
PIX VPN to multiple subnets

gcrouch
Level 1

We have two remote sites and a frame connection to our parent company.

The tunnel works fine between us and our remote offices, but they cannot connect to the Internet or to the Oracle app server at the parent site across the frame.

I have routes on our internal router for the remote sites and routes on our 520 PIX for the frame addresses. How do you set up routing for the internal frame? The 520 PIX can ping the frame network and servers.

Setup: PIX version 6.3(3)

Topology:

  |Oracle App server and Intranet 173.1.2.X|
                  |
  |Parent|                         173.1.2.0 net
                  |
                frame
                  |
  |Internal router|                192.170.1.x
                  |
  |PIX 520 our company|            192.170.1.0 net
                  |
  |External router|                x.x.x.x
                  |
                 VPN
                  |
  |PIX 501 remote sites|           192.170.2.0 and 192.170.3.0

sh ipsec sa on the 501 shows 0 for all counters.

sh ipsec sa from the 520:

local ident (addr/mask/prot/port): (DI/255.255.255.0/0/0) DI= FRAME

remote ident (addr/mask/prot/port): (192.170.2.0/255.255.255.0/0/0)

current_peer: X.X.X.X:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 101, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

The 520 logs show an SA key request:

702303: sa_request, (key eng. msg.) src= X.X.X.X, dest= X.X.X.X, src_proxy= DI/255.255.255.0/0/0 (type=4), dest_proxy= 192.170.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004


6 Replies

Patrick Iseli
Level 7

The Oracle server should have a default route to its internal router; sometimes servers need more specific routes.

Next, be sure that the internal router knows how to reach the 192.170.2.0, 192.170.3.0 and 192.170.1.0 networks, so you have to add another route with the PIX as gateway.

The PIX needs routes toward the internal and external routers for all the networks behind them.

And again, the remote router also needs to know all networks, 173.1.2.0 and 192.170.1.0, with the PIX as gateway.

To test that, temporarily open ping requests and traceroute for your PC.

sincerely

Patrick

All the routes are set up.

When we traceroute a PC on the remote network from our parent's router, it makes it to our internal router and causes the sh ipsec sa send errors for the 173.1.2.0 / 192.170.2.0 SA to increase; all counters on the remote office PIX show 0s for this SA.

It looks like the 520 is trying to pass this network but the 501 is not doing anything with it.

A trace from the PC at the remote office shows everything dropped.

It creates this SA request in the logs when traffic from the parent tries to make it to the remote office; the remote PIX does not show anything in the logs when traffic attempts to make it to the parent.

702303: sa_request, (key eng. msg.) src= X.X.X.X, dest= X.X.X.X, src_proxy= 173.1.2.0/255.255.255.0/0/0 (type=4), dest_proxy= 192.170.2.0/255.255.255.0/0/0 (type=4), protocol= ESP, transform= esp-des esp-md5-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

Attached: sh ipsec sa

This looks like your access-list in the crypto map or the nonat access-list does not have the other networks defined.

This access-list, in my example named VPN, defines which traffic will be encrypted. All other traffic passes through the Internet.

access-list VPN permit ip Internalnet ISubnet Externalnet Esubnet

crypto map REMOTE 10 match address VPN

NONAT configuration

access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet

nat (inside) 0 access-list NONAT

sincerely

Patrick

sh access-list on the PIX 520 (our office):

access-list 101 line 1 permit ip 192.170.1.0 255.255.255.0 192.70.2.0 255.255.255.0 (hitcnt=6578)

access-list 101 line 2 permit ip 173.1.2.0 255.255.255.0 192.170.2.0 255.255.255.0 (hitcnt=1025)

crypto map transam 1 match address 101

sh access-list from the remote PIX:

access-list 101 line 1 permit ip 192.170.2.0 255.255.255.0 192.170.1.0 255.255.255.0 (hitcnt=1407745)

access-list 101 line 2 permit ip 173.1.2.0 255.255.255.0 192.170.1.0 255.255.255.0 (hitcnt=0)

Line 2 shows no hits.

I have a route for the 173 network pointing to the inside interface. I also tried changing line 2 to

access-list 101 permit ip 173.1.2.0 255.255.255.0 192.170.2.0 255.255.255.0

and also changed the nat access-list.

Now I am getting hits on this access list when sending a ping from the parent router, and also getting lots of receive errors in the logs on the remote PIX:

402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=esp, spi=0xb2e64ee(187589870)

It looks like we are getting closer. What am I missing?

Accepted Solution:

This is definitely an access-list issue; I will look at this Monday. Could you please give me a printout of the

nat (inside) 0 access-list your-ACL-name

access-list your-ACL-name .......

sincerely

Patrick

Thanks, I had the networks in the wrong order. I switched them around and everything is working.
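The requirement behind Patrick's diagnosis and the fix reported in the last reply is that the crypto map match ACL on one peer must be the mirror image of the ACL on the other peer: every (local, remote) network pair on the 520 has to appear as (remote, local) on the 501, and the NONAT ACL on each side has to exempt the same pairs from translation. The following script is an added example, not code from the thread or from Cisco: it parses `show access-list` text from both PIXes and reports entries that do not mirror, plus crypto entries the NONAT ACL does not cover. The ACL text is constructed, modeled on the lines posted above, and the function names are my own.

```python
"""Check that the crypto ACLs on two PIX IPsec peers are mirror images.

Added example (not from the thread). For a PIX 6.3 LAN-to-LAN tunnel the
crypto map's match ACL on one peer lists each protected (local, remote)
network pair; the other peer must list the same pair with source and
destination swapped, and the `nat (inside) 0` ACL must exempt the same
pairs, or the traffic is translated before it can match the crypto ACL.
"""
import ipaddress
import re

# Constructed sample input modeled on the ACLs posted in the thread.
HUB_CRYPTO_ACL = """\
access-list 101 line 1 permit ip 192.170.1.0 255.255.255.0 192.170.2.0 255.255.255.0 (hitcnt=6578)
access-list 101 line 2 permit ip 173.1.2.0 255.255.255.0 192.170.2.0 255.255.255.0 (hitcnt=1025)
"""

# Remote PIX 501 before the fix: line 2 names 173.1.2.0 as the source,
# so it is not the mirror of the hub's line 2 and never matches traffic.
REMOTE_CRYPTO_ACL_BEFORE = """\
access-list 101 line 1 permit ip 192.170.2.0 255.255.255.0 192.170.1.0 255.255.255.0 (hitcnt=1407745)
access-list 101 line 2 permit ip 173.1.2.0 255.255.255.0 192.170.1.0 255.255.255.0 (hitcnt=0)
"""

# Remote PIX 501 after swapping the networks in line 2.
REMOTE_CRYPTO_ACL_AFTER = """\
access-list 101 line 1 permit ip 192.170.2.0 255.255.255.0 192.170.1.0 255.255.255.0
access-list 101 line 2 permit ip 192.170.2.0 255.255.255.0 173.1.2.0 255.255.255.0
"""

# Constructed NONAT ACL on the remote PIX that only exempts the first pair
# (the name NONAT is the one used in Patrick's example above).
REMOTE_NONAT_ACL = """\
access-list NONAT permit ip 192.170.2.0 255.255.255.0 192.170.1.0 255.255.255.0
"""

# Matches `access-list <name> [line N] permit ip <net> <mask> <net> <mask>`;
# trailing hit counters are ignored. `host` entries are not handled.
ACE_RE = re.compile(
    r"^access-list\s+\S+(?:\s+line\s+\d+)?\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)"
)


def parse_aces(show_output):
    """Return the set of (src_net, dst_net) pairs from `show access-list` text."""
    aces = set()
    for line in show_output.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        aces.add((src, dst))
    return aces


def mirror(aces):
    """Swap source and destination of every entry."""
    return {(dst, src) for src, dst in aces}


def fmt(pair):
    return f"{pair[0]} -> {pair[1]}"


def compare_peers(local_show, remote_show):
    """Report crypto ACL entries that are not mirrored between two peers."""
    local = parse_aces(local_show)
    remote = parse_aces(remote_show)
    return {
        "missing_on_remote": sorted(fmt(p) for p in mirror(local) - remote),
        "extra_on_remote": sorted(fmt(p) for p in remote - mirror(local)),
    }


def nonat_gaps(crypto_show, nonat_show):
    """Crypto ACL entries with no matching NONAT entry on the same box."""
    return sorted(fmt(p) for p in parse_aces(crypto_show) - parse_aces(nonat_show))


if __name__ == "__main__":
    print("before fix:", compare_peers(HUB_CRYPTO_ACL, REMOTE_CRYPTO_ACL_BEFORE))
    print("after fix: ", compare_peers(HUB_CRYPTO_ACL, REMOTE_CRYPTO_ACL_AFTER))
    print("NONAT gaps:", nonat_gaps(REMOTE_CRYPTO_ACL_AFTER, REMOTE_NONAT_ACL))
```

On the "before" input the script reports that the remote side is missing `192.170.2.0/24 -> 173.1.2.0/24` and carries the unmirrored `173.1.2.0/24 -> 192.170.1.0/24`, which is exactly the line that showed hitcnt=0 above; after the swap both lists are empty. The regex assumes the `show access-list` layout of PIX 6.3 as posted in the thread and only handles network/mask entries, so ACLs that use the `host` keyword or `any` would need the pattern extended.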