01-17-2003 02:44 PM - edited 03-09-2019 01:44 AM
I have configured a vpn 3000 concentrator to pix 501. Initially I have configured both ends to allow an octet of my IP address pool in both locations to pass through the tunnel. Unfortunately, recently I need to allow the entire subnet access through the IPSEC tunnel from both ends. Before I attempted any modifications this worked without any trouble.
On the PIX to allow this I added more statements to my existing access-list to allow these additional subnets from that location.
On the VPN3K end I am a bit confused. I open the LAN-LAN IPSEC connection properties and add the new local address and mask and also for the remote end address and mask.
Unfortunately, when I add this to the VPN3k I am unable to establish the IPSEC tunnel. When I read the log I see the initiator attempting to start the tunnel between, but it is rejected. Phase 1 completes successfully, but phase 2 does not seem to be initiating properly.
If I reset those two address pools back to my original entry the tunnel establishes successfully. This almost seems like a bug in the VPN software. I am not sure. My VPN code is vpn3000-3.5.2.Rel-k9.bin.
01-17-2003 10:35 PM
If you have more than one line in your crypto ACL on the PIX, then you can't just add in the Local and remote networks into the L2L screen on the 3000 anymore, since you can only have one set of IP addresses in here.
Let's say you have the following on the PIX:
> access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
> access-list crypto permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
On the 3000 go to Config - Policy Mgmt - Traffic Mgmt - Network Lists and create a list. Call it anything you like, and add the following to the large box on this screen:
10.2.2.0/0.0.0.255
10.3.3.0/0.0.0.255
Save this list. Now go to the L2L screen and modify the L2L tunnel for the PIX. In the Local Networks section, select your newly added Network List from the drop down box, leave the IP Address/Wildcard Mask boxes blank. In the Remote Network section, put 10.1.1.0 and 0.0.0.255 as you had previously. Save this.
That's all you should need to do. Always remember, your crypto ACLs on both sides of a VPN tunnel HAVE TO BE THE EXACT OPPOSITE OF EACH OTHER. If you have two lines in your PIX crypto ACL, then you need two networks in your VPN3000 L2L setup, and to accomplish that you have to use a Network List with 2 networks in it.
01-20-2003 10:16 AM
I see what you're saying, but there are several networks on both ends. Actually it is one network with a /21 mask on it. Could I specify an access-list mask with 255.255.248.0? If that is possible on the VPN end of the tunnel can I use 172.16.0.0 0.0.7.255?
subnet ID
VPN LAN 172.16.0.0 255.255.248.0
PIX LAN 172.16.15.0 255.255.248.0
I want to allow all hosts for now. Later I will filter out unwanted hosts.
01-21-2003 08:17 PM
You can certainly have something like:
> access-list crypto permit ip 172.16.16.0 255.255.248.0 172.16.0.0 255.255.248.0
as long as you then have the opposite on the 3000 (specify 172.16.0.0/21 as the Local Network and 172.16.16.0/21 as the Remote Network).
Note that I've said 172.16.16.0, not 172.16.15.0 as you have written.
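The two points made in the replies above, that the crypto ACLs on the PIX and the VPN 3000 must be exact opposites and that 172.16.15.0 is not a valid network ID for a /21, can be checked mechanically. The following Python is an added example, not from the thread or from Cisco; the function names are my own, and the sample ACL lines and network list entries are constructed from the values quoted in this thread.

```python
import ipaddress

# Constructed sample from the thread: two PIX crypto ACL lines and the VPN 3000
# Network List (Local Networks) plus Remote Network that should mirror them.
PIX_CRYPTO_ACL = """
access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list crypto permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
"""
VPN3K_LOCAL_LIST = ["10.2.2.0/0.0.0.255", "10.3.3.0/0.0.0.255"]
VPN3K_REMOTE_LIST = ["10.1.1.0/0.0.0.255"]

def is_network_id(addr, mask):
    """True if addr/mask is a real network ID, i.e. no host bits are set
    (172.16.15.0 with 255.255.248.0 fails this check, 172.16.16.0 passes)."""
    try:
        ipaddress.IPv4Network(f"{addr}/{mask}")  # strict mode rejects host bits
        return True
    except ValueError:
        return False

def wildcard_to_network(entry):
    """Turn a VPN 3000 'addr/wildcard' entry into a network; the wildcard is
    the bitwise inverse of the subnet mask (0 bits must match)."""
    addr, wildcard = entry.split("/")
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}")

def pix_pairs(acl_text):
    """Set of (local, remote) networks protected by 'permit ip' crypto ACL lines."""
    pairs = set()
    for line in acl_text.strip().splitlines():
        f = line.split()  # access-list NAME permit ip LOCAL LMASK REMOTE RMASK
        if len(f) >= 8 and f[2] == "permit" and f[3] == "ip":
            pairs.add((ipaddress.IPv4Network(f"{f[4]}/{f[5]}"),
                       ipaddress.IPv4Network(f"{f[6]}/{f[7]}")))
    return pairs

def vpn3k_pairs(local_list, remote_list):
    """The L2L screen protects every local network to every remote network."""
    return {(wildcard_to_network(l), wildcard_to_network(r))
            for l in local_list for r in remote_list}

def acls_are_mirrored(pix, vpn):
    """Both ends must be exact opposites: the PIX (local, remote) pairs must
    equal the concentrator's (remote, local) pairs, nothing missing or extra."""
    return pix == {(r, l) for (l, r) in vpn}

if __name__ == "__main__":
    print(acls_are_mirrored(pix_pairs(PIX_CRYPTO_ACL),
                            vpn3k_pairs(VPN3K_LOCAL_LIST, VPN3K_REMOTE_LIST)))
```

Dropping one entry from the Network List, or leaving host bits set in a network entry, makes the check fail, which is the mismatch that stops Phase 2 from completing.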
01-22-2003 09:55 AM
Ok I have done this and it works, somewhat. I can ping or tracert, but I cannot open http, ftp, termserv, etc ports through the tunnel. I checked the VPN L2L rules and there aren't any changes to the allowed protocols and such.