Problem with tunnel ipsec on pix 6.3 (this thread has 1 reply and has been viewed 899 times)
#1
Good afternoon everybody,

Last week a new client asked me to set up an IPSec tunnel between an old PIX running OS 6.3 and a new WatchGuard. I have the CCNA certificate and experience with WatchGuard devices, Dell, D-Link, Fortigate, etc., but I am having a lot of problems with this tunnel. Reading a WatchGuard guide, I only found the way to make an any-to-any tunnel, but when that tunnel is running, the users connecting with the Cisco VPN client can't connect. On the other hand, if I try to filter the incoming connections so that only a specific machine connects, sometimes the public IP doesn't respond and sometimes I get a looping debug message about an incomplete ACL. Can anyone help me and tell me if I have something very wrong? I paste the running-config:

```
pix-test# SH CONF
: Saved
: Written by enable_15 at 00:01:41.271 UTC Fri Jan 1 1993
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password /YkF3jFJJD3lD52G encrypted
passwd M0i.ccMTbS9Biy.W encrypted
hostname pix-test
domain-name pruebas.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list ping-out permit icmp any any
access-list ping-out deny udp any any eq tftp
access-list ping-out deny udp any any eq 135
access-list ping-out deny udp any any eq netbios-ns
access-list ping-out deny udp any any eq netbios-dgm
access-list ping-out deny tcp any any eq 69
access-list ping-out deny tcp any any eq 135
access-list ping-out deny tcp any any eq 445
access-list ping-out deny tcp any any eq 593
access-list ping-out deny udp any any eq 4665
access-list ping-out permit tcp any host 96.98.21.169 eq www
access-list ping-out permit tcp any host 96.98.21.169 eq https
access-list ping-out permit tcp any host 96.98.21.169 eq pop3
access-list ping-out permit tcp any host 96.98.21.169 eq smtp
access-list ping-out permit tcp any host 96.98.21.169 eq pptp
access-list ping-out permit tcp any host 96.98.21.169 eq 8080
access-list ping-out permit tcp any host 96.98.21.170 eq www
access-list ping-out permit tcp any host 96.98.21.170 eq https
access-list ping-out permit tcp any host 96.98.21.170 eq pop3
access-list ping-out permit tcp any host 96.98.21.170 eq smtp
access-list ping-out permit tcp any host 96.98.21.170 eq 8080
access-list ping-out permit tcp any host 96.98.21.171 eq www
access-list ping-out permit tcp any host 96.98.21.171 eq https
access-list ping-out permit tcp any host 96.98.21.171 eq pop3
access-list ping-out permit tcp any host 96.98.21.171 eq smtp
access-list ping-out permit tcp any host 96.98.21.171 eq 8080
access-list ping-out permit tcp any host 96.98.21.172 eq 6666
access-list LISTDMZ permit ip host 192.1.1.10 150.2.0.0 255.255.0.0
access-list LISTDMZ permit ip host 192.1.1.12 150.2.0.0 255.255.0.0
access-list LISTDMZ permit ip host 192.1.1.14 150.2.0.0 255.255.0.0
access-list LISTDMZ permit ip host 192.1.1.5 150.2.0.0 255.255.0.0
access-list inside permit ip host 192.168.0.46 any
access-list inside permit ip host 192.168.0.4 any
access-list inside permit ip host 192.168.0.5 any
access-list inside permit ip host 192.168.0.242 any
access-list inside permit ip host 192.168.0.243 any
access-list inside permit ip host 192.168.0.7 any
access-list inside permit ip any any
access-list inside permit ip host 192.168.1.115 any
access-list 110 permit ip 192.168.0.0 255.255.255.0 10.28.1.0 255.255.255.0    -- I added this line
access-list 110 permit ip 10.28.1.0 255.255.255.0 192.168.0.0 255.255.255.0    -- I added this line
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 96.98.21.173 255.255.255.248
ip address inside 192.168.0.200 255.255.248.0    -- I have found it so, but really the network that is used is 255.255.0.0
ip address dmz 192.1.1.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnlocal2 192.168.1.200-192.168.1.232
pdm location 111.111.0.0 255.255.255.0 inside
pdm location 192.168.0.4 255.255.255.255 inside
pdm location 192.168.0.5 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 88.2.136.124 255.255.255.255 outside
pdm location 192.168.0.7 255.255.255.255 inside
pdm location 192.168.2.167 255.255.255.255 inside
pdm location 196.168.2.167 255.255.255.255 outside
pdm location 192.168.1.115 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 96.98.21.169
nat (inside) 0 access-list 100
nat (inside) 0 access-list 110    -- I added this line
nat (inside) 2 192.168.0.4 255.255.255.255 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 0 access-list LISTDMZ
static (inside,outside) 96.98.21.169 192.168.0.4 netmask 255.255.255.255 0 0
static (inside,outside) 96.98.21.171 192.168.0.7 netmask 255.255.255.255 0 0
static (inside,outside) 96.98.21.170 192.168.0.5 netmask 255.255.255.255 0 0
static (inside,outside) 96.98.21.172 192.168.1.115 netmask 255.255.255.255 0 0
access-group ping-out in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 96.98.21.174 1
route inside 111.111.0.0 255.255.255.0 192.168.0.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto ipsec transform-set GOAL esp-des esp-md5-hmac
crypto ipsec transform-set VPNNEW esp-3des esp-sha-hmac    -- I added this line
crypto dynamic-map dynmap 1 set transform-set VPN
crypto dynamic-map dynmapdes 2 set transform-set GOAL
crypto map vpnmap 1 ipsec-isakmp dynamic dynmap
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address LISTDMZ
crypto map vpnmap 10 set peer 212.171.22.215
crypto map vpnmap 10 set transform-set VPN
crypto map vpnmap 11 ipsec-isakmp    -- I added this line
crypto map vpnmap 11 match address 110    -- I added this line
crypto map vpnmap 11 set peer 212.179.12.124    -- I added this line
crypto map vpnmap 11 set transform-set VPNNEW    -- I added this line
crypto map vpnmap 11 set security-association lifetime seconds 360 kilobytes 8192    -- I added this line
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 212.171.22.215 netmask 255.255.255.255
isakmp key ******** address 212.179.12.124 netmask 255.255.255.255    -- I added this line
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 1800
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 1800
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash md5
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
isakmp policy 4 authentication pre-share    -- I added this line
isakmp policy 4 encryption des    -- I added this line
isakmp policy 4 hash sha    -- I added this line
isakmp policy 4 group 1    -- I added this line
isakmp policy 4 lifetime 86400    -- I added this line
vpngroup vpnmovil address-pool vpnlocal2
vpngroup vpnmovil dns-server 192.168.0.242
vpngroup vpnmovil default-domain pruebas.com
vpngroup vpnmovil idle-time 1800
vpngroup vpnmovil password ********
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 88.2.136.124 255.255.255.255 outside
ssh 84.124.26.122 255.255.255.255 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7ee03c8b03958012df5d9973e3b5a8b9
```

Thanks to all and best regards,
Xern
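The wiring of a static crypto map entry (its match-address ACL, transform set and peer key) can be sanity-checked mechanically before looking at `show crypto` output. The linter below is an added example, not code from the thread or from Cisco; it runs on a constructed excerpt modelled on the posted config and flags a crypto ACL that lists both directions of a flow (a crypto ACL describes local-to-remote traffic only; the mirror belongs on the peer), plus references to transform sets that are not defined and peers that have no ISAKMP key.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt modelled on the crypto-related lines of the config in the post above.
PIX_CONF = """\
access-list 110 permit ip 192.168.0.0 255.255.255.0 10.28.1.0 255.255.255.0
access-list 110 permit ip 10.28.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list LISTDMZ permit ip host 192.1.1.10 150.2.0.0 255.255.0.0
crypto ipsec transform-set VPN esp-3des esp-md5-hmac
crypto ipsec transform-set VPNNEW esp-3des esp-sha-hmac
crypto map vpnmap 10 match address LISTDMZ
crypto map vpnmap 10 set peer 212.171.22.215
crypto map vpnmap 10 set transform-set VPN
crypto map vpnmap 11 match address 110
crypto map vpnmap 11 set peer 212.179.12.124
crypto map vpnmap 11 set transform-set VPNNEW
isakmp key ******** address 212.171.22.215 netmask 255.255.255.255
isakmp key ******** address 212.179.12.124 netmask 255.255.255.255
"""

def _net(tok):
    a, b = tok.split()  # "host X" -> X/32, "net mask" -> net/mask
    return IPv4Network(f"{b}/32" if a == "host" else f"{a}/{b}")

def parse(conf):
    acls, tsets, keys, cmaps = {}, set(), set(), {}  # ACL -> [(src, dst)], (map, seq) -> settings
    for line in conf.splitlines():
        if m := re.match(r"access-list (\S+) permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)$", line):
            acls.setdefault(m[1], []).append((_net(m[2]), _net(m[3])))
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            tsets.add(m[1])
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            keys.add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            cmaps.setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
    return acls, tsets, keys, cmaps

def lint(conf):
    acls, tsets, keys, cmaps = parse(conf)
    out = []  # (crypto map, seq, finding)
    for (name, seq), e in sorted(cmaps.items()):
        acl, ts, peer = e.get("match address"), e.get("set transform-set"), e.get("set peer")
        if acl not in acls:
            out.append((name, seq, f"match address {acl}: ACL not defined"))
        elif any((d, s) in acls[acl] for s, d in acls[acl]):  # mirror ACE belongs on the peer
            out.append((name, seq, f"ACL {acl} lists both directions; a crypto ACL is local->remote only"))
        for what, val, known in (("transform-set", ts, tsets), ("isakmp key for peer", peer, keys)):
            if val not in known:
                out.append((name, seq, f"{what} {val} not defined"))
    return out
```

Running `lint(PIX_CONF)` reports only entry 11, whose ACL 110 carries the return direction that should instead be configured on the WatchGuard side.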
#2
Is this a site-to-site VPN? If so, why would you use the VPN client software on the client machines? The VPN client is used for remote access ("Easy VPN"), which would require the configuration of the "Easy VPN Server" as well as the client.

Is the tunnel up?

```
show crypto isakmp sa
show crypto ipsec sa
```