PIX - PIX VPN problems
10-06-2005 10:55 AM - edited 02-21-2020 02:01 PM
Hi All,
I have 2 PIXen 6.3(4) and am trying to set up a VPN. I have used PDM to set it up.
One side is 172.23.x.x, the other 192.168.1.x.
I’m not doing NAT Traversal.
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
access-list inside_outbound_nat0_acl permit ip 172.23.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.23.0.0 255.255.0.0 192.168.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.1.1
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 172.23.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Access to the Internet is ok. When I try to ping across the VPN the log shows:
"No route to 192.168.1.2 from 172.23.1.1". I'm pinging from the PIX to a box on the other side.
At times IKE and IPSec tunnels are started, but no data is being encrypted.
Right now I have an IKE tunnel and no IPSec tunnel.
All the docs I found don't lead me to believe that I should put in a route. I don't have RIP or any other routing protocol going.
I feel I’m way off base here. Can anybody give me a direction?
Thanks
Nick
10-06-2005 12:56 PM
You most likely forgot to apply the 'nat 0' acl to the inside interface.
Try this, 'nat (inside) 0 access-list inside_outbound_nat0_acl'.
You really should paste the entire config of both firewalls. Your problem could also be on the other side.
10-06-2005 01:59 PM
Hey,
I set these up with the PDM VPN wizard. I removed the Nat 0 thinking it was part of the NAT traversal. I added them back in.
I'm trying to attach the configs.
Thanks
Nick
10-06-2005 02:51 PM
I hate the PDM. And quite frankly, I don't even know what it looks like. I can't blame you for using the PDM if you've never worked with a PIX in the past. However, there is probably a great likelihood that you have applied the wrong information via the wizard.
The most obvious mistake is your 'crypto ACL' information. You do not encrypt traffic between the 'outside' network and the remote network's 'outside' network. You're supposed to encrypt traffic between two 'inside' networks, or networks 'behind' the PIX firewall.
I do not believe that this is an issue with the 'Wizard'. I strongly feel that you were applying the wrong information.
Make sure you read the following link prior to proceeding:
This will give you a better understanding of how you should be approaching this problem. A good understanding of ISAKMP, IPSEC and 'advanced' PIX commands should already be on your belt prior to attempting such a complex task.
Good luck.
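The two replies above point at different parts of the same config: a nat 0 ACL that is never applied, and a crypto ACL that covers the peers' own addresses instead of the inside networks. The following checker is an added example written for this thread, not code from the original posters or from Cisco; it parses the PIX 6.3 lines quoted in the first post (embedded as a constructed sample) and reports both problems. It goes one step beyond the replies by also flagging that the `isakmp key ... address` line (172.23.1.1) does not match the `set peer` address (192.168.1.1) in the same config; the ACL-name heuristic (`nat0`, `cryptomap`) is an assumption based on the PDM naming used in the post.

```python
import ipaddress
import re

# Constructed sample: crypto/NAT lines from the original post, without any
# 'nat (inside) 0' statement, so the checker reproduces what the replies found.
PIX_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 172.23.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.23.0.0 255.255.0.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.1.1
isakmp key ******** address 172.23.1.1 netmask 255.255.255.255 no-xauth no-config-mode
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'access-list ... permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls

def lint_vpn(config):
    """Return a list of findings for the three mistakes discussed in the thread."""
    config = "\n".join(l.strip() for l in config.splitlines())
    acls = parse_acls(config)
    peers = re.findall(r"^crypto map \S+ \d+ set peer (\S+)$", config, re.M)
    findings = []
    for name, entries in acls.items():
        # 1. nat 0 ACL defined but never applied to an interface (first reply).
        if "nat0" in name and not re.search(rf"^nat \(\S+\) 0 access-list {name}$", config, re.M):
            findings.append(f"ACL '{name}' not applied: add 'nat (inside) 0 access-list {name}'")
        # 2. Crypto ACL that matches a peer's outside address (second reply):
        #    the ACL should cover inside networks behind each PIX, not the peers themselves.
        if "cryptomap" in name:
            for src, dst in entries:
                for peer in peers:
                    if ipaddress.ip_address(peer) in src or ipaddress.ip_address(peer) in dst:
                        findings.append(f"crypto ACL '{name}' covers peer address {peer}")
    # 3. Pre-shared key bound to an address that is not a configured peer.
    for key_addr in re.findall(r"^isakmp key \S+ address (\S+)", config, re.M):
        if key_addr not in peers:
            findings.append(f"isakmp key bound to {key_addr} but crypto map peers are {peers}")
    return findings
```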
