12-02-2005 04:13 PM - edited 02-21-2020 12:34 AM
I have an n2h2 server at headquarters. I want remote offices to query this server when making web requests. HQ has a PIX 515e and the remote offices have 501s. Works no problem in HQ, but remote offices log 110001, No route. Each of the remote offices has a VPN tunnel back to HQ. I can browse to the n2h2 to/from the remote office, connect to the port, ping, etc. So I know I can get from a <-> b.
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 22.22.22.22 1
URL Server Status:
------------------
10.10.10.10 DOWN
Log indicates No route {n2h2 IP} from {pix inside IP}
I am just missing something obvious. I have tried configuring the url-server on the inside and outside. Same result.
Any info is greatly appreciated.
12-03-2005 09:23 PM
It seems to me that you need to define the interesting traffic for VPN connectivity for the URL server IP address.
Interesting traffic should be sourced from the PIX and destined for the URL server.
Can you ping the URL server from the remote PIX? I guess not, due to the fact that interesting traffic is between LANs and not from PIX to LAN.
thanks
Nadeem
12-04-2005 02:12 AM
As mentioned in the previous post, I guess the remote PIX 501 needs to be included as part of the crypto traffic.
e.g. the existing acl should look like
access-list no_nat permit ip
access-list vpnl2l permit ip
on the remote office pix, add:
access-list vpnl2l permit ip host
on the head office pix, add:
access-list vpnl2l permit ip host
12-04-2005 07:31 AM
Replied by: nkhawaja - CCIE - Dec 3, 2005, 9:23pm PST
Yes, I can ping the server. I can also browse to it and telnet to the port. All traffic from remote office has no issues getting from the remote subnet to the HQ thru normal means, such as mapped drives, browsing etc.
Replied by: jackko - Security and Network Consultant, Trilogy Computer Systems Pty Ltd, Australia - Dec 4, 2005, 2:12am PST
Yes, there is a tunnel setup between the remote and HQ. I have tried setting the url-server both inside and outside, same error.
No route to {websense server IP in HQ} from {inside IP of remote PIX}
Remote office is configured as a split tunnel. It appears to be a routing issue, but I'm just not sure what line would correct it, since I can get to the server by simply browsing, telnetting to the port the app uses, etc.
I know this. The web request is never making it outside the PIX to HQ from the remote, since I do not see any connections from the PIX, but I do see a connection when I telnet to the port. So I know I can get from server (remote) to server (HQ).
Current Access-list(remote)
access-list 120 permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
conduit permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
Current Access-list (HQ)
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
12-04-2005 07:57 AM
Yes, we understand you can ping from network to network. What we want to know is whether you can ping the server from the remote PIX.
12-04-2005 08:49 AM
No response received
I went ahead and added icmp permit any {interfaces}
no change.
icmp trace log.
22: ICMP echo request (len 32 id 9233 seq 0) pix-public-IP > HQserver-IP
HQserver-IP NO response received -- 1000ms
send a ping from HQ pix and remote pix logs:
36: ICMP echo-request from outside:vpn-interface-IP to remote-pix-inside-ip ID=4388 seq=2 length=40
12-04-2005 08:55 AM
You need to modify your interesting traffic on the HQ and remote PIX so that the remote PIX can ping the server.
See the earlier post for a sample config.
12-04-2005 11:01 AM
I have used this example:
e.g. the existing acl should look like
access-list no_nat permit ip
access-list vpnl2l permit ip
on the remote office pix, add:
access-list vpnl2l permit ip host
on the head office pix, add:
access-list vpnl2l permit ip host
..but still unable to get a ping.
Log:
No route to url-server-ip from inside-pix-ip
12-04-2005 01:45 PM
please post the config with public ip masked.
12-04-2005 02:56 PM
I really appreciate your assistance and advice with this. Here are the configs prior to any changes. Thanks.
<<<<<
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 vpn security75
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
mtu outside 1500
mtu inside 1500
mtu vpn 1500
ip address outside public-ip 255.255.255.224
ip address inside 10.10.10.2 255.255.255.0
ip address vpn 192.168.1.1 255.255.255.0
ip local pool vpn_pool 172.16.254.1-172.16.254.250
arp timeout 14400
global (outside) 1 interface
global (vpn) 1 192.168.1.254
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (vpn) 0 access-list nonat
static (inside,outside) public-ip 10.10.10.20 netmask 255.255.255.255 1000 500
conduit permit icmp any any
conduit permit ip 10.36.0.0 255.255.0.0 192.168.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 public-ip 1
route inside 10.0.0.0 255.0.0.0 10.10.10.1 1
route vpn 192.168.0.0 255.255.0.0 192.168.1.2 1
url-server (inside) vendor n2h2 host n2h2-inside-ip port 4005 timeout 10 protocol TCP
url-cache src_dst 128KB
filter url http host-ip 255.255.255.255 0.0.0.0 0.0.0.0 allow
floodguard enable
isakmp identity address
url-block block 128
<<<<<
access-list 120 permit ip 192.168.15.0 255.255.255.0 10.36.0.0 255.255.0.0
access-list 120 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging on
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside public-ip.26 255.255.255.248
ip address inside 192.168.15.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any
conduit permit esp any any
conduit permit ip 10.36.0.0 255.255.0.0 192.168.15.0 255.255.255.0
conduit permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 public-ip.25 1
url-server (inside) vendor n2h2 host n2h2-inside-ip port 4005 timeout 10 protocol TCP
filter url http host-ip 255.255.255.255 0.0.0.0 0.0.0.0 allow
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set name esp-des esp-md5-hmac
crypto map name 10 ipsec-isakmp
crypto map name 10 match address 120
crypto map name 10 set peer public-concentrator-ip
crypto map name 10 set transform-set name
crypto map name 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map name interface outside
isakmp enable outside
isakmp key * address public-concentrator-ip netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 5
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 14400
url-block block 128
12-04-2005 03:16 PM
on the hq pix,
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 host public-ip.26
on the remote pix,
access-list 120 permit ip 192.168.15.0 255.255.255.0 10.36.0.0 255.255.0.0
access-list 120 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip host public-ip.26 10.36.0.0 255.255.0.0
access-list 120 permit ip host public-ip.26 192.168.1.0 255.255.255.0
Further, the "url-server" command on the remote PIX should be "url-server (outside)" rather than "url-server (inside)".
12-04-2005 06:40 PM
I have tried these settings and it still doesn't work. I had tried setting the url-server "inside" and "outside" but got the same result.
304008: LEAVING ALLOW mode, URL Server is up
110001: No route to 10.36.81.9 from 192.168.15.1
304006: URL Server 10.36.81.9 not responding
304006: URL Server 10.36.81.9 not responding
110001: No route to 10.36.81.9 from 192.168.15.1
12-05-2005 12:29 PM
Further log.
I see this event in the concentrator.
2207 12/05/2005 14:02:54.940 SEV=5 IKE/34 RPT=5872 public-ip.26
Group [public-ip.26]
Received local IP Proxy Subnet data in ID Payload:
Address 10.36.0.0, Mask 255.255.0.0, Protocol 0, Port 0
22210 12/05/2005 14:02:54.940 SEV=4 IKE/61 RPT=18700 public-ip.26
Group [public-ip.26]
Tunnel rejected: Policy not found for Src:public-ip.26, Dst: 10.36.0.0!
22212 12/05/2005 14:02:54.940 SEV=4 IKEDBG/97 RPT=44758 public-ip.26
Group [public-ip.26]
QM FSM error (P2 struct &0x1d5c3ec, mess id 0x7a2386f9)!
12-21-2005 09:02 AM
Hello Jakko. Thanks for the response. I had all the access-lists in correctly. The resolution was simply setting up the management interface inside.
pix> man i
and setting the "url-server" back to inside.
Thanks for the response.
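As an added illustration (not code from the thread or from Cisco), the following checker parses PIX 6.x-style access-list entries and reports whether a given source/destination pair is matched. Run against the remote-office access-list 120 and the HQ nonat ACL as posted above, it shows that the logged flow 192.168.15.1 -> 10.36.81.9 was already covered by the crypto ACL, which is consistent with the final post: the fix was the management interface, not the ACLs. The address 203.0.113.26 is a constructed placeholder standing in for the masked public-ip.26 of the remote PIX.

```python
import ipaddress
import re

# ACLs copied from the thread's posted configs (remote PIX 501 and HQ PIX 515e).
REMOTE_ACL_120 = """
access-list 120 permit ip 192.168.15.0 255.255.255.0 10.36.0.0 255.255.0.0
access-list 120 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
HQ_ACL_NONAT = """
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
"""
# Constructed placeholder for the masked outside address "public-ip.26".
REMOTE_OUTSIDE_IP = "203.0.113.26"

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")


def _parse_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX 6.x ACLs take a real subnet mask, not an IOS-style wildcard mask.
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Return a list of (name, action, proto, src_net, dst_net) tuples."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an access-list line
        name, action, proto, rest = m.groups()
        src, remaining = _parse_addr(rest.split())
        dst, _ = _parse_addr(remaining)
        entries.append((name, action, proto, src, dst))
    return entries


def match_flow(entries, src_ip, dst_ip):
    """First-match lookup: return the ACE covering src->dst, or None if unmatched."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in entries:
        if s in entry[3] and d in entry[4]:
            return entry
    return None


if __name__ == "__main__":
    remote, hq = parse_acl(REMOTE_ACL_120), parse_acl(HQ_ACL_NONAT)
    print("inside IP -> URL server:", match_flow(remote, "192.168.15.1", "10.36.81.9"))
    print("URL server -> inside IP:", match_flow(hq, "10.36.81.9", "192.168.15.1"))
    print("outside IP -> URL server:", match_flow(remote, REMOTE_OUTSIDE_IP, "10.36.81.9"))
```

The third lookup returns None, which is why the suggested host entries for the outside address would be needed only if the url-server were bound to the outside interface.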