12-06-2004 06:50 AM - edited 02-21-2020 01:29 PM
I have two sites each with a PIX 501. I have almost zero experience with PIX stuff. I found an article on the Cisco site (along with great help from the forums!) called "Simple site to site VPN" (or something along those lines).
At one site I can ping the other and when users login they get their mapped drives from the server at the other office. The second site can't ping and the users can't get the mapped drives at the other office.
Here's the config I did for each:
222.222.222.222 is site 2's public IP
111.111.111.111 is site 1's public IP
10.6.0.0 is site 1's private IP
10.5.0.0 is site 2's private IP
Site1:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp key SHAREDKEY address 222.222.222.222 netmask 255.255.255.255
access-list site2_vpn_acl permit ip 10.6.0.0 255.255.0.0 10.5.0.0 255.255.0.0
crypto ipsec transform-set site2_vpn_crypto esp-des esp-sha-hmac
crypto map toSite2 10 ipsec-isakmp
crypto map toSite2 10 match address site2_vpn_acl
crypto map toSite2 10 set peer 222.222.222.222
crypto map toSite2 10 set transform-set site2_vpn_crypto
crypto map toSite2 interface outside
nat (inside) 0 access-list site2_vpn_acl
sysopt connection permit-ipsec
_____________________________________________________________________________
Site2:
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp key SHAREDKEY address 111.111.111.111 netmask 255.255.255.255
access-list site1_vpn_acl permit ip 10.5.0.0 255.255.0.0 10.6.0.0 255.255.0.0
crypto ipsec transform-set site1_vpn_crypto esp-des esp-sha-hmac
crypto map toSite1 10 ipsec-isakmp
crypto map toSite1 10 match address site1_vpn_acl
crypto map toSite1 10 set peer 111.111.111.111
crypto map toSite1 10 set transform-set site1_vpn_crypto
crypto map toSite1 interface outside
nat (inside) 0 access-list site1_vpn_acl
sysopt connection permit-ipsec
Any ideas as to what I'm doing wrong?
steve
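The two configs above are meant to be mirror images of each other: each side's crypto ACL, peer address, pre-shared key address, ISAKMP policy and transform set has to line up with the other side's, and a single mistyped keyword on one side is silently rejected by the PIX and leaves that crypto map entry incomplete. The script below is an added example, not code from the thread or from Cisco: it parses only the command shapes that appear in the post (it ignores ISAKMP policy numbers and anything outside the VPN lines), builds the two sample configs from the posted values, and deliberately injects one constructed defect (a misspelled transform-set keyword on site 1) to show what a mirror check reports. Function and variable names are the example's own.

```python
"""Added example (not from the thread): check two PIX 6.x site-to-site
configs against each other and report where one side fails to mirror the other."""
from typing import Dict, List


def site_config(local_net: str, remote_net: str, remote_public: str,
                acl: str, ts: str, cmap: str) -> str:
    """Build a config in the shape posted in the thread (constructed sample)."""
    return f"""
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp key SHAREDKEY address {remote_public} netmask 255.255.255.255
access-list {acl} permit ip {local_net} 255.255.0.0 {remote_net} 255.255.0.0
crypto ipsec transform-set {ts} esp-des esp-sha-hmac
crypto map {cmap} 10 ipsec-isakmp
crypto map {cmap} 10 match address {acl}
crypto map {cmap} 10 set peer {remote_public}
crypto map {cmap} 10 set transform-set {ts}
crypto map {cmap} interface outside
nat (inside) 0 access-list {acl}
sysopt connection permit-ipsec
"""


# Constructed sample: the two posted configs, with one defect injected on site 1
# for the demo (a misspelled keyword, which a real PIX would reject).
SITE1_CONFIG = site_config("10.6.0.0", "10.5.0.0", "222.222.222.222",
                           "site2_vpn_acl", "site2_vpn_crypto", "toSite2"
                           ).replace("set transform-set", "set trasnform-set")
SITE2_CONFIG = site_config("10.5.0.0", "10.6.0.0", "111.111.111.111",
                           "site1_vpn_acl", "site1_vpn_crypto", "toSite1")


def parse_pix(config: str) -> Dict:
    """Extract ISAKMP, ACL, transform-set, crypto-map, nat 0 and sysopt settings."""
    info: Dict = {"policy": {}, "keys": {}, "acls": {}, "tsets": {}, "maps": {},
                  "nat0": None, "sysopt": False, "rejected": []}
    for raw in config.splitlines():
        t = raw.split()
        if t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            info["policy"][t[3]] = t[4]                       # attribute -> value
        elif t[:2] == ["isakmp", "key"] and len(t) >= 5:
            info["keys"][t[4]] = t[2]                         # peer address -> key
        elif t[:1] == ["access-list"] and len(t) == 8:
            info["acls"].setdefault(t[1], []).append(tuple(t[4:8]))  # src smask dst dmask
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) >= 5:
            info["tsets"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:
            entry = info["maps"].setdefault(t[2], {})
            if t[3] == "interface":
                entry["interface"] = t[4]
            elif t[4:6] == ["match", "address"]:
                entry["acl"] = t[-1]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[-1]
            elif t[4:6] == ["set", "transform-set"]:
                entry["tset"] = t[-1]
            elif t[4] != "ipsec-isakmp":                      # unknown keyword: PIX rejects it
                info["rejected"].append(raw.strip())
        elif t[:1] == ["nat"] and len(t) >= 5 and t[2:4] == ["0", "access-list"]:
            info["nat0"] = t[4]
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            info["sysopt"] = True
    return info


def check_site(local: Dict, remote: Dict, remote_public: str) -> List[str]:
    """Findings for LOCAL against REMOTE's config; an empty list means consistent."""
    f = [f"rejected line: {line}" for line in local["rejected"]]
    if remote_public not in local["keys"]:
        f.append(f"no isakmp key for peer {remote_public}")
    for a in ("authentication", "encryption", "hash", "group"):
        if local["policy"].get(a) != remote["policy"].get(a):
            f.append(f"isakmp {a} differs: {local['policy'].get(a)} vs {remote['policy'].get(a)}")
    if not local["sysopt"]:
        f.append("sysopt connection permit-ipsec missing")
    # The remote's crypto ACL entries as they should look from this side (src/dst swapped).
    remote_mirror = {(d, dm, s, sm) for m in remote["maps"].values()
                     for (s, sm, d, dm) in remote["acls"].get(m.get("acl"), [])}
    nat0_entries = set(local["acls"].get(local["nat0"], []))
    for name, m in local["maps"].items():
        if m.get("interface") != "outside":
            f.append(f"crypto map {name} not applied to the outside interface")
        if m.get("peer") != remote_public:
            f.append(f"crypto map {name} peer is {m.get('peer')}, expected {remote_public}")
        ts = local["tsets"].get(m.get("tset"))
        if ts is None:
            f.append(f"crypto map {name} has no valid transform set")
        elif ts not in remote["tsets"].values():
            f.append(f"transform set {ts} is not offered by the remote")
        entries = local["acls"].get(m.get("acl"))
        if not entries:
            f.append(f"crypto map {name} references a missing ACL")
        for e in entries or []:
            if e not in remote_mirror:
                f.append(f"ACL entry {e} has no mirror image on the remote")
            if e not in nat0_entries:
                f.append(f"ACL entry {e} is not exempted from NAT (nat 0)")
    return f


if __name__ == "__main__":
    s1, s2 = parse_pix(SITE1_CONFIG), parse_pix(SITE2_CONFIG)
    for label, findings in (("site1", check_site(s1, s2, "222.222.222.222")),
                            ("site2", check_site(s2, s1, "111.111.111.111"))):
        print(label, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

Run against the constructed sample, site 2 comes back clean while site 1 reports the rejected line and the crypto map entry left without a transform set; the same check would also surface a hash or encryption mismatch between the two ISAKMP policies, or an ACL that does not mirror the other side's, which are the first things to rule out before looking at hosts and default gateways.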
12-06-2004 10:36 AM
Steve,
Are the networks specified in the ACL correct? Is the server you are trying to ping from Site 2 in the network 10.6.0.0 (Site 1's network)? If they are not, you will need to add a second line on the ACL matching that traffic.
12-06-2004 10:50 AM
Those are the right networks. Is this how the ACL should be set up:
access-list
Me not good at PIX and VPN :-(
Steve
12-06-2004 01:06 PM
Steve,
The configs look alright to me. Have you tried pinging from different PCs on Site 2 and trying to connect back to Site 1? It could be a wrong default gateway, or a firewall turned on on the PC (like the XP firewall). Are 10.5.0.0 and 10.6.0.0 the only networks on either side? Do you have any other router on either side which has other networks attached to it? I hope you are not trying to ping from one of these networks!!!
12-06-2004 02:04 PM
I've tried from a couple of PCs, the NetWare servers, and the PIX...nothing. I think I may wipe this PIX and start up (initial config and all). I don't have any other routers or firewalls. When I did a show route I saw xxx.xxx.xxx.64, but it should be 65. But it also has .65 in the listing (I can't remember the right info). I'll check what's there and post it.
Thanks!
Steve