Partial Tunnel Established

m.lesnick
Level 1

Strange Problem: PIX 6.3

access-list MDC_Connect1 permit ip host 172.17.0.17 host 192.168.0.5

access-list MDC_Connect1 permit ip host 172.17.0.18 host 192.168.0.5

nat (DMZ) 0 access-list MDC_Connect1

From 192.168.0.5 I can ping 172.17.0.17, the PIX DMZ interface, but cannot ping the 172.17.0.18 IP. I verified that the gateway address on .18 is correct (the .17 PIX interface), but it still doesn't work. The tunnel is working, but I do not have access to the .18 host.

Any ideas or suggestions would be appreciated.

3 Replies

ehirsel
Level 6

nat and global are only for connections that originate inbound and are destined for outside hosts. When you want to start a connection from an outside host to inside host you need to use statics, as well as explicitly allowing the traffic in the acl applied to the outside interface. One note about vpn traffic - if the sysopt permit-ipsec is turned on, then you do not need to add the acl entry on the outside interface, but you still need the static.

So remove the nat (DMZ) 0 statement, and run the clear xlate local 172.17.0.17 and the clear xlate local 172.17.0.18 commands.

If you are using pix 6.3.3 code you can do this:

1. Remove the MDC_Connect1 acl and replace it with these 2 acls:

access-list MDC_Connect1 permit ip host 172.17.0.17 host 192.168.0.5

access-list MDC_Connect2 permit ip host 172.17.0.18 host 192.168.0.5

2. Enter these statics:

static (dmz,outside) 172.17.0.17 access-list MDC_Connect1

static (dmz,outside) 172.17.0.18 access-list MDC_Connect2

Let me know if you are running a 6.3 code lower than 6.3.3, or if this helps.
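As an added check that is not part of this thread or of any Cisco tooling: a small Python script that parses constructed PIX 6.3 config text and applies the rule above, reporting any host selected for encryption by a crypto map ACL that has no policy static covering it, and any policy static whose ACL selects more than one local address (one static maps one global IP, which is why the two ACLs are split). The config text is constructed to show the situation in the question.

```python
from ipaddress import ip_network

# Constructed sample (not from the thread): the crypto ACL names two DMZ
# hosts, but only 172.17.0.17 has a policy static for outside-initiated traffic.
SAMPLE_CONFIG = """
access-list MDC_Connect1 permit ip host 172.17.0.17 host 192.168.0.5
access-list MDC_Connect1 permit ip host 172.17.0.18 host 192.168.0.5
access-list MDC_Static1 permit ip host 172.17.0.17 host 192.168.0.5
static (dmz,outside) 172.17.0.17 access-list MDC_Static1
crypto map MDC 10 ipsec-isakmp
crypto map MDC 10 match address MDC_Connect1
crypto map MDC interface outside
"""

def _addr(tokens):
    """Consume one PIX address spec ('host A', 'NET MASK' or 'any'); return (network, rest)."""
    if tokens[0] == "host":
        return ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Collect permit ACL entries, policy statics and crypto-map match ACLs."""
    acls, statics, crypto_acls = {}, [], set()
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2] == "permit":
            src, rest = _addr(t[4:])          # t[3] is the protocol, e.g. 'ip'
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["static"] and "access-list" in t:
            statics.append((t[2], t[t.index("access-list") + 1]))  # (global ip, acl)
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_acls.add(t[6])
    return acls, statics, crypto_acls

def hosts_without_static(text):
    """Local hosts selected for encryption that no policy static translates."""
    acls, statics, crypto_acls = parse_config(text)
    covered = {src for _g, acl in statics for src, _d in acls.get(acl, [])}
    return [str(src.network_address)
            for acl in sorted(crypto_acls) for src, _d in acls.get(acl, [])
            if not any(src.subnet_of(c) for c in covered)]

def overloaded_statics(text):
    """Policy statics whose ACL selects more than one local address."""
    acls, statics, _ = parse_config(text)
    return [g for g, acl in statics if len({s for s, _d in acls.get(acl, [])}) > 1]

if __name__ == "__main__":
    print("no static for:", hosts_without_static(SAMPLE_CONFIG))
    print("overloaded statics:", overloaded_statics(SAMPLE_CONFIG))
```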

Code 6.3.

Question about phase 1 & 2: am I required to create two crypto/isakmp statements, or is there a way to use only one?

In the config below I'm matching address to the MDC_Connect ACL; is it required to create basically two tunnels?

crypto map MDC 10 ipsec-isakmp

crypto map MDC 10 match address MDC_Connect

crypto map MDC 10 set peer x.x.x.x

crypto map MDC 10 set transform-set MDC1

crypto map MDC interface outside

isakmp enable outside

isakmp enable inside

isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Thanks Again..

Two tunnels means connections to two different peers with different destinations. So normally you would use two different acls that are referred to in two different crypto map seq blocks. These acls do not permit/deny traffic, they only define what is to be encrypted.

So if one partner net is 10.1.4.0/24 and they want to connect to your servers whose IPs are 172.16.0.17 and .18, you would use this acl:

access-l parnter_net_01 permit ip host 172.16.0.17 10.1.4.0 255.255.255.0

access-l parnter_net_01 permit ip host 172.16.0.18 10.1.4.0 255.255.255.0

And if you had another partner whose subnet is 10.5.6.0/24 who wants to connect to the same servers, you would use this acl in the same map but with a different seq no:

access-l parnter_net_02 permit ip host 172.16.0.17 10.5.6.0 255.255.255.0

access-l parnter_net_02 permit ip host 172.16.0.18 10.5.6.0 255.255.255.0

Let me know if this helps.