Cisco PIX 501-515 Site-to-Site VPN Issue

I'm deferring to the experts in this group to help me solve a nightmare of a PIX configuration issue.

I have a PIX 501 located in Connecticut and a PIX 515 located in New York and am trying to put together a site-to-site VPN. The remote access on the 515 works like a charm, but I've been unable to make any headway with the site-to-site. The only way that I've been able to initiate the connection, in fact, is to launch the packet tracer on the 515 to 'send' a packet from an IP on the 515's network to an IP on the 501's. Everything comes back okay, but if I try to ping or connect to any machine on either of the networks from the other one, it doesn't go through, and no useful debugging information seems to be returned. If anyone has any insight into what might be going on, your advice would be tremendously appreciated. I've copied the configurations below and have removed only the clearly-irrelevant parts.

PIX 501: Internal IP Range: 10.0.2.0/255.255.255.0 External IP: x.x.123.29

PIX 515: Internal IP Range: 10.0.0.0/255.255.255.0 Remote Access: 10.0.1.0/255.255.255.0 External IP: x.x.23.17

CISCO PIX 501 IN CONNECTICUT

PIX Version 6.3(5)
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any object-group TCP
access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
ip address outside x.x.123.29 255.255.255.252
ip address inside 10.0.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.123.30 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer x.x.23.17
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key * address x.x.23.17 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
dhcpd address 10.0.2.200-10.0.2.231 inside
dhcpd enable inside

CISCO PIX 515 IN NEW YORK

PIX Version 7.2(1)
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip any 10.0.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
ip local pool VPN 10.0.1.1-10.0.1.254 mask 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
icmp permit any outside
icmp permit any inside
global (outside) 101 interface
nat (inside) 0 access-list outside_cryptomap
nat (inside) 101 0.0.0.0 0.0.0.0 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.23.30 1
no eou allow clientless
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 10.0.0.2 10.0.0.3
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 5
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value mydomain.net
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value VPN
 client-firewall none
 client-access-rule none
sysopt connection tcpmss 0
service resetinbound interface outside
service resetinbound interface inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.123.29
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN
 authorization-dn-attributes use-entire-name
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group x.x.123.29 type ipsec-l2l
tunnel-group x.x.123.29 ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd address 10.0.0.100-10.0.0.149 inside
dhcpd enable inside
pogopoole
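Editor's note, not part of the original post: the script below is an added example that mechanically compares the two posted configurations on the points that most often stop a PIX-to-PIX site-to-site tunnel, so they can be ruled in or out before reaching for debug output. It checks that each side's `set peer` is the other side's outside address, that the two crypto ACLs are exact mirror images, that every crypto ACL entry is also exempt from NAT by the `nat (inside) 0 access-list` list, and that PFS group and transform-set algorithms agree. The embedded configuration text is excerpted from the post (names and addresses are the post's own, reduced to the lines the checks read); the PIX 515 outside address is supplied from the post's summary because its 7.2 config as posted omits the interface block; the function names and the treatment of a bare `set pfs` as group2 (the PIX/ASA default) are this example's assumptions.

```python
import re

# Constructed excerpts of the two configurations in the post, reduced to the lines
# these checks read; names and addresses are the post's own.  The PIX 515 outside
# address comes from the post's summary, since its 7.2 config omits the interface block.
PIX501 = """\
access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer x.x.23.17
crypto map outside_map 20 set transform-set ESP-3DES-SHA
"""
PIX515 = """\
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip any 10.0.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
nat (inside) 0 access-list outside_cryptomap
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.123.29
crypto map outside_map 20 set transform-set ESP-3DES-SHA
"""
PIX501_OUTSIDE, PIX515_OUTSIDE = "x.x.123.29", "x.x.23.17"
ANY = ("0.0.0.0", "0.0.0.0")  # (network, mask) spelling of the 'any' keyword

def acl_entries(config, name):
    """'permit ip' lines of a named ACL as ((src, mask), (dst, mask)) pairs; PIX 6.3 and 7.x syntax."""
    entries = []
    for line in config.splitlines():
        t = line.replace(" any", " 0.0.0.0 0.0.0.0").replace(" extended ", " ").split()
        if len(t) >= 8 and t[:2] == ["access-list", name] and t[2:4] == ["permit", "ip"]:
            entries.append(((t[4], t[5]), (t[6], t[7])))
    return entries

def crypto_map_entries(config, map_name):
    """Static crypto map entries keyed by sequence number: {'address', 'peer', 'pfs', 'transform-set'}."""
    pat = re.compile(rf"^crypto map {re.escape(map_name)} (\d+) (match address|set pfs|set peer|set transform-set) ?(.*)$")
    out = {}
    for m in filter(None, map(pat.match, config.splitlines())):
        key, val = m.group(2).split()[-1], m.group(3).strip()
        if key == "pfs":  # assumption: a bare 'set pfs' means group2, the PIX/ASA default
            val = val or "group2"
        out.setdefault(m.group(1), {})[key] = val.split() if key == "transform-set" else val
    return out

def transform_algs(config, name):
    """Algorithm keywords of a transform set (a separate 'mode' line for the set is ignored)."""
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) > 4 and t[3] == name and t[4] != "mode":
            return frozenset(t[4:])
    return frozenset()

def nat0_entries(config, iface="inside"):
    """Entries of the ACL named by 'nat (iface) 0 access-list NAME' (the NAT exemption list)."""
    m = re.search(rf"^nat \({iface}\) 0 access-list (\S+)", config, re.M)
    return acl_entries(config, m.group(1)) if m else []

def covered(entry, acl):
    """True if the (src, dst) pair is matched by some ACL entry, exactly or through an 'any' side."""
    return any(s in (ANY, entry[0]) and d in (ANY, entry[1]) for s, d in acl)

def check_l2l(a_cfg, a_ip, b_cfg, b_ip, map_name="outside_map", seq="20"):
    """Inconsistencies between crypto map entry `seq` on peers A and B; an empty list means consistent."""
    ea = crypto_map_entries(a_cfg, map_name).get(seq)
    eb = crypto_map_entries(b_cfg, map_name).get(seq)
    if not ea or not eb:
        return [f"crypto map {map_name} {seq} is missing on one side"]
    problems = []
    # 1. 'set peer' on each side must name the other side's outside address
    for label, e, ip in (("A", ea, b_ip), ("B", eb, a_ip)):
        if e.get("peer") != ip:
            problems.append(f"{label}: set peer {e.get('peer')} does not match the remote outside address {ip}")
    # 2. crypto ACLs must be exact mirror images, or the phase 2 proxy identities will not agree
    acl_a = acl_entries(a_cfg, ea.get("address", ""))
    acl_b = acl_entries(b_cfg, eb.get("address", ""))
    if sorted(acl_a) != sorted((d, s) for s, d in acl_b):
        problems.append("crypto ACLs are not mirror images")
    # 3. interesting traffic must be exempt from NAT on both sides (nat 0 access-list)
    for label, cfg, acl in (("A", a_cfg, acl_a), ("B", b_cfg, acl_b)):
        for e in acl:
            if not covered(e, nat0_entries(cfg)):
                problems.append(f"{label}: {e[0][0]}->{e[1][0]} is not in the nat 0 ACL")
    # 4. PFS group and transform algorithms must agree
    if ea.get("pfs") != eb.get("pfs"):
        problems.append(f"pfs mismatch: {ea.get('pfs')} vs {eb.get('pfs')}")
    ta = {transform_algs(a_cfg, n) for n in ea.get("transform-set", [])}
    tb = {transform_algs(b_cfg, n) for n in eb.get("transform-set", [])}
    if not ta & tb:
        problems.append("no transform set with matching algorithms")
    return problems

if __name__ == "__main__":
    print(check_l2l(PIX501, PIX501_OUTSIDE, PIX515, PIX515_OUTSIDE) or "consistent")
```

On the posted pair the script reports nothing, which fits the poster's observation that the tunnel does negotiate once packet-tracer generates interesting traffic; the same script flags a constructed variant in which the `nat (inside) 0` list covers only the remote-access pool and not the site-to-site subnets. A clean result rules out only these five points. When phase 2 completes but end-to-end traffic still fails, the next thing to compare is the encaps/decaps counters in `show crypto ipsec sa` on both peers while a ping runs, to see on which side packets stop being counted.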

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.