VPN Not Routing, Reboot Fixes it.
in [Cisco]
|
From: scooter133 on 16 Jul 2008 13:48 So i have 2 PIXs that connect via the internet and when I first boot them, they connect up via IPSec Preshared Keys LAN-to-LAN and all is good in the world. HQ 10.1.x.x <- Internet -> SF 10.2.x.x <- rotuer-> 10.6.x.x Some number of hours later, It stops passing traffic from 10.6.x.x to 10.1.x.x. 10.2.x.x to 10.1.x.x works fine. If I reboot the SF PIX, the traffic will Flow from 10.6.x.x to 10.1.x.x. again for a while. We also have some PIX 501, and some 1700 routers that do remote IPSec Preshared Keys and they are solid. Though they only have 1 Subnet behind it... What can I do to troubleshoot this? I've included the Sh Ver of the 2 main PIXs. Thanks, Scott<- -------------------------------------------------------------------------------- HQ PIX -------------------------------------------------------------------------------- Cisco PIX Security Appliance Software Version 7.0(5) Device Manager Version 5.0(5) Compiled on Mon 10-Apr-06 14:40 by builders System image file is "flash:/pix705.bin" Config file at boot was "startup-config" charlie2 up 78 days 17 hours Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz Flash E28F128J3 @ 0xfff00000, 16MB BIOS Flash AM29F400B @ 0xfffd8000, 32KB 0: Ext: Ethernet0 : address is 0019.2f6b.44d6, irq 10 1: Ext: Ethernet1 : address is 0019.2f6b.44d7, irq 11 2: Ext: Ethernet2 : address is 0002.b3b6.cbb4, irq 11 Licensed features for this platform: Maximum Physical Interfaces : 6 Maximum VLANs : 25 Inside Hosts : Unlimited Failover : Active/Active VPN-DES : Enabled VPN-3DES-AES : Enabled Cut-through Proxy : Enabled Guards : Enabled URL Filtering : Enabled Security Contexts : 2 GTP/GPRS : Disabled VPN Peers : Unlimited This platform has an Unrestricted (UR) license. ------------------------------------------------------------------------------- Far End PIX -------------------------------------------------------------------------------- Cisco PIX Security Appliance Software Version 7.0(5) Device Manager Version 5.0(5) Compiled on Mon 10-Apr-06 14:40 by builders System image file is "flash:/pix705.bin" Config file at boot was "startup-config" moonrazor up 26 mins 8 secs Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz Flash i28F640J5 @ 0x300, 16MB BIOS Flash AT29C257 @ 0xfffd8000, 32KB 0: Ext: Ethernet0 : address is 0050.54fe.ef68, irq 10 1: Ext: Ethernet1 : address is 0050.54fe.ef69, irq 7 2: Ext: Ethernet2 : address is 0002.b3ad.7fda, irq 9 Licensed features for this platform: Maximum Physical Interfaces : 3 Maximum VLANs : 10 Inside Hosts : Unlimited Failover : Disabled VPN-DES : Enabled VPN-3DES-AES : Enabled Cut-through Proxy : Enabled Guards : Enabled URL Filtering : Enabled Security Contexts : 0 GTP/GPRS : Disabled VPN Peers : Unlimited This platform has a Restricted (R) license.
From: Artie Lange on 16 Jul 2008 13:53 scooter133(a)gmail.com wrote: > So i have 2 PIXs that connect via the internet and when I first boot > them, they connect up via IPSec Preshared Keys LAN-to-LAN and all is > good in the world. > > HQ 10.1.x.x <- Internet -> SF 10.2.x.x <- rotuer-> 10.6.x.x > > Some number of hours later, It stops passing traffic from 10.6.x.x to > 10.1.x.x. 10.2.x.x to 10.1.x.x works fine. > > If I reboot the SF PIX, the traffic will Flow from 10.6.x.x to > 10.1.x.x. again for a while. > > We also have some PIX 501, and some 1700 routers that do remote IPSec > Preshared Keys and they are solid. Though they only have 1 Subnet > behind it... > > What can I do to troubleshoot this? > > > I've included the Sh Ver of the 2 main PIXs. > > Thanks, > Scott<- how bout a show conf ?
From: scooter133 on 16 Jul 2008 14:34 On Jul 16, 10:53 am, Artie Lange <spam...(a)jamiebaillie.net> wrote: > how bout a show conf ?- Hide quoted text - > > - Show quoted text - It jsut takes a bit to sanitize it up a little... Thanks, -------------------------------------------------------------------------------- HQ PIX -------------------------------------------------------------------------------- PIX Version 7.0(5) ! hostname charlie2 domain-name haydon-mill.com names name 10.10.0.0 NETWORK-HA name 10.11.0.0 NETWORK-OLIVET name 10.12.0.0 NETWORK-235HBG name 10.13.0.0 NETWORK-FITCH name 10.2.0.0 NETWORK-SF2 name 10.200.0.0 NETWORK-IPSec-POOL description IPSec DHCP Pool name 10.201.0.0 NETWORK-PPTP-POOL description PPTP DHCP Pool name 10.203.0.0 NETWORK-PPTP-POOL2 description PPTP DHCP Pool2 name 10.254.0.0 NETWORK-SERIAL description Serial Interfaces name 10.3.0.0 NETWORK-SF name 10.6.0.0 NETWORK-TRAINING name 172.16.0.0 NETWORK-DMZ name 10.14.0.0 NETWORK-OLIVET2 name 10.15.0.0 NETWORK-HA2 dns-guard ! interface Ethernet0 nameif outside-HBG security-level 0 ip address charlie_o 255.255.255.0 ! interface Ethernet1 nameif inside-HBG security-level 100 ip address charlie_i 255.255.0.0 ! interface Ethernet2 duplex half nameif dmz-HBG security-level 10 ip address charlie_dmz 255.255.255.0 ! boot system flash:/pix705.bin ftp mode passive clock timezone PST -8 clock summer-time PDT recurring same-security-traffic permit intra-interface object-group network NETWORK-HBG-ALL network-object NETWORK-HBG 255.255.0.0 network-object NETWORK-HBG 255.255.255.0 network-object NETWORK-SERIAL 255.255.0.0 object-group network NETWORK-FITCH-ALL network-object NETWORK-FITCH 255.255.0.0 object-group network NETWORK-OLIVET-ALL network-object NETWORK-OLIVET 255.255.0.0 object-group network NETWORK-235HBG-ALL network-object NETWORK-235HBG 255.255.0.0 object-group protocol VPN-PROTOCOLS protocol-object ip protocol-object tcp protocol-object udp protocol-object icmp object-group network NETWORK-VPN-ALL network-object NETWORK-HBG 255.255.0.0 network-object NETWORK-SF2 255.255.0.0 network-object NETWORK-SF 255.255.0.0 network-object NETWORK-TRAINING 255.255.0.0 object-group network NETWORK-SF-VPN network-object NETWORK-SF2 255.255.0.0 network-object NETWORK-TRAINING 255.255.0.0 object-group network NETWORK-HBG-VPN network-object NETWORK-HBG 255.255.0.0 network-object NETWORK-SF 255.255.0.0 network-object NETWORK-HA 255.255.0.0 network-object NETWORK-FITCH 255.255.0.0 network-object NETWORK-OLIVET 255.255.0.0 network-object NETWORK-235HBG 255.255.0.0 network-object NETWORK-SERIAL 255.255.0.0 network-object NETWORK-IPSec-POOL 255.255.0.0 network-object NETWORK-OLIVET2 255.255.0.0 network-object NETWORK-HA2 255.255.0.0 object-group network NETWORK-SF2-VPN network-object NETWORK-TRAINING 255.255.0.0 object-group network NETWORK-HBG2-VPN network-object NETWORK-HBG 255.255.0.0 object-group network NETWORK-OLIVET2-ALL network-object NETWORK-OLIVET2 255.255.0.0 access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-DMZ 255.255.255.0 access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 192.168.1.0 255.255.255.0 access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-IPSec-POOL 255.255.0.0 access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-OLIVET 255.255.0.0 access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-235HBG 255.255.0.0 access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-FITCH 255.255.0.0 access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-SF 255.255.0.0 access-list inside_nat extended permit ip NETWORK-HA 255.255.0.0 NETWORK-SF 255.255.0.0 access-list inside_nat extended permit ip NETWORK-SERIAL 255.255.0.0 NETWORK-SF 255.255.0.0 access-list inside_nat extended permit ip NETWORK-235HBG 255.255.0.0 NETWORK-SF 255.255.0.0 access-list inside_nat extended permit ip NETWORK-FITCH 255.255.0.0 NETWORK-SF 255.255.0.0 access-list inside_nat extended permit ip NETWORK-OLIVET 255.255.0.0 NETWORK-SF 255.255.0.0 access-list inside_nat extended permit ip NETWORK-SF 255.255.0.0 NETWORK-HBG 255.255.0.0 access-list inside_nat extended permit ip object-group NETWORK-OLIVET- ALL object-group NETWORK-SF-VPN access-list inside_nat extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN access-list inside_nat extended permit ip NETWORK-SF 255.255.0.0 NETWORK-IPSec-POOL 255.255.0.0 access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-OLIVET2 255.255.0.0 access-list inside_nat extended permit ip NETWORK-OLIVET2 255.255.0.0 NETWORK-SF 255.255.0.0 access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-HA2 255.255.0.0 access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-HA 255.255.0.0 access-list 110 extended permit ip 10.0.0.0 255.0.0.0 NETWORK-IPSec- POOL 255.255.0.0 access-list outside-HBG_cryptomap_40 extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN access-list outside-HBG_cryptomap_40 extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN access-list outside-HBG_cryptomap_40 extended permit ip object-group NETWORK-OLIVET2-ALL object-group NETWORK-SF-VPN access-list outside-HBG_cryptomap_20 extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN access-list outside-HBG_cryptomap_20 extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN access-list outside-HBG_cryptomap_20 extended permit ip object-group NETWORK-OLIVET2-ALL object-group NETWORK-SF-VPN access-list outside-HBG_nat0_inbound extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN access-list outside-HBG_nat0_inbound extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN access-list outside-HBG_nat0_inbound extended permit ip object-group NETWORK-OLIVET2-ALL object-group NETWORK-SF-VPN access-list outside-HBG_nat0_outbound extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN access-list outside-HBG_nat0_outbound extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN access-list outside-HBG_nat0_outbound extended permit ip object-group NETWORK-OLIVET2-ALL object-group NETWORK-SF-VPN access-list test extended permit ip 10.2.3.0 255.255.255.0 host 10.1.1.17 access-list test extended permit ip host 10.1.1.17 10.2.3.0 255.255.255.0 access-list CAPIN extended permit ip host 206.13.28.10 host hbg- stownsend_i access-list CAPIN extended permit ip host hbg-stownsend_i host 206.13.28.10 access-list CAPOUT extended permit ip host 206.13.28.10 host hbg- stownsend_o access-list CAPOUT extended permit ip host hbg-stownsend_o host 206.13.28.10 access-list capli extended permit ip NETWORK-HBG 255.255.0.0 NETWORK- TRAINING 255.255.0.0 access-list capli extended permit ip NETWORK-TRAINING 255.255.0.0 NETWORK-HBG 255.255.0.0 pager lines 66 logging enable logging timestamp logging list xlate-log message 202001 logging list xlate-log message 305009-305012 logging list SMTP-log message 108002 logging list startup-log message 199001-199005 logging list GRE-log message 302017-302018 logging list verifycertdn-log message 320001 logging list IDS-log message 400000-400050 logging list sa-log message 602201 logging list sa-log message 602301-602302 logging list mobileclient-log message 611301-611323 logging list ISAKMP-log message 702201-702212 logging list IPSecConnect-log message 113019 logging list MISC-Log message 713900-713906 logging console notifications logging monitor informational logging trap informational logging asdm warnings logging mail warnings logging from-address charlie2(a)enm.com logging device-id hostname logging host inside-HBG SERVER-SMS logging debug-trace logging permit-hostdown no logging message 302015 no logging message 302014 no logging message 302013 no logging message 304001 no logging message 609002 no logging message 609001 no logging message 302016 no logging message 302021 no logging message 302020 logging message 305012 level warnings logging message 305011 level warnings logging message 305010 level warnings logging message 305009 level warnings logging message 302013 level warnings mtu outside-HBG 1500 mtu inside-HBG 1500 mtu dmz-HBG 1500 ip local pool ipsecpool 10.200.0.1-10.200.1.254 mask 255.255.0.0 ip verify reverse-path interface outside-HBG no failover asdm image flash:/asdm-505.bin asdm history enable arp timeout 14400 nat-control global (outside-HBG) 1 204.145.245.181-204.145.245.245 netmask 255.255.255.0 global (outside-HBG) 1 204.145.245.50-204.145.245.160 global (outside-HBG) 1 204.145.245.20 netmask 255.255.255.0 nat (inside-HBG) 0 access-list inside_nat nat (inside-HBG) 1 NETWORK-HBG 255.255.0.0 nat (inside-HBG) 1 NETWORK-SF 255.255.0.0 nat (inside-HBG) 1 NETWORK-HA 255.255.0.0 nat (inside-HBG) 1 NETWORK-SERIAL 255.255.0.0 nat (dmz-HBG) 1 NETWORK-DMZ 255.255.255.0 access-group acl_outside in interface outside-HBG access-group acl_dmz in interface dmz-HBG route outside-HBG 0.0.0.0 0.0.0.0 204.145.245.15 1 route inside-HBG NETWORK-SF 255.255.0.0 10.1.0.3 1 route inside-HBG NETWORK-SERIAL 255.255.0.0 10.1.0.1 1 timeout xlate 1:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius group-policy hiddenacres.pix internal group-policy hiddenacres.pix attributes vpn-idle-timeout 30 split-tunnel-policy tunnelspecified split-tunnel-network-list value 110 default-domain value haydon-mill.com group-policy DfltGrpPolicy attributes wins-server value 10.1.0.8 dns-server value 10.1.0.5 10.1.0.9 dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain value haydon-mill.com split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy prancer.235hbg internal group-policy prancer.235hbg attributes vpn-idle-timeout 30 split-tunnel-policy tunnelspecified split-tunnel-network-list value 110 default-domain value haydon-mill.com group-policy moonrazor.olivet internal group-policy moonrazor.olivet attributes vpn-idle-timeout 30 split-tunnel-policy tunnelspecified split-tunnel-network-list value 110 default-domain value haydon-mill.com group-policy moonrazor internal group-policy moonrazor attributes split-tunnel-policy tunnelspecified split-tunnel-network-list value outside-HBG_cryptomap_40 group-policy eandmmobileclient internal group-policy eandmmobileclient attributes vpn-idle-timeout 30 split-tunnel-policy tunnelspecified split-tunnel-network-list value 110 default-domain value haydon-mill.com group-policy cupid.fitch internal group-policy cupid.fitch attributes vpn-idle-timeout 30 split-tunnel-policy tunnelspecified split-tunnel-network-list value 110 default-domain value haydon-mill.com group-policy mobileclient internal group-policy mobileclient attributes vpn-idle-timeout 30 split-tunnel-policy tunnelspecified split-tunnel-network-list value 110 default-domain value haydon-mill.com group-policy comet.olivet internal group-policy comet.olivet attributes vpn-idle-timeout 30 split-tunnel-policy tunnelspecified split-tunnel-network-list value 110 default-domain value haydon-mill.com aaa authentication ssh console LOCAL snmp-server location NetCenter snmp-server contact Scott Townsend snmp-server community public snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set mobileclient_set2 esp-3des esp-md5-hmac crypto ipsec transform-set mobileclient_set esp-des esp-md5-hmac crypto ipsec transform-set vpn-des-set esp-des esp-md5-hmac crypto ipsec transform-set olivet-set esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 3600 crypto dynamic-map dynmap 10 set transform-set mobileclient_set mobileclient_set2 crypto dynamic-map olivet 1 set transform-set olivet-set crypto dynamic-map vpn-des 2 set transform-set vpn-des-set crypto map my_cry_map 999 ipsec-isakmp dynamic dynmap crypto map vpn-des-dyn-map 21 ipsec-isakmp dynamic vpn-des crypto map olivet-dyn-map 20 match address outside-HBG_cryptomap_20 crypto map olivet-dyn-map 20 set peer <remote IP of Moonrazor> crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet crypto map olivet-dyn-map interface outside-HBG crypto ca trustpoint enmvpnca crl required enrollment retry count 20 enrollment url http://10.1.9.61:80//certsrv/mscep/mscep.dll crl configure crypto ca certificate map 10 subject-name attr cn eq comet.olivet crypto ca certificate chain enmvpnca certificate 610b484e000c0000023d quit certificate ca 728f42234a1e8497433a3917b85b02a6 quit isakmp enable outside-HBG isakmp policy 8 authentication rsa-sig isakmp policy 8 encryption 3des isakmp policy 8 hash md5 isakmp policy 8 group 2 isakmp policy 8 lifetime 86400 isakmp policy 10 authentication rsa-sig isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 86400 isakmp policy 11 authentication rsa-sig isakmp policy 11 encryption des isakmp policy 11 hash md5 isakmp policy 11 group 1 isakmp policy 11 lifetime 86400 isakmp policy 13 authentication rsa-sig isakmp policy 13 encryption des isakmp policy 13 hash md5 isakmp policy 13 group 2 isakmp policy 13 lifetime 86400 isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash md5 isakmp policy 20 group 1 isakmp policy 20 lifetime 86400 isakmp policy 21 authentication pre-share isakmp policy 21 encryption 3des isakmp policy 21 hash md5 isakmp policy 21 group 1 isakmp policy 21 lifetime 86400 isakmp policy 22 authentication pre-share isakmp policy 22 encryption des isakmp policy 22 hash md5 isakmp policy 22 group 2 isakmp policy 22 lifetime 86400 isakmp policy 23 authentication pre-share isakmp policy 23 encryption 3des isakmp policy 23 hash md5 isakmp policy 23 group 2 isakmp policy 23 lifetime 86400 isakmp policy 24 authentication pre-share isakmp policy 24 encryption des isakmp policy 24 hash sha isakmp policy 24 group 2 isakmp policy 24 lifetime 86400 isakmp policy 26 authentication pre-share isakmp policy 26 encryption 3des isakmp policy 26 hash sha isakmp policy 26 group 2 isakmp policy 26 lifetime 86400 isakmp policy 30 authentication rsa-sig isakmp policy 30 encryption 3des isakmp policy 30 hash sha isakmp policy 30 group 2 isakmp policy 30 lifetime 86400 isakmp policy 65535 authentication pre-share isakmp policy 65535 encryption 3des isakmp policy 65535 hash sha isakmp policy 65535 group 2 isakmp policy 65535 lifetime 86400 isakmp nat-traversal 20 isakmp ipsec-over-tcp port 10000 57268 tunnel-group DefaultL2LGroup ipsec-attributes trust-point enmvpnca tunnel-group DefaultRAGroup general-attributes authentication-server-group (outside-HBG) none tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * trust-point enmvpnca tunnel-group mobileclient type ipsec-ra tunnel-group mobileclient general-attributes address-pool ipsecpool authentication-server-group (outside-HBG) none default-group-policy mobileclient tunnel-group mobileclient ipsec-attributes trust-point enmvpnca tunnel-group comet.olivet general-attributes authentication-server-group (outside-HBG) none default-group-policy comet.olivet tunnel-group comet.olivet ipsec-attributes pre-shared-key * trust-point enmvpnca tunnel-group cupid.fitch type ipsec-ra tunnel-group cupid.fitch general-attributes authentication-server-group (outside-HBG) none default-group-policy cupid.fitch tunnel-group cupid.fitch ipsec-attributes pre-shared-key * trust-point enmvpnca tunnel-group prancer.235hbg type ipsec-ra tunnel-group prancer.235hbg general-attributes authentication-server-group (outside-HBG) none default-group-policy prancer.235hbg tunnel-group prancer.235hbg ipsec-attributes pre-shared-key * trust-point enmvpnca tunnel-group moonrazor.olivet type ipsec-ra tunnel-group moonrazor.olivet general-attributes authentication-server-group (outside-HBG) none default-group-policy moonrazor.olivet tunnel-group moonrazor.olivet ipsec-attributes pre-shared-key * trust-point enmvpnca tunnel-group <IP of Moonrazor> type ipsec-l2l tunnel-group <IP of Moonrazor> general-attributes default-group-policy moonrazor tunnel-group <IP of Moonrazor> ipsec-attributes pre-shared-key * tunnel-group hiddenacres.pix type ipsec-ra tunnel-group hiddenacres.pix general-attributes authentication-server-group (outside-HBG) none default-group-policy moonrazor.olivet tunnel-group hiddenacres.pix ipsec-attributes pre-shared-key * trust-point enmvpnca tunnel-group eandmmobileclient type ipsec-ra tunnel-group eandmmobileclient general-attributes address-pool ipsecpool authentication-server-group (outside-HBG) none default-group-policy eandmmobileclient tunnel-group eandmmobileclient ipsec-attributes trust-point eandmvpnca tunnel-group-map enable rules tunnel-group-map 10 moonrazor.olivet no vpn-addr-assign dhcp ssh timeout 60 ssh version 1 console timeout 0 management-access inside-HBG ! class-map class_sqlnet match port tcp eq 1433 class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect ils inspect netbios inspect rsh inspect rtsp inspect skinny inspect sunrpc inspect tftp inspect sip inspect xdmcp class class_sqlnet inspect sqlnet ! service-policy global_policy global ntp server 192.6.38.127 source outside-HBG prefer : end ------------------------------------------------------------------------------- Far End PIX -------------------------------------------------------------------------------- PIX Version 7.0(5) ! hostname moonrazor domain-name haydon-mill.com no names name 10.6.0.0 NETWORK-TRAINING name 10.3.0.0 NETWORK-SF name 10.10.0.0 NETWORK-HA name 10.1.0.0 NETWORK-HBG name 10.254.0.0 NETWORK-SERIAL description Serial Interfaces name 10.201.0.0 NETWORK-IPSEC-SF-POOL description IPSec SF DHCP Pool name 172.16.0.0 NETWORK-DMZ name 10.2.0.0 NETWORK-SF2 name 10.11.0.0 NETWORK-OLIVET name 10.13.0.0 NETWORK-FITCH name 10.12.0.0 NETWORK-235HBG dns-guard ! interface Ethernet0 nameif outside-SF security-level 0 ip address moonrazor_o 255.255.255.192 ! interface Ethernet1 nameif inside-SF security-level 100 ip address moonrazor_i 255.255.0.0 ! interface Ethernet2 speed 10 duplex half nameif dmz-sf security-level 10 no ip address ! boot system flash:/pix705.bin ftp mode passive clock timezone PST -8 clock summer-time PDT recurring same-security-traffic permit intra-interface object-group network NETWORK-VPN-ALL network-object 10.1.0.0 255.255.0.0 network-object 10.2.0.0 255.255.0.0 network-object 10.3.0.0 255.255.0.0 network-object 10.6.0.0 255.255.0.0 object-group protocol VPN-PROTOCOLS protocol-object ip protocol-object tcp protocol-object udp protocol-object icmp object-group network NETWORK-OLIVET-ALL network-object 10.11.0.0 255.255.0.0 object-group network NETWORK-SF-VPN network-object 10.2.0.0 255.255.0.0 network-object 10.6.0.0 255.255.0.0 object-group network NETWORK-HBG-VPN network-object 10.10.0.0 255.255.0.0 network-object 10.1.0.0 255.255.0.0 network-object 10.3.0.0 255.255.0.0 network-object 10.13.0.0 255.255.0.0 network-object 10.11.0.0 255.255.0.0 network-object 10.12.0.0 255.255.0.0 network-object 10.254.0.0 255.255.0.0 object-group network NETWORK-SF2-VPN network-object 10.6.0.0 255.255.0.0 object-group network NETWORK-HBG2-VPN network-object 10.1.0.0 255.255.0.0 access-list inside_nat extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN access-list inside_nat extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL access-list inside_nat extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0 access-list capli extended permit ip 10.1.0.0 255.255.0.0 10.6.0.0 255.255.0.0 access-list capli extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0 access-list acl_outside extended permit icmp any any echo access-list acl_outside extended permit icmp any any echo-reply access-list acl_outside extended permit icmp any any time-exceeded access-list acl_outside extended permit icmp any any unreachable access-list outside-SF_nat0_outbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN access-list outside-SF_nat0_outbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL access-list outside-SF_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0 access-list outside-SF_cryptomap_20 extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN access-list outside-SF_cryptomap_20 extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL access-list outside-SF_cryptomap_20 extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0 access-list outside-SF_nat0_inbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN access-list outside-SF_nat0_inbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL access-list outside-SF_nat0_inbound extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0 access-list charlie_tunnel extended permit ip object-group NETWORK-SF- VPN object-group NETWORK-HBG-VPN access-list charlie_tunnel extended permit ip object-group NETWORK-SF- VPN object-group NETWORK-OLIVET-ALL access-list charlie_tunnel extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0 pager lines 55 logging enable logging timestamp logging list xlate-log message 202001 logging list xlate-log message 305009-305012 logging list SMTP-log message 108002 logging list startup-log message 199001-199005 logging list GRE-log message 302017-302018 logging list verifycertdn-log message 320001 logging list IDS-log message 400000-400050 logging list sa-log message 602201 logging list sa-log message 602301-602302 logging list mobilevpnclient-log message 611301-611323 logging list ISAKMP-log message 702201-702212 logging list IPSecConnect-log message 113019 logging list MISC-Log message 713900-713906 logging console warnings logging monitor debugging logging trap informational logging asdm warnings logging mail warnings logging from-address charlie2(a)enm.com logging device-id hostname logging host inside-SF 10.1.0.17 logging debug-trace logging permit-hostdown no logging message 302015 no logging message 302014 no logging message 302013 no logging message 304001 no logging message 609002 no logging message 609001 no logging message 302016 no logging message 302021 no logging message 302020 logging message 305012 level warnings logging message 305011 level warnings logging message 305010 level warnings logging message 305009 level warnings logging message 302013 level warnings mtu outside-SF 1500 mtu inside-SF 1500 mtu dmz-sf 1500 ip local pool ipsecpoolsf 10.201.0.1-10.201.1.254 mask 255.255.0.0 ip verify reverse-path interface outside-SF asdm image flash:/asdm-505.bin asdm history enable arp timeout 14400 nat-control global (outside-SF) 1 75.10.255.5-75.10.255.59 netmask 255.255.255.192 global (outside-SF) 1 75.10.255.60 netmask 255.255.255.255 nat (inside-SF) 0 access-list inside_nat nat (inside-SF) 1 10.2.0.0 255.255.0.0 nat (inside-SF) 1 10.6.0.0 255.255.0.0 nat (dmz-sf) 0 access-list dmz-sf_nat0_outbound access-group acl_outside in interface outside-SF route outside-SF 0.0.0.0 0.0.0.0 <router IP> 1 route inside-SF 10.6.0.0 255.255.0.0 10.2.6.1 1 timeout xlate 1:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius group-policy DfltGrpPolicy attributes wins-server value 10.1.0.8 10.1.0.5 dns-server value 10.1.0.5 10.1.0.9 dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain value haydon-mill.com split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy mobilevpnclient internal group-policy mobilevpnclient attributes vpn-idle-timeout 30 split-tunnel-policy tunnelspecified default-domain value haydon-mill.com group-policy charlie2 internal group-policy charlie2 attributes split-tunnel-policy tunnelspecified split-tunnel-network-list value charlie_tunnel aaa authentication ssh console LOCAL snmp-server location NetCenter snmp-server contact Scott Townsend snmp-server community public snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set mobilevpnclient_set esp-des esp-md5-hmac crypto ipsec transform-set mobilevpnclient_set2 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map dynmap 10 set transform-set mobilevpnclient_set mobilevpnclient_set2 crypto dynamic-map outside-SF_dyn_map 1 set transform-set mobilevpnclient_set mobilevpnclient_set2 ESP-3DES-SHA crypto map outside-SF_map 20 match address outside-SF_cryptomap_20 crypto map outside-SF_map 20 set peer <ip address of charlie> crypto map outside-SF_map 20 set transform-set ESP-3DES-SHA crypto map outside-SF_map 65535 ipsec-isakmp dynamic outside- SF_dyn_map crypto map outside-SF_map interface outside-SF crypto ca trustpoint enmvpnca crl required enrollment retry count 20 enrollment url http://<CertSrv IP>/certsrv/mscep/mscep.dll crl configure crypto ca certificate chain enmvpnca certificate 46bd5f06000800000174 quit certificate ca 6d37e2baf0018ba644da08206ff4c15c quit isakmp enable outside-SF isakmp policy 8 authentication rsa-sig isakmp policy 8 encryption 3des isakmp policy 8 hash md5 isakmp policy 8 group 2 isakmp policy 8 lifetime 86400 isakmp policy 10 authentication rsa-sig isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 86400 isakmp policy 11 authentication rsa-sig isakmp policy 11 encryption des isakmp policy 11 hash md5 isakmp policy 11 group 1 isakmp policy 11 lifetime 86400 isakmp policy 13 authentication rsa-sig isakmp policy 13 encryption des isakmp policy 13 hash md5 isakmp policy 13 group 2 isakmp policy 13 lifetime 86400 isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash md5 isakmp policy 20 group 1 isakmp policy 20 lifetime 86400 isakmp policy 22 authentication pre-share isakmp policy 22 encryption des isakmp policy 22 hash md5 isakmp policy 22 group 2 isakmp policy 22 lifetime 86400 isakmp policy 23 authentication pre-share isakmp policy 23 encryption 3des isakmp policy 23 hash md5 isakmp policy 23 group 2 isakmp policy 23 lifetime 86400 isakmp policy 24 authentication pre-share isakmp policy 24 encryption des isakmp policy 24 hash sha isakmp policy 24 group 2 isakmp policy 24 lifetime 86400 isakmp policy 26 authentication pre-share isakmp policy 26 encryption 3des isakmp policy 26 hash sha isakmp policy 26 group 2 isakmp policy 26 lifetime 86400 isakmp policy 30 authentication rsa-sig isakmp policy 30 encryption 3des isakmp policy 30 hash sha isakmp policy 30 group 2 isakmp policy 30 lifetime 86400 isakmp policy 65535 authentication pre-share isakmp policy 65535 encryption 3des isakmp policy 65535 hash sha isakmp policy 65535 group 2 isakmp policy 65535 lifetime 86400 isakmp nat-traversal 20 isakmp ipsec-over-tcp port 10000 57268 tunnel-group DefaultL2LGroup ipsec-attributes trust-point enmvpnca tunnel-group DefaultRAGroup general-attributes authentication-server-group (outside-SF) none tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * trust-point enmvpnca tunnel-group mobilevpnclient type ipsec-ra tunnel-group mobilevpnclient general-attributes address-pool ipsecpoolsf authentication-server-group (outside-SF) none default-group-policy mobilevpnclient tunnel-group mobilevpnclient ipsec-attributes trust-point enmvpnca tunnel-group <IP Address of Charlie> type ipsec-l2l tunnel-group <IP Address of Charlie> general-attributes default-group-policy charlie2 tunnel-group <IP Address of Charlie> ipsec-attributes pre-shared-key * console timeout 0 management-access inside-SF ! class-map class_sqlnet match port tcp eq 1433 class-map inspection_default match default-inspection-traffic ! ! policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect ils inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp class class_sqlnet inspect sqlnet ! service-policy global_policy global ntp server 192.6.38.127 source outside-SF prefer : end
From: Artie Lange on 16 Jul 2008 14:42 scooter133(a)gmail.com wrote: > crypto ipsec transform-set mobileclient_set2 esp-3des esp-md5-hmac > crypto ipsec transform-set mobileclient_set esp-des esp-md5-hmac > crypto ipsec transform-set vpn-des-set esp-des esp-md5-hmac > crypto ipsec transform-set olivet-set esp-des esp-md5-hmac > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac > crypto ipsec security-association lifetime seconds 3600 > crypto dynamic-map dynmap 10 set transform-set mobileclient_set > mobileclient_set2 > > > crypto dynamic-map olivet 1 set transform-set olivet-set > crypto dynamic-map vpn-des 2 set transform-set vpn-des-set > crypto map my_cry_map 999 ipsec-isakmp dynamic dynmap > crypto map vpn-des-dyn-map 21 ipsec-isakmp dynamic vpn-des > crypto map olivet-dyn-map 20 match address outside-HBG_cryptomap_20 > crypto map olivet-dyn-map 20 set peer <remote IP of Moonrazor> > crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA > crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet > crypto map olivet-dyn-map interface outside-HBG > crypto ca trustpoint enmvpnca > crl required > enrollment retry count 20 > enrollment url http://10.1.9.61:80//certsrv/mscep/mscep.dll > crl configure > crypto ca certificate map 10 > subject-name attr cn eq comet.olivet > crypto ca certificate chain enmvpnca > certificate 610b484e000c0000023d > quit > certificate ca 728f42234a1e8497433a3917b85b02a6 > quit > ---------------------------------------------------------------------------�---- > Far End PIX > ---------------------------------------------------------------------------�----- > crypto ipsec transform-set mobilevpnclient_set esp-des esp-md5-hmac > crypto ipsec transform-set mobilevpnclient_set2 esp-3des esp-md5-hmac > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac > crypto dynamic-map dynmap 10 set transform-set mobilevpnclient_set > mobilevpnclient_set2 > crypto dynamic-map outside-SF_dyn_map 1 set transform-set > mobilevpnclient_set mobilevpnclient_set2 ESP-3DES-SHA > crypto map outside-SF_map 20 match address outside-SF_cryptomap_20 > crypto map outside-SF_map 20 set peer <ip address of charlie> > crypto map outside-SF_map 20 set transform-set ESP-3DES-SHA > crypto map outside-SF_map 65535 ipsec-isakmp dynamic outside- > SF_dyn_map > crypto map outside-SF_map interface outside-SF > crypto ca trustpoint enmvpnca > crl required > enrollment retry count 20 > enrollment url http://<CertSrv IP>/certsrv/mscep/mscep.dll > crl configure > crypto ca certificate chain enmvpnca > certificate 46bd5f06000800000174 > quit > certificate ca 6d37e2baf0018ba644da08206ff4c15c I do not see 'crypto ipsec security-association lifetime seconds 3600' in the far end PIX
From: scooter133 on 16 Jul 2008 15:21 On Jul 16, 11:42 am, Artie Lange <spam...(a)jamiebaillie.net> wrote: > I do not see 'crypto ipsec security-association lifetime seconds 3600' > in the far end PIX- Hide quoted text - > > - Show quoted text - Hmmm... I added it to moonrazor and it dumped the VPN, reconnected and it added the following: crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800 crypto map outside-SF_map 20 set security-association lifetime seconds 28800 I do not see something similar on the HQ PIX... SHould there be? Thank you!
|
Next
|
Last
Pages: 1 2 Prev: Error unsupported TCAM value size Next: Serial ports up, but multilink down |