01-15-2007 11:08 AM - edited 03-11-2019 02:19 AM
Here is my configuration, per se:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
access-list outside_access_in permit ip any 2XX.XXX.XXX.0 255.255.255.0
access-list ITS_splitTunnelAcl permit ip 1XX.0.0.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 ATL 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 1XX.0.1.0 255.255.255.XXX
access-list inside_outbound_nat0_acl permit ip 1XX.0.0.0 255.255.255.0 1XX.0.2.0 255.255.255.XXX
access-list inside_outbound_nat0_acl permit ip any LAX 255.255.255.XXX
access-list outside_cryptomap_20 permit ip 1XX.0.0.0 255.255.255.0 ATL 255.255.255.0
ip address outside 2XX.XXX.XXX.0 255.255.255.0
ip address inside 1XX.0.0.1 255.255.255.0
no ip address DMZ
ip local pool Here 1XX.0.1.1-1XX.0.1.50
ip local pool There 1XX.0.2.1-1XX.0.2.10
ip local pool LAX 1XX.201.1.1-1XX.201.1.5
global (outside) 1 2XX.XXX.XXX.XXX
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 1XX.0.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2XX.XXX.XXX.XXX 1
: end
My dilemma is this:
1. I need to have two sets of outside (internet) IPs to be able to access the same network and servers.
2. I have 2 PIXs. My original PIX 515E and another PIX 501.
3. Presently the PIX 515E is working fine. The PIX 501 has the same configuration but a different inside IP and DHCP pool.
4. When I attempt to put a route statement on either PIX, I get a response that the route is already there.
When I attempt to use the PIX 501 I cannot access the original network or even see it; however, I can access the internet.
The PIX 515E cannot access the PIX 501 or even see it.
The VPN on both PIXs works; however, the PIX 501 allows you to get to the inside of the PIX but not to the network.
01-15-2007 12:20 PM
Look at your crypto statistics. I bet you're only seeing one way being encrypted. Post the results for us to see.
01-15-2007 12:27 PM
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 2XX.XXX.XXX.XXX
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
The PIX 515E is the gateway that will be used. I cannot change it, as the entire network will go down; that is why I am trying to test with the PIX 501, to ensure that my configuration is correct for when we change ISP.
01-16-2007 09:05 AM
Did the crypto mapping help out?
01-16-2007 12:10 PM
You need to post the results of "show crypto ipsec sa"
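Since the thread asks for "show crypto ipsec sa" to find out whether traffic is being encrypted in only one direction, here is an added example (not from this thread, the poster's firewall, or Cisco) that parses the per-SA encaps/decaps counters and flags SAs where packets flow one way only. The sample output is constructed to approximate the PIX 6.x layout; all addresses are placeholders.

```python
import re

# Constructed sample approximating PIX 6.x "show crypto ipsec sa" output.
# Not captured from any real firewall; addresses are documentation ranges.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, local addr. 203.0.113.10

   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
   current_peer: 198.51.100.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4120, #pkts encrypt: 4120, #pkts digest 4120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.0.2.130/255.255.255.255/0/0)
   current_peer: 203.0.113.55
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 88, #pkts encrypt: 88, #pkts digest 88
    #pkts decaps: 91, #pkts decrypt: 91, #pkts verify 91
"""

# One match per SA: local/remote proxy identities, peer, then the two
# counters that matter for a "one way only" diagnosis.
SA_RE = re.compile(
    r"local\s+ident \(addr/mask/prot/port\): \((?P<local>[^/]+)/.*?"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^/]+)/.*?"
    r"current_peer:\s*(?P<peer>\S+).*?"
    r"#pkts encaps:\s*(?P<encaps>\d+).*?"
    r"#pkts decaps:\s*(?P<decaps>\d+)",
    re.S,
)

def parse_sas(text):
    """Return one dict per IPsec SA with its encaps/decaps counters."""
    return [
        {"local": m["local"], "remote": m["remote"], "peer": m["peer"],
         "encaps": int(m["encaps"]), "decaps": int(m["decaps"])}
        for m in SA_RE.finditer(text)
    ]

def one_way_sas(text):
    """SAs where exactly one of encaps/decaps is zero: traffic leaves
    (or arrives) but nothing comes back, the symptom suggested above."""
    return [sa for sa in parse_sas(text)
            if (sa["encaps"] == 0) != (sa["decaps"] == 0)]
```

An SA that encapsulates but never decapsulates usually points at the return path (routing or the peer's crypto ACL) rather than at the local crypto map.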
01-17-2007 05:25 AM
I don't have that statement or results for that request.