VPN tunnel between two location-PIX 520

ciscomoon
Level 1

Hi

I am trying to create a VPN tunnel between two PIX 520s. Please see my attached config. If any commands are missing or there are errors in the commands, please guide me.

Please note I am new to the PIX firewall. I have configured both PIXes by referring to notes.

Thanks

9 Replies

zubairjalal
Level 1

Your configuration seems good to go. What do you see when you issue

show crypto isakmp sa

Thanks for replying, Jalal.

ON LOCATION B
=============
Result of firewall command: "show crypto isakmp sa"
Total : 0
Embryonic : 0
dst src state pending created
=============================================

LOCATION A
===========
Result of firewall command: "show crypto isakmp sa"
Total : 0
Embryonic : 0
dst src state pending created
=============================================

One more problem: for some strange reason I am unable to browse the internet in LOCATION A.

There are 5 PCs and I tried to browse the internet, but no browsing. Page cannot be displayed.

=============================================

LOCATION A SHOW ROUTE:
========================
Result of firewall command: "sh route"
outside 0.0.0.0 0.0.0.0 61.95.xx.xx 1 OTHER static
outside 61.95.xx.xx 255.255.255.248 61.95.xx.xx 1 CONNECT static
inside 192.168.2.0 255.255.255.0 192.168.2.1 1 CONNECT static

LOCATION B SHOW ROUTE:
========================
Result of firewall command: "sh route"
outside 0.0.0.0 0.0.0.0 58.107.xx.xx 1 OTHER static
outside 58.107.xx.xx 255.255.255.0 58.107.xx.xx 1 CONNECT static
inside 192.168.0.0 255.255.255.0 192.168.xx.xx 1 CONNECT static

=============================================

I am able to open the location A and B PDM pages from another network.

Thanks

Hi.

The only difference between Location A and Location B is that you have an ACL bound on the inside interface of Location A. This might be causing problems. Just try doing the below command and then try again.

no access-group inside_access_in in interface inside

--Pls rate if it helps--

Hi Jalal

I am able to browse on LOCATION A after removing the command (no access-group inside_access_in in interface inside).

Can you please let me know what the purpose or role of the below command is:

access-group inside_access_in in interface inside

But the VPN tunnel is not created between A and B.

Any suggestions?

Thanks

Hi,

You use the access-list and access-group commands to permit access based on source or destination IP address, or by the protocol port number. Use the access-list command to create a single access list entry, and use the access-group command to bind one or more access list entries to a specific interface. Only specify one access-group command for each interface.

In your configuration, the "access-group inside_access_in in interface inside" command refers to the access-list entries named "inside_access_in" when traffic is coming into the inside interface.

"access-list inside_access_in permit tcp any any"

Based on the above access-list entry, only TCP traffic from any source to any destination is permitted. All other traffic will be denied.

As for the VPN tunnel, could you do a deb cryp isa and deb cryp ipsec and post the outputs? This should help us see what's going on.

Regards,

Arul

** Please rate all helpful posts **
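An added illustration, not from the thread: the inside ACL as quoted above, next to a version that also permits the non-TCP traffic a client LAN needs. It assumes the asker's ACL is the single entry quoted above; a TCP-only inbound ACL on the inside interface drops DNS queries (UDP/53) and ICMP from the PCs, which is the likely reason every page at Location A failed to resolve. Lines beginning with "!" are annotations, not PIX commands.

```cisco
! As quoted in the thread: only TCP from inside hosts is allowed through.
! Everything else hits the implicit deny at the end of the list, including
! UDP/53 DNS lookups and ICMP echo, so web browsing and ping both fail.
access-list inside_access_in permit tcp any any
access-group inside_access_in in interface inside

! Corrected version (added here): keep TCP and explicitly add the UDP and
! ICMP traffic the PCs need. Entries are evaluated top-down; anything not
! matched is dropped, so any further protocol must be listed as well.
access-list inside_access_in permit tcp any any
access-list inside_access_in permit udp any any eq 53
access-list inside_access_in permit icmp any any
access-group inside_access_in in interface inside

! Note for the VPN test: this same inside ACL is applied before encryption,
! so a ping from 192.168.2.0/24 to 192.168.0.0/24 would be dropped by the
! TCP-only list and never trigger the tunnel. The icmp entry above fixes that.

! Unbinding the list, as suggested earlier in the thread, also restores
! browsing: with no ACL bound the PIX falls back to security-level rules,
! which allow all traffic from the higher-security inside interface outward.
no access-group inside_access_in in interface inside
```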

LOCATION A
===========
Result of firewall command: "show deb cryp ipsec"
no debug crypto ipsec
Result of firewall command: "deb cryp ipsec"
The command has been sent to the firewall
Result of firewall command: "show deb cryp ipsec"
debug crypto ipsec 1
Result of firewall command: "deb cryp isa"
The command has been sent to the firewall
Result of firewall command: "show deb cryp isa"
debug crypto isakmp 1
============================================

LOCATION B
==========
Result of firewall command: "deb cryp ipsec"
The command has been sent to the firewall
Result of firewall command: "show deb cryp ipsec"
debug crypto ipsec 1
Result of firewall command: "deb cryp isa"
The command has been sent to the firewall
Result of firewall command: "show deb cryp isa"
debug crypto isakmp 1
===========================================

Thanks for the reply.

Any idea what the actual problem is?

Hi,

It's kind of hard to say what is happening without any debugs.

Could you turn on logging on the PIX and capture the outputs from "deb cry isakmp" and "deb cry ipsec" when you try to bring up the VPN tunnel?

Make sure that you generate some kind of traffic (ICMP, TCP, etc.) to bring up the tunnel between the two PIXes. The source and destination IP addresses should match the access-list defined in the match address command.

Regards,

Arul

** Please rate all helpful posts **

Thanks for replying

I have entered the command "logging on" in the PIX. How do I capture "deb cry isakmp" and "deb cry ipsec"?

Please check my first attached post for PIX configuration.

The source and destination IP Addresses are matching the access-list defined in the match address command.

Thanks
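The capture procedure Arul describes, written out as an added example that is not part of the thread. It assumes a console, telnet or SSH session to the PIX rather than the PDM command tool (debug output is printed to the terminal session and to the log, not returned by PDM), and uses the LAN prefixes from the show route output above; the individual host addresses are placeholders. Lines beginning with "!" are annotations, not PIX commands.

```cisco
! 1. Send debug-level messages to this session and keep a copy in the buffer.
logging on
logging buffered debugging
logging monitor debugging
terminal monitor            ! needed on telnet/ssh sessions; the console shows debugs anyway

! 2. Enable the two crypto debugs (the same ones the thread shows at level 1).
debug crypto isakmp
debug crypto ipsec

! 3. Clear any half-built security associations so the next attempt
!    negotiates from phase 1 and the debug shows the whole exchange.
clear crypto isakmp sa
clear crypto ipsec sa

! 4. Generate interesting traffic from a PC on the inside at A to a host on
!    the inside at B, for example from 192.168.2.<pc> run:  ping 192.168.0.<host>
!    (placeholder host addresses). Ping from a PC, not from the PIX itself,
!    because PIX-originated traffic is not sent through the crypto map.
!    The source/destination pair must fall inside the crypto map's
!    "match address" ACL, and the inside ACL (if bound) must permit it too.

! 5. Check the result and collect the debug lines to post.
show crypto isakmp sa       ! Total should now be > 0; state QM_IDLE once phase 1 completes
show crypto ipsec sa        ! #pkts encaps/decaps counters show whether phase 2 traffic flows
show logging                ! buffered copy of the debug output

! 6. Turn the debugs off when done.
no debug crypto isakmp
no debug crypto ipsec
```

If "Total" stays at 0 after step 4 and no isakmp debug lines appear, the interesting traffic never reached the crypto map, so check the inside ACL and the match address list before looking at the phase 1 parameters.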