01-28-2008 11:02 AM - edited 02-21-2020 03:30 PM
I recently set up a VPN IPsec tunnel between two PIX devices. I ran into a problem with the remote PIX device when trying to route anything for a 10.x.x.x across the VPN tunnel. Here is the sample config that I was using.
interface Ethernet0
speed 10
duplex full
nameif outside
security-level 0
ip address 213.x.x.1 255.255.255.224
no shut
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.43.1.1 255.255.255.0
no shut
!
access-list inside extended permit icmp any any
access-list inside extended permit ip 10.43.1.0 255.255.255.0 any
access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0
!
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 10.43.1.0 255.255.255.0
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 216.1.1.30 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer A.B.C.D
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
!
management-access inside
dhcpd address 10.43.1.20-10.43.1.199 inside
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd option 3 ip 10.43.1.1
dhcpd enable inside
!
tunnel-group A.B.C.D type ipsec-l2l
tunnel-group A.B.C.D ipsec-attributes
pre-shared-key test
The only way I could get it to work was to replace the following commands:
access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0
with specific routes for 10.x.x.x:
access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.21.0.0 255.255.0.0
access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.51.0.0 255.255.0.0
access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.53.0.0 255.255.0.0
access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.21.0.0 255.255.0.0
access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.51.0.0 255.255.0.0
access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.53.0.0 255.255.0.0
Can anyone explain why I couldn't use the permit ip 10.43.1.0 255.255.255.0 10.0.0.0 255.0.0.0 route instead of putting specific routes for 10 dot?
01-28-2008 11:25 AM
One of the reasons could be that the remote side was configured with 4 ACL entries for the IPsec traffic. Keep in mind, the crypto ACLs have to be mirror images of each other for the tunnel to come up and work properly.
Do you have a copy of the remote PIX config?
Let me know if it helps.
Regards,
Arul
** Please rate if it helps **
01-28-2008 12:24 PM
Here is the VPN device that the remote side communicates with.
!
PIX Version 7.2(2)
interface Ethernet0
speed 100
duplex full
nameif Outside
security-level 0
ip address 212.1.1.1 255.255.255.0
!
interface Ethernet1
speed 100
duplex full
nameif Inside
security-level 100
ip address 10.11.75.12 255.255.255.0
!
access-list Outside_cryptomap_20 extended permit ip 10.0.0.0 255.0.0.0 10.43.1.0 255.255.255.0
access-list Inside extended permit ip any any
access-list Inside extended permit tcp any any
access-list Inside extended permit udp any any
access-list Inside extended permit icmp any any
access-list Inside extended permit tcp any any eq telnet
access-list Inside extended permit tcp any any eq ssh
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.43.1.0 255.255.255.0
!
nat (Inside) 0 access-list NONAT
nat (Inside) 0 0.0.0.0 0.0.0.0
access-group Inside in interface Inside
route Outside 213.1.1.1 255.255.255.255 212.1.1.30 1
route Outside 10.43.1.0 255.255.255.0 212.1.1.30 1
route Inside 0.0.0.0 0.0.0.0 10.11.75.1 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer E.F.G.H
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group E.F.G.H type ipsec-l2l
tunnel-group E.F.G.H ipsec-attributes
pre-shared-key test
01-28-2008 02:35 PM
I see a couple of things: the default route on the PIX pointing to the Inside interface, and the ISAKMP lifetime not matching, but that should not keep your tunnel from working with an ACL of 10.0.0.0 255.0.0.0.
Is it possible for you to go back to the ACL with a single entry, try to bring up the tunnel, and post the outputs of:
1. Deb cry is
2. Deb cry ips
3. Sh cry is sa
4. Sh cry ips sa
5. Sh run from the pix after you make the changes
6. Sh route
Regards,
Arul
** Please rate all helpful posts **
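Arul's point that the crypto ACLs on both peers must mirror each other, and the thread's use of a separate NONAT ACL for the same traffic, can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; the two sample configs are constructed from the `access-list` lines posted above (the OP's working four-entry variant, trimmed to two entries, against the remote PIX's single /8 entry) and the ACL names are those used in the thread.

```python
import ipaddress
import re

# Constructed samples: crypto and NAT-exemption ACLs taken from the thread.
# LOCAL_CFG is the OP's "working" per-/16 variant (two of the four entries),
# REMOTE_CFG is the remote PIX's single 10.0.0.0/8 entry.
LOCAL_CFG = """
access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list Outside_cryptomap_20 extended permit ip 10.43.1.0 255.255.255.0 10.21.0.0 255.255.0.0
access-list NONAT extended permit ip 10.43.1.0 255.255.255.0 10.11.0.0 255.255.0.0
"""
REMOTE_CFG = """
access-list Outside_cryptomap_20 extended permit ip 10.0.0.0 255.0.0.0 10.43.1.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.43.1.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acl(cfg, name):
    """Return (src_net, dst_net) pairs for the 'permit ip' entries of one named ACL."""
    entries = []
    for line in cfg.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            entries.append((src, dst))
    return entries

def check_crypto_acls(local_cfg, remote_cfg, crypto="Outside_cryptomap_20", nonat="NONAT"):
    """For each local crypto-ACL entry report (peer_status, nat_exempt):
    peer_status is 'mirror' if the peer has the exact reversed entry, 'covered'
    if the peer only has a broader entry that contains it, else 'missing';
    nat_exempt is True if the local NONAT ACL covers the same traffic, so it is
    not translated by 'nat (inside) 1' before the crypto map is consulted."""
    local = parse_acl(local_cfg, crypto)
    remote = parse_acl(remote_cfg, crypto)
    exempt = parse_acl(local_cfg, nonat)
    report = {}
    for src, dst in local:
        if (dst, src) in remote:
            peer = "mirror"
        elif any(src.subnet_of(rd) and dst.subnet_of(rs) for rs, rd in remote):
            peer = "covered"
        else:
            peer = "missing"
        nat_ok = any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt)
        report[f"{src} -> {dst}"] = (peer, nat_ok)
    return report

if __name__ == "__main__":
    for entry, (peer, nat_ok) in check_crypto_acls(LOCAL_CFG, REMOTE_CFG).items():
        print(f"{entry}: peer={peer} nat-exempt={'yes' if nat_ok else 'NO'}")
```

Run against real configs, a 'covered' or 'missing' status flags an entry to compare against the peer's `show run` output, and a False NAT flag flags traffic that will be translated instead of entering the tunnel.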