How to test Site to Site VPN

brianj
Level 1

I have set up a site-to-site VPN using PIX 501 ver 6.3 using IPsec. I have configured the devices remotely using SSH. My question is this. Is there a way to test the VPN remotely? It seems as though, since I am connected to the devices via SSH, when I issue a ping to the remote network it is not seen as interesting traffic (the ACL counter never increments). I assume this is because it is not sourced from the inside interface of the PIX. I added a second ACE (access-list XX permit icmp any any). When I issue a ping from either PIX the tunnel establishes successfully, but I am still unable to ping the remote PIX inside interface.

Below are the configs:

SITE 1

PIX Version 6.3(4)
hostname site1
access-list 80 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 80 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.2.254 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map 70street 10 ipsec-isakmp
crypto map 70street 10 match address 80
crypto map 70street 10 set peer 24.153.111.111
crypto map 70street 10 set transform-set strong
crypto map 70street interface outside
isakmp enable outside
isakmp key ******** address 24.153.111.111 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

SITE 2

PIX Version 6.3(4)
hostname site2
access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 90 permit icmp any any
ip address outside 24.153.x.x.x.255.252
ip address inside 10.0.1.254 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 24.153.172.113 0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map 70street 10 ipsec-isakmp
crypto map 70street 10 match address 90
crypto map 70street 10 set peer 70.178.222.222
crypto map 70street 10 set transform-set strong
crypto map 70street interface outside
isakmp enable outside
isakmp key ******** address 70.178.222.222 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

Thanks in advance,

Brian
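Before reaching for a remote ping test, most site-to-site problems on a pair like this come down to the two configs not agreeing with each other: the crypto ACLs must be mirror images, the NAT-exemption list must be the same ACL the crypto map matches, and the transform sets and ISAKMP policies must line up. The following checker is an added example written for this thread; it is not code from the original post or from Cisco. It parses the subset of PIX 6.3 syntax shown above (constructed sample input built from the two posted configs), reports asymmetries between the sites, flags crypto-ACL entries that use "any" (an entry like "permit icmp any any" in a crypto map's match list pulls every ICMP packet into the tunnel, not just site-to-site traffic), and flags DES and Diffie-Hellman group 1 as weak.

```python
from typing import Dict, List, Tuple

# Constructed sample input: the two PIX 6.3 configs from the thread, trimmed to the
# lines this checker reads. The addresses are the ones the post shows.
SITE1_CFG = """
hostname site1
access-list 80 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 80 permit icmp any any
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map 70street 10 ipsec-isakmp
crypto map 70street 10 match address 80
crypto map 70street 10 set peer 24.153.111.111
crypto map 70street 10 set transform-set strong
crypto map 70street interface outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
"""
SITE2_CFG = """
hostname site2
access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 90 permit icmp any any
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map 70street 10 ipsec-isakmp
crypto map 70street 10 match address 90
crypto map 70street 10 set peer 70.178.222.222
crypto map 70street 10 set transform-set strong
crypto map 70street interface outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
"""

Ace = Tuple[str, str, str, str, str]   # proto, src, src_mask, dst, dst_mask
ANY = ("0.0.0.0", "0.0.0.0")            # how PIX stores the keyword "any"
WEAK_CIPHERS = {"des", "esp-des"}       # 56-bit DES, brute-forceable
WEAK_DH_GROUPS = {"1"}                  # 768-bit MODP group


def parse_ace(tok: List[str]) -> Ace:
    """Parse 'proto src mask dst mask' with 'any' and 'host' shorthands."""
    ends, i = [], 1
    for _ in range(2):
        if tok[i] == "any":
            ends.append(ANY); i += 1
        elif tok[i] == "host":
            ends.append((tok[i + 1], "255.255.255.255")); i += 2
        else:
            ends.append((tok[i], tok[i + 1])); i += 2
    return (tok[0], ends[0][0], ends[0][1], ends[1][0], ends[1][1])


def parse_pix(cfg: str) -> Dict:
    """Extract only the pieces that decide whether two peers will agree."""
    site = {"hostname": "", "acl": {}, "nat0": None, "tsets": {}, "cmap": {}, "ike": {}}
    for raw in cfg.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "hostname":
            site["hostname"] = t[1]
        elif t[0] == "access-list" and t[2] == "permit":
            site["acl"].setdefault(t[1], []).append(parse_ace(t[3:]))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            site["nat0"] = t[4]                       # NAT-exemption list
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            site["tsets"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            entry = site["cmap"].setdefault((t[2], t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]                   # the interesting-traffic ACL
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["tset"] = t[6]
        elif t[:2] == ["isakmp", "policy"]:
            site["ike"].setdefault(t[2], {})[t[3]] = t[4]
    return site


def mirror(ace: Ace) -> Ace:
    """The entry the far side must carry: same protocol, source and destination swapped."""
    p, s, sm, d, dm = ace
    return (p, d, dm, s, sm)


def fmt(ace: Ace) -> str:
    return " ".join(ace)


def check_pair(a: Dict, b: Dict) -> List[str]:
    """Run the checks in both directions; each finding names the site it concerns."""
    findings = []
    for site, peer in ((a, b), (b, a)):
        me = site["hostname"]
        peer_entry = next(iter(peer["cmap"].values()), {})
        theirs = peer["acl"].get(peer_entry.get("acl"), [])
        for (mapname, seq), entry in site["cmap"].items():
            acl = entry.get("acl")
            if acl is None:
                findings.append(f"{me}: crypto map {mapname} {seq} has no 'match address'")
                continue
            for ace in site["acl"].get(acl, []):
                if ace[1:3] == ANY or ace[3:5] == ANY:
                    findings.append(f"{me}: access-list {acl} '{fmt(ace)}' is overbroad: "
                                    "every matching packet is sent into the tunnel")
                if mirror(ace) not in theirs:
                    findings.append(f"{me}: access-list {acl} '{fmt(ace)}' has no mirror image "
                                    f"in {peer['hostname']} access-list {peer_entry.get('acl')}")
            if site["nat0"] != acl:
                findings.append(f"{me}: nat (inside) 0 uses {site['nat0']} but crypto map matches {acl}")
            mine_t = sorted(site["tsets"].get(entry.get("tset"), []))
            peer_t = sorted(peer["tsets"].get(peer_entry.get("tset"), []))
            if mine_t != peer_t:
                findings.append(f"{me}: transform set {mine_t} differs from {peer['hostname']} {peer_t}")
            for alg in mine_t:
                if alg in WEAK_CIPHERS:
                    findings.append(f"{me}: transform-set {entry.get('tset')} uses weak cipher {alg}")
        for seq, pol in site["ike"].items():
            if pol.get("encryption") in WEAK_CIPHERS:
                findings.append(f"{me}: isakmp policy {seq} encryption {pol['encryption']} is weak")
            if pol.get("group") in WEAK_DH_GROUPS:
                findings.append(f"{me}: isakmp policy {seq} group {pol['group']} is weak")
    return findings


if __name__ == "__main__":
    for line in check_pair(parse_pix(SITE1_CFG), parse_pix(SITE2_CFG)):
        print(line)
```

On the posted configs the two site-to-site entries mirror each other and the NAT-exemption lists match, so the only findings are the "permit icmp any any" entries and the DES / group 1 choices. Change one subnet on either side and the mirror check reports it from both directions, which is usually the fastest way to spot a typo in a crypto ACL before the tunnel is debugged live.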

2 Replies

mostiguy
Level 6

You generally cannot ping/access the far side of a router/routing firewall's interfaces. So, pinging the inside interface of a remote PIX is not going to work out of the box. But the management-access command was introduced for people who wanted to do that and similar things (manage it by inside interface/IP).

Check this out:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1137951

Thanks so much! That worked.

Brian