VPN working one way only

sruzila (Level 1)

I have two sites, each with a PIX 501. I have almost zero experience with PIX stuff. I found an article on the Cisco site (along with great help from the forums!) called "Simple site to site VPN" (or something along those lines).

At one site I can ping the other, and when users log in they get their mapped drives from the server at the other office. The second site can't ping, and the users can't get the mapped drives at the other office.

Here's the config I did for each:

222.222.222.222 is site 2's public IP

111.111.111.111 is site 1's public IP

10.6.0.0 is site 1's private IP

10.5.0.0 is site 2's private IP

Site1:

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp key SHAREDKEY address 222.222.222.222 netmask 255.255.255.255
access-list site2_vpn_acl permit ip 10.6.0.0 255.255.0.0 10.5.0.0 255.255.0.0
crypto ipsec transform-set site2_vpn_crypto esp-des esp-sha-hmac
crypto map toSite2 10 ipsec-isakmp
crypto map toSite2 10 match address site2_vpn_acl
crypto map toSite2 10 set peer 222.222.222.222
crypto map toSite2 10 set transform-set site2_vpn_crypto
crypto map toSite2 interface outside
nat (inside) 0 access-list site2_vpn_acl
sysopt connection permit-ipsec

_____________________________________________________________________________

Site2:

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp key SHAREDKEY address 111.111.111.111 netmask 255.255.255.255
access-list site1_vpn_acl permit ip 10.5.0.0 255.255.0.0 10.6.0.0 255.255.0.0
crypto ipsec transform-set site1_vpn_crypto esp-des esp-sha-hmac
crypto map toSite1 10 ipsec-isakmp
crypto map toSite1 10 match address site1_vpn_acl
crypto map toSite1 10 set peer 111.111.111.111
crypto map toSite1 10 set transform-set site1_vpn_crypto
crypto map toSite1 interface outside
nat (inside) 0 access-list site1_vpn_acl
sysopt connection permit-ipsec

Any ideas as to what I'm doing wrong?

steve

4 Replies

thisisshanky (Level 11)

Steve,

Are the networks specified in the ACL correct? Is the server you are trying to ping from Site 2 in the network 10.6.0.0 (Site 1's network)? If it is not, you will need to add a second line to the ACL matching that traffic.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
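Shanky's first question, whether the crypto ACLs on both sides describe the same networks, is the kind of check that is easy to get wrong by hand on two mirrored PIX configs. The following is an added example, not code from the thread or from Cisco: it parses each side's config, verifies that the peer address, the pre-shared-key address, the crypto ACL, the nat 0 exemption and the transform-set on one PIX are the mirror image of the other, flags any `crypto map ... set` keyword the PIX parser would reject, and warns on DES, MD5 and DH group 1. The sample configs are constructed from the posted ones (Site1's sample keeps a mistyped `trasnform-set` keyword as a constructed test case); the hardened variant assumes the PIX software and license allow AES, which the thread does not say. Function and constant names are this example's own.

```python
"""Cross-check two PIX 6.x site-to-site IPsec configs for mirror consistency.
Added example, not code from the thread or from Cisco; sample configs below are
constructed from the posted ones and all names are this example's own."""
from dataclasses import dataclass, field

WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}  # accepted by the PIX, unfit today
CRYPTO_MAP_SET_KEYWORDS = {"peer", "transform-set", "pfs", "security-association"}

@dataclass
class PixVpn:
    peer: str = ""
    key_addr: str = ""
    match_acl: str = ""
    nat0_acl: str = ""
    transform_name: str = ""
    transforms: dict = field(default_factory=dict)  # name -> frozenset of esp-* tokens
    acls: dict = field(default_factory=dict)        # name -> [(src, smask, dst, dmask)]
    policy: dict = field(default_factory=dict)      # isakmp policy parameter -> value
    errors: list = field(default_factory=list)      # lines the PIX parser would reject

def parse_pix(text):
    """Pull the VPN-relevant lines out of a PIX config; everything else is ignored."""
    cfg = PixVpn()
    for raw in filter(str.strip, text.splitlines()):
        t = raw.split()
        if t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            cfg.policy[t[3]] = t[4]
        elif t[:2] == ["isakmp", "key"] and "address" in t:
            cfg.key_addr = t[t.index("address") + 1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"] and len(t) >= 8:
            cfg.acls.setdefault(t[1], []).append(tuple(t[4:8]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) >= 5:
            cfg.transforms[t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[3].isdigit():
            if t[4:6] == ["match", "address"]:
                cfg.match_acl = t[6]
            elif t[4] == "set" and t[5] not in CRYPTO_MAP_SET_KEYWORDS:
                cfg.errors.append(f"unknown keyword in {raw.strip()!r}; the PIX would reject this line")
            elif t[4:6] == ["set", "peer"]:
                cfg.peer = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                cfg.transform_name = t[6]
        elif t[:4] == ["nat", "(inside)", "0", "access-list"] and len(t) >= 5:
            cfg.nat0_acl = t[4]
    return cfg

def check_pair(a, a_public, b, b_public):
    """Return findings for two peers; an empty list means the sides mirror cleanly."""
    findings = list(a.errors) + list(b.errors)
    for side, cfg, remote in (("A", a, b_public), ("B", b, a_public)):
        if cfg.peer != remote:
            findings.append(f"{side}: crypto map peer {cfg.peer!r} is not the remote public IP {remote}")
        if cfg.key_addr != remote:
            findings.append(f"{side}: isakmp key address {cfg.key_addr!r} is not the remote public IP {remote}")
        if cfg.nat0_acl != cfg.match_acl:
            findings.append(f"{side}: nat 0 uses {cfg.nat0_acl!r} but the crypto map matches {cfg.match_acl!r}")
        if cfg.transform_name not in cfg.transforms:
            findings.append(f"{side}: crypto map entry has no valid transform-set bound")
        for param, bad in WEAK.items():
            if cfg.policy.get(param) in bad:
                findings.append(f"{side}: isakmp policy uses weak {param} {cfg.policy[param]}")
    # Interesting-traffic ACLs must be exact mirrors, or the phase 2 proxy identities will not match.
    a_acl = set(a.acls.get(a.match_acl, []))
    b_mirror = {(d, dm, s, sm) for (s, sm, d, dm) in b.acls.get(b.match_acl, [])}
    if a_acl != b_mirror:
        findings.append(f"crypto ACLs are not mirror images: A={sorted(a_acl)} B-mirrored={sorted(b_mirror)}")
    ta, tb = a.transforms.get(a.transform_name), b.transforms.get(b.transform_name)
    if ta is not None and tb is not None and ta != tb:
        findings.append(f"transform-sets differ: A={sorted(ta)} B={sorted(tb)}")
    if a.policy != b.policy:
        findings.append(f"isakmp policies differ: A={a.policy} B={b.policy}")
    return findings

def report(site1_text, site2_text, site1_public="111.111.111.111", site2_public="222.222.222.222"):
    return check_pair(parse_pix(site1_text), site1_public, parse_pix(site2_text), site2_public)

def pix_config(local, remote, remote_public, tag, enc, hsh, group, esp, set_kw="transform-set"):
    """Build a config in the shape of the posted ones (constructed sample data)."""
    return f"""isakmp policy 10 authentication pre-share
isakmp policy 10 encryption {enc}
isakmp policy 10 hash {hsh}
isakmp policy 10 group {group}
isakmp policy 10 lifetime 1000
isakmp key SHAREDKEY address {remote_public} netmask 255.255.255.255
access-list {tag}_vpn_acl permit ip {local} 255.255.0.0 {remote} 255.255.0.0
crypto ipsec transform-set {tag}_vpn_crypto {esp} esp-sha-hmac
crypto map to{tag} 10 match address {tag}_vpn_acl
crypto map to{tag} 10 set peer {remote_public}
crypto map to{tag} 10 set {set_kw} {tag}_vpn_crypto
nat (inside) 0 access-list {tag}_vpn_acl
"""

# Site1 keeps a mistyped "trasnform-set" keyword as a constructed test case.
SITE1_POSTED = pix_config("10.6.0.0", "10.5.0.0", "222.222.222.222", "site2", "des", "md5", "1", "esp-des", "trasnform-set")
SITE2_POSTED = pix_config("10.5.0.0", "10.6.0.0", "111.111.111.111", "site1", "des", "md5", "1", "esp-des")
# Hardened variant; assumes the PIX software and license allow AES (an assumption, not from the thread).
SITE1_HARDENED = pix_config("10.6.0.0", "10.5.0.0", "222.222.222.222", "site2", "aes-256", "sha", "2", "esp-aes-256")
SITE2_HARDENED = pix_config("10.5.0.0", "10.6.0.0", "111.111.111.111", "site1", "aes-256", "sha", "2", "esp-aes-256")
```

Run `report(open("site1.cfg").read(), open("site2.cfg").read())` against the two real configs (or the posted text) and read the list it returns: a rejected keyword leaves that crypto map entry with no transform-set bound, which the checker reports separately from the ACL mirror check, so the two failure modes are not confused with each other. The weak-algorithm warnings fire on both posted sides and are independent of whether the tunnel comes up.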

Those are the right networks. Is this how the ACL should be set up:

access-list permit ip

Me not good at PIX and VPN :-(

Steve

Steve,

The configs look alright to me. Have you tried pinging from different PCs on Site 2 and trying to connect back to Site 1? It could be a wrong default gateway, or a firewall turned on on the PC (like the XP firewall). Are 10.5.0.0 and 10.6.0.0 the only networks on either side? Do you have any other router on either side which has other networks attached to it? I hope you are not trying to ping from one of those networks!!!

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

I've tried from a couple of PCs, the NetWare servers, and the PIX...nothing. I think I may wipe this PIX and start up (initial config and all). I don't have any other routers or firewalls. When I did a show route I saw xxx.xxx.xxx.64, but it should be .65. But it also has .65 in the listing (I can't remember the right info). I'll check what's there and post it.

Thanks!

Steve