Outside IP Change on Pix 515 Breaks PDM/VPN's

jmascaro
Level 1

After changing the outside ip address I am no longer able to establish vpn's, remote access (IPSec/PPTP) or connect to the PDM from allowed IP's. However all other Pix functions seem to be working. When I examine the logs during a tunnel setup I see the following in the Pix logs "Deny udp src outside:a.b.c.1/500 dst inside:a.b.c.2/500 by access-group "outside_access_in". Here is the listed acl:

access-list outside_access_in permit tcp any host a.b.c.3 object-group websiteaccess

access-list outside_access_in permit tcp any host a.b.c.4 object-group websiteaccess

access-list outside_access_in permit tcp any host a.b.c.5 object-group websiteaccess

access-list outside_access_in permit icmp any a.b.c.0 255.255.255.0

access-list outside_access_in permit udp any eq domain a.b.c.0 255.255.255.0

access-list outside_access_in permit tcp object-group customers host a.b.c.6 eq ftp

Why would the Pix deny udp/500? I have verified that sysopt connection permit-ipsec exists. This was a fully functional configuration that was moved. The only configuration change was the outside ip address. Also, the IPSec peers in this situation are now on the same network. Previously they were not. When I examine the logs of the vpn clients and the remote peer, they both indicate that the Pix is either unreachable or did not respond.
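The deny line quoted above is the standard PIX access-group deny message (protocol, source interface:address/port, destination interface:address/port, ACL name). As an added example that is not part of the original post, the script below parses that format from syslog and pulls out the denies that would break an IPSec tunnel: IKE/ISAKMP on udp/500, NAT-T on udp/4500, and ESP/AH. It also records whether the destination interface differs from the source interface, which is how the firewall reports a packet it is treating as through-traffic rather than as traffic terminating on its own outside address; that is the distinction to check when sysopt connection permit-ipsec is present but IKE is still being denied. The log lines in SAMPLE_LOG are constructed to match the message shape in the post; they are not real logs from the poster's PIX, and the a.b.c.* addresses are the post's own placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample syslog, modelled on the deny line quoted in the post.
# These are not real log lines from the poster's firewall.
SAMPLE_LOG = """\
%PIX-4-106023: Deny udp src outside:a.b.c.1/500 dst inside:a.b.c.2/500 by access-group "outside_access_in"
%PIX-4-106023: Deny udp src outside:a.b.c.1/4500 dst inside:a.b.c.2/4500 by access-group "outside_access_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/51522 dst inside:a.b.c.3/22 by access-group "outside_access_in"
%PIX-4-106023: Deny esp src outside:a.b.c.1 dst inside:a.b.c.2 by access-group "outside_access_in"
%PIX-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.9/40000 (198.51.100.9/40000) to inside:a.b.c.3/80 (a.b.c.3/80)
"""

# Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] by access-group "<acl>"
# Port is optional because ESP/AH denies carry no port.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\w.]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>\w+):(?P<dip>[\w.]+)(?:/(?P<dport>\d+))?'
    r' by access-group "(?P<acl>[^"]+)"'
)


@dataclass
class Deny:
    proto: str
    src_if: str
    src_ip: str
    src_port: Optional[int]
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]
    acl: str

    def ipsec_role(self) -> Optional[str]:
        """Name the IPSec component this deny would break, or None if unrelated."""
        p = self.proto.lower()
        if p == "udp" and self.dst_port == 500:
            return "IKE/ISAKMP"
        if p == "udp" and self.dst_port == 4500:
            return "NAT-T"
        if p in ("esp", "50"):
            return "ESP"
        if p in ("ah", "51"):
            return "AH"
        return None

    def is_through_traffic(self) -> bool:
        """The firewall logged an egress interface other than the ingress one,
        i.e. it classified the packet as traffic to be forwarded, not as
        traffic terminating on its own interface address."""
        return self.src_if != self.dst_if


def parse_deny(line: str) -> Optional[Deny]:
    """Parse one access-group deny line; return None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return Deny(
        proto=d["proto"],
        src_if=d["sif"],
        src_ip=d["sip"],
        src_port=int(d["sport"]) if d["sport"] else None,
        dst_if=d["dif"],
        dst_ip=d["dip"],
        dst_port=int(d["dport"]) if d["dport"] else None,
        acl=d["acl"],
    )


def find_ipsec_denies(log: str) -> List[dict]:
    """Return the denies that would block IKE, NAT-T or ESP/AH, with the
    peer address, the ACL responsible and the through-traffic flag."""
    hits = []
    for line in log.splitlines():
        deny = parse_deny(line)
        if deny is None:
            continue
        role = deny.ipsec_role()
        if role is None:
            continue
        hits.append({
            "role": role,
            "peer": deny.src_ip,
            "dst": f"{deny.dst_if}:{deny.dst_ip}",
            "acl": deny.acl,
            "through_traffic": deny.is_through_traffic(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_ipsec_denies(SAMPLE_LOG):
        print(hit)
```

Run it against a syslog export from the PIX; any hit with through_traffic set to True means the ACL on the ingress interface, not the sysopt exemption, decided the packet's fate, so the next thing to compare is the peer address the remote side is using against the address actually configured on the outside interface.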

2 Replies

jmia
Level 7

Jason,

I presume that after changing the outside IP address of your PIX you also changed the crypto map peer IP address and the isakmp key address accordingly on your remote peer?

Also, do you have L3 connectivity between the two firewalls (outside interfaces)? A simple ping should ascertain this, but make sure that you don't have ICMP deny statements applied to your firewalls.

Can you also post the debug output of:

• debug crypto ipsec – Shows if a client is negotiating the IPSec portion of the VPN connection.

• debug crypto isakmp – Shows if the peers are negotiating the ISAKMP portion of the VPN connection.

Thanks,

Jay

Yes, both the vpn client and remote peer configurations were changed to reflect the new ip address of the Pix. As for L3 connectivity, both the Pix and the remote peer are on the same network and on the same switch. I haven't actually pinged one from the other. I believe the following config "access-list outside_access_in permit icmp any a.b.c.0 255.255.255.0" will allow icmp. Thanks for the debug tips. I will post the output when I am able to. Searching through the discussion groups, I found these statements: clear crypto ipsec sa and clear crypto isakmp. Do these need to be executed after an outside ip address change? I just assumed reloading (power cycle) after the changes would be adequate.