pix-pix-pix VPN but NO remote access

jcowtan
Level 1

I have configured a hub/spoke PIX (515/506) point-to-point network. I can see the tunnels come up. I can ping the peer from each PIX console. I can access (telnet) external devices from an internal device (split tunnel works).

However, I am seeing 2 problems.

1. I cannot ping from internal to any remote device (internal or external). I am using the following ICMP cmds:

icmp permit any outside
icmp permit any inside

which I thought should allow ICMP traffic. What am I missing?

2. I cannot access remote internal devices (ICMP or Telnet). When I telnet, I see the local PIX allow the session:

710001: TCP access requested from 10.3.3.11/2994 to inside:10.3.1.31/https
710002: TCP access permitted from 10.3.3.11/2994 to inside:10.3.1.31/https

but the remote PIX log shows a %PIX-3-305005 error: No translation group found for protocol src ...

Explanation: A packet does not match any of the outbound NAT rules.

I am at a loss as to what NAT rule would apply.

I have included a subset of the config I am using at the Hub.

HUB PIX

hostname WPGFW01
domain-name xxxxx.xxx
names
name 10.2.0.0 Atlanta
name 10.3.0.0 Ottawa
access-list inside_outbound_nat0_acl permit ip 10.1.0.0 255.255.0.0 Ottawa 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 10.1.0.0 255.255.0.0 Atlanta 255.255.0.0
access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 Atlanta 255.255.0.0
access-list outside_cryptomap_40 permit ip 10.1.0.0 255.255.0.0 Ottawa 255.255.0.0
pager lines 24
logging on
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 64.4.68.226 255.255.255.252
ip address inside 10.1.1.31 255.255.0.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.4.68.225 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 65.82.40.234
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 199.243.164.234
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 65.82.40.234 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 199.243.164.234 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
..................

What am I doing wrong that is stopping remote to remote via VPN?
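The following is an added example and is not code from the thread: a small Python check that resolves the hub's `name` aliases and reports which of the posted nat 0 and crypto ACL entries cover a given flow, in either direction. Run against the hub excerpt above, it shows that hub-to-spoke flows are NAT-exempt and matched by a crypto map, while a spoke-to-spoke flow (Atlanta to Ottawa) matches no entry at all; the host addresses used are constructed, and the excerpt is assumed to be the complete set of those ACLs.

```python
import ipaddress

# Constructed excerpt: the names and ACLs exactly as posted in the hub config.
HUB_CONFIG = """
name 10.2.0.0 Atlanta
name 10.3.0.0 Ottawa
access-list inside_outbound_nat0_acl permit ip 10.1.0.0 255.255.0.0 Ottawa 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 10.1.0.0 255.255.0.0 Atlanta 255.255.0.0
access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 Atlanta 255.255.0.0
access-list outside_cryptomap_40 permit ip 10.1.0.0 255.255.0.0 Ottawa 255.255.0.0
"""


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} with 'name' aliases resolved."""
    names, acls = {}, {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "name":
            names[parts[2]] = parts[1]          # alias -> address
        elif len(parts) == 8 and parts[0] == "access-list" and parts[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{names.get(parts[4], parts[4])}/{parts[5]}", strict=False)
            dst = ipaddress.ip_network(f"{names.get(parts[6], parts[6])}/{parts[7]}", strict=False)
            acls.setdefault(parts[1], []).append((src, dst))
    return acls


def matching_entries(acls, src_ip, dst_ip):
    """List (acl_name, entry_index, direction) for every entry covering the flow.

    'reverse' marks entries that cover the flow only with src/dst swapped, which
    matters because the PIX applies NAT exemption to the return traffic as well.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = []
    for name, entries in acls.items():
        for i, (s, d) in enumerate(entries):
            if src in s and dst in d:
                hits.append((name, i, "forward"))
            elif src in d and dst in s:
                hits.append((name, i, "reverse"))
    return hits


def explain_flow(acls, src_ip, dst_ip):
    """Summarise whether the flow is NAT-exempt and which crypto ACLs would select it."""
    hits = matching_entries(acls, src_ip, dst_ip)
    return {
        "nat_exempt": any("nat0" in h[0] for h in hits),
        "crypto_acls": sorted({h[0] for h in hits if "cryptomap" in h[0]}),
        "entries": hits,
    }
```

A flow that reports `nat_exempt: False` and no crypto ACL is one the hub will neither exempt from `nat (inside) 1` nor send into a tunnel, which is the condition the 305005 message describes from the receiving side.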

3 Replies

jgao
Level 1

Add the following to your config and see if it works:

isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 1
isakmp policy 15 lifetime 86400

I added the configuration but no change. I then deleted the policy 20 statements and only had the policy 15 statements...BUT again I cannot access remote internal devices from other remote sites.

Any ideas?

jcowtan
Level 1

Problem was not in the configuration. It was in the test network. It seems I had all VLANs on the same layer 3 switch. The private remotes were isolated as they had no IP addresses assigned....BUT the ISP and LOCAL VLAN did have IP addresses. The router was finding routes that caused the testing to fail.

When I moved the Local VLAN to another switch, all worked.
