01-19-2005 05:15 PM - edited 03-09-2019 10:03 AM
Strange Problem: PIX 6.3
access-list MDC_Connect1 permit ip host 172.17.0.17 host 192.168.0.5
access-list MDC_Connect1 permit ip host 172.17.0.18 host 192.168.0.5
nat (DMZ) 0 access-list MDC_Connect1
From 192.168.0.5 I can ping 172.17.0.17 (the PIX DMZ interface) but cannot ping the 172.17.0.18 IP. I verified that the gateway address on .18 is correct (the .17 PIX interface), but it still doesn't work. The tunnel is working, but I do not have access to the .18 host.
Any ideas or suggestions would be appreciated.
01-19-2005 07:24 PM
nat and global are only for connections that originate inbound and are destined for outside hosts. When you want to start a connection from an outside host to inside host you need to use statics, as well as explicitly allowing the traffic in the acl applied to the outside interface. One note about vpn traffic - if the sysopt permit-ipsec is turned on, then you do not need to add the acl entry on the outside interface, but you still need the static.
So remove the nat (DMZ) 0 statement, and run the clear xlate local 172.17.0.17 and the clear xlate local 172.17.0.18 commands.
If you are using pix 6.3.3 code you can do this:
1. Remove the MDC_Connect1 acl and replace it with these 2 acls:
access-list MDC_Connect1 permit ip host 172.17.0.17 host 192.168.0.5
access-list MDC_Connect2 permit ip host 172.17.0.18 host 192.168.0.5
2. Enter these statics:
static (dmz,outside) 172.17.0.17 access-list MDC_Connect1
static (dmz,outside) 172.17.0.18 access-list MDC_Connect2
Let me know if you are running a 6.3 code lower than 6.3.3, or if this helps.
01-20-2005 05:33 AM
Code 6.3.
Question about phase 1 & 2: am I required to create (2) crypto / isakmp statements, or is there a way to use only the one?
In the config below I'm matching address to the MDC_Connect ACL. Is it required to basically create 2 tunnels?
crypto map MDC 10 ipsec-isakmp
crypto map MDC 10 match address MDC_Connect
crypto map MDC 10 set peer x.x.x.x
crypto map MDC 10 set transform-set MDC1
crypto map MDC interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Thanks Again..
01-24-2005 10:07 AM
Two tunnels means connections to two different peers with different destinations. So normally you would use two different acls that are referred to in two different crypto map seq blocks. These acls do not permit/deny traffic, they only define what is to be encrypted.
So if one partner net is 10.1.4.0/24 and they want to connect to your servers whose IPs are 172.16.0.17 and .18 you would use this acl:
access-l partner_net_01 permit ip host 172.16.0.17 10.1.4.0 255.255.255.0
access-l partner_net_01 permit ip host 172.16.0.18 10.1.4.0 255.255.255.0
And if you had another partner whose subnet is 10.5.6.0/24 who wants to connect to the same servers you would use this acl in the same map but with a different seq no:
access-l partner_net_02 permit ip host 172.16.0.17 10.5.6.0 255.255.255.0
access-l partner_net_02 permit ip host 172.16.0.18 10.5.6.0 255.255.255.0
Let me know if this helps.
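As an added example (not part of this thread and not a Cisco tool), a small Python checker for two mistakes that are easy to make in the kind of PIX 6.3 config discussed here: a static or crypto map that references an ACL name no access-list line defines (the crypto map in the second post matches address MDC_Connect, while the only ACLs shown are MDC_Connect1 and MDC_Connect2), and an ACL entry with a mistyped address. The config fragment is constructed from lines in this thread, with both defects deliberately included.

```python
import ipaddress
import re

# Constructed PIX 6.3 fragment assembled from lines in this thread: one crypto map
# references an ACL name that is never defined, and one ACL has a mistyped address.
SAMPLE_CONFIG = """
access-list MDC_Connect1 permit ip host 172.17.0.17 host 192.168.0.5
access-list MDC_Connect2 permit ip host 172.17.0.18 host 192.168.0.5
access-list partner_net_02 permit ip host 172.16.0.17 10.5.460 255.255.255.0
static (dmz,outside) 172.17.0.17 access-list MDC_Connect1
static (dmz,outside) 172.17.0.18 access-list MDC_Connect2
crypto map MDC 10 match address MDC_Connect
crypto map MDC 20 match address partner_net_02
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\s+(\S+)\s+(.*)$")
REF_RE = re.compile(r"(?:match address|access-list)\s+(\S+)\s*$")  # crypto map / policy static

def parse_endpoint(tokens: list) -> tuple:
    """Consume one ACL endpoint ('host A', 'any' or 'A MASK'); raise ValueError if malformed."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def check_config(config: str) -> list:
    """Return malformed 'ip' ACL addresses and static/crypto-map references to undefined ACLs."""
    problems, defined, references = [], set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, proto, body = m.groups()
            defined.add(name)
            if proto != "ip":
                continue  # only validate the source/destination form of plain ip entries
            try:
                _, rest = parse_endpoint(body.split())
                parse_endpoint(rest)
            except (ValueError, IndexError):
                problems.append(f"malformed address in ACL {name}: {line}")
        elif line.startswith(("static ", "crypto map ")):
            if m := REF_RE.search(line):
                references.append((m.group(1), line))
    # Resolve references after the whole config is read, so definition order does not matter.
    for name, line in references:
        if name not in defined:
            problems.append(f"references undefined ACL {name}: {line}")
    return problems
```

Run check_config on the output of "show running-config" (or "write terminal") pasted into a file; an empty list means every referenced ACL exists and every ip entry parses.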