PIX to PIX VPN problems

dsingleterry
Level 1

Hello,

I have a PIX 515 and a PIX 506, both connected via broadband to the internet. I have set up a VPN configuration between the two but am having some trouble getting traffic from clients behind either one to the clients on the opposite side.

The PIX 515 is also responsible for several other subnets connecting through it via ISDN lines across ISDN routers.

The PIXes can, from within their console interfaces, ping successfully to any client across the VPN (using "ping outside 10.128.1.x", an internal IP of the opposite subnet, and getting successful responses).

And currently these two networks are already connected via an ISDN line, so they can communicate already. This will change soon, hence I'm trying to set up a VPN between the two PIXes across broadband DSL lines.

Below are the configurations:

PIX 515: (some unrelated lines removed)

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname HHPIX-1
domain-name gdc.com
fixup protocol ftp 21
....
fixup protocol skinny 2000
names
name x.x.x.98 GreenBuilding
name x.x.x.126 PalHall
access-list testonly permit ip any any
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip host GreenBuilding 10.128.15.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside GreenBuilding 255.255.255.248
ip address inside 10.128.1.250 255.255.255.0
....
global (outside) 1 interface
nat (inside) 0 access-list vpn1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group testonly in interface outside
access-group testonly in interface inside
static (inside,outside) x.x.6.100 10.128.1.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.6.102 10.128.1.4 netmask 255.255.255.255 0 0
static (inside,outside) x.x.6.101 10.128.1.7 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host x.x.6.100 eq citrix-ica any
conduit permit tcp any eq 3000 any
conduit permit tcp host x.x.6.102 eq citrix-ica any
conduit permit tcp host x.x.6.102 eq 3389 any
conduit permit tcp host x.x.6.100 eq 3389 any
conduit permit tcp host x.x.6.101 eq www any
conduit permit tcp host x.x.6.101 eq 3389 any
route outside 0.0.0.0 0.0.0.0 x.x.x.97 1 (this is the existing router)
route inside 10.0.0.0 255.0.0.0 10.128.1.1 1
....
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address vpn1
crypto map vpn1 10 set pfs
crypto map vpn1 10 set peer PalHall
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address PalHall netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
terminal width 80
Cryptochecksum:a1d2c9463e4c7fe76d534710bb3111b6
: end

The other config will follow in the next reply due to character limits.

2 Replies

dsingleterry
Level 1

PIX 506: (some unrelated lines removed)

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname PalHall
domain-name PalHall.com
fixup protocol ftp 21
....
fixup protocol http 8080
names
name x.x.x.98 GreenBuilding
name x.x.x.126 PalHall
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip host GreenBuilding 10.128.15.0 255.255.255.0
access-list 101 permit ip 10.128.15.0 255.255.255.0 any
access-list 101 permit ip 10.128.1.0 255.255.255.0 any
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 10.128.1.0 255.255.255.0
access-list vpn1 permit ip host PalHall 10.128.1.0 255.255.255.0
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 host GreenBuilding
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit ip host PalHall any
access-list 102 permit tcp any host PalHall
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.128.15.100 255.255.255.0
....
global (outside) 2 interface
nat (inside) 0 access-list vpn1
nat (inside) 2 10.128.15.0 255.255.255.0 0 0
access-group 101 in interface outside
access-group 101 in interface inside
....
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address vpn1
crypto map vpn1 10 set pfs
crypto map vpn1 10 set peer GreenBuilding
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address GreenBuilding netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
....
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname phmainclub
vpdn group pppoex ppp authentication pap
vpdn username phmainclub password *********

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

It seems that the VPN is established. When I run debug crypto isakmp, I don't get anything but reaper lines; before it was established I got a ton of debug info on why the VPN wasn't working. That's not happening anymore. I can ping the opposite networks from within the PIX console over the outside interface.

It just seems that the PIXes aren't allowing traffic back and forth from clients inside their networks across the established VPN.

I'm stumped as to how to fix this. I think my access-lists are OK; I even put that wide-open access-list on the 515 to test with and still could not ping across.

Any help would be Wonderful! Thank you for your time.

Dave Singleterry

After further review... (I know, I'm answering my own post)... I think the problem actually lies with a route command in the 515 config that I somehow didn't include in the original post:

route outside 0.0.0.0 0.0.0.0 x.x.x.97 1

route inside 10.0.0.0 255.0.0.0 10.128.1.1 1

It's forwarding all traffic out the outside interface to a router on .97; I think that's what's preventing my client from going over the established VPN. I'll give it a shot tomorrow.
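An added check, written for this thread and not part of the original posts or of any Cisco tool. A PIX 6.x decides the egress interface from its routing table first and only then applies the crypto map bound to that interface, so a crypto-ACL destination that routes to some other interface is never encrypted. On the 515, "route inside 10.0.0.0 255.0.0.0 10.128.1.1 1" is a closer match for 10.128.15.0/24 than the default route, so client traffic for the far side is handed to the ISDN router on the inside and never reaches the crypto map on outside; a console "ping outside" sends from that interface directly, which is why it succeeded. The script below parses just the relevant lines of the two posted configs, reports crypto-ACL destinations whose egress is not the crypto-map interface, and checks that the two peers' crypto ACLs are mirror images. The samples are constructed from the thread with RFC 5737 addresses (192.0.2.98 and 198.51.100.126) standing in for the masked x.x.x.98 and x.x.x.126; PIX515_FIXED adds a more specific route that is my proposed fix, not anything on the page.

```python
# Added example, not Cisco's code and not the poster's: lint a pair of PIX 6.x
# site-to-site configs for two things that leave a tunnel up but passing nothing.
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[str, Net, str]  # (interface, network, gateway or "connected"/"pppoe")


class PixConfig:
    """Parses only the commands that decide whether a packet ever reaches the crypto map."""

    def __init__(self, text: str) -> None:
        self.names: Dict[str, str] = {}
        self.acls: Dict[str, List[Tuple[Net, Net]]] = {}
        self.routes: List[Route] = []
        self.crypto_acl: Optional[str] = None
        self.crypto_iface: Optional[str] = None
        for line in text.splitlines():
            self._parse(line.split())

    def _net(self, addr: str, mask: str) -> Net:
        return Net(f"{self.names.get(addr, addr)}/{mask}", strict=False)

    def _term(self, t: List[str], i: int) -> Tuple[Net, int]:  # 'any' | 'host X' | 'X MASK'
        if t[i] == "any":
            return Net("0.0.0.0/0"), i + 1
        if t[i] == "host":
            return self._net(t[i + 1], "32"), i + 2
        return self._net(t[i], t[i + 1]), i + 2

    def _parse(self, t: List[str]) -> None:
        if len(t) < 3:
            return
        if t[0] == "name":
            self.names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = self._term(t, 4)
            self.acls.setdefault(t[1], []).append((src, self._term(t, i)[0]))
        elif t[:2] == ["ip", "address"] and len(t) > 4:
            if t[3] != "pppoe":  # directly connected network
                self.routes.append((t[2], self._net(t[3], t[4]), "connected"))
            elif "setroute" in t:  # default route learned over PPPoE
                self.routes.append((t[2], Net("0.0.0.0/0"), "pppoe"))
        elif t[0] == "route" and len(t) > 4:
            self.routes.append((t[1], self._net(t[2], t[3]), t[4]))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            self.crypto_acl = t[6]
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            self.crypto_iface = t[4]

    def egress(self, dst: Net) -> Optional[Route]:
        """Longest-prefix match: the PIX routes first and only then consults the crypto map."""
        best: Optional[Route] = None
        for r in self.routes:
            if r[1].supernet_of(dst) and (best is None or r[1].prefixlen > best[1].prefixlen):
                best = r
        return best


def check_routes(cfg: PixConfig) -> List[str]:
    """Crypto-ACL destinations that would leave by another interface, so are never encrypted."""
    bad = []
    for src, dst in cfg.acls.get(cfg.crypto_acl, []):
        r = cfg.egress(dst)
        if (r[0] if r else None) != cfg.crypto_iface:
            bad.append(f"{src} -> {dst} egresses via {r[0] if r else None}, not {cfg.crypto_iface}")
    return bad


def check_mirror(a: PixConfig, b: PixConfig) -> List[str]:
    """Every entry of one peer's crypto ACL must appear reversed on the other."""
    a_pairs = set(a.acls.get(a.crypto_acl, []))
    b_rev = {(d, s) for s, d in b.acls.get(b.crypto_acl, [])}
    out = [f"A has {s} -> {d}, no mirror on B" for s, d in sorted(a_pairs - b_rev, key=str)]
    return out + [f"B has {d} -> {s}, no mirror on A" for s, d in sorted(b_rev - a_pairs, key=str)]


# Constructed samples: the thread's configs cut to the relevant lines, with RFC 5737
# addresses standing in for the masked x.x.x.98 (GreenBuilding) and x.x.x.126 (PalHall).
PIX515_TEXT = """
name 192.0.2.98 GreenBuilding
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip host GreenBuilding 10.128.15.0 255.255.255.0
ip address inside 10.128.1.250 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.97 1
route inside 10.0.0.0 255.0.0.0 10.128.1.1 1
crypto map vpn1 10 match address vpn1
crypto map vpn1 interface outside
"""
PIX515 = PixConfig(PIX515_TEXT)
# Proposed fix (assumption, not on the page): a /24 route that beats the 10/8 inside route.
PIX515_FIXED = PixConfig(PIX515_TEXT + "route outside 10.128.15.0 255.255.255.0 192.0.2.97 1\n")
PIX506 = PixConfig("""
name 192.0.2.98 GreenBuilding
name 198.51.100.126 PalHall
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 10.128.1.0 255.255.255.0
access-list vpn1 permit ip host PalHall 10.128.1.0 255.255.255.0
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 host GreenBuilding
ip address outside pppoe setroute
ip address inside 10.128.15.100 255.255.255.0
crypto map vpn1 10 match address vpn1
crypto map vpn1 interface outside
""")

if __name__ == "__main__":
    print(check_routes(PIX515), check_routes(PIX515_FIXED), check_routes(PIX506))
    print(check_mirror(PIX515, PIX506))
```

Run against the thread's configs this flags both vpn1 entries on the 515 as egressing via inside, one entry on the 506 (the reversed line with source 10.128.1.0/24, whose destination is the 506's own connected inside network) and two 506 entries that have no mirror on the 515. Of the two route lines quoted in the follow-up, the default route to .97 is the one the crypto map needs; the line that swallows the VPN traffic is the 10.0.0.0/8 route pointing inside, and since that route serves the ISDN subnets the remedy is the more specific route shown in PIX515_FIXED rather than removing it. On the 506, delete the two extra vpn1 lines so the ACLs mirror exactly; the nat 0 exemptions on both boxes already reference the same vpn1 lists. Two caveats worth carrying away: the wide-open testonly list bound to the 515's outside interface should come off once testing is over, since with sysopt connection permit-ipsec the decrypted VPN traffic bypasses the interface ACL anyway; and DES with Diffie-Hellman group 1 is obsolete and should be replaced by the strongest transform and group the platform's license allows.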
