working running config to a TFTP? And do a copy run start? If you rebooted and still have the problem, sounds like you did a copy run start without backing up the current run config.

Probably not if you're asking the question... but had to ask.


Try the following

by NetMan1958 In reply to VPN Tunnel strange issue ...

If you haven't already done so, reboot both PIXs. After the reboot if the problem persists run the following on both PIXs and post the output:

"sh ipsec sa"


Re: Try the following

by bk6662 In reply to Try the following

Hi NetMan,

Yes I've rebooted both several times. Below is the output you've requested. Thanks for your assistance!

-Bk
------------------------------------------
PIX1# (DSL PIX)

interface: outside
Crypto map tag: transam, local addr. 75.171.44.40

local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 70.176.101.4:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14658, #pkts encrypt: 14658, #pkts digest 14658
#pkts decaps: 14648, #pkts decrypt: 14648, #pkts verify 14648
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 259, #recv errors 0

local crypto endpt.: 75.171.44.40, remote crypto endpt.: 70.176.101.4
path mtu 1492, ipsec overhead 56, media mtu 1492
current outbound spi: 45b590e9

inbound esp sas:
spi: 0x77a6b304(2007413508)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: transam
sa timing: remaining key lifetime (k/sec): (4607999/24472)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x45b590e9(1169527017)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: transam
sa timing: remaining key lifetime (k/sec): (4607999/24409)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:
outbound pcp sas:
-------------------------------------------
Pix2# (Cable PIX)

interface: outside
Crypto map tag: bmw, local addr. 70.176.101.4

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: 75.171.44.40:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14648, #pkts encrypt: 14648, #pkts digest 14648
#pkts decaps: 14658, #pkts decrypt: 14658, #pkts verify 14658
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 70.176.101.4, remote crypto endpt.: 75.171.44.40
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 77a6b304

inbound esp sas:
spi: 0x45b590e9(1169527017)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: bmw
sa timing: remaining key lifetime (k/sec): (4607999/24266)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x77a6b304(2007413508)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: bmw
sa timing: remaining key lifetime (k/sec): (4607999/24239)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:
outbound pcp sas:


Send Errors

by NetMan1958 In reply to Re: Try the following

Well you do have send errors on the DSL PIX:
#send errors 259, #recv errors 0

Can you post or PM me the complete configs for both PIXs?
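The asymmetry NetMan picks out of the two `sh ipsec sa` outputs (259 send errors on the DSL side, none on the cable side) is the kind of thing worth checking mechanically rather than by eye. The following is an added example, not part of this thread and not code from either poster. It parses the two outputs posted above (embedded here as constructed excerpts trimmed to the lines the parser reads), pairs the SPIs, reconciles each end's encaps counter against the other end's decaps counter, and reports the send-error counts and the approximate cleartext size each end can tunnel without fragmenting (path MTU minus IPsec overhead). It makes no claim about what caused the send errors; it only makes the asymmetry explicit.

```python
import re

# Constructed excerpts of the two 'show crypto ipsec sa' outputs posted in this thread,
# trimmed to the lines the parser reads.
PIX1_SA = """
interface: outside
Crypto map tag: transam, local addr. 75.171.44.40
current_peer: 70.176.101.4:500
#pkts encaps: 14658, #pkts encrypt: 14658, #pkts digest 14658
#pkts decaps: 14648, #pkts decrypt: 14648, #pkts verify 14648
#send errors 259, #recv errors 0
path mtu 1492, ipsec overhead 56, media mtu 1492
current outbound spi: 45b590e9
inbound esp sas:
spi: 0x77a6b304(2007413508)
outbound esp sas:
spi: 0x45b590e9(1169527017)
"""

PIX2_SA = """
interface: outside
Crypto map tag: bmw, local addr. 70.176.101.4
current_peer: 75.171.44.40:500
#pkts encaps: 14648, #pkts encrypt: 14648, #pkts digest 14648
#pkts decaps: 14658, #pkts decrypt: 14658, #pkts verify 14658
#send errors 0, #recv errors 0
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 77a6b304
inbound esp sas:
spi: 0x45b590e9(1169527017)
outbound esp sas:
spi: 0x77a6b304(2007413508)
"""

FIELDS = {
    "local_addr": r"local addr\. (\S+)",
    "peer": r"current_peer: (\S+):\d+",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
    "path_mtu": r"path mtu (\d+)",
    "ipsec_overhead": r"ipsec overhead (\d+)",
    "outbound_spi": r"current outbound spi: ([0-9a-f]+)",
    "inbound_spi": r"inbound esp sas:\s+spi: 0x([0-9a-f]+)",
}
COUNTERS = {"encaps", "decaps", "send_errors", "recv_errors", "path_mtu", "ipsec_overhead"}


def parse_sa(text):
    """Pull the per-SA fields out of one PIX's 'show crypto ipsec sa' text."""
    sa = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, text)
        if m is None:
            raise ValueError(f"'{key}' not found in output")
        sa[key] = int(m.group(1)) if key in COUNTERS else m.group(1)
    return sa


def compare_peers(a, b):
    """Cross-check the two ends of one tunnel against each other."""
    return {
        # each end's peer must be the other end's local address
        "peering_consistent": a["peer"] == b["local_addr"] and b["peer"] == a["local_addr"],
        # A's outbound SPI is B's inbound SPI and vice versa
        "spi_pairing_ok": a["outbound_spi"] == b["inbound_spi"] and b["outbound_spi"] == a["inbound_spi"],
        # packets A wrapped that B never unwrapped (and the reverse)
        "a_to_b_unaccounted": a["encaps"] - b["decaps"],
        "b_to_a_unaccounted": b["encaps"] - a["decaps"],
        "a_send_errors": a["send_errors"],
        "b_send_errors": b["send_errors"],
        # approximate largest cleartext packet each end can tunnel without fragmenting
        "a_max_clear_bytes": a["path_mtu"] - a["ipsec_overhead"],
        "b_max_clear_bytes": b["path_mtu"] - b["ipsec_overhead"],
    }


if __name__ == "__main__":
    for k, v in compare_peers(parse_sa(PIX1_SA), parse_sa(PIX2_SA)).items():
        print(f"{k:22} {v}")
```

For the outputs in this thread the counters reconcile exactly in both directions (14658 encapsulated on the DSL end, 14658 decapsulated on the cable end, and 14648 the other way), the SPIs pair up, and the only thing that differs between the ends is the 259 send errors on the DSL side and the smaller path MTU there (1492 for PPPoE against 1500 on cable).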


Complete Configs

by bk6662 In reply to Send Errors

Here goes!

PIX1:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password UhOh encrypted
passwd UhOh encrypted
hostname PIX1
domain-name ecc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNAT permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 22
logging host outside 192.168.1.201
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.12 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 198.60.22.240 source outside
http server enable
http 192.168.1.12 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 70.176.101.4
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 70.176.101.4 netmask 255.255.248.0
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 70.176.101.4 255.255.255.255 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname krbrian1012@qwest.net
vpdn group ISP ppp authentication pap
vpdn username XYZ@qwest.net password *********
dhcpd address 192.168.0.11-192.168.0.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:
: end

--------------------------------------------------------------------

PIX2:

: Saved
:
PIX Version 6.3(5)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OhBoy encrypted
passwd OhBoy encrypted
hostname PIX2
domain-name epx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outbound permit ip any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside-entry permit tcp any host 192.168.1.201 eq www
access-list outside-entry permit tcp any host 192.168.1.201 eq https
access-list outside-entry permit tcp any host 192.168.1.201 eq ssh
access-list outside-entry permit tcp any host 192.168.1.201 eq ftp
pager lines 24
logging on
logging timestamp
logging trap notifications
logging host inside 192.168.1.201
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.199 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.16 255.255.255.255 inside
pdm location 216.163.137.68 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-entry in interface outside
access-group outbound in interface inside
route inside 11.0.0.0 255.0.0.0 192.168.1.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 198.60.22.240 source outside
http server enable
http 192.168.1.26 255.255.255.255 inside
http 192.168.1.201 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 75.171.44.40
crypto map bmw 1 set transform-set toyota
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 75.171.44.40 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 15
management-access inside
console timeout 0
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:
: end
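With both full configs on the page, a quick hardening pass is the natural companion to the tunnel debugging. The following is an added example, not part of this thread and not either poster's code: a small linter that runs a handful of rules over the lines from the two configs above (embedded as constructed excerpts limited to the lines the rules inspect). The rules flag settings a reviewer would question in the posted configs: the default SNMP community, IKE with DH group 1, MD5 and 3DES (PIX 6.3 supports SHA-1, AES and DH group 5), a pre-shared key whose `netmask` is wider than /32 on PIX1 (it then applies to every peer address in that range, where PIX2 binds its key to the single /32 peer), Telnet permitted on the outside interface, management permitted from every inside host, and cleartext syslog sent out the outside interface. The rule ids and wording are this example's own.

```python
import re

# Constructed excerpts of the two full configs posted above, limited to the lines the rules inspect.
PIX1_CFG = """
hostname PIX1
logging host outside 192.168.1.201
snmp-server community public
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
isakmp key ******** address 70.176.101.4 netmask 255.255.248.0
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
telnet 70.176.101.4 255.255.255.255 outside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
"""

PIX2_CFG = """
hostname PIX2
logging host inside 192.168.1.201
snmp-server community public
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
isakmp key ******** address 75.171.44.40 netmask 255.255.255.255
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
telnet 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.0 inside
"""

# (rule id, line pattern, why it matters) -- rule ids are this example's own naming
RULES = [
    ("snmp-default-community", r"^snmp-server community (public|private)$",
     "well-known community string; read access for anyone who can reach the PIX"),
    ("ike-dh-group1", r"^isakmp policy \d+ group 1$",
     "768-bit Diffie-Hellman for IKE; use group 2 or 5 (6.3 supports group 5)"),
    ("md5", r"(^isakmp policy \d+ hash md5$)|esp-md5-hmac",
     "MD5 HMAC; 6.3 supports SHA-1"),
    ("3des", r"(^isakmp policy \d+ encryption 3des$)|esp-3des",
     "3DES; 6.3 supports AES"),
    ("psk-bound-to-range", r"^isakmp key \S+ address \S+ netmask (?!255\.255\.255\.255$)\S+$",
     "pre-shared key accepted from a whole address range instead of the single /32 peer"),
    ("telnet-on-outside", r"^telnet \S+ \S+ outside$",
     "cleartext management session permitted on the outside interface"),
    ("mgmt-from-any-inside", r"^(telnet|ssh) 0\.0\.0\.0 0\.0\.0\.0 inside$",
     "management allowed from every inside host; restrict to an admin subnet"),
    ("syslog-via-outside", r"^logging host outside \S+$",
     "cleartext UDP syslog sent out the outside interface; make sure it is tunnel traffic"),
]


def lint(cfg):
    """Return (hostname, rule id, offending line, reason) for every rule hit, in config order."""
    host = re.search(r"^hostname (\S+)$", cfg, re.M).group(1)
    hits = []
    for line in cfg.strip().splitlines():
        for rule_id, pattern, why in RULES:
            if re.search(pattern, line):
                hits.append((host, rule_id, line, why))
    return hits


def rule_ids(cfg):
    """Distinct rule ids triggered by one config, sorted for easy comparison between boxes."""
    return sorted({h[1] for h in lint(cfg)})


if __name__ == "__main__":
    for cfg in (PIX1_CFG, PIX2_CFG):
        for host, rule_id, line, why in lint(cfg):
            print(f"{host}: [{rule_id}] {line}\n    {why}")
```

Running it on the two excerpts shows the crypto and SNMP findings common to both boxes, and three findings unique to PIX1: the /21 pre-shared-key netmask, Telnet on the outside interface, and syslog leaving via outside. Diffing the two rule-id lists is a cheap way to spot where a pair of supposedly symmetric VPN endpoints have drifted apart.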
