Hub/Spoke VPN Concentrator and 2 PIX 506E

Hello. I'm about to pull my hair out.

I have 3 offices, two with PIX 506Es and one with a VPN3005 concentrator. I want to use the 3005 as a hub for both PIX units. The private networks behind each PIX should be able to see each other as well as the private network behind the concentrator. Each PIX uses network extension mode. Each PIX has IOS 6.3(5). The Concentrator has the latest release as well.

Guess what: it doesn't f-ing work.

Each PIX connects fine to the 3005. IP travels fine from the 3005 private net to private nets for either PIX units. However, the private networks behind both PIX units cannot see each other.

Occasionally the PIXes will "wake up" and notice each other. But that's after rubbing a magic lamp or something. Both connect to separate Group profiles on the 3005. Each profile is set exactly the same. Reverse Route Injection is turned on for NEM.

I'm pretty fed up with the Cisco equipment. This is the most basic VPN requirement anyone can have. I could do this with Linux in about 1 hour and 2 cans of Diet Coke.

Any ideas? PIX config is below.

Thank you!

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ******** encrypted
hostname myhost
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list acl_in permit icmp any any
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq telnet
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq www
access-list acl_in permit udp 192.168.70.0 255.255.255.0 any eq domain
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq domain
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq ftp-data
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq ftp
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 8000
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 8080
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 5800
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 5801
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 5900
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 5901
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq https
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq ssh
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq pop3
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq imap4
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 993
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq nntp
access-list acl_in permit udp 192.168.70.0 255.255.255.0 any eq ntp
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq ldap
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq h323
pager lines 24
logging on
logging trap notifications
logging history notifications
mtu outside 1492
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.70.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1372
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.70.50-192.168.70.150 inside
dhcpd dns 123.456.789.123
dhcpd lease 172800
dhcpd ping_timeout 750
dhcpd domain mydomain.com
dhcpd enable inside
vpnclient server 10.1.1.1
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********
vpnclient enable
terminal width 80
Cryptochecksum:3a4d0342eca5379fb67386597fc4636b
: end
[OK]
ramr
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.