06-19-2003 11:57 PM - edited 02-21-2020 12:37 PM
Hello everybody,
I've got a connecting two sites using PIX 506E and PIX 501. The one on central site (WATBCINX1 - PIX 506E) sends packet correctly and the one on remote site (CTXPOINX1 - PIX 501) receives them (checked out using debug icmp trace on both PIX). The problem is that PIX 501 on remote site doesn't send back the packets. I have to say that both PIX hace a 3com 812 OfficeConnect ADSL router acting as a Internet gateway. If anybody could help me I would appreciate it so much. THANK YOU!
PIX 506E Configuration (central site):
WATBCINX1# sh conf
: Saved
: Written by enable_15 at 08:36:50.090 CEDT Fri Jun 20 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password qU51Wrx8ggFHLusK encrypted
passwd qU51Wrx8ggFHLusK encrypted
hostname WATBCINX1
domain-name NEOKEM.LAN
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
name 80.37.246.195 POLINYA
access-list outside_access_in permit gre any host 10.0.0.10
access-list outside_access_in permit tcp any host 10.0.0.10 eq 1723
access-list outside_access_in permit tcp any host 10.0.0.10 eq smtp
access-list outside_access_in permit tcp any host 10.0.0.10 eq pop3
access-list outside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit udp any any
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.3 255.0.0.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.100 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.0.128 255.255.255.255 inside
pdm location 192.168.0.135 255.255.255.255 inside
pdm location 192.168.11.0 255.255.255.0 outside
pdm location 192.168.11.0 255.255.255.0 inside
pdm location 80.37.246.195 255.255.255.255 outside
pdm location 192.168.0.254 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.10 192.168.0.100 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 0:05:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00
sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authenticate
ntp server 192.43.244.18 source outside
ntp server 128.118.25.3 source outside prefer
http server enable
http 192.168.0.100 255.255.255.255 inside
http 192.168.0.128 255.255.255.255 inside
http 192.168.0.135 255.255.255.255 inside
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set COMUN_BCN esp-des esp-md5-hmac
crypto map polinya 1 ipsec-isakmp
crypto map polinya 1 match address 101
crypto map polinya 1 set peer 80.37.246.195
crypto map polinya 1 set transform-set COMUN_BCN
crypto map polinya interface outside
isakmp enable outside
isakmp key ******** address 80.37.246.195 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 192.168.0.128 255.255.255.255 inside
telnet 192.168.0.135 255.255.255.255 inside
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
username QSECOFR password ELFfg8t/K5UMO89z encrypted privilege 15
terminal width 80
Cryptochecksum:74cd0cf16ef2c35804dffaeee924efdf
WATBCINX1#
PIX 501 Configuration (remote site):
CTXPOINX1# sh conf
: Saved
: Written by enable_15 at 09:27:14.439 CEDT Fri Jun 20 2003
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password qU51Wrx8ggFHLusK encrypted
passwd qU51Wrx8ggFHLusK encrypted
hostname CTXPOINX1
domain-name NEOKEM.LAN
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
name 80.32.132.188 BCN
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_access_in permit icmp any any
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.1 255.0.0.0
ip address inside 192.168.11.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.11.0 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1
timeout xlate 0:05:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00
sip_media 0:02:00
timeout uauth 0:00:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp authenticate
ntp server 192.5.41.209 source outside prefer
http server enable
http 80.32.132.188 255.255.255.255 outside
http 192.168.0.0 255.255.0.0 inside
http 192.168.11.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set COMUN esp-des esp-md5-hmac
crypto map bcn 1 ipsec-isakmp
crypto map bcn 1 set peer 80.32.132.188
crypto map bcn 1 set transform-set COMUN
crypto map bcn interface outside
isakmp enable outside
isakmp key ******** address 80.32.132.188 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 80.32.132.188 255.255.255.255 outside
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 10
ssh timeout 5
username QSECOFR password ELFfg8t/K5UMO89z encrypted privilege 15
terminal width 80
Cryptochecksum:dc8d08655d07886b74d867228e84f70f
CTXPOINX1#
Solved! Go to Solution.
06-20-2003 12:09 PM
Hi,
You left the match address out of your 501 VPN config.....put this in....
crypto map bcn 1 match address 101
Hope that helps....
06-20-2003 12:09 PM
Hi,
You left the match address out of your 501 VPN config.....put this in....
crypto map bcn 1 match address 101
Hope that helps....
06-22-2003 10:18 PM
Thank you Mike-greene I forgot to assign the crypto map to match address in access-list 101. Now it works ok! I appreciate it!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide