08-21-2006 09:08 PM - edited 02-21-2020 01:07 AM
I have a central office PIX and remote sites that use DHCP from the ISP. Central has a static address. I am attempting to set up tunnels that allow access between sites. The tunnels appear to be set up; however, I am unable to connect to anything at the remote sites. I can use the remote client, but only to the central office. I'm missing something obvious, I'm sure. Thanks in advance. Here are the configs.
central office:
access-list 120 permit ip 192.168.100.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list outside_access_in permit tcp any any eq www
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 25.x.x.25 255.x.255.255
ip address inside 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient 192.168.1.215-192.168.1.225
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.100.250 www netmask 255.x.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 25.25.25.24 1
floodguard enable
fragment chain 45 inside
fragment timeout 10 inside
sysopt connection permit-ipsec
crypto ipsec transform-set tset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set tset
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 10 5
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup FCIvpnclient idle-time 1800
vpngroup cisco address-pool fcivpnclient
vpngroup cisco dns-server 192.168.100.250
vpngroup cisco wins-server 192.168.100.250
vpngroup cisco default-domain domain.local
vpngroup cisco split-tunnel 120
vpngroup cisco idle-time 1800
vpngroup cisco password ********
vpngroup fcivpnclient idle-time 1800
management-access inside
<<<REMOTE>>>
access-list 120 permit ip 192.168.18.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_in deny udp any any eq 1863
access-list acl_in deny tcp any any eq 1863
access-list acl_in permit ip any any
pager lines 24
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.88.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface inside
sysopt connection permit-ipsec
crypto ipsec transform-set tset esp-des esp-md5-hmac
crypto map ffmap 10 ipsec-isakmp
crypto map ffmap 10 match address 120
crypto map ffmap 10 set peer 25.25.25.25
crypto map ffmap 10 set transform-set tset
crypto map ffmap interface outside
isakmp enable outside
isakmp key ******** address 25.x.25.25 netmask 255.x.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpdn group pppox request dialout pppoe
vpdn group pppox localname user@isp.net
vpdn group pppox ppp authentication pap
vpdn username user@isp.net password *********
08-22-2006 12:38 AM
Try to create a separate policy for the site-to-site VPN. The existing policy (isakmp policy 10) on central is used by the VPN client.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
Rgds,
AK
08-22-2006 06:03 AM
Ok. How can I get the remote PIX to use one policy and the client to use another? The link provided is for ver 7.x; these PIX use 6.3. Thanks for the response.
08-22-2006 09:36 PM
BTW, do you use your remote PIX to connect your remote access (VPN) client, and from there use the same PIX to connect to the central PIX? Or does the central PIX handle both the remote access VPN client and the remote PIX?
Rgds,
AK
08-23-2006 12:06 AM
Your phase 1 config looks ok (provided pre-shared keys match) and it is ok for clients & L2L to use the same policy.
On phase 2 your ACLs should be mirrors of each other and are not - remote has 2 lines, central has one. Nevertheless it should still work for that one line in common.
Crypto map looks ok.
I believe "isakmp key ******** address 0.0.0.0 netmask 0.0.0.0" would be used only by L2L (not clients, they'd use "vpngroup cisco password ********") and you may need to turn off mode config & uauth for L2L:
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
otherwise:
show cry isa sa
show cry map
show cry ips sa
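The mirror-ACL check from the reply above, as an added example that is not part of the thread: it parses the crypto ACLs posted by both sides and reports every phase 2 entry whose reversed counterpart is missing on the peer. The sample configs are constructed from the lines in this thread (the central office's redacted entry is assumed to be the mirror of the remote's second line), and the "any" entries of the other ACLs are intentionally not matched.

```python
"""Check that two PIX 6.3 crypto ACLs mirror each other (phase 2 proxy IDs)."""
import ipaddress
import re

# Only 'permit ip <net> <mask> <net> <mask>' entries; 'any' is not a crypto ACL form here.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

# Constructed from the thread's posted configs (central entry assumed as mirror of remote).
CENTRAL_CFG = """\
access-list 120 permit ip 192.168.100.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list outside_access_in permit tcp any any eq www
nat (inside) 0 access-list 120
"""

REMOTE_CFG = """\
access-list 120 permit ip 192.168.18.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_in permit ip any any
"""


def crypto_acl(config: str, name: str) -> set:
    """Return {(src_net, dst_net)} in CIDR form for the named ACL's 'permit ip' entries."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
        pairs.add((str(src), str(dst)))
    return pairs


def unmirrored(local: set, peer: set) -> dict:
    """Entries on each side whose (dst, src) mirror is absent on the other side."""
    mirror_of_peer = {(d, s) for s, d in peer}
    mirror_of_local = {(d, s) for s, d in local}
    return {
        "local_only": sorted(local - mirror_of_peer),
        "peer_only": sorted(peer - mirror_of_local),
    }


def audit() -> dict:
    """Compare central (local) against remote (peer); non-empty lists are the mismatches."""
    return unmirrored(crypto_acl(CENTRAL_CFG, "120"), crypto_acl(REMOTE_CFG, "120"))
```

On the thread's configs the only finding is the remote's 192.168.18.0/24 to 192.168.1.0/24 line, which has no mirror on central; the 192.168.100.0/24 to 192.168.88.0/24 pair matches on both sides.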