Site-to-site VPN only seems to be working one-way.

paul
Level 1

Having a few issues connecting a PIX501 to a Cisco 1700. The 1700 has been configured as a VPN server and has for months been working fine for remote users with the Cisco VPN Client software. I'm trying to get a "site to site" VPN working and have run into a brick wall. I'll paste the PIX config below. The network behind the 1700 is 10.10.10.x and the PIX dhcpd is giving out IPs in the 192.168.100.x range.

The tunnel "seems" ok as I can ping a host on the inside PIX interface from a host on the 1700 LAN. I can ping "some" hosts on the 1700 LAN from a host on the PIX inside interface. I can even view the PIX host's shares and transfer files across to here (behind the 1700). I can't, however, do any of that from a host on the PIX inside interface. I'm hoping it's just a silly routing issue but haven't messed much with Cisco stuff in the past so don't know too much about troubleshooting it.

ipconfig on a host on the inside PIX interface:

DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.100.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
DHCP Server . . . . . . . . . . . : 192.168.100.1
DNS Servers . . . . . . . . . . . : 10.10.10.173
Primary WINS Server . . . . . . . : 10.10.10.163

Any ideas?

PIX config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxx encrypted
hostname xxxx
domain-name xxxx
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x(public ip on same subnet as 1700 outside ip) 255.255.255.224
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 x.x.x.x(1700 'outside' ip) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community xxxx
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.10-192.168.100.20 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd option 150 ip 10.10.10.190
dhcpd enable inside
vpnclient server x.x.x.x(1700 'outside' ip)
vpnclient mode network-extension-mode
vpnclient vpngroup xxxx password xxxx
vpnclient username xxxx password xxxx
vpnclient enable
terminal width 80

3 Replies

thisisshanky
Level 11

To troubleshoot further, can you also paste the 1700 config?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxx
!
enable password xxxx
!
username xxxx password 0 xxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip domain name xxxx
!
!
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxx
 key 0 xxxx
 dns 10.10.10.173
 wins 10.10.10.163
 domain xxxx
 pool xxxx
!
crypto isakmp client configuration group xxxx
 key 0 xxxx
 dns 10.10.10.173
 wins 10.10.10.163
 domain xxxx
 pool xxxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0/0
 ip address x.x.x.x (outside 1700 interface)
 ip nat outside
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/2
 no ip address
 shutdown
!
interface FastEthernet0/3
 no ip address
 shutdown
!
interface FastEthernet0/4
 no ip address
 shutdown
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip policy route-map nonat
!
ip local pool ippool 192.168.10.1 192.168.10.50
ip local pool IPPOOL1 192.168.20.0 192.168.20.50
ip default-gateway x.x.x.x
ip nat inside source list 120 interface FastEthernet0/0 overload
(snip a lot of routes that aren't connected with this)
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x (gateway)
no ip http server
no ip http secure-server
!
!
!
ip access-list extended addr-pool
ip access-list extended default-domain
ip access-list extended firewall
ip access-list extended idletime
ip access-list extended include-local-lan
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended save-password
ip access-list extended service
ip access-list extended timeout
ip access-list extended tunnel-password
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 11 permit 10.10.10.0 0.0.0.255
access-list 120 deny ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
snmp-server community public RO 10
snmp-server enable traps tty
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password xxxx
 transport input ssh
!
!
end

Some more information:

I'm confused as to why I can VNC into a host on the inside of the PIX and can transfer files from that host across the VPN to this network but I can't initiate anything in the other direction. I'm sure it's a simple routing issue but I'm not too confident with that and don't want to break the network :)

pixfirewall# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256) alert-interval 300
access-list _vpnc_acl; 2 elements
access-list _vpnc_acl line 1 permit ip 192.168.100.0 255.255.255.0 any (hitcnt=23965)
access-list _vpnc_acl line 2 permit ip host x.x.x.x (outside PIX interface) any (hitcnt=108)

pixfirewall# show route
outside 0.0.0.0 0.0.0.0 x.x.x.x (outside 1700 interface) 1 OTHER static
outside x.x.x.x x.x.x.x (our t1 subnet) x.x.x.x (outside PIX interface) 1 CONNECT static
inside 192.168.100.0 255.255.255.0 192.168.100.1 1 CONNECT static

Just plugged a Cisco 7940 phone into the PIX and logged what was happening - was getting a lot of deny requests between the phone and CallManager (behind the 1700). syslogd is noting the phone unable to connect to CCM:

Deny TCP (no connection) from x.x.x.x/2000 (outside 1700 interface) to 192.168.100.11/51825 flags SYN ACK on interface outside
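The deny message above shows the CallManager's SYN ACK reaching the PIX outside interface with the 1700's outside address as its source, which is consistent with the reply being translated by the 1700's overload NAT instead of returning through the tunnel; in the posted config, access-list 120 (the list that NAT statement consults) only exempts 192.168.10.0/24, not the PIX's 192.168.100.0/24. The Python below is an added example, not code from the thread or from Cisco, that evaluates that list with Cisco wildcard-mask semantics for the flow in the log and shows the effect of inserting a deny entry for 192.168.100.0/24; that entry is an assumption about a candidate fix, not something the thread confirms.

```python
import ipaddress

# Constructed copy of access-list 120 from the 1700 config in this thread, the list that
# "ip nat inside source list 120 ... overload" consults. Entry layout:
# (action, src_net, src_wildcard, dst_net, dst_wildcard); "any" carries no mask.
NAT_ACL_120 = [
    ("deny",   "10.10.10.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("permit", "10.10.10.0", "0.0.0.255", "any", None),
]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    if network == "any":
        return True
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)

def acl_action(acl, src, dst):
    """First-match evaluation, with the implicit deny every IOS ACL ends in."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

def will_be_natted(acl, src, dst):
    """'ip nat inside source list N' translates exactly the flows the list permits."""
    return acl_action(acl, src, dst) == "permit"

def with_exemption(acl, src_net, src_wc, dst_net, dst_wc):
    """Copy of the list with a deny for dst_net inserted before the first permit,
    the usual way to keep a tunnel-protected network out of PAT (assumed fix)."""
    deny = ("deny", src_net, src_wc, dst_net, dst_wc)
    idx = next((i for i, e in enumerate(acl) if e[0] == "permit"), len(acl))
    return acl[:idx] + [deny] + acl[idx:]

def render_acl(acl, number):
    """Render entries back into IOS 'access-list N ...' lines."""
    lines = []
    for action, s_net, s_wc, d_net, d_wc in acl:
        dst = "any" if d_net == "any" else f"{d_net} {d_wc}"
        lines.append(f"access-list {number} {action} ip {s_net} {s_wc} {dst}")
    return lines

if __name__ == "__main__":
    # The flow from the log above: CallManager 10.10.10.190 replying to phone 192.168.100.11.
    print("reply NATted as posted:", will_be_natted(NAT_ACL_120, "10.10.10.190", "192.168.100.11"))
    fixed = with_exemption(NAT_ACL_120, "10.10.10.0", "0.0.0.255", "192.168.100.0", "0.0.0.255")
    print("reply NATted after exemption:", will_be_natted(fixed, "10.10.10.190", "192.168.100.11"))
```

Because the VPN client pool 192.168.10.0/24 is already exempted the same way, the remote-access clients that do work are a useful control case when checking this on the router with show ip nat translations.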