NOTE The questions should be answered in order, and the later questions assume that the configuration changes needed to correct previous problems have already been applied. For instance, question 4 assumes that the configuration changes needed to resolve questions 1 through 3 have been applied to the configurations listed in the chapter when considering the answer to question 4.

1. The VPN session is established, but no traffic, or just one-way traffic, is passing between the Boston firewall and the Los Angeles firewall. Ellen starts debugging the problem using debug icmp trace. She pings the other end of the VPN node and gets the following results:

LOCAL-PIX(config)#
609001: Built local-host inside:10.10.2.21
106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
609002: Teardown local-host inside:10.10.2.21 duration 0:00:15

What do these results indicate, and what could be causing this problem? How would you help Ellen resolve this issue?

2. Eric cannot get the VPN tunnel to work from HQ to the Atlanta branch office. He starts a debug and gets the following results:

crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
VPN Peer: ISAKMP: Added new peer: ip:10.10.10.40 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.10.10.40 Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 2400
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 2457631438
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 10.10.10.40
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 133935992
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
IPSEC(validate_proposal): invalid local address 10.10.3.34
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src 10.10.10.40, dest 10.10.3.34
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.

What could be the cause of this problem?
3. Bruce is having problems establishing a VPN session to the Atlanta office. He gets the following debug results:

IPSEC(crypto_map_check): crypto map BranchVPN 20 incomplete. No peer or access-list specified. Packet discarded

What is causing this problem, and how would you help Bruce successfully establish a VPN tunnel to the Atlanta office?
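As an added triage helper (not from the book or Cisco), the following Python script parses the two kinds of output quoted in questions 1 to 3: the 106014 ICMP deny lines from debug icmp trace, and the ISAKMP/IPSEC debug lines. It counts the denies per source, destination and ICMP type, and for the IKE debug reports whether phase 1 completed, whether quick mode started, and the first line that explains the failure. The sample input is a shortened copy of the lines above with the underscores the PIX prints restored; the failure keywords are my own assumption.

```python
import re
from collections import Counter

# Sample input: shortened copies of the debug lines quoted in questions 1 to 3
# above (the PIX prints these identifiers with underscores); nothing else assumed.
Q1_LOG = """\
609001: Built local-host inside:10.10.2.21
106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
106014: Deny inbound icmp src outside:10.10.10.31 dst inside:10.10.2.21 (type 8, code 0)
609002: Teardown local-host inside:10.10.2.21 duration 0:00:15
"""
Q2_DEBUG = """\
OAK_MM exchange
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
OAK_QM exchange
ISAKMP : Checking IPSec proposal 1
IPSEC(validate_proposal): invalid local address 10.10.3.34
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
"""
Q3_DEBUG = "IPSEC(crypto_map_check): crypto map BranchVPN 20 incomplete. No peer or access-list specified. Packet discarded"

DENY_RE = re.compile(
    r"^106014: Deny inbound icmp src (\S+) dst (\S+) \(type (\d+), code (\d+)\)")
# Words assumed (my choice) to mark the line that explains a failed negotiation.
FAIL_WORDS = ("invalid", "not acceptable", "incomplete")

def icmp_denies(log):
    """Count 106014 denies per (src, dst, icmp type): echo requests (type 8)
    dropped steadily in one direction is the one-way-traffic pattern of Q1."""
    counts = Counter()
    for line in log.splitlines():
        m = DENY_RE.match(line)
        if m:
            counts[(m.group(1), m.group(2), int(m.group(3)))] += 1
    return counts

def ike_triage(debug):
    """Did phase 1 finish ('SA has been authenticated')? Did quick mode (OAK_QM)
    start? Which line first explains the failure? Q2 stops in phase 2; in Q3
    the packet is discarded before any exchange is seen."""
    state = {"phase1_ok": False, "phase2_started": False, "error": None}
    for line in debug.splitlines():
        if "SA has been authenticated" in line:
            state["phase1_ok"] = True
        elif line.startswith("OAK_QM"):
            state["phase2_started"] = True
        elif state["error"] is None and any(w in line for w in FAIL_WORDS):
            state["error"] = line.strip()
    return state
```

Run it against a full capture of debug crypto isakmp or debug icmp trace to see which phase a failing tunnel reaches before reading every line by hand.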
4. The web administrator in Los Angeles needs to maintain the web servers in the DMZ from the internal network using Terminal Services (Transmission Control Protocol [TCP] port 3389). Is the firewall in Los Angeles configured to allow this access? Explain your answer.

5. The web administrator in Los Angeles also needs to administer the web servers in Boston and Atlanta. Are the three firewalls configured to allow this access? Explain your answer.

6. The web server 172.16.1.13 needs to access an Oracle database server that sits on a segment connected to the internal network at 10.10.11.221. The web server initiates the connection on TCP port 1521 and retrieves inventory data. Can this connection be completed? Explain your answer.

7. The web server 172.16.1.13 needs to access an Oracle database server on the DMZ in Boston using the address 172.16.2.11. The web server initiates the connection on TCP port 1521 to retrieve financial data. Can this connection be completed? Explain your answer.

8. Is the configuration solution to question 7 a good idea? Explain your answer.

9. The company has installed an FTP server on the DMZ segment in Los Angeles that customers can access to download updates. The FTP server address is 172.16.1.9. Can all external users access this FTP server? Explain your answer.

10. The Exchange server is installed on the DMZ segment in Los Angeles using the address 172.16.1.14. The firewall is configured to allow Simple Mail Transfer Protocol (SMTP) access for inbound mail and Secure Sockets Layer (SSL) access for users who want to connect using Outlook Web Access over an HTTP over SSL (HTTPS) connection. Will any users be able to receive their mail with this configuration? Explain your answer.

11. What needs to be done in Los Angeles to allow access to the mail server?