From: scooter133 on
So I have 2 PIXs that connect via the internet and when I first boot
them, they connect up via IPSec Preshared Keys LAN-to-LAN and all is
good in the world.

HQ 10.1.x.x <- Internet -> SF 10.2.x.x <- router -> 10.6.x.x

Some number of hours later, it stops passing traffic from 10.6.x.x to
10.1.x.x. 10.2.x.x to 10.1.x.x works fine.

If I reboot the SF PIX, the traffic will flow from 10.6.x.x to
10.1.x.x again for a while.

We also have some PIX 501, and some 1700 routers that do remote IPSec
Preshared Keys and they are solid, though they only have 1 subnet
behind them...

What can I do to troubleshoot this?


I've included the Sh Ver of the 2 main PIXs.

Thanks,
Scott<-


--------------------------------------------------------------------------------
HQ PIX
--------------------------------------------------------------------------------
Cisco PIX Security Appliance Software Version 7.0(5)
Device Manager Version 5.0(5)

Compiled on Mon 10-Apr-06 14:40 by builders
System image file is "flash:/pix705.bin"
Config file at boot was "startup-config"

charlie2 up 78 days 17 hours

Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0xfff00000, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 0019.2f6b.44d6, irq 10
1: Ext: Ethernet1 : address is 0019.2f6b.44d7, irq 11
2: Ext: Ethernet2 : address is 0002.b3b6.cbb4, irq 11

Licensed features for this platform:
Maximum Physical Interfaces : 6
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform has an Unrestricted (UR) license.



-------------------------------------------------------------------------------
Far End PIX
--------------------------------------------------------------------------------
Cisco PIX Security Appliance Software Version 7.0(5)
Device Manager Version 5.0(5)

Compiled on Mon 10-Apr-06 14:40 by builders
System image file is "flash:/pix705.bin"
Config file at boot was "startup-config"

moonrazor up 26 mins 8 secs

Hardware: PIX-515, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: Ext: Ethernet0 : address is 0050.54fe.ef68, irq 10
1: Ext: Ethernet1 : address is 0050.54fe.ef69, irq 7
2: Ext: Ethernet2 : address is 0002.b3ad.7fda, irq 9

Licensed features for this platform:
Maximum Physical Interfaces : 3
Maximum VLANs : 10
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Cut-through Proxy : Enabled
Guards : Enabled
URL Filtering : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : Unlimited

This platform has a Restricted (R) license.
From: Artie Lange on
scooter133(a)gmail.com wrote:
> So I have 2 PIXs that connect via the internet and when I first boot
> them, they connect up via IPSec Preshared Keys LAN-to-LAN and all is
> good in the world.
>
> HQ 10.1.x.x <- Internet -> SF 10.2.x.x <- router -> 10.6.x.x
>
> Some number of hours later, it stops passing traffic from 10.6.x.x to
> 10.1.x.x. 10.2.x.x to 10.1.x.x works fine.
>
> If I reboot the SF PIX, the traffic will flow from 10.6.x.x to
> 10.1.x.x again for a while.
>
> We also have some PIX 501, and some 1700 routers that do remote IPSec
> Preshared Keys and they are solid, though they only have 1 subnet
> behind them...
>
> What can I do to troubleshoot this?
>
>
> I've included the Sh Ver of the 2 main PIXs.
>
> Thanks,
> Scott<-


how bout a show conf ?
From: scooter133 on
On Jul 16, 10:53 am, Artie Lange <spam...(a)jamiebaillie.net> wrote:
> how bout a show conf ?

It just takes a bit to sanitize it up a little...

Thanks,
--------------------------------------------------------------------------------
HQ PIX
--------------------------------------------------------------------------------

PIX Version 7.0(5)
!
hostname charlie2
domain-name haydon-mill.com
names
name 10.10.0.0 NETWORK-HA
name 10.11.0.0 NETWORK-OLIVET
name 10.12.0.0 NETWORK-235HBG
name 10.13.0.0 NETWORK-FITCH
name 10.2.0.0 NETWORK-SF2
name 10.200.0.0 NETWORK-IPSec-POOL description IPSec DHCP Pool
name 10.201.0.0 NETWORK-PPTP-POOL description PPTP DHCP Pool
name 10.203.0.0 NETWORK-PPTP-POOL2 description PPTP DHCP Pool2
name 10.254.0.0 NETWORK-SERIAL description Serial Interfaces
name 10.3.0.0 NETWORK-SF
name 10.6.0.0 NETWORK-TRAINING
name 172.16.0.0 NETWORK-DMZ
name 10.14.0.0 NETWORK-OLIVET2
name 10.15.0.0 NETWORK-HA2
dns-guard
!
interface Ethernet0
nameif outside-HBG
security-level 0
ip address charlie_o 255.255.255.0
!
interface Ethernet1
nameif inside-HBG
security-level 100
ip address charlie_i 255.255.0.0
!
interface Ethernet2
duplex half
nameif dmz-HBG
security-level 10
ip address charlie_dmz 255.255.255.0
!
boot system flash:/pix705.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit intra-interface
object-group network NETWORK-HBG-ALL
network-object NETWORK-HBG 255.255.0.0
network-object NETWORK-HBG 255.255.255.0
network-object NETWORK-SERIAL 255.255.0.0
object-group network NETWORK-FITCH-ALL
network-object NETWORK-FITCH 255.255.0.0
object-group network NETWORK-OLIVET-ALL
network-object NETWORK-OLIVET 255.255.0.0
object-group network NETWORK-235HBG-ALL
network-object NETWORK-235HBG 255.255.0.0
object-group protocol VPN-PROTOCOLS
protocol-object ip
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group network NETWORK-VPN-ALL
network-object NETWORK-HBG 255.255.0.0
network-object NETWORK-SF2 255.255.0.0
network-object NETWORK-SF 255.255.0.0
network-object NETWORK-TRAINING 255.255.0.0
object-group network NETWORK-SF-VPN
network-object NETWORK-SF2 255.255.0.0
network-object NETWORK-TRAINING 255.255.0.0
object-group network NETWORK-HBG-VPN
network-object NETWORK-HBG 255.255.0.0
network-object NETWORK-SF 255.255.0.0
network-object NETWORK-HA 255.255.0.0
network-object NETWORK-FITCH 255.255.0.0
network-object NETWORK-OLIVET 255.255.0.0
network-object NETWORK-235HBG 255.255.0.0
network-object NETWORK-SERIAL 255.255.0.0
network-object NETWORK-IPSec-POOL 255.255.0.0
network-object NETWORK-OLIVET2 255.255.0.0
network-object NETWORK-HA2 255.255.0.0
object-group network NETWORK-SF2-VPN
network-object NETWORK-TRAINING 255.255.0.0
object-group network NETWORK-HBG2-VPN
network-object NETWORK-HBG 255.255.0.0
object-group network NETWORK-OLIVET2-ALL
network-object NETWORK-OLIVET2 255.255.0.0
access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-DMZ 255.255.255.0
access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-IPSec-POOL 255.255.0.0
access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-OLIVET 255.255.0.0
access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-235HBG 255.255.0.0
access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-FITCH 255.255.0.0
access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-SF 255.255.0.0
access-list inside_nat extended permit ip NETWORK-HA 255.255.0.0 NETWORK-SF 255.255.0.0
access-list inside_nat extended permit ip NETWORK-SERIAL 255.255.0.0 NETWORK-SF 255.255.0.0
access-list inside_nat extended permit ip NETWORK-235HBG 255.255.0.0 NETWORK-SF 255.255.0.0
access-list inside_nat extended permit ip NETWORK-FITCH 255.255.0.0 NETWORK-SF 255.255.0.0
access-list inside_nat extended permit ip NETWORK-OLIVET 255.255.0.0 NETWORK-SF 255.255.0.0
access-list inside_nat extended permit ip NETWORK-SF 255.255.0.0 NETWORK-HBG 255.255.0.0
access-list inside_nat extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list inside_nat extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list inside_nat extended permit ip NETWORK-SF 255.255.0.0 NETWORK-IPSec-POOL 255.255.0.0
access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-OLIVET2 255.255.0.0
access-list inside_nat extended permit ip NETWORK-OLIVET2 255.255.0.0 NETWORK-SF 255.255.0.0
access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-HA2 255.255.0.0
access-list inside_nat extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-HA 255.255.0.0
access-list 110 extended permit ip 10.0.0.0 255.0.0.0 NETWORK-IPSec-POOL 255.255.0.0
access-list outside-HBG_cryptomap_40 extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_40 extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_40 extended permit ip object-group NETWORK-OLIVET2-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_20 extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_20 extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_cryptomap_20 extended permit ip object-group NETWORK-OLIVET2-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_inbound extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_inbound extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_inbound extended permit ip object-group NETWORK-OLIVET2-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_outbound extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_outbound extended permit ip object-group NETWORK-OLIVET-ALL object-group NETWORK-SF-VPN
access-list outside-HBG_nat0_outbound extended permit ip object-group NETWORK-OLIVET2-ALL object-group NETWORK-SF-VPN
access-list test extended permit ip 10.2.3.0 255.255.255.0 host 10.1.1.17
access-list test extended permit ip host 10.1.1.17 10.2.3.0 255.255.255.0
access-list CAPIN extended permit ip host 206.13.28.10 host hbg-stownsend_i
access-list CAPIN extended permit ip host hbg-stownsend_i host 206.13.28.10
access-list CAPOUT extended permit ip host 206.13.28.10 host hbg-stownsend_o
access-list CAPOUT extended permit ip host hbg-stownsend_o host 206.13.28.10
access-list capli extended permit ip NETWORK-HBG 255.255.0.0 NETWORK-TRAINING 255.255.0.0
access-list capli extended permit ip NETWORK-TRAINING 255.255.0.0 NETWORK-HBG 255.255.0.0
pager lines 66
logging enable
logging timestamp
logging list xlate-log message 202001
logging list xlate-log message 305009-305012
logging list SMTP-log message 108002
logging list startup-log message 199001-199005
logging list GRE-log message 302017-302018
logging list verifycertdn-log message 320001
logging list IDS-log message 400000-400050
logging list sa-log message 602201
logging list sa-log message 602301-602302
logging list mobileclient-log message 611301-611323
logging list ISAKMP-log message 702201-702212
logging list IPSecConnect-log message 113019
logging list MISC-Log message 713900-713906
logging console notifications
logging monitor informational
logging trap informational
logging asdm warnings
logging mail warnings
logging from-address charlie2(a)enm.com
logging device-id hostname
logging host inside-HBG SERVER-SMS
logging debug-trace
logging permit-hostdown
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
logging message 305012 level warnings
logging message 305011 level warnings
logging message 305010 level warnings
logging message 305009 level warnings
logging message 302013 level warnings
mtu outside-HBG 1500
mtu inside-HBG 1500
mtu dmz-HBG 1500
ip local pool ipsecpool 10.200.0.1-10.200.1.254 mask 255.255.0.0
ip verify reverse-path interface outside-HBG
no failover
asdm image flash:/asdm-505.bin
asdm history enable
arp timeout 14400
nat-control
global (outside-HBG) 1 204.145.245.181-204.145.245.245 netmask 255.255.255.0
global (outside-HBG) 1 204.145.245.50-204.145.245.160
global (outside-HBG) 1 204.145.245.20 netmask 255.255.255.0
nat (inside-HBG) 0 access-list inside_nat
nat (inside-HBG) 1 NETWORK-HBG 255.255.0.0
nat (inside-HBG) 1 NETWORK-SF 255.255.0.0
nat (inside-HBG) 1 NETWORK-HA 255.255.0.0
nat (inside-HBG) 1 NETWORK-SERIAL 255.255.0.0
nat (dmz-HBG) 1 NETWORK-DMZ 255.255.255.0
access-group acl_outside in interface outside-HBG
access-group acl_dmz in interface dmz-HBG
route outside-HBG 0.0.0.0 0.0.0.0 204.145.245.15 1
route inside-HBG NETWORK-SF 255.255.0.0 10.1.0.3 1
route inside-HBG NETWORK-SERIAL 255.255.0.0 10.1.0.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy hiddenacres.pix internal
group-policy hiddenacres.pix attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 110
default-domain value haydon-mill.com
group-policy DfltGrpPolicy attributes
wins-server value 10.1.0.8
dns-server value 10.1.0.5 10.1.0.9
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value haydon-mill.com
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy prancer.235hbg internal
group-policy prancer.235hbg attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 110
default-domain value haydon-mill.com
group-policy moonrazor.olivet internal
group-policy moonrazor.olivet attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 110
default-domain value haydon-mill.com
group-policy moonrazor internal
group-policy moonrazor attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value outside-HBG_cryptomap_40
group-policy eandmmobileclient internal
group-policy eandmmobileclient attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 110
default-domain value haydon-mill.com
group-policy cupid.fitch internal
group-policy cupid.fitch attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 110
default-domain value haydon-mill.com
group-policy mobileclient internal
group-policy mobileclient attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 110
default-domain value haydon-mill.com
group-policy comet.olivet internal
group-policy comet.olivet attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 110
default-domain value haydon-mill.com
aaa authentication ssh console LOCAL
snmp-server location NetCenter
snmp-server contact Scott Townsend
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set mobileclient_set2 esp-3des esp-md5-hmac
crypto ipsec transform-set mobileclient_set esp-des esp-md5-hmac
crypto ipsec transform-set vpn-des-set esp-des esp-md5-hmac
crypto ipsec transform-set olivet-set esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dynmap 10 set transform-set mobileclient_set mobileclient_set2
crypto dynamic-map olivet 1 set transform-set olivet-set
crypto dynamic-map vpn-des 2 set transform-set vpn-des-set
crypto map my_cry_map 999 ipsec-isakmp dynamic dynmap
crypto map vpn-des-dyn-map 21 ipsec-isakmp dynamic vpn-des
crypto map olivet-dyn-map 20 match address outside-HBG_cryptomap_20
crypto map olivet-dyn-map 20 set peer <remote IP of Moonrazor>
crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
crypto map olivet-dyn-map interface outside-HBG
crypto ca trustpoint enmvpnca
crl required
enrollment retry count 20
enrollment url http://10.1.9.61:80//certsrv/mscep/mscep.dll
crl configure
crypto ca certificate map 10
subject-name attr cn eq comet.olivet
crypto ca certificate chain enmvpnca
certificate 610b484e000c0000023d
quit
certificate ca 728f42234a1e8497433a3917b85b02a6
quit
isakmp enable outside-HBG
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication rsa-sig
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 86400
isakmp policy 13 authentication rsa-sig
isakmp policy 13 encryption des
isakmp policy 13 hash md5
isakmp policy 13 group 2
isakmp policy 13 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash md5
isakmp policy 22 group 2
isakmp policy 22 lifetime 86400
isakmp policy 23 authentication pre-share
isakmp policy 23 encryption 3des
isakmp policy 23 hash md5
isakmp policy 23 group 2
isakmp policy 23 lifetime 86400
isakmp policy 24 authentication pre-share
isakmp policy 24 encryption des
isakmp policy 24 hash sha
isakmp policy 24 group 2
isakmp policy 24 lifetime 86400
isakmp policy 26 authentication pre-share
isakmp policy 26 encryption 3des
isakmp policy 26 hash sha
isakmp policy 26 group 2
isakmp policy 26 lifetime 86400
isakmp policy 30 authentication rsa-sig
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000 57268
tunnel-group DefaultL2LGroup ipsec-attributes
trust-point enmvpnca
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside-HBG) none
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
trust-point enmvpnca
tunnel-group mobileclient type ipsec-ra
tunnel-group mobileclient general-attributes
address-pool ipsecpool
authentication-server-group (outside-HBG) none
default-group-policy mobileclient
tunnel-group mobileclient ipsec-attributes
trust-point enmvpnca
tunnel-group comet.olivet general-attributes
authentication-server-group (outside-HBG) none
default-group-policy comet.olivet
tunnel-group comet.olivet ipsec-attributes
pre-shared-key *
trust-point enmvpnca
tunnel-group cupid.fitch type ipsec-ra
tunnel-group cupid.fitch general-attributes
authentication-server-group (outside-HBG) none
default-group-policy cupid.fitch
tunnel-group cupid.fitch ipsec-attributes
pre-shared-key *
trust-point enmvpnca
tunnel-group prancer.235hbg type ipsec-ra
tunnel-group prancer.235hbg general-attributes
authentication-server-group (outside-HBG) none
default-group-policy prancer.235hbg
tunnel-group prancer.235hbg ipsec-attributes
pre-shared-key *
trust-point enmvpnca
tunnel-group moonrazor.olivet type ipsec-ra
tunnel-group moonrazor.olivet general-attributes
authentication-server-group (outside-HBG) none
default-group-policy moonrazor.olivet
tunnel-group moonrazor.olivet ipsec-attributes
pre-shared-key *
trust-point enmvpnca
tunnel-group <IP of Moonrazor> type ipsec-l2l
tunnel-group <IP of Moonrazor> general-attributes
default-group-policy moonrazor
tunnel-group <IP of Moonrazor> ipsec-attributes
pre-shared-key *
tunnel-group hiddenacres.pix type ipsec-ra
tunnel-group hiddenacres.pix general-attributes
authentication-server-group (outside-HBG) none
default-group-policy moonrazor.olivet
tunnel-group hiddenacres.pix ipsec-attributes
pre-shared-key *
trust-point enmvpnca
tunnel-group eandmmobileclient type ipsec-ra
tunnel-group eandmmobileclient general-attributes
address-pool ipsecpool
authentication-server-group (outside-HBG) none
default-group-policy eandmmobileclient
tunnel-group eandmmobileclient ipsec-attributes
trust-point eandmvpnca
tunnel-group-map enable rules
tunnel-group-map 10 moonrazor.olivet
no vpn-addr-assign dhcp
ssh timeout 60
ssh version 1
console timeout 0
management-access inside-HBG
!
class-map class_sqlnet
match port tcp eq 1433
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class_sqlnet
inspect sqlnet
!
service-policy global_policy global
ntp server 192.6.38.127 source outside-HBG prefer
: end

--------------------------------------------------------------------------------
Far End PIX
--------------------------------------------------------------------------------

PIX Version 7.0(5)
!
hostname moonrazor
domain-name haydon-mill.com
no names
name 10.6.0.0 NETWORK-TRAINING
name 10.3.0.0 NETWORK-SF
name 10.10.0.0 NETWORK-HA
name 10.1.0.0 NETWORK-HBG
name 10.254.0.0 NETWORK-SERIAL description Serial Interfaces
name 10.201.0.0 NETWORK-IPSEC-SF-POOL description IPSec SF DHCP Pool
name 172.16.0.0 NETWORK-DMZ
name 10.2.0.0 NETWORK-SF2
name 10.11.0.0 NETWORK-OLIVET
name 10.13.0.0 NETWORK-FITCH
name 10.12.0.0 NETWORK-235HBG
dns-guard
!
interface Ethernet0
nameif outside-SF
security-level 0
ip address moonrazor_o 255.255.255.192
!
interface Ethernet1
nameif inside-SF
security-level 100
ip address moonrazor_i 255.255.0.0
!
interface Ethernet2
speed 10
duplex half
nameif dmz-sf
security-level 10
no ip address
!
boot system flash:/pix705.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit intra-interface
object-group network NETWORK-VPN-ALL
network-object 10.1.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
object-group protocol VPN-PROTOCOLS
protocol-object ip
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group network NETWORK-OLIVET-ALL
network-object 10.11.0.0 255.255.0.0
object-group network NETWORK-SF-VPN
network-object 10.2.0.0 255.255.0.0
network-object 10.6.0.0 255.255.0.0
object-group network NETWORK-HBG-VPN
network-object 10.10.0.0 255.255.0.0
network-object 10.1.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.13.0.0 255.255.0.0
network-object 10.11.0.0 255.255.0.0
network-object 10.12.0.0 255.255.0.0
network-object 10.254.0.0 255.255.0.0
object-group network NETWORK-SF2-VPN
network-object 10.6.0.0 255.255.0.0
object-group network NETWORK-HBG2-VPN
network-object 10.1.0.0 255.255.0.0
access-list inside_nat extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list inside_nat extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
access-list inside_nat extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list capli extended permit ip 10.1.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list capli extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list acl_outside extended permit icmp any any echo
access-list acl_outside extended permit icmp any any echo-reply
access-list acl_outside extended permit icmp any any time-exceeded
access-list acl_outside extended permit icmp any any unreachable
access-list outside-SF_nat0_outbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list outside-SF_nat0_outbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
access-list outside-SF_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list outside-SF_cryptomap_20 extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
access-list outside-SF_cryptomap_20 extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list outside-SF_nat0_inbound extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
access-list outside-SF_nat0_inbound extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list charlie_tunnel extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-ALL
access-list charlie_tunnel extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
pager lines 55
logging enable
logging timestamp
logging list xlate-log message 202001
logging list xlate-log message 305009-305012
logging list SMTP-log message 108002
logging list startup-log message 199001-199005
logging list GRE-log message 302017-302018
logging list verifycertdn-log message 320001
logging list IDS-log message 400000-400050
logging list sa-log message 602201
logging list sa-log message 602301-602302
logging list mobilevpnclient-log message 611301-611323
logging list ISAKMP-log message 702201-702212
logging list IPSecConnect-log message 113019
logging list MISC-Log message 713900-713906
logging console warnings
logging monitor debugging
logging trap informational
logging asdm warnings
logging mail warnings
logging from-address charlie2(a)enm.com
logging device-id hostname
logging host inside-SF 10.1.0.17
logging debug-trace
logging permit-hostdown
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
logging message 305012 level warnings
logging message 305011 level warnings
logging message 305010 level warnings
logging message 305009 level warnings
logging message 302013 level warnings
mtu outside-SF 1500
mtu inside-SF 1500
mtu dmz-sf 1500
ip local pool ipsecpoolsf 10.201.0.1-10.201.1.254 mask 255.255.0.0
ip verify reverse-path interface outside-SF
asdm image flash:/asdm-505.bin
asdm history enable
arp timeout 14400
nat-control
global (outside-SF) 1 75.10.255.5-75.10.255.59 netmask 255.255.255.192
global (outside-SF) 1 75.10.255.60 netmask 255.255.255.255
nat (inside-SF) 0 access-list inside_nat
nat (inside-SF) 1 10.2.0.0 255.255.0.0
nat (inside-SF) 1 10.6.0.0 255.255.0.0
nat (dmz-sf) 0 access-list dmz-sf_nat0_outbound
access-group acl_outside in interface outside-SF
route outside-SF 0.0.0.0 0.0.0.0 <router IP> 1
route inside-SF 10.6.0.0 255.255.0.0 10.2.6.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy DfltGrpPolicy attributes
wins-server value 10.1.0.8 10.1.0.5
dns-server value 10.1.0.5 10.1.0.9
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value haydon-mill.com
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy mobilevpnclient internal
group-policy mobilevpnclient attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
default-domain value haydon-mill.com
group-policy charlie2 internal
group-policy charlie2 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value charlie_tunnel
aaa authentication ssh console LOCAL
snmp-server location NetCenter
snmp-server contact Scott Townsend
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set mobilevpnclient_set esp-des esp-md5-hmac
crypto ipsec transform-set mobilevpnclient_set2 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set mobilevpnclient_set mobilevpnclient_set2
crypto dynamic-map outside-SF_dyn_map 1 set transform-set mobilevpnclient_set mobilevpnclient_set2 ESP-3DES-SHA
crypto map outside-SF_map 20 match address outside-SF_cryptomap_20
crypto map outside-SF_map 20 set peer <ip address of charlie>
crypto map outside-SF_map 20 set transform-set ESP-3DES-SHA
crypto map outside-SF_map 65535 ipsec-isakmp dynamic outside-SF_dyn_map
crypto map outside-SF_map interface outside-SF
crypto ca trustpoint enmvpnca
crl required
enrollment retry count 20
enrollment url http://<CertSrv IP>/certsrv/mscep/mscep.dll
crl configure
crypto ca certificate chain enmvpnca
certificate 46bd5f06000800000174
quit
certificate ca 6d37e2baf0018ba644da08206ff4c15c
quit
isakmp enable outside-SF
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication rsa-sig
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 86400
isakmp policy 13 authentication rsa-sig
isakmp policy 13 encryption des
isakmp policy 13 hash md5
isakmp policy 13 group 2
isakmp policy 13 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash md5
isakmp policy 22 group 2
isakmp policy 22 lifetime 86400
isakmp policy 23 authentication pre-share
isakmp policy 23 encryption 3des
isakmp policy 23 hash md5
isakmp policy 23 group 2
isakmp policy 23 lifetime 86400
isakmp policy 24 authentication pre-share
isakmp policy 24 encryption des
isakmp policy 24 hash sha
isakmp policy 24 group 2
isakmp policy 24 lifetime 86400
isakmp policy 26 authentication pre-share
isakmp policy 26 encryption 3des
isakmp policy 26 hash sha
isakmp policy 26 group 2
isakmp policy 26 lifetime 86400
isakmp policy 30 authentication rsa-sig
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000 57268
tunnel-group DefaultL2LGroup ipsec-attributes
trust-point enmvpnca
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside-SF) none
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
trust-point enmvpnca
tunnel-group mobilevpnclient type ipsec-ra
tunnel-group mobilevpnclient general-attributes
address-pool ipsecpoolsf
authentication-server-group (outside-SF) none
default-group-policy mobilevpnclient
tunnel-group mobilevpnclient ipsec-attributes
trust-point enmvpnca
tunnel-group <IP Address of Charlie> type ipsec-l2l
tunnel-group <IP Address of Charlie> general-attributes
default-group-policy charlie2
tunnel-group <IP Address of Charlie> ipsec-attributes
pre-shared-key *
console timeout 0
management-access inside-SF
!
class-map class_sqlnet
match port tcp eq 1433
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class_sqlnet
inspect sqlnet
!
service-policy global_policy global
ntp server 192.6.38.127 source outside-SF prefer
: end
From: Artie Lange on
scooter133(a)gmail.com wrote:

> crypto ipsec transform-set mobileclient_set2 esp-3des esp-md5-hmac
> crypto ipsec transform-set mobileclient_set esp-des esp-md5-hmac
> crypto ipsec transform-set vpn-des-set esp-des esp-md5-hmac
> crypto ipsec transform-set olivet-set esp-des esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec security-association lifetime seconds 3600
> crypto dynamic-map dynmap 10 set transform-set mobileclient_set
> mobileclient_set2
>
>
> crypto dynamic-map olivet 1 set transform-set olivet-set
> crypto dynamic-map vpn-des 2 set transform-set vpn-des-set
> crypto map my_cry_map 999 ipsec-isakmp dynamic dynmap
> crypto map vpn-des-dyn-map 21 ipsec-isakmp dynamic vpn-des
> crypto map olivet-dyn-map 20 match address outside-HBG_cryptomap_20
> crypto map olivet-dyn-map 20 set peer <remote IP of Moonrazor>
> crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
> crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
> crypto map olivet-dyn-map interface outside-HBG
> crypto ca trustpoint enmvpnca
> crl required
> enrollment retry count 20
> enrollment url http://10.1.9.61:80//certsrv/mscep/mscep.dll
> crl configure
> crypto ca certificate map 10
> subject-name attr cn eq comet.olivet
> crypto ca certificate chain enmvpnca
> certificate 610b484e000c0000023d
> quit
> certificate ca 728f42234a1e8497433a3917b85b02a6
> quit

> --------------------------------------------------------------------------------
> Far End PIX
> --------------------------------------------------------------------------------

> crypto ipsec transform-set mobilevpnclient_set esp-des esp-md5-hmac
> crypto ipsec transform-set mobilevpnclient_set2 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 10 set transform-set mobilevpnclient_set
> mobilevpnclient_set2
> crypto dynamic-map outside-SF_dyn_map 1 set transform-set
> mobilevpnclient_set mobilevpnclient_set2 ESP-3DES-SHA
> crypto map outside-SF_map 20 match address outside-SF_cryptomap_20
> crypto map outside-SF_map 20 set peer <ip address of charlie>
> crypto map outside-SF_map 20 set transform-set ESP-3DES-SHA
> crypto map outside-SF_map 65535 ipsec-isakmp dynamic outside-
> SF_dyn_map
> crypto map outside-SF_map interface outside-SF
> crypto ca trustpoint enmvpnca
> crl required
> enrollment retry count 20
> enrollment url http://<CertSrv IP>/certsrv/mscep/mscep.dll
> crl configure
> crypto ca certificate chain enmvpnca
> certificate 46bd5f06000800000174
> quit
> certificate ca 6d37e2baf0018ba644da08206ff4c15c


I do not see 'crypto ipsec security-association lifetime seconds 3600'
in the far end PIX
From: scooter133 on
On Jul 16, 11:42 am, Artie Lange <spam...(a)jamiebaillie.net> wrote:

> I do not see 'crypto ipsec security-association lifetime seconds 3600'
> in the far end PIX

Hmmm...

I added it to moonrazor and it dumped the VPN, reconnected and it
added the following:
crypto dynamic-map dynmap 10 set security-association lifetime seconds
28800
crypto map outside-SF_map 20 set security-association lifetime seconds
28800

I do not see something similar on the HQ PIX...
Should there be?

Thank you!
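The mismatch Artie points out (a global 3600-second IPsec SA lifetime on HQ, nothing on the far end) and the per-entry 28800-second lines the far end PIX then wrote are the kind of difference worth checking mechanically before a rekey problem is blamed on the network. The following is an added example, not code from either poster or from Cisco: it parses the crypto-map lines quoted in the thread (excerpts reconstructed here, with placeholder peer addresses) and reports where the two sides' static L2L entries disagree on transform-set or effective SA lifetime.

```python
import re
# Constructed excerpts of the configs quoted in the thread (not the posters' full configs),
# with placeholder peer addresses. The far end sets no global SA lifetime (PIX default 28800 s).
HQ_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map olivet-dyn-map 20 match address outside-HBG_cryptomap_20
crypto map olivet-dyn-map 20 set peer 198.51.100.2
crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
"""
FAR_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside-SF_map 20 match address outside-SF_cryptomap_20
crypto map outside-SF_map 20 set peer 198.51.100.1
crypto map outside-SF_map 20 set transform-set ESP-3DES-SHA
crypto map outside-SF_map 20 set security-association lifetime seconds 28800
"""
DEFAULT_SA_LIFETIME = 28800  # PIX default when neither a global nor a per-entry value is set
def parse_crypto(cfg):
    """Collect transform-sets, the global SA lifetime and per-entry crypto map settings."""
    info = {"global_lifetime": DEFAULT_SA_LIFETIME, "transform_sets": {}, "maps": {}}
    for line in cfg.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            info["transform_sets"][m[1]] = m[2].split()
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            info["global_lifetime"] = int(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) set (peer|transform-set) (\S+)", line):
            info["maps"].setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif m := re.match(r"crypto map (\S+) (\d+) set security-association lifetime seconds (\d+)", line):
            info["maps"].setdefault((m[1], int(m[2])), {})["lifetime"] = int(m[3])
    return info

def lifetime(info, key):
    """A per-entry lifetime overrides the global one, which overrides the default."""
    return info["maps"][key].get("lifetime", info["global_lifetime"])

def compare_static_entries(local_cfg, remote_cfg):
    """Flag transform-set and SA lifetime differences between the static (peer-bearing) entries."""
    a, b = parse_crypto(local_cfg), parse_crypto(remote_cfg)
    static = lambda info: [k for k, e in info["maps"].items() if "peer" in e]
    proposal = lambda info, k: info["transform_sets"].get(info["maps"][k].get("transform-set"))
    findings = []
    for ka in static(a):
        for kb in static(b):
            if proposal(a, ka) != proposal(b, kb):
                findings.append(f"transform-set mismatch: {ka} {proposal(a, ka)} vs {kb} {proposal(b, kb)}")
            la, lb = lifetime(a, ka), lifetime(b, kb)
            if la != lb:  # peers settle on the shorter proposed lifetime, so the tunnel rekeys at that interval
                findings.append(f"SA lifetime {ka}={la}s vs {kb}={lb}s; tunnel rekeys every {min(la, lb)}s")
    return findings
```

Run against real `show running-config` output, the same comparison also catches a dynamic-map entry on one side whose transform-set list no longer contains the static entry's proposal.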