Multiple VPN endpoints on one Pix

Hi, I've got a PIX with two internet connections. I'm trying to move one of our site-to-site IPsec tunnels from one of the internet connections over to the other one.

  • The PIXes on both sides of the VPN tunnel are 515s, running 6.3.3.
  • The ISAKMP & IPsec tunnels come up correctly.
  • UDP traffic passes through the tunnel (I can send syslog across in both directions).
  • TCP traffic does NOT pass through the tunnel (see error below):

Oct 4 12:26:30 192.168.12.1 Oct 04 2006 15:59:05 spix : %PIX-6-106015: Deny TCP (no connection) from 10.0.0.52/22 to 192.168.10.102/57225 flags FIN ACK on interface outside

I think this is a NAT issue, but I'm not sure. Any/all help is appreciated.

The sanitized config of the PIX with 2 internet connections; the crypto map in question is "timewarner".

========================================================
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 speakeasy security0
hostname centurion
fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any time-exceeded
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list inside permit ip any any
access-list houston permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.253.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 10.0.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list att permit ip 10.0.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list pune permit ip 10.0.10.0 255.255.255.0 10.253.58.0 255.255.255.0
access-list pune permit ip 10.0.0.0 255.255.255.0 10.253.58.0 255.255.255.0
access-list speakeasy permit icmp any any echo-reply
access-list speakeasy permit icmp any any unreachable
access-list speakeasy permit icmp any any time-exceeded
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host inside 10.0.0.42
no logging message 305012
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu speakeasy 1500
ip address outside 24.x.x.x 255.255.255.248
ip address inside 10.0.15.1 255.255.255.0
ip address speakeasy 66.x.x.x 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 10.0.15.100-10.0.15.254
pdm history enable
arp timeout 14400
global (speakeasy) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
access-group outside in interface outside
access-group speakeasy in interface speakeasy
route speakeasy 0.0.0.0 0.0.0.0 66.x.x.x 1
route inside 10.0.0.0 255.255.255.0 10.0.15.2 1
route inside 10.0.1.0 255.255.255.0 10.0.15.2 1
route inside 10.0.10.0 255.255.255.0 10.0.15.2 1
route inside 10.0.12.0 255.255.255.0 10.0.15.2 1
*****static route sends traffic to savvis VPN thru timewarner
route outside 216.x.x.x 255.255.255.255 24.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set kiodex
crypto map outside 2 ipsec-isakmp
crypto map outside 2 match address houston
crypto map outside 2 set peer 209.x.x.x
crypto map outside 2 set transform-set kiodex
crypto map outside 3 ipsec-isakmp
crypto map outside 3 match address att
crypto map outside 3 set peer 63.x.x.x
crypto map outside 3 set transform-set kiodex
crypto map outside 4 ipsec-isakmp
crypto map outside 4 match address pune
crypto map outside 4 set peer 59.x.x.x
crypto map outside 4 set transform-set kiodex
crypto map outside 10 ipsec-isakmp dynamic dynmap
crypto map outside client authentication RADIUS
crypto map outside interface speakeasy
crypto map timewarner 1 ipsec-isakmp
crypto map timewarner 1 match address savvis
crypto map timewarner 1 set peer 216.x.x.x
crypto map timewarner 1 set transform-set kiodex
crypto map timewarner interface outside
isakmp enable outside
isakmp enable speakeasy
isakmp key ******** address 59.x.x.x netmask 255.255.255.255 no-xauth
isakmp key ******** address 63.x.x.x netmask 255.255.255.255
isakmp key ******** address 209.x.x.x netmask 255.255.255.255
isakmp key ******** address 216.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup 628vpn address-pool vpn
vpngroup 628vpn dns-server 10.0.0.10 10.0.0.12
vpngroup 628vpn wins-server 10.0.0.10 10.0.0.12
vpngroup 628vpn default-domain kdx.int
vpngroup 628vpn split-tunnel nonat
vpngroup 628vpn idle-time 1800
vpngroup 628vpn password ********
telnet timeout 10
ssh 63.x.x.x 255.255.255.255 outside
ssh 216.x.x.x 255.255.255.255 outside
ssh 10.0.0.0 255.255.0.0 inside
ssh 63.x.x.x 255.255.255.255 speakeasy
ssh 216.x.x.x 255.255.255.255 speakeasy
ssh timeout 30
console timeout 0
vpdn group 628pptp accept dialin pptp
vpdn group 628pptp ppp authentication mschap
vpdn group 628pptp ppp encryption mppe auto
vpdn group 628pptp client configuration address local vpn
vpdn group 628pptp client configuration dns 10.0.0.10 10.0.0.12
vpdn group 628pptp client configuration wins 10.0.0.10 10.0.0.12
vpdn group 628pptp client authentication aaa RADIUS
vpdn group 628pptp pptp echo 60
vpdn enable speakeasy
terminal width 80
====================================================

And the sanitized conf of the other PIX:

====================================================
PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 failover security20
nameif ethernet3 dmz security20
nameif ethernet4 e4 security0
nameif ethernet5 e5 security0
hostname spix
domain-name exodus.kiodex.com
fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
access-list soc2800 permit ip host 216.x.x.x host 65.197.254.5
access-list soc2800 permit ip host 216.x.x.x 63.108.175.0 255.255.255.0
access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.1
access-list inside permit ip 192.168.0.0 255.255.0.0 host 192.168.12.2
access-list inside permit icmp any any echo
access-list inside permit icmp any any unreachable
access-list inside permit icmp any any source-quench
access-list inside permit icmp any any time-exceeded
access-list inside remark ###### allow ftp to ftp.lim.com
access-list inside permit tcp 192.168.10.0 255.255.255.0 host 12.43.226.2 eq ftp
access-list inside permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside permit tcp host 192.168.10.157 any eq https
access-list inside permit tcp host 192.168.10.156 any eq smtp
access-list inside permit tcp host 192.168.10.156 any eq https
access-list inside permit udp host 192.168.10.156 any eq ntp
access-list inside permit udp host 192.168.10.157 any eq ntp
access-list inside permit udp host 192.168.10.157 any eq domain
access-list inside permit udp host 192.168.10.156 any eq domain
access-list inside permit tcp host 192.168.10.157 any eq domain
access-list inside permit tcp host 192.168.10.156 any eq domain
access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0 255.255.255.0 eq www
access-list inside permit tcp 192.168.10.0 255.255.255.0 209.132.177.0 255.255.255.0 eq https
access-list inside permit tcp 192.168.0.0 255.255.0.0 host 208.173.140.54 eq smtp
access-list inside permit tcp host 192.168.10.185 any eq smtp
access-list inside remark ##### allow all machines out to futuresource.com and xml.marketcenter.com on 4004
access-list inside permit tcp 192.168.10.0 255.255.255.0 any eq 4004
access-list inside remark ###### allow specific machines out
access-list inside permit tcp host 192.168.10.185 any eq www
access-list inside permit tcp host 192.168.10.185 any eq https
access-list inside permit tcp host 192.168.10.200 any eq www
access-list inside permit tcp host 192.168.10.201 any eq www
access-list inside permit tcp host 192.168.10.200 any eq https
access-list inside permit tcp host 192.168.10.201 any eq https
access-list inside permit tcp host 192.168.10.200 any eq ftp
access-list inside permit tcp host 192.168.10.201 any eq ftp
access-list inside permit tcp host 192.168.10.204 any eq www
access-list inside permit tcp host 192.168.10.204 any eq ftp
access-list inside permit tcp host 192.168.10.204 any eq https
access-list inside remark ###### LAN --> border network
access-list inside permit tcp 192.168.10.0 255.255.255.0 216.74.163.192 255.255.255.224 eq telnet
access-list inside remark #### allw VPN local pool ips
access-list inside permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any time-exceeded
access-list outside permit tcp any host 216.74.163.204 eq https
access-list outside permit tcp any host 216.74.163.204 eq www
access-list outside permit tcp any host 216.74.163.209 eq www
access-list outside permit tcp any host 216.74.163.209 eq https
access-list outside permit tcp any host 216.74.163.205 eq www
access-list outside permit tcp any host 216.74.163.205 eq https
access-list outside permit tcp any host 216.74.163.203 eq www
access-list outside permit tcp any host 216.74.163.203 eq https
access-list outside permit tcp any host 216.74.163.201 eq www
access-list outside permit tcp any host 216.74.163.201 eq https
access-list outside permit tcp any host 216.74.146.250 eq www
access-list outside remark ###### line 15-22 may be obsolete DSP 2.6.06
access-list outside permit tcp any host 216.74.163.202 eq 24
access-list outside remark ##### deny below added per SOC incident 19319363
access-list outside deny tcp any host 67.85.186.115
access-list outside permit udp 216.74.163.192 255.255.255.224 host 216.74.163.202 eq syslog
access-list 628broadway permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list 628broadway permit ip 192.168.11.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list 628broadway permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list 628broadway permit ip 192.168.13.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list exovpn permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list exovpn permit ip 192.168.11.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list nonat permit ip 192.168.11.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list nonat permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list nonat permit ip 192.168.13.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging standby
logging trap debugging
logging history informational
logging facility 23
logging device-id hostname
logging host outside 63.x.x.x
logging host inside 192.168.10.156
no logging message 302015
no logging message 302014
no logging message 302013
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu failover 1500
mtu dmz 1500
mtu e4 1500
mtu e5 1500
ip address outside 216.x.x.x 255.255.255.224
ip address inside 192.168.12.1 255.255.255.0
ip address failover 192.168.14.1 255.255.255.252
ip address dmz 216.x.x.x 255.255.255.240
no ip address e4
no ip address e5
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 172.16.1.1-172.16.1.100
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 216.x.x.x
failover ip address inside 192.168.12.2
failover ip address failover 192.168.14.2
failover ip address dmz 216.x.x.x
no failover ip address e4
no failover ip address e5
failover link failover
no pdm history enable
arp outside 216.74.163.193 0000.0c07.ac00 alias
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (inside) 1 192.168.13.0 255.255.255.0 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
router ospf 100
 network 192.168.12.0 255.255.255.0 area 0
 log-adj-changes
 redistribute static subnets
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa accounting include telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa accounting include tcp/22 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa accounting include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa accounting include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
crypto ipsec transform-set riptech esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set kiodex
crypto map outside 1 ipsec-isakmp
crypto map outside 1 match address 628broadway
crypto map outside 1 set peer 24.x.x.x
crypto map outside 1 set transform-set kiodex
crypto map outside 10 ipsec-isakmp
crypto map outside 10 match address soc2800
crypto map outside 10 set peer 65.x.x.x
crypto map outside 10 set transform-set riptech
crypto map outside 20 ipsec-isakmp dynamic dynmap
crypto map outside client authentication RADIUS
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address 65.x.x.x netmask 255.255.255.255
isakmp key ******** address 66.x.x.x netmask 255.255.255.255
isakmp key ******** address 24.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup exovpn address-pool vpn
vpngroup exovpn dns-server 192.168.10.156 192.168.10.157
vpngroup exovpn wins-server 192.168.10.200
vpngroup exovpn default-domain kdx.int
vpngroup exovpn split-tunnel exovpn
vpngroup exovpn idle-time 900
vpngroup exovpn password ********
telnet timeout 10
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
terminal width 80
====================================================
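As an added example (my code, not the poster's or Cisco's), the two things I would check first on a two-ISP PIX 6.3 config like the one above: that a crypto map's peer is reachable through the interface the map is bound to, and that every selector in the map's match-address ACL is covered by the nat 0 exemption ACL. It works on a small constructed excerpt with documentation-range peer and next-hop addresses; the sample nonat list is deliberately left one entry short so the second check fires.

```python
"""Added example (not from the post): check each static crypto map entry's peer
routes out of the map's bound interface and its selectors are NAT-exempt (nat 0)."""
import ipaddress
import re

# Constructed PIX 6.3 excerpt; 203.0.113.x / 198.51.100.x / 192.0.2.x are placeholders.
SAMPLE_CONFIG = """\
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list savvis permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
route speakeasy 0.0.0.0 0.0.0.0 198.51.100.1 1
route outside 203.0.113.10 255.255.255.255 192.0.2.1 1
crypto map timewarner 1 match address savvis
crypto map timewarner 1 set peer 203.0.113.10
crypto map timewarner interface outside
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    # Collects network/mask ACEs, static routes, crypto map entries and bindings.
    acls, routes, bind, entries, nonat = {}, [], {}, {}, None
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nonat = m[1]
        elif m := re.match(r"route (\S+) (\S+) (\S+) \S+ \d+", line):
            routes.append((m[1], net(m[2], m[3])))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            entries.setdefault((m[1], m[2]), {})["acl"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            entries.setdefault((m[1], m[2]), {})["peer"] = m[3]
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bind[m[1]] = m[2]
    return acls, routes, bind, entries, nonat

def egress(routes, peer):
    """Longest-prefix match: the interface a packet to `peer` leaves on."""
    hits = [(n.prefixlen, i) for i, n in routes if peer in n]
    return max(hits)[1] if hits else None

def check(cfg):
    acls, routes, bind, entries, nonat = parse(cfg)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        via = egress(routes, ipaddress.ip_address(e["peer"]))
        if via != bind.get(name):  # IPsec is applied only on the bound interface
            findings.append(f"{name} {seq}: peer {e['peer']} exits {via}, map bound to {bind.get(name)}")
        for src, dst in acls.get(e["acl"], []):
            if not any(src.subnet_of(s) and dst.subnet_of(d)
                       for s, d in acls.get(nonat, [])):
                findings.append(f"{name} {seq}: {src} -> {dst} not exempted by nat 0 ACL {nonat}")
    return findings
```

Removing the host route for the peer from the sample makes the first check fire too, which is the situation the poster's "static route sends traffic to savvis VPN thru timewarner" line is there to prevent.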
Reply to
dspnyc