01-20-2003 01:12 PM - edited 02-20-2020 10:30 PM
I've got two PIXs telnetting to each other fine, but my third PIX that I just placed, I can't get to. Here are my configs:
(515e at location A, can telnet to an existing 501e (location B) without problems, but not to the newly placed 501e in location C)
515e config:
PIX 6.2(2) (515e)
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit ip host 192.168.50.202 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list acl_inbound permit tcp any host 64.53.71.7 eq 3389
access-list acl_inbound permit icmp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.52.0 255.255.255.0
icmp permit any outside
icmp permit any inside
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.71.7 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
telnet x.x.71.8 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.52.0 255.255.255.0 outside
telnet x.x.81.11 255.255.255.255 outside
telnet 192.168.50.201 255.255.255.255 inside
telnet 192.168.50.202 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname *******
vpdn group pppoex ppp authentication pap
vpdn username ********** password *********
terminal width 80
Cryptochecksum:649c671fefa5ad2ee0709ea1aa24faea
: end
(501e at location C, cannot telnet to 515e, and 515e cannot telnet to this 501e)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any
access-list acl_inbound permit ip host x.x.71.7 any
interface ethernet0 10baset
interface ethernet1 10full
ip address outside x.x.81.11 255.255.255.128
ip address inside 192.168.52.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.52.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
telnet 192.168.50.0 255.255.255.0 outside
telnet 64.53.71.7 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f4e78a76793783478f6e56f567e1f9cd
: end
Am I just overlooking something here? I tried to compare the existing 501e config that's working with the new one and haven't seen a difference.
Thanks,
Dave
01-20-2003 02:17 PM
OK, I just saw this in the documentation:
If you are trying to telnet to the outside interface, it is only allowed through an IPSec tunnel or Secure Shell (SSH) connection. The syntax is: telnet {ip address of machine on outside interface} 255.255.255.255 outside x, where x is any additional commands to form the IPSec or SSH tunnel.
So I need to set up VPN first, so here's my current VPN config. The complication is that this is my first multiple VPN setup: the 515e at the main office is VPN'd to a different 501 as well as me attempting to VPN this one to it as well.
515e:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
names
name x.x.71.8 ConstOffice
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
icmp permit any outside
icmp permit any inside
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.71.7 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer x.x.81.11
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.52.0 255.255.255.0 outside
telnet x.x.81.11 255.255.255.255 outside
telnet 192.168.50.201 255.255.255.255 inside
telnet 192.168.50.202 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
501e:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any
access-list acl_inbound permit ip host x.x.71.7 any
interface ethernet0 10baset
interface ethernet1 10full
ip address outside x.x.81.11 255.0.0.0
ip address inside 192.168.52.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.52.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 9 ipsec-isakmp
crypto map vpn1 9 match address inside_nat0_outbound
crypto map vpn1 9 set pfs group2
crypto map vpn1 9 set peer x.x.71.7
crypto map vpn1 9 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.50.0 255.255.255.0 outside
telnet x.x.71.7 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f4e78a76793783478f6e56f567e1f9cd
: end
So I must be missing something to get multiple VPNs up.
My debug info from the 515 is as follows:
ISAKMP (0): beginning Quick Mode exchange, M-ID of 299217336:11d5b1b8
crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 299217336
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7
ISAKMP (0): processing DELETE payload. message ID = 2059037963
ISAKMP (0): deleting SA: src x.x.71.7, dst x.x.81.11
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x813d3688, conn_id = 0
ISADB: reaper checking SA 0x813d65c8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.81.11 Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:x.x.81.11 Total VPN peers:1
ISADB: reaper checking SA 0x813d3688, conn_id = 0
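The debug above ends in "IPSec policy invalidated proposal" / "SA not acceptable!" right after "atts are acceptable", which is the PIX saying the transform attributes matched but the proxy identities offered in Quick Mode did not line up with any local crypto map entry. The script below is an added example, not from the thread or from Cisco: it parses the `name`, `access-list`, `crypto map` and `isakmp key` lines of two PIX configs and reports the three things a reviewer would otherwise check by hand: crypto ACL flows with no mirror image on the peer, a flow that a lower-sequence crypto map entry already claims for a different peer, and a pre-shared key not bound to the peer's address. The embedded configs are constructed, abridged copies of the two posted above (masked addresses kept as posted); on them it flags the 501e's two extra `inside_nat0_outbound` entries, the 515e's entry 10 reusing `inside_nat0_outbound` (which already contains the 192.168.52.0 flow) ahead of entry 20, and the 501e's `isakmp key` being bound to x.x.81.11 rather than x.x.71.7. Flows are compared as exact address/mask pairs; the script does not evaluate subnet containment.

```python
# Added example: phase-2 consistency checks for a pair of PIX 6.x IPsec peers.
# Reports the mismatches that produce "IPSec policy invalidated proposal":
# crypto ACL flows with no mirror image on the peer, a pre-shared key bound to
# the wrong address, and a flow already claimed by a lower-sequence crypto map
# entry for another peer. Flows compare as exact (address, mask) pairs.
import re

Net = tuple[str, str]   # (address, mask); "any" becomes ("0.0.0.0", "0.0.0.0")
Flow = tuple[Net, Net]  # (source, destination)
# Constructed, abridged copies of the two configs posted in the thread; the
# masked tokens x.x.71.7 / x.x.81.11 / x.x.71.8 are kept as the poster wrote them.
PIX_515E = """
name x.x.71.8 ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 20 match address 101
crypto map vpn1 20 set peer x.x.81.11
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
"""
PIX_501E = """
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
crypto map vpn1 9 match address inside_nat0_outbound
crypto map vpn1 9 set peer x.x.71.7
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
"""

def parse_names(cfg: str) -> dict[str, str]:
    """`name <addr> <alias>` lines, so aliases used in ACLs, peers and keys resolve."""
    return {m[2]: m[1] for m in re.finditer(r"^name\s+(\S+)\s+(\S+)", cfg, re.M)}

def _take_net(tok: list[str], names: dict[str, str]) -> tuple[Net, list[str]]:
    """Consume one address spec (any | host A | A MASK) from the token list."""
    if tok[0] == "any":
        return ("0.0.0.0", "0.0.0.0"), tok[1:]
    if tok[0] == "host":
        return (names.get(tok[1], tok[1]), "255.255.255.255"), tok[2:]
    return (names.get(tok[0], tok[0]), tok[1]), tok[2:]

def parse_acls(cfg: str, names: dict[str, str]) -> dict[str, list[Flow]]:
    """Permit entries per ACL as (src, dst) flows; protocol and port qualifiers are
    dropped because only the address pair becomes a phase-2 proxy identity."""
    acls: dict[str, list[Flow]] = {}
    for m in re.finditer(r"^access-list\s+(\S+)\s+permit\s+\S+\s+(.*)$", cfg, re.M):
        src, rest = _take_net(m[2].split(), names)
        dst, _ = _take_net(rest, names)
        acls.setdefault(m[1], []).append((src, dst))
    return acls

def parse_crypto_maps(cfg: str, names: dict[str, str]) -> dict[tuple[str, int], dict[str, str]]:
    """Group `crypto map <name> <seq> ...` lines into {(name, seq): {match, peer}}."""
    entries: dict[tuple[str, int], dict[str, str]] = {}
    for m in re.finditer(r"^crypto map\s+(\S+)\s+(\d+)\s+(.*)$", cfg, re.M):
        words = m[3].split()
        entry = entries.setdefault((m[1], int(m[2])), {})
        if words[:2] == ["match", "address"]:
            entry["match"] = words[2]
        elif words[:2] == ["set", "peer"]:
            entry["peer"] = names.get(words[2], words[2])
    return entries

def parse_isakmp_keys(cfg: str, names: dict[str, str]) -> set[str]:
    return {names.get(m[1], m[1])
            for m in re.finditer(r"^isakmp key\s+\S+\s+address\s+(\S+)", cfg, re.M)}

def fmt(f: Flow) -> str:
    return f"{f[0][0]}/{f[0][1]} -> {f[1][0]}/{f[1][1]}"

def check_side(cfg: str, me: str, other: str) -> tuple[list[Flow], list[str]]:
    """Flows `me` protects toward `other`, plus local findings (shadowed flow, missing key)."""
    names = parse_names(cfg)
    acls, findings, to_other = parse_acls(cfg, names), [], []
    claimed: dict[Flow, str] = {}  # flow -> peer of the lowest-sequence entry matching it
    for (_, seq), entry in sorted(parse_crypto_maps(cfg, names).items()):
        peer = entry.get("peer", "?")
        for flow in acls.get(entry.get("match", ""), []):
            if flow in claimed and claimed[flow] != peer:
                findings.append(f"{me}: seq {seq} flow {fmt(flow)} is shadowed by an "
                                f"earlier entry for peer {claimed[flow]}")
            claimed.setdefault(flow, peer)
            if peer == other:
                to_other.append(flow)
    if other not in parse_isakmp_keys(cfg, names):
        findings.append(f"{me}: no isakmp key bound to peer {other}")
    return to_other, findings

def check_tunnel(cfg_a: str, addr_a: str, cfg_b: str, addr_b: str) -> list[str]:
    """Cross-check both peers: each protected flow must appear mirrored on the other."""
    flows_a, findings = check_side(cfg_a, addr_a, addr_b)
    flows_b, more = check_side(cfg_b, addr_b, addr_a)
    findings += more
    for flows, mirror, me, other in ((flows_a, flows_b, addr_a, addr_b),
                                     (flows_b, flows_a, addr_b, addr_a)):
        mirrored = {(dst, src) for src, dst in mirror}
        findings += [f"{me}: flow {fmt(f)} has no mirror on {other}"
                     for f in flows if f not in mirrored]
    return findings

if __name__ == "__main__":
    print("\n".join(check_tunnel(PIX_515E, "x.x.71.7", PIX_501E, "x.x.81.11")))
```

Run against the two constructed configs it prints four findings; a pair whose crypto ACLs are exact mirrors, each with a key bound to the other's address and no overlapping map entries, produces none.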