Cisco PIX 501-515 Site-to-Site VPN Issue


I'm deferring to the experts in this group to help me solve a
nightmare of a PIX configuration issue.

I have a PIX 501 located in Connecticut and a PIX 515 located in New
York and am trying to put together a site-to-site VPN.  The remote
access on the 515 works like a charm, but I've been unable to make any
headway with the site-to-site.  The only way that I've been able to
initiate the connection, in fact, is to launch the packet tracer on
the 515 to 'send' a packet from an IP on the 515's network to an IP on
the 501's.  Everything comes back okay, but if I try to ping or
connect to any machine on either of the networks from the other one,
it doesn't go through, and no useful debugging information seems to be
returned.  If anyone has any insight into what might be going on, your
advice would be tremendously appreciated.  I've copied the
configurations below and have removed only the clearly-irrelevant
parts.

PIX 501:
  Internal IP Range:  10.0.2.0/255.255.255.0
  External IP:        x.x.123.29

PIX 515:
  Internal IP Range:  10.0.0.0/255.255.255.0
  Remote Access:      10.0.1.0/255.255.255.0
  External IP:        x.x.23.17


CISCO PIX 501 IN CONNECTICUT

PIX Version 6.3(5)
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any object-group TCP
access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
ip address outside x.x.123.29 255.255.255.252
ip address inside 10.0.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.123.30 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer x.x.23.17
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address x.x.23.17 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
dhcpd address 10.0.2.200-10.0.2.231 inside
dhcpd enable inside


CISCO PIX 515 IN NEW YORK

PIX Version 7.2(1)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip any 10.0.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
ip local pool VPN 10.0.1.1-10.0.1.254 mask 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
icmp permit any outside
icmp permit any inside
global (outside) 101 interface
nat (inside) 0 access-list outside_cryptomap
nat (inside) 101 0.0.0.0 0.0.0.0 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.23.30 1
no eou allow clientless
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 10.0.0.2 10.0.0.3
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value mydomain.net
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value VPN
 client-firewall none
 client-access-rule none
sysopt connection tcpmss 0
service resetinbound interface outside
service resetinbound interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.123.29
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 authorization-dn-attributes use-entire-name
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group x.x.123.29 type ipsec-l2l
tunnel-group x.x.123.29 ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd address 10.0.0.100-10.0.0.149 inside
dhcpd enable inside
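As an added static check (example code written for this thread, not from Cisco or the original poster), the Python below reads the statements from the two configs above that decide whether phase 2 can match: that each side's set peer is the other side's outside address, that the two crypto ACLs mirror each other, and that the nat 0 ACL on each box exempts the tunnel traffic from PAT. The outside addresses are taken from the summary at the top of the post; the helper names are my own.

```python
# Statements these checks read, copied from the two configs posted above (wrapped lines rejoined).
PIX501 = """\
access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.23.17
"""
PIX515 = """\
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip any 10.0.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list outside_cryptomap
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer x.x.123.29
"""

def first(cfg, prefix):  # rest of the first line starting with prefix (an ACL name or peer), else None
    hits = [ln[len(prefix):].strip() for ln in cfg.splitlines() if ln.startswith(prefix)]
    return hits[0] if hits else None

def acl_entries(cfg, name):
    """(src, dst) pairs of the named ACL's 'permit ip' lines; endpoints are 'any' or 'net/mask'."""
    out = []
    for line in cfg.splitlines():
        t = [x for x in line.split() if x != "extended"]  # 6.3 and 7.x syntax differ only here
        if t[:4] != ["access-list", name, "permit", "ip"]:
            continue
        t, ends = t[4:], []
        while t:
            n = 1 if t[0] == "any" else 2  # 'any' is one token, a network is 'addr mask'
            ends.append("/".join(t[:n]))
            t = t[n:]
        out.append(tuple(ends))
    return out

def check_l2l(cfg_a, ext_a, cfg_b, ext_b, seq="20"):
    """Static checks on crypto map entry `seq` of both peers; returns the list of problems found."""
    problems, acl = [], {}
    for tag, cfg, other in (("A", cfg_a, ext_b), ("B", cfg_b, ext_a)):
        if first(cfg, f"crypto map outside_map {seq} set peer") != other:
            problems.append(f"{tag}: set peer is not the other side's outside address")
        acl[tag] = acl_entries(cfg, first(cfg, f"crypto map outside_map {seq} match address"))
        exempt = acl_entries(cfg, first(cfg, "nat (inside) 0 access-list"))  # must bypass PAT
        for e in acl[tag]:
            if e not in exempt:
                problems.append(f"{tag}: nat 0 ACL does not exempt {e}")
    if sorted(acl["A"]) != sorted((d, s) for s, d in acl["B"]):  # proxy IDs must be mirror images
        problems.append("crypto ACLs are not mirror images")
    return problems
```

On the lines as posted all three checks pass, which narrows the search to what the checker does not read (ISAKMP and transform-set parameters, NAT-T, and the outside access-group).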