08-21-2006 09:08 PM - edited 02-21-2020 01:07 AM
I have a central office PIX and remote sites that use DHCP from the ISP. Central has a static address. I am attempting to set up tunnels that allow access between sites. The tunnels appear to be set up; however, I am unable to connect to anything at the remote sites. I can use the remote client, but only to the central office. I'm missing something obvious, I'm sure. Thanks in advance. Here are the configs.
central office:
access-list 120 permit ip 192.168.100.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list outside_access_in permit tcp any any eq www
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 25.x.x.25 255.x.255.255
ip address inside 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient 192.168.1.215-192.168.1.225
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.100.250 www netmask 255.x.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.x.x.25.25.24 1
floodguard enable
fragment chain 45 inside
fragment timeout 10 inside
sysopt connection permit-ipsec
crypto ipsec transform-set tset esp-des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set tset
crypto map dyn-map 10 ipsec-isakmp dynamic dynmap
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 10 5
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup FCIvpnclient idle-time 1800
vpngroup cisco address-pool fcivpnclient
vpngroup cisco dns-server 192.168.100.250
vpngroup cisco wins-server 192.168.100.250
vpngroup cisco default-domain domain.local
vpngroup cisco split-tunnel 120
vpngroup cisco idle-time 1800
vpngroup cisco password ********
vpngroup fcivpnclient idle-time 1800
management-access inside
<<<REMOTE>>>
access-list 120 permit ip 192.168.18.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_in deny udp any any eq 1863
access-list acl_in deny tcp any any eq 1863
access-list acl_in permit ip any any
pager lines 24
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.88.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_in in interface inside
sysopt connection permit-ipsec
crypto ipsec transform-set tset esp-des esp-md5-hmac
crypto map ffmap 10 ipsec-isakmp
crypto map ffmap 10 match address 120
crypto map ffmap 10 set peer 25.25.25.25
crypto map ffmap 10 set transform-set tset
crypto map ffmap interface outside
isakmp enable outside
isakmp key ******** address 25.x.25.25 netmask 255.x.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpdn group pppox request dialout pppoe
vpdn group pppox localname user@isp.net
vpdn group pppox ppp authentication pap
vpdn username user@isp.net password *********
08-22-2006 12:38 AM
Try to create a separate policy for the site-to-site VPN. The existing policy (isakmp policy 10) in central is used by the VPN client.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
Rgds,
AK
08-22-2006 06:03 AM
OK. How can I get the remote PIX to use one policy and the client to use another? The link provided is for ver 7.x; these PIX use 6.3. Thanks for the response.
08-22-2006 09:36 PM
BTW, do you use your remote PIX to connect your remote access client (VPN client), and from there use the same PIX to connect to the central PIX? Or does the central PIX handle both the remote access VPN client and the remote PIX?
Rgds,
AK
08-23-2006 12:06 AM
Your phase 1 config looks OK (provided pre-shared keys match), and it is OK for clients & L2L to use the same policy.
On phase 2 your ACLs should be mirrors of each other and are not: remote has 2 lines, central has one. Nevertheless it should still work for that one line in common.
Crypto map looks OK.
I believe "isakmp key ******** address 0.0.0.0 netmask 0.0.0.0" would be used only by L2L (not clients; they'd use "vpngroup cisco password ********"), and you may need to turn off mode config & uauth for L2L:
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
otherwise:
show cry isa sa
show cry map
show cry ips sa
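The mirror check described in the reply above (each `access-list 120` entry on one peer must appear with source and destination swapped on the other) is easy to get wrong by eye on larger configs. The following script is an added example, not code from the thread or from Cisco: it parses the `access-list NAME permit ip SRC MASK DST MASK` lines of both peers and reports every entry that has no mirrored counterpart. The sample configs are the crypto ACLs posted above (constructed here as strings; the central line is taken as 192.168.100.0/24 to 192.168.88.0/24), so running it reproduces the observation that the remote's first line has nothing matching it on the central side.

```python
"""Check that the crypto ACLs of two PIX 6.3 peers mirror each other.

Added example, not part of the thread. Only `permit ip` entries with
dotted-quad source/destination and netmasks are considered; `any` and
host forms are outside the scope of this check.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

# Constructed sample input: the crypto ACLs posted in the thread.
CENTRAL_CONFIG = """
access-list 120 permit ip 192.168.100.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list outside_access_in permit tcp any any eq www
"""

REMOTE_CONFIG = """
access-list 120 permit ip 192.168.18.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.88.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_in permit ip any any
"""


def parse_crypto_acl(config, acl_name):
    """Return a set of (src_network, dst_network) pairs for `acl_name`.

    Lines belonging to other ACLs, or not in the `permit ip` network form,
    are skipped. PIX netmask notation is converted with ipaddress, which
    accepts "network/netmask" directly.
    """
    entries = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
        entries.add((src, dst))
    return entries


def find_unmirrored(local, remote):
    """Return (missing_on_remote, missing_on_local).

    An entry (src, dst) on one side is mirrored if (dst, src) exists on the
    other side. Unmirrored entries never negotiate a matching IPsec SA.
    """
    missing_on_remote = sorted(e for e in local if (e[1], e[0]) not in remote)
    missing_on_local = sorted(e for e in remote if (e[1], e[0]) not in local)
    return missing_on_remote, missing_on_local


def report(local_config, remote_config, acl_name="120"):
    """Human-readable list of findings, one string per unmirrored entry."""
    local = parse_crypto_acl(local_config, acl_name)
    remote = parse_crypto_acl(remote_config, acl_name)
    on_remote, on_local = find_unmirrored(local, remote)
    lines = [f"central {s} -> {d}: no mirror on remote" for s, d in on_remote]
    lines += [f"remote {s} -> {d}: no mirror on central" for s, d in on_local]
    return lines


if __name__ == "__main__":
    findings = report(CENTRAL_CONFIG, REMOTE_CONFIG)
    print("\n".join(findings) if findings else "crypto ACLs mirror each other")
```

With the thread's configs this prints a single finding for the remote's `192.168.18.0/24 -> 192.168.1.0/24` line; the shared `192.168.88.0/24 <-> 192.168.100.0/24` pair is mirrored correctly, which is why the reply expects that tunnel to come up regardless.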