03-25-2004 03:15 PM - edited 02-21-2020 01:05 PM
Hello,
I have a PIX 515 and a PIX 506 both connected via broadband to the internet. I have set up a VPN configuration between the two but am having some trouble getting traffic from clients behind either one to the opposite side clients respectively.
The PIX 515 is also responsible for several other subnets connecting through it via ISDN lines across ISDN routers.
The PIX's can from within their console interfaces ping successfully to any client across the VPN (using "ping outside 10.128.1.x", an internal IP of the opposite subnet, and getting successful responses).
And currently these two networks are already connected via an ISDN line so they can communicate already. This will change soon, hence why I'm trying to set up a VPN between the two PIX's across broadband DSL lines.
Below are the configurations:
PIX 515: (some unrelated lines removed)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname HHPIX-1
domain-name gdc.com
fixup protocol ftp 21
....
fixup protocol skinny 2000
names
name x.x.x.98 GreenBuilding
name x.x.x.126 PalHall
access-list testonly permit ip any any
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip host GreenBuilding 10.128.15.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside GreenBuilding 255.255.255.248
ip address inside 10.128.1.250 255.255.255.0
....
global (outside) 1 interface
nat (inside) 0 access-list vpn1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group testonly in interface outside
access-group testonly in interface inside
static (inside,outside) x.x.6.100 10.128.1.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.6.102 10.128.1.4 netmask 255.255.255.255 0 0
static (inside,outside) x.x.6.101 10.128.1.7 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host x.x.6.100 eq citrix-ica any
conduit permit tcp any eq 3000 any
conduit permit tcp host x.x.6.102 eq citrix-ica any
conduit permit tcp host x.x.6.102 eq 3389 any
conduit permit tcp host x.x.6.100 eq 3389 any
conduit permit tcp host x.x.6.101 eq www any
conduit permit tcp host x.x.6.101 eq 3389 any
route outside 0.0.0.0 0.0.0.0 x.x.x.97 1 (this is the existing router)
route inside 10.0.0.0 255.0.0.0 10.128.1.1 1
....
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address vpn1
crypto map vpn1 10 set pfs
crypto map vpn1 10 set peer PalHall
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address PalHall netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
terminal width 80
Cryptochecksum:a1d2c9463e4c7fe76d534710bb3111b6
: end
The other config to follow in the next reply due to char limits.
03-25-2004 03:16 PM
PIX 506: (some unrelated lines removed)
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
hostname PalHall
domain-name PalHall.com
fixup protocol ftp 21
....
fixup protocol http 8080
names
name x.x.x.98 GreenBuilding
name x.x.x.126 PalHall
access-list 101 permit icmp any any echo-reply
access-list 101 permit ip host GreenBuilding 10.128.15.0 255.255.255.0
access-list 101 permit ip 10.128.15.0 255.255.255.0 any
access-list 101 permit ip 10.128.1.0 255.255.255.0 any
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 10.128.1.0 255.255.255.0
access-list vpn1 permit ip host PalHall 10.128.1.0 255.255.255.0
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 host GreenBuilding
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit ip host PalHall any
access-list 102 permit tcp any host PalHall
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 10.128.15.100 255.255.255.0
....
global (outside) 2 interface
nat (inside) 0 access-list vpn1
nat (inside) 2 10.128.15.0 255.255.255.0 0 0
access-group 101 in interface outside
access-group 101 in interface inside
....
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address vpn1
crypto map vpn1 10 set pfs
crypto map vpn1 10 set peer GreenBuilding
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address GreenBuilding netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
....
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname phmainclub
vpdn group pppoex ppp authentication pap
vpdn username phmainclub password *********
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
It seems that the VPN is established. When I run debug crypto isakmp, I don't get anything but reaper lines; before it was established I got a ton of debug info on why the VPN wasn't working. That's not happening anymore. I can ping the opposite networks from within the PIX console over the outside interface.
It just seems that the PIX's aren't allowing traffic back and forth from clients inside their networks across the established VPN.
I'm stumped how to fix this. I think my access-lists are ok, I even put that wide open access-list on the 515 to test with and still could not ping across.
Any help would be Wonderful! Thank you for your time.
Dave Singleterry
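One routine check for a site-to-site IPsec pair like this is that each peer's crypto ACL is the exact mirror of the other's (every "A to B" line on one side has a matching "B to A" line on the other), and that a given inside-to-remote flow actually matches the ACL the crypto map and nat 0 both reference. The script below is an added example, not part of the original post: it parses the two vpn1 ACLs quoted above and reports the entries that have no mirror on the peer. The public addresses are masked as x.x.x.* in the thread, so documentation addresses (192.0.2.x) stand in for the GreenBuilding and PalHall names as labelled placeholders; the function names are my own.

```python
import ipaddress

# Placeholders for the masked x.x.x.98 / x.x.x.126 "names" entries in the configs.
NAMES = {
    "GreenBuilding": "192.0.2.98",   # placeholder for x.x.x.98
    "PalHall": "192.0.2.126",        # placeholder for x.x.x.126
}

# The two crypto ACLs exactly as quoted in the thread (constructed input).
PIX515_VPN1 = """
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip host GreenBuilding 10.128.15.0 255.255.255.0
"""

PIX506_VPN1 = """
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 10.128.1.0 255.255.255.0
access-list vpn1 permit ip host PalHall 10.128.1.0 255.255.255.0
access-list vpn1 permit ip 10.128.1.0 255.255.255.0 10.128.15.0 255.255.255.0
access-list vpn1 permit ip 10.128.15.0 255.255.255.0 host GreenBuilding
"""


def _resolve(token):
    """Replace a 'names' alias with its address; plain addresses pass through."""
    return NAMES.get(token, token)


def _parse_endpoint(tokens, i):
    """Parse one address spec (any | host X | ADDR MASK) starting at tokens[i].
    Returns (network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(_resolve(tokens[i + 1]) + "/32"), i + 2
    addr, mask = _resolve(tok), tokens[i + 1]
    # ipaddress accepts dotted netmasks, e.g. 10.128.1.0/255.255.255.0
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text, name):
    """Return the (src, dst) network pairs of ACL `name` ('permit ip' lines only)."""
    pairs = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", name, "permit", "ip"]:
            continue
        src, i = _parse_endpoint(tokens, 4)
        dst, _ = _parse_endpoint(tokens, i)
        pairs.append((src, dst))
    return pairs


def unmirrored(local, peer):
    """Entries of `local` whose exact mirror (dst, src) does not appear in `peer`."""
    peer_set = set(peer)
    return [(s, d) for (s, d) in local if (d, s) not in peer_set]


def matches(pairs, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip is selected by the crypto ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in pairs)


if __name__ == "__main__":
    pix515 = parse_acl(PIX515_VPN1, "vpn1")
    pix506 = parse_acl(PIX506_VPN1, "vpn1")
    for side, local, peer in (("515", pix515, pix506), ("506", pix506, pix515)):
        for s, d in unmirrored(local, peer):
            print(f"PIX {side}: {s} -> {d} has no mirror on the peer")
    print("515 selects 10.128.1.50 -> 10.128.15.20:",
          matches(pix515, "10.128.1.50", "10.128.15.20"))
```

Run against the quoted ACLs, the 515 side comes out fully mirrored, while the 506 side has two lines the 515 does not reciprocate (the PalHall host line and the reversed 10.128.1.0 to 10.128.15.0 line). Because both boxes use the same ACL for nat 0 and for the crypto map, the same check also tells you which flows are exempt from PAT.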
03-25-2004 04:18 PM
After further review... (I know, I'm answering my own post)... I think actually the problem lies with a route command in the 515 config that I somehow didn't include in the original post:
route outside 0.0.0.0 0.0.0.0 x.x.x.97 1
route inside 10.0.0.0 255.0.0.0 10.128.1.1 1
It's forwarding all traffic out the outside interface to a router on .97. I think that's what's preventing my client from going over the established VPN. I'll give it a shot tomorrow.
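A PIX picks the egress interface for a packet by longest-prefix match over its route table, and the crypto map is only evaluated on the interface it is bound to (here, "crypto map vpn1 interface outside"). The script below is an added example rather than anything from the post: it performs that lookup over the two static routes quoted above so you can see which interface a packet for a 10.128.15.x host would leave through. The ISP router address is masked in the thread, so a documentation address (192.0.2.97) stands in for x.x.x.97 as a labelled placeholder; the function names are my own.

```python
import ipaddress

# The two static routes quoted from the 515 config (constructed input; the
# next-hop 192.0.2.97 is a placeholder for the masked x.x.x.97 router).
PIX515_ROUTES = [
    # (interface, destination prefix, next hop)
    ("outside", "0.0.0.0/0", "192.0.2.97"),
    ("inside", "10.0.0.0/255.0.0.0", "10.128.1.1"),
]


def lookup(routes, dst):
    """Longest-prefix match: among routes whose prefix contains `dst`, the most
    specific (longest mask) wins, so 10.0.0.0/8 beats the 0.0.0.0/0 default."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net, nexthop)
    return best


def egress_interface(routes, dst):
    """Interface a packet to `dst` would leave through, or None if unroutable."""
    route = lookup(routes, dst)
    return route[0] if route else None


def reaches_crypto_map(routes, dst, crypto_map_interface="outside"):
    """True only if the packet exits via the interface the crypto map is bound to;
    a packet routed out another interface is never matched against it."""
    return egress_interface(routes, dst) == crypto_map_interface


if __name__ == "__main__":
    for dst in ("10.128.15.20", "192.0.2.126"):
        print(dst, "->", lookup(PIX515_ROUTES, dst),
              "crypto map seen:", reaches_crypto_map(PIX515_ROUTES, dst))
    # A more specific route for the remote LAN towards the outside next hop
    # changes the answer for the remote subnet only (hypothetical extra route).
    extra = PIX515_ROUTES + [("outside", "10.128.15.0/24", "192.0.2.97")]
    print("with /24 route:", egress_interface(extra, "10.128.15.20"))
```

With the routes as quoted, a packet for 10.128.15.20 matches the 10.0.0.0/8 entry and exits the inside interface towards 10.128.1.1, while only the peer's public address itself falls through to the default route on outside. Adding a more specific route for the remote LAN that points out the outside interface is the usual way to steer that subnet onto the interface the crypto map is bound to.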