12-15-2006 03:04 PM - edited 02-21-2020 02:46 PM
Hi,
I have setup a VPN tunnel between a 515E & an 857 router. The tunnel is established via the internet and hosts on both ends can ping each other. The 515E is the hub device. All sites connect to this firewall. The 857 router is placed at a remote site.
The problem I have is that although the tunnel is established, it seems that the connectivity is not as it should be. When I run a port scan from one of the servers at the central site to a device on the remote site, the scan results tell me that none of the ports are open. For example, I scanned the 857 router. Although it has telnet and http enabled, the scan result was that the host was alive but no ports were open. Because of this, I am unable to remotely administer WinXP desktops and network printers at the remote site. The PIX firewall has sysopt enabled. I have not enabled the firewall feature on the router, nor have I added any access lists which would cause any traffic restrictions. Can you think of any reason why this behaviour would occur?
--------------------------------------------------------
The 515E configuration related to the remote site is as follows.
access-list outside_cryptomap_40 extended permit ip 10.112.1.0 255.255.255.0 10.112.60.0 255.255.255.0
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
crypto map outside_map 40 set transform-set 10.112.60.0
access-list inside_nat0_outbound extended permit ip 10.112.1.0 255.255.255.0 10.112.60.0 255.255.255.0
crypto map outside_map 40 set peer 165.228.x.x
crypto map outside_map 40 set transform-set 165.228.x.x
sysopt connection permit-ipsec
-------------------------------------------------------
The VPN config on the 857 router is:
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key tritest address 218.185.x.x
!
!
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to218.185.x.x
set peer 218.185.x.x
set transform-set tritest
match address 100
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 10.112.60.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.112.60.0 0.0.0.255 10.112.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.112.60.0 0.0.0.255 10.112.1.0 0.0.0.255
access-list 101 permit ip 10.112.60.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
Thanks
12-18-2006 07:04 AM
Why do you have following command on the PIX?
crypto map outside_map 40 set transform-set 165.228.x.x
-------------------------------------------
Also you have this transform set on the PIX:
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
This does not match the transform set on the router:
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
---------------------------------------------
Where are you using the access-list/route-map 101?
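The checks raised in this reply (a crypto map entry pointing at a transform-set that is never defined, and transform-sets that do not agree between the two peers), together with a check that the PIX crypto ACL mirrors the router's ACL 100, as an added Python script that is not part of the thread; it parses the two configurations exactly as posted above (peer addresses masked by the poster).

```python
import re
from ipaddress import IPv4Network

# The two configurations as posted in the thread (peer addresses masked by the poster).
PIX_CFG = """
access-list outside_cryptomap_40 extended permit ip 10.112.1.0 255.255.255.0 10.112.60.0 255.255.255.0
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
crypto map outside_map 40 set transform-set 10.112.60.0
crypto map outside_map 40 set peer 165.228.x.x
crypto map outside_map 40 set transform-set 165.228.x.x
"""
ROUTER_CFG = """
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 218.185.x.x
 set transform-set tritest
 match address 100
access-list 100 permit ip 10.112.60.0 0.0.0.255 10.112.1.0 0.0.0.255
"""

def transform_sets(cfg):
    """Map each defined transform-set name to its set of ESP transforms."""
    return {m[1]: frozenset(m[2].split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}

def referenced_transform_sets(cfg):
    """Transform-set names the crypto map entries point at (PIX one-line and IOS indented forms)."""
    return re.findall(r"^\s*(?:crypto map \S+ \d+ )?set transform-set (\S+)\s*$", cfg, re.M)

def crypto_acl(cfg, name):
    """(src, dst) network pairs of a crypto ACL. IPv4Network accepts both a PIX netmask
    (255.255.255.0) and an IOS wildcard (0.0.0.255); 'any'/'host' keywords are not handled."""
    pat = rf"^access-list {name} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)\s*$"
    return {(IPv4Network(f"{m[1]}/{m[2]}"), IPv4Network(f"{m[3]}/{m[4]}"))
            for m in re.finditer(pat, cfg, re.M)}

def audit(pix, router, pix_acl="outside_cryptomap_40", router_acl="100"):
    """Return a list of mismatches between the two ends of the tunnel."""
    findings = []
    pix_ts, rtr_ts = transform_sets(pix), transform_sets(router)
    for side, cfg, defined in (("PIX", pix, pix_ts), ("router", router, rtr_ts)):
        for name in referenced_transform_sets(cfg):
            if name not in defined:
                findings.append(f"{side} crypto map references undefined transform-set '{name}'")
    if not set(pix_ts.values()) & set(rtr_ts.values()):
        findings.append("no transform-set (cipher + HMAC) is common to both peers")
    # The PIX crypto ACL must be the mirror image (src/dst swapped) of the router's.
    if crypto_acl(pix, pix_acl) != {(d, s) for s, d in crypto_acl(router, router_acl)}:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings

if __name__ == "__main__":
    for f in audit(PIX_CFG, ROUTER_CFG):
        print("MISMATCH:", f)
```

Run against the posted configs it reports the undefined transform-set reference and the cipher/HMAC mismatch, while the crypto ACLs pass the mirror check.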