Question : Cisco PIX 501: VPN Tunnel doesn't reconnect after PIX reboot
I have a 501 PIX running a VPN to another 501 through the internet at another location. I had to shut down the PIX on one end so I could move some equipment. After I boot it back up, the VPN tunnel doesn't reconnect. Before the shutdown, everything was working fine, so I don't believe it is a configuration error.
I had this problem once before, quite a while ago, and, like an idiot, I didn't write down the fix. I believe it has something to do with resetting the VPN in some way so it can reconnect. Let me know...
High points are due to the urgency of the fix. Just in case, here is the config...
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password c.WQcaqN2RaDxaDI encrypted
passwd c.WQcaqN2RaDxaDI encrypted
hostname xxx
domain-name xxx.com
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out permit icmp any any
access-list out permit tcp any host 64.207.xxx.xxx eq smtp
access-list out permit tcp any host 64.207.xxx.xxx eq www
access-list out permit tcp any host 64.207.xxx.xxx eq 3389
access-list out permit tcp any host 64.207.xxx.xxx eq 3389
access-list out permit tcp any host 64.207.xxx.xxx eq pop3
access-list out permit tcp any host 64.207.xxx.xxx eq 4662
access-list VPN-nonat permit ip 10.0.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN_Trenton permit ip 10.0.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.207.xxx.xxx 255.255.255.248
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 10 64.207.xxx.xxx
global (outside) 2 64.207.xxx.xxx
nat (inside) 0 access-list VPN-nonat
nat (inside) 10 10.0.1.11 255.255.255.255 0 0
nat (inside) 2 10.0.1.101 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.207.xxx.xxx 3389 10.0.1.10 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx www 10.0.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx smtp 10.0.1.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx 3389 10.0.1.11 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx pop3 10.0.1.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx 3389 10.0.1.101 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx 4662 10.0.1.101 4662 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.207.xxx.xxx www 10.0.1.101 www netmask 255.255.255.255 0 0
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 64.207.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map VPN_xxx 20 ipsec-isakmp
crypto map VPN_xxx 20 match address VPN_Trenton
crypto map VPN_xxx 20 set peer 12.39.xxx.xxx
crypto map VPN_xxx 20 set transform-set strong
crypto map VPN_xxx interface outside
isakmp enable outside
isakmp key ******** address 12.39.xxx.xxx netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:f0bb64437dad130767bb4439c02bb3fe
: end
Answer : Cisco PIX 501: VPN Tunnel doesn't reconnect after PIX reboot
Is the other PIX also running 6.3 series? And if the other PIX has either of the following lines, you'll need to add them to the PIX above:
isakmp identity address
isakmp nat-traversal
I see above that you have the following:
>isakmp policy 9 encryption 3des
>isakmp policy 9 hash sha
>isakmp policy 9 group 1
Is the other side set up identically? If using "3des" & "sha" you should instead use "group 2" to avoid problems.
Also, just be aware that even if both sides are properly configured with identical ipsec & isakmp parameters, the tunnel won't come up until you start sending traffic from one network to the other.
cheers
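As an added example (not part of the original question or answer), here is what the phase 1 / phase 2 stanza looks like once the answer's suggestions are applied, written for the PIX posted above and mirrored for the Trenton peer. Names, networks and the masked `xxx` octets are taken from the posted config and left as posted; the far-side ACL name `VPN_SiteA` and the far inside address 10.1.1.1 are assumptions for illustration. Lines starting with `:` are comments, the same convention the posted config uses for `: end`. Diffie-Hellman group 1 is 768-bit MODP and group 2 is 1024-bit; whichever you pick, phase 1 never completes unless both peers offer the same authentication, encryption, hash and group, and `isakmp identity address` / `isakmp nat-traversal` are shown on both sides so they match. The `clear`/`show` commands at the end are standard PIX 6.3 commands for discarding stale security associations and watching the tunnel rebuild once interesting traffic crosses the crypto ACL.

```cisco
: --- Site A: the PIX posted above (outside 64.207.xxx.xxx, inside 10.0.1.0/24) ---
: Before (as posted):
:   isakmp policy 9 group 1
: After: group 2, plus identity/NAT-T so both peers carry the same lines
isakmp enable outside
isakmp identity address
isakmp nat-traversal
isakmp key ******** address 12.39.xxx.xxx netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400

: --- Site B: the Trenton PIX (outside 12.39.xxx.xxx, inside 10.1.1.0/24), mirror image ---
: crypto ACL and nat 0 ACL are the reverse of Site A's; VPN_SiteA is an assumed name
access-list VPN-nonat permit ip 10.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list VPN_SiteA permit ip 10.1.1.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list VPN-nonat
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map VPN_xxx 20 ipsec-isakmp
crypto map VPN_xxx 20 match address VPN_SiteA
crypto map VPN_xxx 20 set peer 64.207.xxx.xxx
crypto map VPN_xxx 20 set transform-set strong
crypto map VPN_xxx interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal
isakmp key ******** address 64.207.xxx.xxx netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400

: --- After changing either side: drop stale SAs, then generate interesting traffic ---
clear crypto isakmp sa
clear crypto ipsec sa
: from a host on 10.0.1.0/24, ping 10.1.1.1 (assumed far inside interface), then:
show isakmp sa
show crypto ipsec sa
```

The pre-shared key must be identical on both peers; the same key is shown masked here because the posted config masks it. If `show isakmp sa` never reaches a completed state after the ping, the two policy sets still differ somewhere, and `debug crypto isakmp` on either side will name the attribute that failed to match.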