Hub/Spoke VPN Concentrator and 2 PIX 506E


Hello. I'm about to pull my hair out.

I have 3 offices, two with PIX 506Es and one with a VPN3005
concentrator. I want to use the 3005 as a hub for both PIX units. The
private networks behind each PIX should be able to see each other as
well as the private network behind the concentrator. Each PIX uses
network extension mode. Each PIX has IOS 6.3(5). The Concentrator has
the latest release as well.

Guess what: it doesn't f-ing work.

Each PIX connects fine to the 3005. IP travels fine from the 3005
private net to the private nets behind either PIX unit. However, the private
networks behind both PIX units cannot see each other.

Occasionally the PIXes will "wake up" and notice each other. But that's
after rubbing a magic lamp or something. Both connect to separate Group
profiles on the 3005. Each profile is set exactly the same. Reverse
Route Injection is turned on for NEM.

I'm pretty fed up with the cisco equipment. This is the most basic VPN
requirement anyone can have. I could do this with Linux in about 1 hour
and 2 cans of diet coke.

Any ideas? PIX config is below.

Thank you!

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******* encrypted
passwd ******** encrypted
hostname myhost
domain-name mydomain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
access-list acl_in permit icmp any any
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq telnet
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq www
access-list acl_in permit udp 192.168.70.0 255.255.255.0 any eq domain
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq domain
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq ftp-data
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq ftp
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 8000
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 8080
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 5800
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 5801
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 5900
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 5901
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq https
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq ssh
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq pop3
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq imap4
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 993
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq nntp
access-list acl_in permit udp 192.168.70.0 255.255.255.0 any eq ntp
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq ldap
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq h323
pager lines 24
logging on
logging trap notifications
logging history notifications
mtu outside 1492
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.70.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.0.0 255.255.0.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1372
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 192.168.70.50-192.168.70.150 inside
dhcpd dns 123.456.789.123
dhcpd lease 172800
dhcpd ping_timeout 750
dhcpd domain mydomain.com
dhcpd enable inside
vpnclient server 10.1.1.1
vpnclient mode network-extension-mode
vpnclient vpngroup mygroup password ********
vpnclient enable
terminal width 80
Cryptochecksum:3a4d0342eca5379fb67386597fc4636b
: end
[OK]
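Added example, not part of the original post and not Cisco tooling: a small Python evaluator for the posted PIX 6.3 ACLs plus a management-plane audit. The point it makes is that acl_in is applied inbound on the inside interface, so whether the two spoke networks can "see each other" depends on what you test with: ICMP is permitted to any destination, but TCP/UDP only on the listed ports, everything else hits the implicit deny. The ACL and management lines are copied from the post; the address 192.168.80.10 for a host behind the other spoke is a placeholder, since the post does not give that network.

```python
"""Evaluate the posted PIX 6.3 inside ACL for spoke-to-spoke flows and flag
management-plane settings worth tightening. Added example, not the poster's
tooling."""
import ipaddress
import re

# ACL lines copied from the posted configuration (subset; ftp-data re-joined).
PIX_ACL_LINES = """\
access-list acl_out permit icmp any any
access-list acl_in permit icmp any any
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq telnet
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq www
access-list acl_in permit udp 192.168.70.0 255.255.255.0 any eq domain
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq ftp-data
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq 8080
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq https
access-list acl_in permit tcp 192.168.70.0 255.255.255.0 any eq ssh
"""

# Management-plane lines copied from the posted configuration.
PIX_MGMT_LINES = """\
http server enable
http 192.168.0.0 255.255.0.0 inside
snmp-server community public
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
"""

# PIX 6.x service keywords used in the posted ACL -> TCP/UDP port numbers.
SERVICE_PORTS = {"telnet": 23, "www": 80, "domain": 53, "ftp-data": 20, "ftp": 21,
                 "https": 443, "ssh": 22, "pop3": 110, "imap4": 143, "nntp": 119,
                 "ntp": 123, "ldap": 389, "h323": 1720}

LOCAL_HOST = "192.168.70.10"        # a host behind this PIX (inside net from the post)
OTHER_SPOKE_HOST = "192.168.80.10"  # placeholder: a host behind the other spoke


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (net, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dport_or_None), ...]}."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = SERVICE_PORTS.get(t[i + 1])
            if dport is None:
                dport = int(t[i + 1])
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def acl_permits(entries, src_ip, dst_ip, proto, dport=None):
    """First matching entry wins; no match is the PIX's implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src_net, dst_net, port in entries:
        if p != "ip" and p != proto:
            continue
        if s not in src_net or d not in dst_net:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


ACLS = parse_acl(PIX_ACL_LINES)


def inside_permits(proto, dport=None):
    """Can a host behind this PIX send the given flow toward the other spoke?"""
    return acl_permits(ACLS["acl_in"], LOCAL_HOST, OTHER_SPOKE_HOST, proto, dport)


# Settings a reviewer would flag on the management plane of this config.
MGMT_CHECKS = [
    (re.compile(r"^snmp-server community public\b"), "default SNMP community 'public'"),
    (re.compile(r"^telnet \d"), "cleartext telnet management allowed"),
    (re.compile(r"^http server enable"), "PDM/HTTP management server enabled"),
]


def audit_management(text):
    """Return [(config_line, reason)] for every line matching a check."""
    return [(line, reason) for line in text.splitlines()
            for pattern, reason in MGMT_CHECKS if pattern.match(line)]


if __name__ == "__main__":
    for proto, port in [("icmp", None), ("tcp", 22), ("tcp", 445), ("udp", 53), ("tcp", 3389)]:
        print(f"{proto}/{port}: {'permit' if inside_permits(proto, port) else 'deny'}")
    for line, reason in audit_management(PIX_MGMT_LINES):
        print(f"{line!r}: {reason}")
```

Running it shows ping (ICMP) and SSH from 192.168.70.0/24 toward the other spoke are permitted by acl_in while SMB (445) and RDP (3389) are not, so a file-share test would fail even with the tunnels up; test spoke-to-spoke with ping or one of the listed ports first. The audit half lists the default SNMP community and telnet access, which are the two management-plane items worth tightening regardless of the VPN problem.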
