How to fix VPN tunnel-related issues on the PIX Firewall, Concentrator, ASA and Router

Core issue


These are a few of the common reasons why a VPN tunnel does not come up or fails to pass traffic on a PIX
Firewall, Concentrator, ASA or router:
      • The wrong IP address is configured in the pre-shared key or crypto map.
      • The crypto map is not bound to the outside interface.
      • The access control lists (ACLs) on the two peers do not mirror each other.
      • The ACLs overlap with those of other tunnels.
      • NAT is not bypassed for the VPN traffic on the router or PIX Firewall.
      • The same ACL is used for both the crypto map and the NAT bypass (NAT 0) on the PIX Firewall.
      • The NAT bypass ACL is configured with the keyword any instead of a specific source and destination.
      • The ISP blocks UDP port 500 (ISAKMP) or changes the IP address of the remote peer.
      • The ISAKMP policies on the peers do not match.
      • There are routing issues.
      • Stale (older) Security Associations remain on a peer.
      • Perfect Forward Secrecy (PFS) is enabled on one peer and disabled on the other.




Resolution
In order to isolate and resolve these issues, review this checklist:




      1. Make sure the crypto map is applied to the outside interface, that is, the interface that faces the Internet.
      2. Make sure the crypto access lists mirror each other on the two peers and do not overlap with the ACLs of
          any other existing tunnel.
      3. Make sure the ISAKMP policies match on both peers. Both end devices must have compatible ISAKMP policies.
      4. If the output of the show crypto isakmp sa command shows MM_KEY_EXCH, refer to the document The user
          receives the ISAKMP (0:xxx): deleting SA reason gen_ipsec_isakmp_delete but doi isakmp state (I)
          MM_KEY_EXCH (peer x.x.x.x) input queue 0 message.
      5. If the ISP has changed the IP address of the remote peer, refer to the document The VPN tunnel fails to
          come up on the PIX Firewall after the ISP changes the IP address for the remote device.
      6. While you troubleshoot, it is good practice to reapply the crypto map on the outside interface and to
          clear older Security Associations with the clear crypto sa command on the router and the clear isakmp sa
          command on the PIX Firewall. Be aware that these commands also bring down the other tunnels on the
          device, because the Security Associations of every existing tunnel are cleared.




Postings may contain unverified user-created content and change frequently. The content is provided as-is and
is not warrantied by Cisco.


      7. On the PIX Firewall, always create and bind separate access lists to NAT 0 and to the crypto map. The NAT 0
         and crypto ACLs should be identical in content but with a different sequence number.
      8. On routers, correct the NAT bypass order so that the interesting (VPN) traffic is DENIED first and the
         PERMIT statement comes last. For example:

         Bad configuration

         ip access-list extended nonat
          deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
          permit ip 192.168.15.0 0.0.0.255 any
          deny ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255

         Good configuration

         ip access-list extended nonat
          deny ip 192.168.15.0 0.0.0.255 10.1.2.0 0.0.0.255
          deny ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
          permit ip 192.168.15.0 0.0.0.255 any

      9. PFS must be either enabled or disabled on both peers. Refer to How to configure PFS with IPSec VPN for
         more information about PFS.
      10. If the PIX, ASA or router is configured for both LAN-to-LAN and VPN client access, make sure that the
         dynamic crypto map comes last. In the bad configuration below, the LAN-to-LAN tunnel for peer 2.2.2.2
         fails to come up, because the PIX stops looking for the actual peer once it hits the dynamic crypto map
         entry in sequence-number order. Always assign the highest sequence number to dynamic maps, for
         example 65535.

         Bad configuration

         crypto ipsec transform-set myset esp-3des esp-md5-hmac
         crypto dynamic-map dynmap 30 set transform-set myset
         crypto map newmap 20 ipsec-isakmp dynamic dynmap
         crypto map newmap 30 ipsec-isakmp
         crypto map newmap 30 match address 120
         crypto map newmap 30 set peer 2.2.2.2
         crypto map newmap 30 set transform-set myset
         crypto map newmap interface outside

         Good configuration

         crypto ipsec transform-set myset esp-3des esp-md5-hmac
         crypto dynamic-map dynmap 30 set transform-set myset
         crypto map newmap 30 ipsec-isakmp
         crypto map newmap 30 match address 120
         crypto map newmap 30 set peer 2.2.2.2
         crypto map newmap 30 set transform-set myset
         crypto map newmap 65535 ipsec-isakmp dynamic dynmap
         crypto map newmap interface outside
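The ordering mistakes in steps 8 and 10 are both first-match problems. The following Python is an added example written for this page, not Cisco code and not a reproduction of the real PIX or IOS lookup logic: it models the IOS wildcard-mask ACL evaluation used by the nonat ACL and the sequence-ordered crypto map walk exactly as the text above describes it, then runs the page's bad and good configurations against constructed sample addresses (the hosts 192.168.15.10, 192.168.16.20, 10.1.2.5 and 203.0.113.9, and the client address 198.51.100.7, are made up for the example). The crypto map model matches on the peer address only; a real device also checks the match address ACL and the negotiated proposals.

```python
"""First-match lookups behind steps 8 and 10 of the checklist.

Added example for this page; it is not Cisco code and only models the
evaluation order the document describes so both misconfigurations can be
checked offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "A.B.C.D W.W.W.W" (IOS wildcard mask) or "any"
    dst: str


def wildcard_match(spec: str, ip: str) -> bool:
    """True when ip falls inside the IOS 'address wildcard' spec ('any' matches all)."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    # A 1 bit in the wildcard means "don't care"; invert it to get the bits that must match.
    fixed_bits = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & fixed_bits) == (
        int(ipaddress.IPv4Address(base)) & fixed_bits
    )


def acl_first_match(acl: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """Return the action of the first entry that matches (IOS adds an implicit deny at the end)."""
    for entry in acl:
        if wildcard_match(entry.src, src_ip) and wildcard_match(entry.dst, dst_ip):
            return entry.action
    return "deny"


def nat_is_bypassed(nonat_acl: List[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """In the router's route-map NAT bypass pattern, a 'deny' in the nonat ACL excludes the
    flow from NAT (it is interesting VPN traffic); a 'permit' means NAT is applied."""
    return acl_first_match(nonat_acl, src_ip, dst_ip) == "deny"


LAN = "192.168.15.0 0.0.0.255"
# Step 8, bad order: the permit-any catches the 192.168.16.0/24 flow before its deny is reached.
BAD_NONAT = [
    AclEntry("deny", LAN, "10.1.2.0 0.0.0.255"),
    AclEntry("permit", LAN, "any"),
    AclEntry("deny", LAN, "192.168.16.0 0.0.0.255"),
]
# Step 8, good order: every interesting-traffic deny precedes the permit-any.
GOOD_NONAT = [
    AclEntry("deny", LAN, "10.1.2.0 0.0.0.255"),
    AclEntry("deny", LAN, "192.168.16.0 0.0.0.255"),
    AclEntry("permit", LAN, "any"),
]


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    peer: Optional[str] = None   # static entry: its 'set peer' address
    dynamic: bool = False        # 'ipsec-isakmp dynamic <name>' entry


def select_crypto_map_entry(entries: List[CryptoMapEntry], peer_ip: str) -> Optional[CryptoMapEntry]:
    """Walk the map in sequence-number order as step 10 describes: a static entry serves only
    its configured peer, a dynamic entry accepts any peer, so every entry with a higher
    sequence number than a dynamic entry is never reached."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.dynamic or entry.peer == peer_ip:
            return entry
    return None


# Step 10, bad: the dynamic entry at seq 20 shadows the static LAN-to-LAN entry at seq 30.
BAD_NEWMAP = [CryptoMapEntry(20, dynamic=True), CryptoMapEntry(30, peer="2.2.2.2")]
# Step 10, good: the dynamic entry sits at 65535, so the static entry is consulted first.
GOOD_NEWMAP = [CryptoMapEntry(30, peer="2.2.2.2"), CryptoMapEntry(65535, dynamic=True)]


if __name__ == "__main__":
    # Constructed sample addresses; 198.51.100.7 stands in for a remote-access VPN client.
    for name, acl in (("bad", BAD_NONAT), ("good", GOOD_NONAT)):
        print(name, "nonat: 192.168.15.10 -> 192.168.16.20 bypasses NAT:",
              nat_is_bypassed(acl, "192.168.15.10", "192.168.16.20"))
    for name, cmap in (("bad", BAD_NEWMAP), ("good", GOOD_NEWMAP)):
        print(name, "newmap: peer 2.2.2.2 lands on seq",
              select_crypto_map_entry(cmap, "2.2.2.2").seq)
        print(name, "newmap: client 198.51.100.7 lands on seq",
              select_crypto_map_entry(cmap, "198.51.100.7").seq)
```

With the bad nonat ACL the 192.168.15.0 to 192.168.16.0 flow is translated, so it never matches the crypto ACL and the tunnel carries no traffic; with the good order it is bypassed. With the bad crypto map the LAN-to-LAN peer 2.2.2.2 lands on the dynamic entry at sequence 20, which has no peer or match address, instead of its own entry at 30; with the dynamic entry moved to 65535 the static entry wins and the VPN client still reaches the dynamic entry.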

Refer to IP Security Troubleshooting - Understanding and Using debug Commands for more information on how to
resolve common VPN-related issues with the debug commands.



