1555 Views | 0 Helpful | 13 Replies

PIX to PIX VPN Configuration

anyirongo
Level 1

I am running a PIX to PIX IPSEC VPN. I am using two PIX 506s. The VPN configuration indicated below works fine. But I would like to change the IP address in Network B from the network 192.168.1.0 mask 255.255.255.0 to the new range 10.183.158.0 mask 255.255.255.240

When I change the IP address on the access list on PIX2 the VPN fails to work. The following Access-list works:

Access-list 101 permit ip 10.183.158.0 255.255.255.128 192.168.1.0 255.255.255.0

When I change it to the one below, the VPN fails to work:

Access-list 101 permit ip 10.183.158.0 255.255.255.128 10.183.158.0 255.255.240

What could be the problem?

PIX Version 6.3(3)

access-list 101 permit ip 10.183.158.0 255.255.255.128 192.168.1.0 255.255.255.

ip address outside 218.x.x.50 255.255.255.248

ip address inside 10.183.158.8 255.0.0.0

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface www 10.183.158.19 www netmask 255.255.255.255 0 0

static (inside,outside) tcp interface smtp 10.183.158.7 smtp netmask 255.255.255.255 0 0

access-group outside in interface outside

route outside 0.0.0.0 0.0.0.0 218.195.34.49 1

http 10.183.158.0 255.255.255.128 inside

sysopt connection permit-ipsec

crypto ipsec transform-set lusaka esp-des esp-md5-hmac

crypto map buku 1 ipsec-isakmp

crypto map buku 1 match address 101

crypto map buku 1 set peer 218.x.35.54

crypto map buku 1 set transform-set lusaka

crypto map buku interface outside

isakmp enable outside

isakmp key ******** address 218.x.x.54 netmask 255.x.x.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

13 Replies

mpalardy
Level 3

The mask on acl 101 looks truncated on this email. I'll suppose the ACL is

Access-list 101 permit ip 10.183.158.0 255.255.255.128 10.183.158.0 255.255.255.240

and you want 128 hosts on net-A to reach 15 hosts on net-B.

(IF I'm wrong do not read the following notes)

Your new ACL-101 is wrong. Both source and destination are in the same network.

You may want to add a new route outside on your pix A.

Ensure the pix B has the reflecting acl 101 you have defined on pix A.

Initiate the following commands to force a reset on the tunnel:

clear isakmp sa

clear ipsec sa

Mike

What would be the correct ACL-101 in this case?

Will it be correct if we used the following ACL:

Access-list 101 permit ip 10.183.168.0 255.255.255.128 10.183.170.0 255.255.255.128

Are these two different subnets?

Last ACL is correct. This will encrypt traffic from net-A range 10.183.168.0-127 to net-B 10.183.170.0-127

May I suggest this link referring to subnet calculation:

http://www.cisco.com/cgi-bin/Support/IpSubnet/subnets.pl

or the complete tables:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/subnets.htm#wp1003601

Just to help my understanding, is this ACL correct?

access-list 101 permit ip 10.183.158.0 255.255.255.128 10.183.158.128 255.255.255.128

ACL is correct.

You will also have to add this route to your pix config:

route outside 10.183.158.128 255.255.255.128

otherwise your route inside 10.183.0.0/16 will take precedence.

This will mean having two routes. Is this ok?

1. route outside 0.0.0.0 218.193.34.49 1

2. route outside 10.183.158.128 255.255.255.128 e1

Secondly, what IP addresses are available in each subnet, and which IP address in each subnet should be allocated to the internal interface of each PIX? Can we use any IP address in the range available?

Hi, the problem is that you are trying to make the VPN work with 2 subnets having the same IP range.... that's all..

To really make a VPN work, you should have separate subnets at both ends..

Cj

Hi CJ,

I want to use the following subnets:

Subnet A - 10.183.158.0 255.255.255.128 (IP addresses available 10.183.158.1-127)

Subnet B - 10.183.158.128 255.255.255.128 (IP addresses available 10.183.158.129-254)

Are you saying that if I used these two subnets the VPN won't work? What is your counter proposal?

Hi,

See this:

>>ip address inside 10.183.158.8 255.0.0.0

It says all of the 10.X.X.X network is towards your inside interface.

If that is the only small subnet you are using, give an appropriate IP to your interface, like:

ip address inside 10.183.158.0 255.255.255.128

If this is the case, you won't be able to make it work with this setup.

Also, if you can make the above change, the ACL needs to be changed from

>>Access-list 101 permit ip 10.183.158.0 255.255.255.128 10.183.158.0 255.255.240

to

access-list 101 permit ip 10.183.158.0 255.255.255.128 10.183.158.128 255.255.255.128

Just change the '0' with ip of your choice...

ip address inside 10.183.158.0 255.255.255.128
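Two points in this thread are easy to misjudge by eye: Mike's note that the crypto ACL's source and destination must be different networks, and the later point that the 255.0.0.0 inside mask makes the PIX treat the remote subnet as directly connected, which is why the extra `route outside` was suggested. The following Python script is an added example, not Cisco code and not any poster's configuration; it replays the masks quoted above with the standard `ipaddress` module. The routing table it builds is a constructed simplification of the PIX's real lookup (connected inside network, default route, optional static route) and assumes longest-prefix match, which is how the more specific static wins.

```python
"""Sanity checks for a PIX-to-PIX IPsec crypto ACL and the routing around it.

Added example for this thread: it checks the ACL masks discussed above, shows
why a broad inside mask hides the remote VPN subnet, and what the suggested
'route outside' changes. Routing table below is constructed, not a real PIX.
"""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


def pix_network(addr: str, mask: str) -> IPv4Net:
    """PIX ACLs use real dotted netmasks (not IOS wildcard masks). A short or
    mistyped mask such as '255.255.240' raises ValueError."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def check_crypto_acl(src: str, src_mask: str, dst: str, dst_mask: str) -> List[str]:
    """Problems with 'access-list N permit ip SRC SRC_MASK DST DST_MASK' used as
    a crypto-map 'match address'. An empty list means the entry looks usable."""
    try:
        local = pix_network(src, src_mask)
        remote = pix_network(dst, dst_mask)
    except ValueError as exc:
        return [f"malformed address/mask: {exc}"]
    # Source and destination of a site-to-site crypto ACL must be distinct
    # networks: if they overlap, LAN-internal traffic matches the tunnel and
    # the peer's mirrored ACL can never line up.
    if local.overlaps(remote):
        return [f"source {local} and destination {remote} overlap"]
    return []


def check_inside_mask(inside_ip: str, inside_mask: str, remote: IPv4Net) -> List[str]:
    """The inside interface's connected network must not swallow the remote VPN
    subnet, or the PIX treats remote hosts as directly connected on inside."""
    connected = pix_network(inside_ip, inside_mask)
    if connected.overlaps(remote):
        return [f"inside interface network {connected} covers remote {remote}; "
                f"narrow the mask or add 'route outside "
                f"{remote.network_address} {remote.netmask}'"]
    return []


def egress_interface(routes: List[Tuple[str, str]], dst: str) -> str:
    """Longest-prefix-match lookup over (prefix, interface) pairs: a more
    specific 'route outside' beats the inside connected route."""
    host = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if host in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "no route"


if __name__ == "__main__":
    # ACLs quoted in the thread, in the order they were tried.
    print(check_crypto_acl("10.183.158.0", "255.255.255.128", "10.183.158.0", "255.255.240"))
    print(check_crypto_acl("10.183.158.0", "255.255.255.128", "10.183.158.0", "255.255.255.240"))
    print(check_crypto_acl("10.183.158.0", "255.255.255.128", "10.183.158.128", "255.255.255.128"))

    remote = pix_network("10.183.158.128", "255.255.255.128")
    print(check_inside_mask("10.183.158.8", "255.0.0.0", remote))        # original mask
    print(check_inside_mask("10.183.158.8", "255.255.255.128", remote))  # narrowed mask

    # Constructed routing table before and after the suggested static route.
    before = [("10.0.0.0/8", "inside"), ("0.0.0.0/0", "outside")]
    after = before + [("10.183.158.128/25", "outside")]
    print(egress_interface(before, "10.183.158.130"), "->", egress_interface(after, "10.183.158.130"))
```

Running it shows the first ACL rejected as malformed, the second flagged because 10.183.158.0/28 sits inside 10.183.158.0/25, and the final 10.183.158.0/25 to 10.183.158.128/25 pair accepted. With the 255.0.0.0 inside mask a remote host such as 10.183.158.130 resolves to the inside interface; adding the /25 static (or narrowing the mask) sends it out the outside interface where the crypto map is applied.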

OK, will try these suggestions. I am using a Cisco PIX 506, OS 6.3(3). Do all these configurations apply to Operating System 6.3(3)?

Thanks. I implemented the suggestions and the VPN worked fine

Congrats....