Re: [fw-wiz] Problem with PIX-to-PIX VPN and more networks



Hello Petr.

I was checking your config, but you only specified from one end-point. As you know, you should have another access-list in the other pix (PIX501) like this:
access-list XX permit ip 10.1.0.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list XX permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0

It would be helpful if you can attach the pix 501 config (vpn related)

Regards.

Petr Vyhnal wrote:

Hi all,

I have strange problem. I have two PIXes (501 and 506E) with VPN tunnel. LAN structure is like that:

LAN1 (10.1.5.0/24) - PIX506 (inside 10.1.5.254) - Inet (VPN) - PIX501 (inside 10.1.0.254/24) - LAN2 (10.1.0.0/24) - Linux router (nonat, 10.1.0.1 on PIX's side iface and 10.1.1.254 on LAN3 side iface) - LAN3 (10.1.1.0/24)

Crypto tunnel is working, but only for one network at the moment. So if ping works from 10.1.5.0/24 to 10.1.1.0/24 I can't ping from 10.1.5.0/24 to 10.1.0.0/24 and vice versa. But on both rules in acl 101 I can see growing hits when I pinging to both networks at same time. Even if only pings to one network at the moment are going to crypto tunnel and pings to second network are going directly to internet and they are rejected by gateway as unreachable. Does anybody have any idea how to fix it?

PIX506 config (VPN part):

access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set MYVPN esp-3des esp-md5-hmac
crypto map MYMAP 1 ipsec-isakmp
crypto map MYMAP 1 match address 101
crypto map MYMAP 1 set peer xxx.xxx.xxx.xxx
crypto map MYMAP 1 set transform-set MYVPN
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000


Thanx Rudiik
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Backup Interface using Tunnel
    ... I would need to configure a Tunnel interface. ... crypto map mymap 10 match address 110 ... isakmp policy 10 authentication pre-share ...
    (comp.dcom.sys.cisco)
  • Multiple IPsec VPNs between PIX
    ... PIX at HQ: ... crypto map MYMAP 100 match address to_branch1 ... isakmp policy 1 authentication pre-share ... IPSEC VPN Tunnels between branch1 and branch2. ...
    (comp.dcom.sys.cisco)
  • Re: Cisco VPN client access to PIX501s internal network
    ... isakmp policy 10 authentication pre-share ... fixup protocol dns maximum-length 512 ... crypto map mymap 10 match address 101 ... crypto map mymap 10 set transform-set vpnlanset ...
    (comp.dcom.sys.cisco)
  • Re: Pix-to-Pix & Internet
    ... You must configure the PIX to translate your inside-to-internet ... global 1 interface ... crypto map mymap 21 set peer ... isakmp policy 21 authentication pre-share ...
    (comp.dcom.sys.cisco)
  • Re: Site to Site VPN between 501s with Overlapping Private subnets
    ... Well, I do not have an exact example, but other than the VPN commands, ... isakmp policy 10 authentication pre-share ... Policy NAT access-list - specify conditions under which to NAT for ... crypto map mymap 20 match address vpnnat ...
    (comp.dcom.sys.cisco)