12-27-2004 12:07 PM
I have set up a site-to-site VPN using PIX 501 ver 6.3 using IPSEC. I have configured the devices remotely using SSH. My question is this: is there a way to test the VPN remotely? It seems as though, since I am connected to the devices via SSH, when I issue a ping to the remote network it is not seen as interesting traffic (the ACL counter never increments). I assume this is because it is not sourced from the inside interface of the PIX. I added a second ACE (access-list XX permit icmp any any). When I issue a ping from either PIX the tunnel establishes successfully, but I am still unable to ping the remote PIX inside interface.
Below are the configs:
SITE 1
PIX Version 6.3(4)
hostname site1
access-list 80 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 80 permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.2.254 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map 70street 10 ipsec-isakmp
crypto map 70street 10 match address 80
crypto map 70street 10 set peer 24.153.111.111
crypto map 70street 10 set transform-set strong
crypto map 70street interface outside
isakmp enable outside
isakmp key ******** address 24.153.111.111 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
SITE 2
PIX Version 6.3(4)
hostname site2
access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 90 permit icmp any any
ip address outside 24.153.x.x.x.255.252
ip address inside 10.0.1.254 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 24.153.172.113 0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map 70street 10 ipsec-isakmp
crypto map 70street 10 match address 90
crypto map 70street 10 set peer 70.178.222.222
crypto map 70street 10 set transform-set strong
crypto map 70street interface outside
isakmp enable outside
isakmp key ******** address 70.178.222.222 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
Thanks in advance,
Brian
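Before touching the tunnel itself, the crypto ACLs on the two PIXes should be exact mirrors of each other (source and destination swapped), and any "any any" ACE in a crypto ACL is worth flagging because it widens what gets tunnelled and NAT-exempted. The following Python script is an added example, not part of the thread; it parses the ACL, NAT-exemption and crypto-map lines copied from the two configs above (embedded as constructed input) and reports ACEs with no mirror on the other side plus over-broad ACEs.

```python
import re

# Lines copied from the two PIX configs in the thread; constructed input for this check.
SITE1_CONFIG = """\
access-list 80 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 80 permit icmp any any
nat (inside) 0 access-list 80
crypto map 70street 10 match address 80
"""
SITE2_CONFIG = """\
access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 90 permit icmp any any
nat (inside) 0 access-list 90
crypto map 70street 10 match address 90
"""

ANY = ("0.0.0.0", "0.0.0.0")
ACE_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")


def parse_endpoint(tokens):
    """Consume one PIX 6.x address spec ('any', 'host A' or 'A MASK'); return (addr, mask) and the rest."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def crypto_aces(config):
    """Return (proto, src, dst) tuples for the ACL the crypto map binds with 'match address'."""
    acl = re.search(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M).group(1)
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) == acl:
            src, rest = parse_endpoint(m.group(3).split())
            dst, _ = parse_endpoint(rest)
            aces.append((m.group(2), src, dst))
    return aces


def mirror_mismatches(local, remote):
    """ACEs on the local side that have no src/dst-swapped counterpart on the remote side."""
    remote_mirrored = {(proto, dst, src) for proto, src, dst in remote}
    return [ace for ace in local if ace not in remote_mirrored]


def overbroad_aces(aces):
    """ACEs that tunnel traffic from anywhere to anywhere (e.g. 'permit icmp any any')."""
    return [ace for ace in aces if ace[1] == ANY and ace[2] == ANY]
```

Both configs in the thread mirror each other cleanly, so the only finding for this input is the icmp any any ACE on each side.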
12-27-2004 01:39 PM
You generally cannot ping/access the far side of a router's or routing firewall's interfaces. So, pinging the inside interface of a remote PIX is not going to work out of the box. But the management-access command was introduced for people who wanted to do that and similar things (manage it by the inside interface/IP).
Check this out:
12-27-2004 01:53 PM
Thanks so much! That worked.
Brian