VPN tunnel does not allow all traffic to pass through

adilmasani
Level 1

Hi,

I have setup a VPN tunnel between a 515E & an 857 router. The tunnel is established via the internet and hosts on both ends can ping each other. The 515E is the hub device. All sites connect to this firewall. The 857 router is placed at a remote site.

The problem I have is that although the tunnel is established, it seems that the connectivity is not as it should be. When I run a port scan from one of the servers at the central site to a device on the remote site, the scan results tell me that none of the ports are open. For example, I scanned the 857 router. Although it has telnet and http enabled, the scan result was that the host was alive but no ports are open. Because of this, I am unable to remotely administer WinXP desktops and network printers at the remote site. The PIX firewall has sysopt enabled. I have not enabled the firewall feature on the router, nor have I added any access lists which would cause any traffic restrictions. Can you think of any reason why this behaviour would occur?

--------------------------------------------------------

The 515E configuration related to the remote site is as follows.

access-list outside_cryptomap_40 extended permit ip 10.112.1.0 255.255.255.0 10.112.60.0 255.255.255.0
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
crypto map outside_map 40 set transform-set 10.112.60.0
access-list inside_nat0_outbound extended permit ip 10.112.1.0 255.255.255.0 10.112.60.0 255.255.255.0
crypto map outside_map 40 set peer 165.228.x.x
crypto map outside_map 40 set transform-set 165.228.x.x
sysopt connection permit-ipsec

-------------------------------------------------------

The VPN config on the 857 router is:

crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key tritest address 218.185.x.x
!
!
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to218.185.x.x
 set peer 218.185.x.x
 set transform-set tritest
 match address 100
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 10.112.60.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.112.60.0 0.0.0.255 10.112.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.112.60.0 0.0.0.255 10.112.1.0 0.0.0.255
access-list 101 permit ip 10.112.60.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101

Thanks

1 Reply

scottosan
Level 1

Why do you have following command on the PIX?

crypto map outside_map 40 set transform-set 165.228.x.x

-------------------------------------------

Also you have this transform set on the PIX:

crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac

This does not match the transform set on the router:

crypto ipsec transform-set tritest esp-3des esp-md5-hmac

---------------------------------------------

Where are you using the access-list/route-map 101?
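As an added check that is not from the thread or from any Cisco tool, the following Python parses the two config excerpts quoted above (constructed here from the posted lines, with the masked peer addresses kept as "x.x") and surfaces what scottosan points at: a transform-set name that is referenced but never defined, no algorithm bundle common to both peers, and whether the two crypto ACLs mirror each other once the IOS wildcard masks are inverted. The ACL names outside_cryptomap_40 and 100 are taken as posted.

```python
import re
# Constructed excerpts of the two configs quoted in the thread (relevant lines
# only; the poster's masked peer addresses are kept as "x.x"). Not a Cisco tool.
PIX_CONFIG = """
access-list outside_cryptomap_40 extended permit ip 10.112.1.0 255.255.255.0 10.112.60.0 255.255.255.0
crypto ipsec transform-set 10.112.60.0 esp-aes-256 esp-sha-hmac
crypto map outside_map 40 set transform-set 10.112.60.0
crypto map outside_map 40 set peer 165.228.x.x
crypto map outside_map 40 set transform-set 165.228.x.x
"""
IOS_CONFIG = """
crypto ipsec transform-set tritest esp-3des esp-md5-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 218.185.x.x
 set transform-set tritest
 match address 100
access-list 100 permit ip 10.112.60.0 0.0.0.255 10.112.1.0 0.0.0.255
"""

def transform_sets(cfg):
    # name -> the ESP algorithms it proposes (same syntax on PIX and IOS)
    pat = r"^crypto ipsec transform-set (\S+) (.+)$"
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(pat, cfg, re.M)}

def referenced_sets(cfg):
    # names attached to a crypto map entry: PIX prefixes "crypto map <name> <seq>", IOS indents
    pat = r"^\s*(?:crypto map \S+ \d+ )?set transform-set (\S+)"
    return set(re.findall(pat, cfg, re.M))

def common_proposals(pix_cfg, ios_cfg):
    # algorithm bundles both peers actually offer; empty means phase 2 cannot agree
    pix = {v for k, v in transform_sets(pix_cfg).items() if k in referenced_sets(pix_cfg)}
    ios = {v for k, v in transform_sets(ios_cfg).items() if k in referenced_sets(ios_cfg)}
    return pix & ios

def acl_pairs(cfg, name, wildcard):
    # (src, dst) of each permit line as net/mask; IOS wildcard masks are inverted
    pat = rf"^access-list {re.escape(name)} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)"
    pairs = set()
    for s, sm, d, dm in re.findall(pat, cfg, re.M):
        if wildcard:
            sm, dm = (".".join(str(255 - int(o)) for o in w.split(".")) for w in (sm, dm))
        pairs.add((f"{s}/{sm}", f"{d}/{dm}"))
    return pairs

def acls_mirror(pix_cfg, ios_cfg):
    # the crypto ACLs must be exact mirror images or the SA only matches one way
    ios = acl_pairs(ios_cfg, "100", wildcard=True)
    return acl_pairs(pix_cfg, "outside_cryptomap_40", wildcard=False) == {(d, s) for s, d in ios}
```

`referenced_sets(PIX_CONFIG) - set(transform_sets(PIX_CONFIG))` gives the dangling name 165.228.x.x, and `common_proposals` comes back empty because esp-aes-256/esp-sha-hmac and esp-3des/esp-md5-hmac share nothing.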