PIX to PIX VPN Configuration

anyirongo
Beginner

I am running a PIX to PIX IPSEC VPN. I am using two PIX 506s. The VPN configuration indicated below works fine, but I would like to change the IP address in Network B from the network 192.168.1.0 mask 255.255.255.0 to the new range 10.183.158.0 mask 255.255.255.240.

When I change the IP address on the access list on PIX2 the VPN fails to work. The following Access-list works:

Access-list 101 permit ip 10.183.158.0 255.255.255.128 192.168.1.0 255.255.255.0

When I change it to the one below, the VPN fails to work:

Access-list 101 permit ip 10.183.158.0 255.255.255.128 10.183.158.0 255.255.240

What could be the problem?

PIX Version 6.3(3)

access-list 101 permit ip 10.183.158.0 255.255.255.128 192.168.1.0 255.255.255.

ip address outside 218.x.x.50 255.255.255.248

ip address inside 10.183.158.8 255.0.0.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www 10.183.158.19 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface smtp 10.183.158.7 smtp netmask 255.255.255.255 0 0

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 218.195.34.49 1

http 10.183.158.0 255.255.255.128 inside

sysopt connection permit-ipsec

crypto ipsec transform-set lusaka esp-des esp-md5-hmac

crypto map buku 1 ipsec-isakmp

crypto map buku 1 match address 101

crypto map buku 1 set peer 218.x.35.54

crypto map buku 1 set transform-set lusaka

crypto map buku interface outside

isakmp enable outside

isakmp key ******** address 218.x.x.54 netmask 255.x.x.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

13 Replies

mpalardy
Participant

The mask on acl 101 looks truncated on this email. I'll suppose the ACL is

Access-list 101 permit ip 10.183.158.0 255.255.255.128 10.183.158.0 255.255.255.240

and you want 128 hosts on net-A to reach 15 hosts on net-B.

(IF I'm wrong do not read the following notes)

Your new ACL-101 is wrong. Both source and destination are in the same network.

You may want to add a new route outside on your pix A.

Ensure the pix B has the reflecting acl 101 you have defined on pix A.

Initiate the following commands to force a reset on the tunnel:

clear isakmp sa

clear ipsec sa

Mike

What would be the correct ACL-101 in this case?

Will it be correct if we used the following ACL:

Access-list 101 permit ip 10.183.168.0 255.255.255.128 10.183.170.0 255.255.255.128

Are these two different subnets?
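The two points raised above (a crypto ACL whose source and destination fall in the same network, and whether two candidate /25 ranges are really distinct subnets) can both be checked mechanically before touching the PIX. The script below is an added example written for this page, not code from the thread or from Cisco: it parses PIX 6.x style `access-list ... permit ip` lines (dotted subnet masks, not wildcard masks), reports whether the source and destination ranges overlap, flags lines whose mask is not four octets (as the truncated line in the original post is), and prints the mirrored ACL the peer PIX needs. The sample lines it runs on are the ones quoted in the thread; the function names are the author's own.

```python
# Added example (not from the thread): sanity-check PIX-style crypto ACL lines
# before applying them. Standard library only; tested on Python 3.8+.
import ipaddress
import re

# Matches: access-list NAME permit ip SRC SRCMASK DST DSTMASK (PIX 6.x syntax)
ACL_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$",
    re.IGNORECASE,
)


def parse_acl(line):
    """Return (name, src_network, dst_network) for one 'permit ip' ACL line.

    Raises ValueError when the line does not have the expected shape, e.g.
    when a mask has fewer than four octets (a truncated paste).
    """
    m = ACL_RE.match(line)
    if not m:
        raise ValueError(f"not a parsable 'permit ip' ACL line: {line!r}")
    # ipaddress accepts 'addr/dotted-netmask'; strict=False tolerates host bits.
    src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
    dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
    return m["name"], src, dst


def check_crypto_acl(line):
    """Classify a crypto ACL line.

    'ok'        - source and destination are disjoint ranges
    'overlap'   - source and destination share addresses; the PIX cannot tell
                  which traffic to encrypt, so the tunnel will not come up
    'malformed' - the line could not be parsed (e.g. a three-octet mask)
    """
    try:
        _, src, dst = parse_acl(line)
    except ValueError:
        return "malformed"
    if src.overlaps(dst):
        return "overlap"
    return "ok"


def mirror_acl(line):
    """Build the peer's crypto ACL: the same line with source and destination
    swapped, which is what 'reflecting' ACL means in the reply above."""
    name, src, dst = parse_acl(line)
    return (f"access-list {name} permit ip "
            f"{dst.network_address} {dst.netmask} "
            f"{src.network_address} {src.netmask}")


if __name__ == "__main__":
    # Sample input: the ACL lines quoted in this thread.
    samples = [
        "Access-list 101 permit ip 10.183.158.0 255.255.255.128 192.168.1.0 255.255.255.0",
        "Access-list 101 permit ip 10.183.158.0 255.255.255.128 10.183.158.0 255.255.240",
        "Access-list 101 permit ip 10.183.158.0 255.255.255.128 10.183.158.0 255.255.255.240",
        "Access-list 101 permit ip 10.183.168.0 255.255.255.128 10.183.170.0 255.255.255.128",
    ]
    for s in samples:
        verdict = check_crypto_acl(s)
        print(f"{verdict:9s} {s}")
        if verdict == "ok":
            print(f"          peer needs: {mirror_acl(s)}")
```

Running it shows the original working ACL and the 10.183.168.0/25 to 10.183.170.0/25 pair as `ok`, the reconstructed 10.183.158.0/25 to 10.183.158.0/28 line as `overlap`, and the three-octet-mask line as `malformed`. The `overlap` test uses `ipaddress.IPv4Network.overlaps`, so it also catches the case where one range merely contains the other rather than being identical.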

mpalardy
Participant