05-31-2012 07:50 AM
I have the following VPN site-2-site configuration.
The trouble I'm having is host 172.168.88.3 in site A is not able to ping 172.168.200.3 in site B and vice versa. Think I have added the static routes and ACLs correctly on the 3560 switches (acting as gateways) and both PIXes to access the internal networks. Host 172.168.9.3 can ping 172.168.200.3 fine. Any advice is appreciated.
Many thanks.
My configs are as follows:
PIX A
PIX Version 8.0(3)
!
hostname PIX-A
enable password u18hqwudty78klk9s encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.x.250 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.168.9.1 255.255.255.0
!
passwd uh78mklh78yMs encrypted
banner login This is a private network. Unauthorised access is prohibited!
banner motd This is a private network. Unauthorised access is prohibited!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BST recurring 1 Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group Ext_DNS
name-server 82.72.6.57
name-server 63.73.82.242
object-group network LOCAL_LAN
network-object 172.168.9.0 255.255.255.0
network-object 172.168.88.0 255.255.255.0
object-group service Internet_Services tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
port-object eq 8080
port-object eq ssh
port-object eq telnet
object-group network WAN_Network
network-object 172.168.200.0 255.255.255.0
access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain log
access-list ACLOUT extended permit icmp object-group LOCAL_LAN any log
access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services log
access-list ACLOUT extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0 log
access-list ACLIN extended permit icmp any any echo-reply log
access-list ACLIN extended permit icmp any any unreachable log
access-list ACLIN extended permit icmp any any time-exceeded log
access-list ACLIN extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0 log
access-list split_tunnel_list standard permit 172.168.9.0 255.255.255.0
access-list split_tunnel_list remark LOCAL_LAN log
access-list NONAT extended permit ip object-group LOCAL_LAN 172.168.100.0 255.255.255.0 log
access-list inside_nat0_outbound extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0 log
access-list outside_cryptomap_20 extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0 log
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging host inside 172.168.88.3
mtu outside 1500
mtu inside 1500
ip local pool testvpn 172.168.100.1-172.168.100.99
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACLIN in interface outside
access-group ACLOUT in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.45 1
route inside 172.168.88.0 255.255.255.0 172.168.88.254 1
route inside 172.168.199.0 255.255.255.0 172.168.199.254 1
route outside 172.168.200.0 255.255.255.0 172.168.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.168.9.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Set_1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 set transform-set Set_1
crypto dynamic-map outside_dyn_map 1 set reverse-route
crypto map outside_map 1 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.253
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
ntp server 130.88.203.12 source outside prefer
group-policy testvpn internal
group-policy testvpn attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
username Viv password ZdlkjGlOTGf7dqdb encrypted
tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
address-pool testvpn
default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.253 type ipsec-l2l
tunnel-group x.x.x.253 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bb6ead3350227b3745c14b9ba340b84a
: end
PIX B
PIX Version 8.0(3)
!
hostname PIX-B
enable password ul;jk89A89hNC0Ms encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address x.x.x.253 255.255.255.240
!
interface Ethernet1
nameif inside
security-level 100
ip address 172.168.200.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd 2ljio897hFB.88fU encrypted
banner motd This is a private network. Unauthorised access is prohibited!
ftp mode passive
dns domain-lookup outside
dns server-group Ext_DNS
name-server x.x.x.57
name-server x.x.x.242
object-group network LOCAL_LAN
network-object 172.168.200.0 255.255.255.0
object-group service Internet_Services tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
port-object eq 8080
object-group network WAN_Network
description WAN networks
network-object 172.168.88.0 255.255.255.0
access-list ACLOUT extended permit udp object-group LOCAL_LAN any eq domain
access-list ACLOUT extended permit icmp object-group LOCAL_LAN any
access-list ACLOUT extended permit tcp object-group LOCAL_LAN any object-group Internet_Services
access-list ACLIN extended permit icmp any any unreachable
access-list ACLIN extended permit icmp any any time-exceeded
access-list ACLIN extended permit icmp any any echo-reply
access-list ACLIN extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0
access-list ACLIN extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0
access-list ACLIN extended permit ip 172.168.199.0 255.255.255.0 172.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging trap informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACLIN in interface outside
access-group ACLOUT in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.253 1
route outside 172.168.88.0 255.255.255.0 172.168.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.250
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group x.x.x.250 type ipsec-l2l
tunnel-group x.x.x.250 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ccb8392ce529a21c071b85d9afcfdb30
: end
3560 G/W
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3560_GW
!
enable secret 5 $1$cOB4$Uklj8978/jgWv?Tssp
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
description uplink to Cisco_ASA
switchport access vlan 9
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
switchport access vlan 88
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/24
switchport access vlan 9
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/25
description trunk to A_2950_88 port 1
switchport trunk encapsulation dot1q
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
description trunk to A_2950_112 port 1
switchport trunk encapsulation dot1q
shutdown
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan9
ip address 172.168.9.2 255.255.255.0
!
interface Vlan88
ip address 172.168.88.254 255.255.255.0
!
interface Vlan199
ip address 172.168.199.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.168.9.1
ip route 172.168.88.0 255.255.255.0 172.168.9.1
ip route 172.168.100.0 255.255.255.0 172.168.9.1
ip route 172.168.200.0 255.255.255.0 172.168.9.1
ip http server
!
!
control-plane
!
banner motd ^C This is a private network.^C
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
end
05-31-2012 12:05 PM
Hi Robert,
I went through the configuration on both the PIX firewalls and I see that the traffic is not defined for 172.168.88.0/24-->172.168.200.0/24.
If you check the crypto map configuration on the PIX A, it says:
crypto map outside_map 20 match address outside_cryptomap_20 <--This acl defines interesting traffic
and the acl outside_cryptomap_20 says:
access-list outside_cryptomap_20 extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0 log
Same is the case on the PIX B:
crypto map outside_map 20 match address outside_cryptomap_20
access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0
To allow users to talk to each other, apply these commands:
On the PIX A:
access-list outside_cryptomap_20 extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0
and on PIX B:
access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.88.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.168.200.0 255.255.255.0 172.168.88.0 255.255.255.0
Let me know if this helps.
Thanks,
Vishnu Sharma
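An added checker (not from this thread, Cisco, or either poster) that applies the reasoning above to the two PIX configs: it parses the crypto map's match ACL and the nat 0 ACL on each side and reports which of the four conditions a flow needs (local crypto ACE, local NAT exemption, and the mirror-image pair on the peer) are missing. The config strings are excerpts constructed from the thread; object-group ACEs are not expanded.

```python
import ipaddress
import re

# Constructed excerpts of the two configs posted above: only the lines that decide
# whether a flow is tunnelled (crypto map match ACL) and exempt from NAT (nat 0 ACL).
PIX_A = """access-list inside_nat0_outbound extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0 log
access-list outside_cryptomap_20 extended permit ip 172.168.9.0 255.255.255.0 172.168.200.0 255.255.255.0 log
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
"""
PIX_B = """access-list inside_nat0_outbound extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.9.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
"""
# The ACEs suggested in the answer, one pair per PIX.
FIX_A = ("access-list outside_cryptomap_20 extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0\n"
         "access-list inside_nat0_outbound extended permit ip 172.168.88.0 255.255.255.0 172.168.200.0 255.255.255.0\n")
FIX_B = ("access-list outside_cryptomap_20 extended permit ip 172.168.200.0 255.255.255.0 172.168.88.0 255.255.255.0\n"
         "access-list inside_nat0_outbound extended permit ip 172.168.200.0 255.255.255.0 172.168.88.0 255.255.255.0\n")

ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def parse(config):
    """Return (crypto ACL entries, nat 0 ACL entries) as lists of (src_net, dst_net)."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            pair = (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            acls.setdefault(name, []).append(pair)
    crypto = re.search(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    return (acls.get(crypto.group(1), []) if crypto else [],
            acls.get(nat0.group(1), []) if nat0 else [])

def covered(entries, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in entries)

def check_flow(local_cfg, remote_cfg, src, dst):
    """The four conditions a src -> dst flow needs to cross the l2l tunnel and come back."""
    local_crypto, local_nat0 = parse(local_cfg)
    remote_crypto, remote_nat0 = parse(remote_cfg)
    return {
        "local_crypto": covered(local_crypto, src, dst),
        "local_nat0": covered(local_nat0, src, dst),
        "remote_crypto": covered(remote_crypto, dst, src),  # peer must hold the mirror image
        "remote_nat0": covered(remote_nat0, dst, src),
    }
```

Run `check_flow(PIX_A, PIX_B, "172.168.88.3", "172.168.200.3")` to see all four conditions fail on the original configs, and again with `PIX_A + FIX_A` and `PIX_B + FIX_B` to see them all pass.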
06-11-2012 07:05 AM
Hi Vishnu,
Thank you for your reply to my post.
I now have the 172.168.88.0 network talking to the 172.168.200.0 network after applying your suggested commands.
I also tried with the following commands on each PIX and the networks can still talk to each other.
access-list outside_cryptomap_20 extended permit ip object-group LOCAL_LAN object-group WAN_Network
access-list inside_nat0_outbound extended permit ip object-group LOCAL_LAN object-group WAN_Network
Very grateful for your help.
Best Regards,
Robert
06-21-2012 03:01 AM
Hi Vishnu,
I had nat (inside) 0 access-list NONAT for an access list I use for the remote VPN access on PIX A. But it seems that when I added the line nat (inside) 0 access-list inside_nat0_outbound to enable my internal networks to communicate over the site-2-site connection, it cancels out nat (inside) 0 access-list NONAT. Would you know the reason why please?
Many thanks,
Rob