Terminating IPSec over TCP or IPSec over UDP on PIX

Cisco VPN Client (no concentrator) terminating on a PIX firewall outside interface. Some users are behind a NAT/PAT device, so we need NAT transparency via UDP or TCP. The PIX firewall must be able to terminate these sessions. Does anyone know how?

Thank you

Edgar

Hi Edgar,

Yes, the feature has been added in 6.3. We use NAT traversal on the PIX (UDP 4500); the Cisco VPN Client versions that support this type of NAT-T are 3.6 and later. Here are the URLs with info on both:

PIX

http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/63rnotes/pixrn63.htm#65230

VPN client

http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/3_6/365clnt.htm#1175427

Kind regards

Arthur


Similar Questions

  • PIX support IPsec over UDP or TCP

    Does the Cisco PIX 500 series firewall support IPsec over UDP or TCP so that the secure IPsec VPN tunnel can go through PAT and NAT? If so, how do I configure it? THX

    Regards

    Jeffrey

    Hi Jeff,

    The tentative date is around end of March 2003.

    Kind regards

    Arul

  • IPsec over UDP - remote VPN access

    Hi all

    On the user's PC the VPN client has the "IPSec over UDP" option checked under Transport.

    When I check the IKE phase 1 details in ASDM for the user's login, it shows only UDP port 500, not port 4500.

    Does that mean that between the user's PC and the ASA there is no device doing NAT?

    What if we check the same option in the VPN client, IPSec over UDP, and now we see UDP port 4500 under the IKE phase 1 connection details?

    Does this mean that there is now a NAT device between the ASA and the VPN Client PC, but it allows the IKE phase 1 connection?

    Regards

    MAhesh

    Hello Manu,

    I suggest using the following commands on your ASA to have a look at these ports as you test the VPN connections. Which command you use depends on your software level, as there are minor changes in the command format:

        show vpn-sessiondb detail remote

        show vpn-sessiondb detail remote filter p-ipaddress <public-ip>

    Or

        show vpn-sessiondb detail ra-ikev1-ipsec

        show vpn-sessiondb detail ra-ikev1-ipsec filter p-ipaddress <public-ip>

    These will provide information on the type of VPN Client connection.

    Here are a few out of different situations when connecting with the VPN Client

    Dynamic PAT - no Transparent Tunneling on the VPN Client

    • VPN connections through the PAT do not work, because the client connects via PAT without Transparent Tunneling

        Username     :                        Index        : 22
        Assigned IP  : 10.0.1.2               Public IP    :
        Protocol     : IKEv1 IPsec
        IKEv1:
          Tunnel ID    : 22.1
          UDP Src Port : 18451                  UDP Dst Port : 500
          IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
          Encryption   : AES256                 Hashing      : SHA1
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28551 Seconds
          D/H Group    : 2
          Filter Name  :
          Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
        IPsec:
          Tunnel ID    : 22.2
          Local Addr   : 0.0.0.0/0.0.0.0/0/0
          Remote Addr  : 10.0.1.2/255.255.255.255/0/0
          Encryption   : AES256                 Hashing      : SHA1
          Encapsulation: Tunnel
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28551 Seconds
          Idle Time Out: 30 Minutes             Idle TO Left : 25 Minutes
          Bytes Tx     : 0                      Bytes Rx     : 0
          Pkts Tx      : 0                      Pkts Rx      : 0

    Dynamic PAT - Transparent Tunneling (NAT/PAT) on the VPN Client

    • VPN connections through the PAT work, as we use Transparent Tunneling when forming the VPN Client connection through dynamic PAT

        Username     :                        Index        : 28
        Assigned IP  : 10.0.1.2               Public IP    :
        Protocol     : IKEv1 IPsecOverNatT
        IKEv1:
          Tunnel ID    : 28.1
          UDP Src Port : 52825                  UDP Dst Port : 4500
          IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
          Encryption   : AES256                 Hashing      : SHA1
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds
          D/H Group    : 2
          Filter Name  :
          Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
        IPsecOverNatT:
          Tunnel ID    : 28.2
          Local Addr   : 0.0.0.0/0.0.0.0/0/0
          Remote Addr  : 10.0.1.2/255.255.255.255/0/0
          Encryption   : AES256                 Hashing      : SHA1
          Encapsulation: Tunnel
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds
          Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
          Bytes Tx     : 360                    Bytes Rx     : 360
          Pkts Tx      : 6                      Pkts Rx      : 6

    Dynamic PAT - Transparent Tunneling (IPsec over TCP) on the VPN Client

    • VPN connections through the PAT work, as we use Transparent Tunneling when forming the VPN Client connection through dynamic PAT

        Username     :                        Index        : 24
        Assigned IP  : 10.0.1.2               Public IP    :
        Protocol     : IKEv1 IPsecOverTCP
        IKEv1:
          Tunnel ID    : 24.1
          UDP Src Port : 20343                  UDP Dst Port : 500
          IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
          Encryption   : AES256                 Hashing      : SHA1
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds
          D/H Group    : 2
          Filter Name  :
          Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
        IPsecOverTCP:
          Tunnel ID    : 24.2
          Local Addr   : 0.0.0.0/0.0.0.0/0/0
          Remote Addr  : 10.0.1.2/255.255.255.255/0/0
          Encryption   : AES256                 Hashing      : SHA1
          Encapsulation: Tunnel                 TCP Src Port : 20343
          TCP Dst Port : 10000
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds
          Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
          Bytes Tx     : 180                    Bytes Rx     : 180
          Pkts Tx      : 3                      Pkts Rx      : 3

    Static NAT - no Transparent Tunneling on the VPN Client

    • VPN Client connections to the LAN work because our VPN Client host has a static NAT configured for its local IP address. This lets ESP pass through the device doing the static NAT without encapsulation. You must allow the ESP traffic through the NAT device to the VPN device, or configure VPN connection inspection if there is an ASA acting as the NAT device.

        Username     :                        Index        : 25
        Assigned IP  : 10.0.1.2               Public IP    :
        Protocol     : IKEv1 IPsec
        IKEv1:
          Tunnel ID    : 25.1
          UDP Src Port : 50136                  UDP Dst Port : 500
          IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
          Encryption   : AES256                 Hashing      : SHA1
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds
          D/H Group    : 2
          Filter Name  :
          Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
        IPsec:
          Tunnel ID    : 25.2
          Local Addr   : 0.0.0.0/0.0.0.0/0/0
          Remote Addr  : 10.0.1.2/255.255.255.255/0/0
          Encryption   : AES256                 Hashing      : SHA1
          Encapsulation: Tunnel
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds
          Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
          Bytes Tx     : 120                    Bytes Rx     : 120
          Pkts Tx      : 2                      Pkts Rx      : 2

    Static NAT - Transparent Tunneling (NAT/PAT) on the VPN Client

    • The VPN Client connections work normally. Even though a host behind a static NAT does not need UDP encapsulation, it is still used if the VPN Client connection profile is configured to use it (Transport tab in the client software)

        Username     :                        Index        : 26
        Assigned IP  : 10.0.1.2               Public IP    :
        Protocol     : IKEv1 IPsecOverNatT
        IKEv1:
          Tunnel ID    : 26.1
          UDP Src Port : 60159                  UDP Dst Port : 4500
          IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
          Encryption   : AES256                 Hashing      : SHA1
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds
          D/H Group    : 2
          Filter Name  :
          Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
        IPsecOverNatT:
          Tunnel ID    : 26.2
          Local Addr   : 0.0.0.0/0.0.0.0/0/0
          Remote Addr  : 10.0.1.2/255.255.255.255/0/0
          Encryption   : AES256                 Hashing      : SHA1
          Encapsulation: Tunnel
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds
          Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
          Bytes Tx     : 1200                   Bytes Rx     : 1200
          Pkts Tx      : 20                     Pkts Rx      : 20

    Static NAT - Transparent Tunneling (IPsec over TCP) on the VPN Client

    • The VPN Client connections work normally. Even though a host behind a static NAT does not need TCP encapsulation, it is still used if the VPN Client connection profile is configured to use it (Transport tab in the client software)

        Username     :                        Index        : 27
        Assigned IP  : 10.0.1.2               Public IP    :
        Protocol     : IKEv1 IPsecOverTCP
        IKEv1:
          Tunnel ID    : 27.1
          UDP Src Port : 61575                  UDP Dst Port : 500
          IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
          Encryption   : AES256                 Hashing      : SHA1
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds
          D/H Group    : 2
          Filter Name  :
          Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
        IPsecOverTCP:
          Tunnel ID    : 27.2
          Local Addr   : 0.0.0.0/0.0.0.0/0/0
          Remote Addr  : 10.0.1.2/255.255.255.255/0/0
          Encryption   : AES256                 Hashing      : SHA1
          Encapsulation: Tunnel                 TCP Src Port : 61575
          TCP Dst Port : 10000
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds
          Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
          Bytes Tx     : 120                    Bytes Rx     : 120
          Pkts Tx      : 2                      Pkts Rx      : 2

    VPN device with a public IP address directly connected (as a VPN client) to an ASA

        Username     :                        Index        : 491
        Assigned IP  : 172.31.1.239           Public IP    :
        Protocol     : IKE IPsec
        IKE:
          Tunnel ID    : 491.1
          UDP Src Port : 500                    UDP Dst Port : 500
          IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
          Encryption   : 3DES                   Hashing      : SHA1
          Rekey Int (T): 86400 Seconds          Rekey Left(T): 71016 Seconds
          D/H Group    : 2
          Filter Name  :
        IPsec:
          Tunnel ID    : 491.2
          Local Addr   : 0.0.0.0/0.0.0.0/0/0
          Remote Addr  : 172.31.1.239/255.255.255.255/0/0
          Encryption   : AES128                 Hashing      : SHA1
          Encapsulation: Tunnel
          Rekey Int (T): 28800 Seconds          Rekey Left(T): 12123 Seconds
          Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607460 K-Bytes
          Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
          Bytes Tx     : 3767854                Bytes Rx     : 7788633
          Pkts Tx      : 56355                  Pkts Rx      : 102824

    Above are examples for your reference. I must also say that I am absolutely not an expert when it comes to VPNs in general. I had to learn firewalls/VPNs basically on my own, as during my studies we had no classes related to them (which was quite strange).

    While I learned how to set up VPNs and troubleshoot them, I think I missed out on the basic theory. I had plans to get the CCNA/CCNP certifications, but at the moment anything is possible. I don't have the time for it.

    I guess you are already going for the CCNP Security VPN exam?

    Hope this helps, and I hope that I didn't get anything wrong above

    -Jouni
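    The outputs above, as an added example that is not part of Jouni's post: a Python parser for the `show vpn-sessiondb detail` layout that tells the three transports apart (native ESP, NAT-T on UDP/4500, IPsec over TCP/10000) and flags a native-ESP session with zero byte counters, the symptom of the first case. The sample text, usernames and public IPs are constructed; only the field layout follows the output above.

```python
"""Classify Cisco ASA 'show vpn-sessiondb detail' sessions by IPsec transport."""
import re

# Constructed sample in the layout of the outputs above (usernames and public
# IPs are made up; the thread redacted them).
SAMPLE = """\
Username     : user1                  Index        : 22
Assigned IP  : 10.0.1.2               Public IP    : 198.51.100.7
Protocol     : IKEv1 IPsec
IKEv1:
  Tunnel ID    : 22.1
  UDP Src Port : 18451                  UDP Dst Port : 500
IPsec:
  Tunnel ID    : 22.2
  Encapsulation: Tunnel
  Bytes Tx     : 0                      Bytes Rx     : 0
Username     : user2                  Index        : 28
Assigned IP  : 10.0.1.3               Public IP    : 198.51.100.8
Protocol     : IKEv1 IPsecOverNatT
IKEv1:
  Tunnel ID    : 28.1
  UDP Src Port : 52825                  UDP Dst Port : 4500
IPsecOverNatT:
  Tunnel ID    : 28.2
  Encapsulation: Tunnel
  Bytes Tx     : 360                    Bytes Rx     : 360
Username     : user3                  Index        : 24
Assigned IP  : 10.0.1.4               Public IP    : 198.51.100.9
Protocol     : IKEv1 IPsecOverTCP
IKEv1:
  Tunnel ID    : 24.1
  UDP Src Port : 20343                  UDP Dst Port : 500
IPsecOverTCP:
  Tunnel ID    : 24.2
  Encapsulation: Tunnel                 TCP Src Port : 20343
  TCP Dst Port : 10000
  Bytes Tx     : 180                    Bytes Rx     : 180
"""

# A line holds one or two "Key : value" pairs; pairs are separated by a run of
# two or more spaces followed by the next key (letters up to a colon).
PAIR_SPLIT = re.compile(r"\s{2,}(?=[A-Za-z][^:]*:)")


def parse_sessions(text):
    """Return one {'Key': 'value'} dict per session (a session starts at 'Username')."""
    sessions = []
    for line in text.splitlines():
        for piece in PAIR_SPLIT.split(line.strip()):
            if ":" not in piece:
                continue
            key, _, value = piece.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Username":
                sessions.append({})
            if sessions:
                sessions[-1][key] = value
    return sessions


def classify(session):
    """Return (transport, dst_port, note) for one parsed session."""
    proto = session.get("Protocol", "")
    if "IPsecOverTCP" in proto:
        return ("IPsec over TCP", int(session.get("TCP Dst Port", "0")),
                "TCP encapsulation is used from the first packet, so it says nothing about NAT")
    if "IPsecOverNatT" in proto:
        return ("IPsec over UDP (NAT-T)", int(session.get("UDP Dst Port", "0")),
                "UDP/4500 means a NAT device was detected between client and ASA")
    port = int(session.get("UDP Dst Port", "0"))
    no_traffic = session.get("Bytes Tx") == "0" and session.get("Bytes Rx") == "0"
    if no_traffic:
        return ("native ESP", port,
                "no bytes counted: ESP may be blocked by a PAT device (transparent tunneling off)")
    return "native ESP", port, "IP protocol 50 passes end to end"


def report(text):
    """Summarise every session as (index, assigned_ip, transport, dst_port, note)."""
    rows = []
    for s in parse_sessions(text):
        transport, port, note = classify(s)
        rows.append((s.get("Index"), s.get("Assigned IP"), transport, port, note))
    return rows


if __name__ == "__main__":
    for idx, ip, transport, port, note in report(SAMPLE):
        print(f"index {idx:>4}  {ip:<10}  {transport:<22}  dst port {port:<5}  {note}")
```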

  • 1812-IPSEC Site to Site PIX 6.3

    We have an 1812 and need to create a site-to-site VPN tunnel with a PIX running 6.3. Yes, I know the PIX is old, but we cannot control it: it's a hosted firewall over which we don't have that kind of control. My configs for each are shown below. Please advise on what you think I should do to get these two to talk.

    Thank you

    === 1812 ===

        adminfirewall#sh run
        Building configuration...

        Current configuration : 2649 bytes
        !
        version 12.4
        service timestamps debug datetime msec
        service timestamps log datetime msec
        no service password-encryption
        !
        hostname adminfirewall
        !
        boot-start-marker
        boot-end-marker
        !
        !
        aaa new-model
        !
        !
        !
        aaa session-id common
        !
        resource policy
        !
        mmi polling-interval 60
        no mmi auto-configure
        no mmi pvc
        mmi snmp-timeout 180
        ip subnet-zero
        !
        !
        ip cef
        !
        !
        no ip domain lookup
        ip domain name chrysalis-shelter.org
        !
        !
        !
        !
        !
        !
        crypto isakmp policy 1
         encr 3des
         authentication pre-share
         group 2
        crypto isakmp key butterfly address 1.1.1.1 255.255.255.0
        !
        crypto ipsec security-association lifetime seconds 86400
        !
        crypto ipsec transform-set admtrans esp-3des esp-sha-hmac
        !
        crypto map adminvpn 1 ipsec-isakmp
         set peer 1.1.1.1
         set transform-set admtrans
         set pfs group2
         match address 100
        !
        !
        !
        !
        interface FastEthernet0
         description Outside WAN
         ip address 2.2.2.2 255.255.255.240
         no ip unreachables
         ip nat outside
         ip virtual-reassembly
         duplex auto
         speed auto
         fair-queue 1 256 0
         crypto map adminvpn
        !
        interface FastEthernet1
         description Inside LAN
         no ip address
         no ip unreachables
         shutdown
         duplex auto
         speed auto
        !
        interface BRI0
         no ip address
         encapsulation hdlc
         shutdown
        !
        interface FastEthernet2
        !
        interface FastEthernet3
        !
        interface FastEthernet4
        !
        interface FastEthernet5
        !
        interface FastEthernet6
        !
        interface FastEthernet7
        !
        interface FastEthernet8
        !
        interface FastEthernet9
        !
        interface Vlan1
         description Inside LAN
         ip address 192.168.254.253 255.255.255.252
         ip nat inside
         ip virtual-reassembly
        !
        ip classless
        ip route 0.0.0.0 0.0.0.0 FastEthernet0 2.2.2.3
        ip route 10.1.0.0 255.255.255.0 Vlan1 192.168.254.254
        ip route 10.2.0.0 255.255.255.0 Vlan1 192.168.254.254
        ip route 10.3.0.0 255.255.255.0 Vlan1 192.168.254.254
        !
        !
        no ip http server
        no ip http secure-server
        ip nat inside source list 101 interface FastEthernet0 overload
        !
        access-list 100 remark VPN SHEEP
        access-list 100 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
        access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
        access-list 100 permit ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255
        access-list 101 remark NAT
        access-list 101 permit ip 10.1.0.0 0.0.0.255 any
        access-list 101 permit ip 10.2.0.0 0.0.0.255 any
        access-list 101 permit ip 10.3.0.0 0.0.0.255 any
        access-list 101 permit ip 192.168.254.252 0.0.0.3 any
        !
        !
        !
        !
        control-plane
        !
        !
        line con 0
         transport output telnet
        line aux 0
         transport output telnet
        line vty 0 4
         exec-timeout 0 9
         privilege level 15
         transport input ssh
        !
        no scheduler allocate
        end

    === PIX ===

        pixfirewall# sh run
        : Saved
        :
        PIX Version 6.3(5)
        interface ethernet0 100full
        interface ethernet1 100full
        nameif ethernet0 outside security0
        nameif ethernet1 inside security100
        hostname pixfirewall
        domain-name WR
        clock timezone STD -7
        clock summer-time MDT recurring
        fixup protocol dns maximum-length 512
        fixup protocol ftp 21
        fixup protocol h323 h225 1720
        fixup protocol h323 ras 1718-1719
        fixup protocol http 80
        fixup protocol rsh 514
        fixup protocol rtsp 554
        fixup protocol sip 5060
        fixup protocol sip udp 5060
        fixup protocol skinny 2000
        fixup protocol smtp 25
        fixup protocol sqlnet 1521
        fixup protocol tftp 69
        names
        name 10.1.0.0 chrysalisadmin
        name 10.3.0.0 chrysalis10.3
        name 10.2.0.0 chrysalis10.2
        access-list outside_access_in permit ip any any
        access-list outside_access_in permit tcp any any eq ftp-data
        access-list outside_access_in permit tcp any any eq ftp
        access-list outside_access_in permit tcp any any eq ssh
        access-list outside_access_in permit tcp any any eq 42
        access-list outside_access_in permit udp any any eq nameserver
        access-list outside_access_in permit tcp any any eq domain
        access-list outside_access_in permit udp any any eq domain
        access-list outside_access_in permit tcp any any eq www
        access-list outside_access_in permit tcp any any eq pop3
        access-list outside_access_in permit tcp any any eq https
        access-list outside_access_in permit tcp any any eq 465
        access-list outside_access_in permit tcp any any eq 587
        access-list outside_access_in permit tcp any any eq 995
        access-list outside_access_in permit tcp any any eq 993
        access-list outside_access_in permit tcp any any eq 3389
        access-list outside_access_in permit tcp any any eq 2006
        access-list outside_access_in permit tcp any any eq 8447
        access-list outside_access_in permit tcp any any eq 8443
        access-list outside_access_in permit tcp any any eq 9999
        access-list outside_access_in permit tcp any any eq 2086
        access-list outside_access_in permit tcp any any eq 2087
        access-list outside_access_in permit tcp any any eq 2082
        access-list outside_access_in permit tcp any any eq 2083
        access-list outside_access_in permit tcp any any eq 2096
        access-list outside_access_in permit tcp any any eq 2095
        access-list outside_access_in deny tcp any any eq telnet
        access-list outside_access_in permit tcp any any eq smtp
        access-list outside_access_in deny tcp any any eq imap4
        access-list outside_access_in deny tcp any any eq 1433
        access-list outside_access_in deny tcp any any eq 3306
        access-list outside_access_in deny tcp any any eq 9080
        access-list outside_access_in deny tcp any any eq 9090
        access-list outside_access_in permit icmp any any echo-reply
        access-list outside_access_in permit icmp any any source-quench
        access-list outside_access_in permit icmp any any unreachable
        access-list outside_access_in permit icmp any any time-exceeded
        access-list outside_access_in permit ip host 64.202.161.122 any
        access-list outside_access_in permit ip host 208.109.188.21 any
        access-list outside_access_in permit ip host 208.109.188.22 any
        access-list outside_access_in permit ip host 208.109.188.10 any
        access-list outside_access_in permit icmp host 64.202.161.122 any echo
        access-list outside_access_in permit icmp host 208.109.188.21 any echo
        access-list outside_access_in permit icmp host 208.109.188.22 any echo
        access-list outside_access_in permit icmp host 208.109.188.10 any echo
        access-list outside_access_in permit udp any any eq isakmp
        access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 chrysalisadmin 255.255.255.0
        access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 chrysalis10.2 255.255.255.0
        access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 chrysalis10.3 255.255.255.0
        access-list outside_cryptomap_1 remark GoDaddy to Chrysalis Admin network 10.1.0.0
        access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalisadmin 255.255.255.0
        access-list outside_cryptomap_1 remark GoDaddy to Chrysalis 10.2.0.0 network
        access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalis10.2 255.255.255.0
        access-list outside_cryptomap_1 remark GoDaddy to Chrysalis 10.3.0.0 network
        access-list outside_cryptomap_1 permit ip 10.0.0.0 255.255.255.0 chrysalis10.3 255.255.255.0
        pager lines 24
        logging on
        mtu outside 1500
        mtu inside 1500
        ip address outside 2.2.2.2 255.255.255.0
        ip address inside 10.0.0.254 255.255.255.0
        ip verify reverse-path interface outside
        ip audit info action alarm
        ip audit attack action alarm
        pdm location 10.0.0.1 255.255.255.255 inside
        pdm location 192.168.1.0 255.255.255.0 inside
        pdm location 72.167.38.79 255.255.255.255 outside
        pdm location 208.109.96.4 255.255.255.255 outside
        pdm location 208.109.188.4 255.255.255.255 outside
        pdm location 216.69.160.4 255.255.255.255 outside
        pdm location 64.202.161.122 255.255.255.255 outside
        pdm location 208.109.188.21 255.255.255.255 outside
        pdm location 208.109.188.22 255.255.255.255 outside
        pdm location 208.109.188.10 255.255.255.255 outside
        pdm location chrysalisadmin 255.255.255.0 outside
        pdm location chrysalis10.2 255.255.255.0 outside
        pdm location chrysalis10.3 255.255.255.0 outside
        pdm logging informational 100
        pdm history enable
        arp timeout 14400
        global (outside) 1 interface
        nat (inside) 0 access-list inside_nat0_outbound
        nat (inside) 1 0.0.0.0 0.0.0.0 0 0
        static (outside,inside) 10.0.0.1 72.167.38.79 netmask 255.255.255.255 0 0
        static (inside,outside) 72.167.38.79 10.0.0.1 netmask 255.255.255.255 0 0
        access-group outside_access_in in interface outside
        route outside 0.0.0.0 0.0.0.0 72.167.38.254 1
        route outside 208.109.96.4 255.255.255.255 72.167.38.254 1
        route outside 208.109.188.4 255.255.255.255 72.167.38.254 1
        route outside 216.69.160.4 255.255.255.255 72.167.38.254 1
        timeout xlate 0:05:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
        timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
        timeout sip-disconnect 0:02:00 sip-invite 0:03:00
        timeout uauth 0:05:00 absolute
        aaa-server TACACS+ protocol tacacs+
        aaa-server TACACS+ max-failed-attempts 3
        aaa-server TACACS+ deadtime 10
        aaa-server RADIUS protocol radius
        aaa-server RADIUS max-failed-attempts 3
        aaa-server RADIUS deadtime 10
        aaa-server LOCAL protocol local
        aaa authentication ssh console LOCAL
        http server enable
        http 0.0.0.0 0.0.0.0 outside
        http 192.168.1.0 255.255.255.0 inside
        http 10.0.0.0 255.255.255.0 inside
        no snmp-server location
        no snmp-server contact
        snmp-server community public
        no snmp-server enable traps
        floodguard enable
        sysopt connection permit-ipsec
        crypto ipsec transform-set strong esp-3des esp-sha-hmac
        crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
        crypto map Chrysalis 1 ipsec-isakmp
        crypto map Chrysalis 1 match address outside_cryptomap_1
        crypto map Chrysalis 1 set peer 1.1.1.1
        crypto map Chrysalis 1 set transform-set ESP-3DES-SHA
        crypto map Chrysalis 1 set security-association lifetime seconds 86400 kilobytes 4608000
        crypto map Chrysalis interface outside
        isakmp enable outside
        isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
        isakmp identity address
        isakmp policy 1 authentication pre-share
        isakmp policy 1 encryption 3des
        isakmp policy 1 hash sha
        isakmp policy 1 group 2
        isakmp policy 1 lifetime 86400
        telnet timeout 5
        ssh 0.0.0.0 0.0.0.0 outside
        ssh 0.0.0.0 0.0.0.0 inside
        ssh timeout 5
        management-access outside
        console timeout 0
        terminal width 511
        Cryptochecksum:80ccff6b5b84bdd6b0359afd7ee44b48
        : end

    (1) Is there a typo in your configuration? Both the 1812 and the PIX have the same outside interface IP address, i.e. 2.2.2.2 in your example. So I don't know if there is a typo that could lead to an incorrect 'crypto map ... set peer' as well as 'crypto isakmp key' configuration. Please kindly check.

    (2) You also have "set pfs group2" configured on the router, but not on the PIX. You either need to remove it from the router, or configure the same policy on the PIX.

    (3) ACL 101, which is applied to the NAT statement, should be as follows:

        access-list 101 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
        access-list 101 deny ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255
        access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255

        access-list 101 permit ip 10.1.0.0 0.0.0.255 any
        access-list 101 permit ip 10.2.0.0 0.0.0.255 any
        access-list 101 permit ip 10.3.0.0 0.0.0.255 any
        access-list 101 permit ip 192.168.254.252 0.0.0.3 any

    Please kindly make sure all 'deny' statements are above the 'permit' statements, as shown above.

    Finally, please advise where the site-to-site VPN is failing. After the above changes, please clear the tunnel on both sides, establish the tunnel again, and if it still does not work, please share the output of:

        show crypto isakmp sa

        show crypto ipsec sa

    And also share the latest config after the above changes. Hope that helps.
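    The ACL ordering point in (3), as an added example that is not from the thread: a small Python model of IOS first-match ACL evaluation and of the inside-to-outside order of operations (NAT before the crypto map), run over ACL 100 and both orderings of ACL 101 from the posted 1812 config. The 2.2.2.2 outside address is the one in the posted config; the inside and remote hosts are constructed sample addresses within the posted subnets.

```python
"""First-match ACL simulation: why the NAT ACL needs 'deny' lines above 'permit'."""
import ipaddress

# ACLs from the posted 1812 config (ACL 101 as posted, and as the reply corrects it).
ACL100 = [
    "access-list 100 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 100 permit ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 100 permit ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255",
]
ACL101_AS_POSTED = [
    "access-list 101 permit ip 10.1.0.0 0.0.0.255 any",
    "access-list 101 permit ip 10.2.0.0 0.0.0.255 any",
    "access-list 101 permit ip 10.3.0.0 0.0.0.255 any",
    "access-list 101 permit ip 192.168.254.252 0.0.0.3 any",
]
ACL101_FIXED = [
    "access-list 101 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 101 deny ip 10.2.0.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.0.0.255",
] + ACL101_AS_POSTED
OUTSIDE_IP = "2.2.2.2"  # FastEthernet0 address used by 'interface FastEthernet0 overload'


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(fields):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if fields[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), fields[1:]
    if fields[0] == "host":
        return (fields[1], "0.0.0.0"), fields[2:]
    return (fields[0], fields[1]), fields[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tok = line.split()
    action, fields = tok[2], tok[4:]
    src, fields = _take_addr(fields)
    dst, _ = _take_addr(fields)
    return action, src, dst


def acl_permits(acl, src, dst):
    """Evaluate top to bottom; the first matching entry decides, implicit deny at the end."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


def outbound(src, dst, nat_acl):
    """Inside-to-outside order on IOS: NAT is applied before the crypto map is checked.

    Returns (source address on the wire, whether the crypto map encrypts the packet).
    A packet the NAT ACL permits leaves with the outside address as its source and
    therefore no longer matches the crypto ACL 100, so it goes out in the clear.
    """
    if acl_permits(nat_acl, src, dst):
        src = OUTSIDE_IP  # PAT overload rewrites the source to the outside address
    return src, acl_permits(ACL100, src, dst)


if __name__ == "__main__":
    for name, acl in (("as posted", ACL101_AS_POSTED), ("deny first", ACL101_FIXED)):
        wire_src, encrypted = outbound("10.1.0.5", "10.0.0.9", acl)
        print(f"ACL 101 {name:<10}: 10.1.0.5 -> 10.0.0.9 leaves as {wire_src}, encrypted={encrypted}")
```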

  • Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

    Hi all!

    Have a strange problem with one of our IPsec tunnels to one of our customers: we can bring the tunnel up from the customer's site, but not from our site. I don't understand what's wrong; if it were a configuration problem we should not be able to bring the tunnel up at all.

    On our side as initiator:

        Jan 14 13:53:26 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
        Jan 14 13:53:26 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (initiator), remote 2.2.2.2)
        Jan 14 13:53:26 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (initiator), remote 2.2.2.2)
        Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)
        Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
        Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)
        Jan 14 13:53:26 172.27.1.254 %PIX-6-602203: ISAKMP session disconnected (local 1.1.1.1 (initiator), remote 2.2.2.2)
        Jan 14 13:53:56 172.27.1.254 %PIX-7-702303: sa_request, (key eng. msg.) src= 1.1.1.1, dest= 2.2.2.2, src_proxy= 172.27.1.10/255.255.255.255/0/0 (type=1), dest_proxy= 192.168.100.18/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac, lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

    The customer's site as responder:

        Jan 14 11:58:23 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
        Jan 14 11:58:23 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
        Jan 14 11:58:23 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (responder), remote 2.2.2.2)
        Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)
        Jan 14 11:58:23 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
        Jan 14 11:58:23 172.27.1.254 %PIX-6-602301: sa created, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 116
        Jan 14 11:58:23 172.27.1.254 %PIX-7-702211: ISAKMP Phase 2 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
        Jan 14 12:28:54 172.27.1.254 %PIX-6-602302: deleting SA, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac, sa_conn_id= 116

    Kind regards

    Johan

    From my experience, when a tunnel comes up from one side but not from the other, the problem is an inconsistency in the ISAKMP and IPsec policies, mainly the IPsec transform sets and the matching addresses. On the ASA platform, when a tunnel does not match a statically defined crypto map entry it sometimes uses the dynamic entry to allocate that VPN connection. To check whether this is the case, go ahead and run "show crypto ipsec sa" while the tunnel is active on both sides, and see on the ASA whether the tunnel is bound to the static crypto map entry or to the dynamic one.

    I advise you to go over the settings on both sides and ensure that they mirror each other.

  • L2l IPSec VPN 3000 and PIX 501

    Hello

    I have a remote site that has a broadband internet connection and uses a PIX 501.  We wanted to connect them with our main office using our VPN 3000 via VPN site-to-site.

    I followed the following documentation:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#tshoot

    However the L2L session does not appear on the concentrator when I check the active sessions.

    The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPSec L2L tunnel, are attached.

    Any help or advice is appreciated.

    I just noticed that on the PIX firewall the phase 1 parameters are not configured. You must configure the same phase 1 and phase 2 settings on both ends of the tunnel.

    For example, on the CVPN 3000 you have configured phase 1 settings such as 3DES, pre-shared key etc. You need the same configuration on the PIX firewall too.

    Here is a sample config:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

    I hope this helps!

  • TCP to port 80 OK on device, but UDP failed

    I abandoned the MIDlet project and finally tested TCP OK in a normal project with a StreamConnection to 'socket://<ip>:<port>;deviceside=true;interface=wifi', even when the port is 80.

    UDP failed with a DatagramConnection to 'udp://<ip>:<port>;deviceside=true;interface=wifi' for the device and 'udp://<ip>:<port>' for the emulator. All of them end up in NoSuchFile.java when debugging reaches the send(datagram) call, and no exception is thrown. I don't know why. Here is my code (BlackBerry 8320, v4.2.2):

        import java.io.IOException;
        import javax.microedition.io.Connector;
        import javax.microedition.io.Datagram;
        import javax.microedition.io.DatagramConnection;

        class UdpConnectionThread extends Thread {

            // e.g. "udp://<ip>:<port>;deviceside=true;interface=wifi"
            private String host;

            UdpConnectionThread(String s) {
                host = s;
            }

            public void run() {
                DatagramConnection udp_client = null;
                Datagram dg_out = null;
                try {
                    System.out.println("UDP initializing:" + host);
                    udp_client = (DatagramConnection) Connector.open(host);
                } catch (IOException ioe) {
                    System.out.println("connector.open IOException:" + ioe);
                    return; // no connection to send on; falling through would NPE below
                }
                String strbuf = "test";
                byte[] send_buf = strbuf.getBytes();
                int len = send_buf.length;
                try {
                    dg_out = udp_client.newDatagram(send_buf, len, host);
                    System.out.println("Datagram:" + dg_out.getData()[0] + " Addr:" + dg_out.getAddress());
                    udp_client.send(dg_out);
                } catch (IOException ioe) {
                    System.out.println("newDatagram/send IOException:" + ioe);
                } finally {
                    try {
                        udp_client.close();
                    } catch (IOException ioe) {
                        System.out.print("UDP close IOException:" + ioe);
                    }
                }
            }
        }
    

    Moreover, is there any sample UDP client code for 4.2? I Googled it and looked through com.rim.samples in JDE 4.2.1 and found nothing.

    I fixed it by upgrading OS to 4.5.124.

    Thank you very much!

  • IPSec over TCP on PIX 501

    Hello

    Is there a way I can configure IPSec over TCP as the default configuration on the PIX firewall? I'm on 6.3.

    The PIX does not support IPsec over TCP. It does support NAT-T, which is IPSec over UDP/4500 and is also supported by the Cisco VPN client. Just add the following command on the PIX:

        isakmp nat-traversal

    The PIX and the VPN client will auto-negotiate IPSec encapsulation if necessary. See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.

  • Difference between IPSec over TCP and IPSec over UDP

    Hello world

    I'm testing the VPN from the user's PC.

    When I test from the user's PC using IPsec over TCP it uses port 10000.

    When I check on the ASA in ASDM under connection details:

    IKEv1 - UDP Destination Port 500

    IPsecOverTCP - TCP Destination Port 10000

    Using IPsec over UDP:

    IKEv1 - UDP Destination Port 500

    IPsecOverUDP - UDP Tunnel Destination Port 10000

    So whether using TCP or UDP it uses the same ports, 500 and 10000.

    I need to know what the major difference is between these two connections, TCP or UDP?

    Regards

    MAhesh

    IPSec over TCP is used in scenarios where:

    1. UDP port 500 is blocked, resulting in incomplete IKE negotiations

    2. ESP is not allowed through, so the encrypted traffic does not cross

    3. The network administrator prefers to use a connection-oriented protocol

    4. IPSec over TCP may be necessary when the intermediate NAT or PAT device is a stateful firewall

    Unlike IPSec over UDP, with IPSec over TCP there is no negotiation: the packets are TCP-encapsulated from the beginning of the tunnel setup. This feature is available only for remote-access VPN, not for L2L tunnels. It also does not work with proxy firewalls.

    IPSec over UDP, similar to NAT-T, encapsulates ESP packets in a UDP wrapper. It is useful in scenarios where the VPN clients do not support NAT-T and are behind a firewall that does not allow ESP packets to pass through. In IPSec over UDP, the IKE negotiation still uses UDP port 500.
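    An added example, not code from this thread or from Cisco, that puts the two answers above (the PIX NAT-T answer and this one) into a small packet classifier and tunnel-failure diagnoser a practitioner can run over a capture. It assumes the ISAKMP header layout of RFC 2408 (28 bytes), the ESP header of RFC 4303, and the NAT-T framing of RFC 3948 on UDP/4500 (IKE carries a 4-byte zero Non-ESP Marker, a lone 0xFF byte is a NAT keepalive, anything else is UDP-encapsulated ESP). Cisco IPsec over UDP and IPsec over TCP are recognised only by the port 10000 the thread names; their payload framing is treated as opaque. The three captures at the bottom are constructed, not real traffic, and use the ASA-side port so that a PAT-rewritten client port does not matter.

```python
"""Classify IPsec transports and diagnose a remote-access tunnel that fails
(added example; protocol constants per RFC 2408/4303/3948, port 10000 is the
Cisco default named in the thread and is an assumption here)."""
import struct
from collections import Counter

IP_PROTO_TCP, IP_PROTO_UDP, IP_PROTO_ESP = 6, 17, 50
PORT_IKE, PORT_NAT_T, PORT_CISCO_ENCAP = 500, 4500, 10000  # 10000: assumed Cisco default
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2, prefixes IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 section 2.3
ENCAPSULATED = ("esp/udp4500", "ipsec-over-udp", "ipsec-over-tcp")


def parse_isakmp(data):
    """Return (initiator SPI hex, responder SPI hex, exchange type) from an ISAKMP header."""
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    ispi, rspi, _next, _ver, xchg, _flags, _msgid, _length = struct.unpack("!8s8sBBBBII", data[:28])
    return ispi.hex(), rspi.hex(), xchg


def parse_esp(data):
    """Return (SPI, sequence number) from an ESP header, native or UDP-encapsulated."""
    return struct.unpack("!II", data[:8])


def classify(proto, asa_port, payload):
    """Name the transport a packet belongs to. asa_port is the port on the ASA/PIX
    side: destination for client-to-ASA, source for ASA-to-client."""
    if proto == IP_PROTO_ESP:
        return "esp"
    if proto == IP_PROTO_UDP and asa_port == PORT_IKE:
        return "ike/udp500"
    if proto == IP_PROTO_UDP and asa_port == PORT_NAT_T:
        if payload == NAT_KEEPALIVE:
            return "nat-t/keepalive"
        if payload.startswith(NON_ESP_MARKER):  # IKE moved to 4500 after NAT detection
            return "ike/udp4500"
        return "esp/udp4500"  # an ESP SPI is never zero, so it cannot collide with the marker
    if proto == IP_PROTO_TCP and asa_port == PORT_CISCO_ENCAP:
        return "ipsec-over-tcp"
    if proto == IP_PROTO_UDP and asa_port == PORT_CISCO_ENCAP:
        return "ipsec-over-udp"
    return "other"


def diagnose(packets):
    """packets: iterable of (direction, proto, asa_port, payload), direction 'out'
    meaning client to ASA. Returns a one-line diagnosis for the thread's reasons
    1 (IKE blocked) and 2 (ESP blocked)."""
    seen = Counter()
    for direction, proto, asa_port, payload in packets:
        seen[(direction, classify(proto, asa_port, payload))] += 1

    def count(direction, *kinds):
        return sum(seen[(direction, k)] for k in kinds)

    if count("out", "ike/udp500", "ike/udp4500") and not count("in", "ike/udp500", "ike/udp4500"):
        return "IKE sent but never answered: UDP/500 (or UDP/4500) is blocked on the path"
    if count("out", "esp") and not count("in", "esp") and not count("in", *ENCAPSULATED):
        return "IKE answered but native ESP gets no reply: IP protocol 50 is blocked, use NAT-T or IPsec over TCP/UDP"
    if count("out", *ENCAPSULATED) and not count("in", *ENCAPSULATED):
        return "encapsulated ESP sent but none received: check the encapsulation port on the path"
    if count("in", "esp") or count("in", *ENCAPSULATED):
        return "tunnel passing traffic"
    return "no IPsec traffic seen"


def ike_packet(ispi, rspi, xchg):
    """Bare 28-byte ISAKMP header: SPIs, next payload 0, version 1.0, exchange type,
    flags 0, message ID 0, length 28 (constructed sample data)."""
    return struct.pack("!8s8sBBBBII", ispi, rspi, 0, 0x10, xchg, 0, 0, 28)


def esp_packet(spi, seq):
    """ESP header plus a dummy encrypted body (constructed sample data)."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


I_SPI, R_SPI, MAIN_MODE = b"\x01" * 8, b"\x02" * 8, 2

# Constructed capture 1: UDP/500 filtered, the client retransmits and nothing comes back.
SAMPLE_UDP500_BLOCKED = [("out", IP_PROTO_UDP, 500, ike_packet(I_SPI, b"\x00" * 8, MAIN_MODE))] * 3

# Constructed capture 2: IKE completes, native ESP (IP protocol 50) is dropped on the way back.
SAMPLE_ESP_BLOCKED = [
    ("out", IP_PROTO_UDP, 500, ike_packet(I_SPI, b"\x00" * 8, MAIN_MODE)),
    ("in", IP_PROTO_UDP, 500, ike_packet(I_SPI, R_SPI, MAIN_MODE)),
    ("out", IP_PROTO_ESP, 0, esp_packet(0xDEADBEEF, 1)),
    ("out", IP_PROTO_ESP, 0, esp_packet(0xDEADBEEF, 2)),
]

# Constructed capture 3: NAT detected, IKE and ESP move to UDP/4500, traffic flows both ways.
SAMPLE_NAT_T_OK = [
    ("out", IP_PROTO_UDP, 500, ike_packet(I_SPI, b"\x00" * 8, MAIN_MODE)),
    ("in", IP_PROTO_UDP, 500, ike_packet(I_SPI, R_SPI, MAIN_MODE)),
    ("out", IP_PROTO_UDP, 4500, NON_ESP_MARKER + ike_packet(I_SPI, R_SPI, MAIN_MODE)),
    ("out", IP_PROTO_UDP, 4500, esp_packet(0x1234, 1)),
    ("in", IP_PROTO_UDP, 4500, esp_packet(0x4321, 1)),
    ("out", IP_PROTO_UDP, 4500, NAT_KEEPALIVE),
]

if __name__ == "__main__":
    for name, cap in (("udp500 blocked", SAMPLE_UDP500_BLOCKED),
                      ("esp blocked", SAMPLE_ESP_BLOCKED),
                      ("nat-t ok", SAMPLE_NAT_T_OK)):
        print(name + ": " + diagnose(cap))
```

    The point of the 4500 branch is the one a firewall rule cannot express: IKE and ESP share the port after NAT detection, and only the leading four bytes tell them apart, so a capture that shows UDP/4500 packets in one direction only still needs the marker check to say whether the stalled side is IKE or ESP.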

  • IPSec over TCP on Pix

    Nice day

    I would like to know if there is a possibility of configuring IPSEC over TCP on the PIX firewall.

    Is this feature supported by the latest PIX OS (6.3.3)?

    Thank you

    Diego

    The PIX does not support IPsec over TCP. It supports NAT Traversal, which is IPsec over UDP. IPsec over TCP is supported on the VPN Concentrator. The next link talks about NAT traversal.

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/PIX/pix_sw/v_63/config/ipsecint.htm#1057446

    Take a look at this link to configure IPSec over TCP on a VPN 3000 Concentrator:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800946bc.shtml

  • VPN Client with IPSEC over TCP tunneling transport does not work

    Hello world

    The VPN Client works well with IPSEC over UDP tunneling transport.

    I am testing to see if it works when I choose IPsec over TCP in the VPN Client.

    Under the group policy, I disabled IPSEC over UDP and set port 10000.

    But the VPN connection failed.

    What should I do to make the VPN work using IPSEC over TCP?

    Regards

    MAhesh

    Mahesh,

    You must use "crypto ikev1 ipsec-over-tcp port 10000".

    Whereas "crypto isakmp ipsec-over-tcp" works on images below 8.3.

    HTH

  • IPSec Over TCP

    When you set this option on the ASA, does that affect all VPNs? It is a global configuration element; if I am working with UDP VPNs but set up one VPN using TCP, will the other VPNs still use UDP, or will they fail because the other end doesn't have the same configuration?

    IPSec over TCP is supported only for remote-access VPN client connections to the ASA. It is not supported for LAN-to-LAN VPN tunnels.

    And yes, it will affect all remote-access VPN client connections to the ASA once you enable it globally.

    Here is the document for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa83/configuration/guide/IKE.html#wp1059912

  • VPN Client 3.5.1 to PIX 506E using IPsec over TCP

    Is it possible to do when there is a device in the path of the VPN tunnel that will make the static NAT?

    The reason is that the outside interface of the PIX will have a private address, and it is the endpoint of the tunnel. The device performing NAT has a public address, which the VPN client thinks is the end of the tunnel; the static NAT will result in the incoming packets on UDP port 500 having the PIX as their destination.

    Thank you.

    The PIX cannot do TCP encapsulation. It can do UDP encapsulation.

    You can create IPSec tunnels to the outside address of the PIX even if that address is NATted, provided that it is NAT and NOT PAT.

  • IPSec over TCP client connections via USB

    We have a problem (and I noticed that several other people here have it as well) with our remote broadband users not being able to connect. We just recently started getting complaints from XP Home users that they were getting errors while trying to connect to the concentrator.

    To begin troubleshooting we temporarily moved our 3015 concentrator outside our firewall. Users were still unable to connect. After some additional troubleshooting, we were able to successfully reproduce this problem by simply changing the users' VPN client from IPsec over TCP to IPsec over UDP.

    Then we tried to identify why it failed for some clients but not all. In the end, the only thing we could find that was really different was that clients who use a USB port to connect to the network instead of a proper Ethernet port cannot connect via IPSec over TCP. We have tested and verified this on several operating systems, including Windows 2000, XP Home and XP Pro. We have also tested and verified it with multiple VPN Clients, including 3.5.1 and 3.6.3b.

    The end result is that all users who use a USB type connection cannot connect via IPSec over TCP. All users who connect through a proper Ethernet adapter are able to connect via either method.

    Our problem is that we cannot run UDP connections behind our firewall without NAT translation. We send a preconfigured client to our users which forces it to use TCP port 10000 instead of the default UDP port 10000. We do this for several reasons, but the most important of them is that our firewall will not redirect IPSec UDP sessions, only IPSec TCP sessions.

    Leaving the VPN concentrator outside the firewall and exposed is not an option. So I find myself telling all my USB users that the only way they can connect is to install an Ethernet card, which ultimately is not really much of an option considering the expense and technical knowledge necessary to pull it off; with hundreds of individuals it just will not fly.

    So, this brings me to this forum. Before I open a TAC case I want to hear from the experts, to determine as closely as possible whether this is a Microsoft problem or a Cisco VPN client problem. I have my suspicions that it is a Microsoft issue, but I can't prove anything yet. Does anyone else have an idea on this? Please, I invite everyone to test this out and let us know what you find. If you would like more details on the methodology please let me know and I would be happy to provide it. I think it is potentially a huge problem just by the number of complaints I've seen in this forum. My supervisor thinks I'm smoking something when I try to explain this to him. All he can say is "if it was really a problem, more people would certainly have it also, and you would have heard about it by now; it must be in your configuration. GO FIX IT" (does all this sound familiar?)

    I appreciate all of the comments that everyone is willing to give. I think that if we as a community get together on this we can find a solution.

    Thanks for your time!

    It is a bug; use the Bug Toolkit to see bug CSCdv00229.

  • VPN IPSEC/TCP

    Hello

    I finally got my VPN to work (router 1712), but only with IPSEC over UDP. Everything works well, but some clients are behind a firewall where only ports 80 and 443 are allowed. Isn't it possible to create a VPN tunnel over port 443?

    I tried looking for examples, but cannot find any. I found some info that I should use IPSEC over TCP. Can I use IPsec over UDP and TCP at the same time?

    Greetings,

    Gunther.

    Hi Gunther,

    IOS does not yet support IPsec over TCP.

    You cannot run VPN on port 443 (SSL VPN) with a router either.

    You should go for a 3000 series concentrator, or wait for a newer version of IOS or PIX code.
