08-29-2005 04:30 AM
Hi,
I configured one S2S connection, which works fine, and I also want to allow some VPN clients to access some services inside my site.
The VPN client connects to the gateway and gets an IP address from the pool, but it cannot get access to the inside site, nor can it ping the inside interface of the PIX firewall.
sysopt connection permit-ipsec
crypto ipsec transform-set pix-1 esp-3des esp-md5-hmac
crypto dynamic-map COMP_DYNMAP 20 set transform-set pix-1
crypto map DSGVMAP 10 ipsec-isakmp
crypto map COMPMAP 10 match address outside_cryptomap_10
crypto map COMPMAP 10 set peer 1.2.3.4
crypto map COMPMAP 10 set transform-set pix-1
crypto map COMPMAP 10 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map COMPMAP 20 ipsec-isakmp dynamic COMP_DYNMAP
crypto map COMPMAP interface outside
isakmp enable outside
isakmp key ##### address 1.2.3.4 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 7800
vpngroup ORACLE address-pool vpn-pool
vpngroup ORACLE idle-time 1800
vpngroup ORACLE password #####
access-list outside_cryptomap_10 line 2 permit ip 5.6.7.8 255.255.255.248 1.2.4.0 255.255.255.248
ip local pool vpn-pool 172.19.6.145-172.19.6.158 mask 255.255.255.240
08-29-2005 04:52 AM
Mohesen,
1. From what you have posted, I don't see a crypto ACL for the returning traffic from your ip local pool to your internal network?
2. Take a look at this document to verify your configuration:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml
3. You might want to consider enabling NAT Traversal, so when your users connect from behind another NAT/PAT device they'll not encounter any problems. To do this (in config mode) do:
isakmp nat-traversal
Save with - write mem
Hope this helps and if it does please rate post as it might help others too.
Thanks -
Jay
08-29-2005 05:28 AM
hi Jay,
1. Sorry, I forgot to send these lines:
access-list nat-in-out permit ip 5.6.7.8 255.255.255.248 172.19.6.144 255.255.255.240
nat (inside) 0 access-list nat-in-out
2. I studied several documents on the Cisco site about this case; I'm sure I made a stupid mistake somewhere, but WHERE?
3. The line :
isakmp nat-traversal
is not needed; the client gets a public address from the provider.
Mohsen
08-29-2005 05:40 AM
Mohsen,
OK, can you post your configuration (take out any sensitive info)? Also, provide any debug info.
Why do you have:
access-list nat-in-out permit ip 5.6.7.8 255.255.255.248 172.19.6.144 255.255.255.240 ??
why not..
access-list nat-in-out permit ip 5.6.7.0 255.255.255.248 172.19.6.0 255.255.255.240
Jay
08-29-2005 06:10 AM
The IP net is a fictive net and is my comp net:
access-list nat-in-out permit ip 5.6.7.8 255.255.255.248 172.19.6.144 255.255.255.240
About the config:
Tell me which part you need to control, and I'll send it to you.
Mohsen
08-30-2005 01:22 AM
Hi,
Do you have a route in place for the VPN pool? If not, try adding the following command.
crypto dynamic-map COMP_DYNMAP 20 set transform-set pix-1
reverse-route
Regards,
Shijo George.
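As an added example (not part of this thread or of any Cisco tool), here is a small Python lint over the PIX 6.x lines posted above. It checks the two points raised in the replies: Jay's, that the nat (inside) 0 (NAT-exempt) ACL must cover the return traffic to the VPN pool, and Shijo's, that the dynamic map can set reverse-route so the pool gets a route. The sample config, the function name and the wording of the findings are constructed for this example.

```python
import ipaddress
import re

# Constructed sample assembled from the lines posted in this thread
# (fictive addresses as posted); not a complete PIX configuration.
PIX_CONFIG = """\
sysopt connection permit-ipsec
crypto dynamic-map COMP_DYNMAP 20 set transform-set pix-1
crypto map COMPMAP 20 ipsec-isakmp dynamic COMP_DYNMAP
access-list nat-in-out permit ip 5.6.7.8 255.255.255.248 172.19.6.144 255.255.255.240
nat (inside) 0 access-list nat-in-out
ip local pool vpn-pool 172.19.6.145-172.19.6.158 mask 255.255.255.240
vpngroup ORACLE address-pool vpn-pool
"""

def lint_remote_access(config):
    """Return findings about the remote-access VPN pieces of a PIX 6.x config."""
    findings = []
    if not re.search(r"^sysopt connection permit-ipsec$", config, re.M):
        findings.append("missing 'sysopt connection permit-ipsec': decrypted traffic is checked by the outside ACL")
    # Address pools: name -> (first address, last address)
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)}
    # Destination networks of the NAT-exempt ACL (the 'nat (inside) 0' one)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    exempt = []
    if nat0:
        acl = r"^access-list %s .*permit ip \S+ \S+ (\S+) (\S+)" % re.escape(nat0[1])
        exempt = [ipaddress.ip_network((m[1], m[2]), strict=False)
                  for m in re.finditer(acl, config, re.M)]
    else:
        findings.append("no 'nat (inside) 0 access-list': return traffic to the pool will be translated")
    for m in re.finditer(r"^vpngroup (\S+) address-pool (\S+)", config, re.M):
        group, pool = m[1], m[2]
        if pool not in pools:
            findings.append(f"vpngroup {group} references undefined pool {pool}")
            continue
        first, last = pools[pool]
        if nat0 and not any(first in n and last in n for n in exempt):
            findings.append(f"pool {pool} ({first}-{last}) is not covered by NAT-exempt ACL {nat0[1]}")
    # Dynamic maps attached to a crypto map without reverse-route injection
    for m in re.finditer(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", config, re.M):
        if not re.search(rf"^crypto dynamic-map {re.escape(m[1])} \d+ set reverse-route", config, re.M):
            findings.append(f"dynamic map {m[1]} has no 'set reverse-route': route the pool statically or enable RRI")
    return findings

if __name__ == "__main__":
    for finding in lint_remote_access(PIX_CONFIG):
        print("-", finding)
```

On the sample above it reports only the missing reverse-route; narrowing or omitting the nat-in-out ACL produces the NAT-exemption finding instead.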