I have a PIX 515e 7.0(4) - (H) and a PIX 515 7.1(2) - (S), and they are connected via IPsec pre-shared keys.
I was passing traffic just fine, went to lunch, and it was no longer working. I'm sure I must have changed something...
The VPN comes up, as I can see the L2L in the sessions. I can see outgoing traffic, though nothing coming back. The new PIX (S) can get out to the Internet too...
On the new PIX (S), I see messages on the console saying that it is denying traffic, though I thought I had all the ACLs set up... What did I miss?
Thanks!
Old PIX (H) Inside: 10.1.0.0/16 (NETWORK-H) Outside: 192.168.1.0/24
access-list inside_nat extended permit ip NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
access-list outside-H_cryptomap_40 extended permit ip NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
access-list outside-H_cryptomap_40 extended permit icmp NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
global (outside-H) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
nat (inside-H) 0 access-list inside_nat
nat (inside-H) 1 10.0.0.0 255.0.0.0
crypto ipsec transform-set vpnclient_set2 esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclient_set esp-des esp-md5-hmac
crypto ipsec transform-set vpn-des-set esp-des esp-md5-hmac
crypto ipsec transform-set olivet-set esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dynmap 10 set transform-set vpnclient_set vpnclient_set2
crypto dynamic-map olivet 1 set transform-set olivet-set
crypto map my_cry_map 999 ipsec-isakmp dynamic dynmap
crypto map vpn-des-dyn-map 21 ipsec-isakmp dynamic vpn-des
crypto map olivet-dyn-map 40 match address outside-H_cryptomap_40
crypto map olivet-dyn-map 40 set peer 192.168.3.2
crypto map olivet-dyn-map 40 set transform-set ESP-3DES-SHA
crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
crypto map olivet-dyn-map interface outside-H
isakmp enable outside-H
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash md5
isakmp policy 22 group 2
isakmp policy 22 lifetime 86400
isakmp policy 23 authentication pre-share
isakmp policy 23 encryption 3des
isakmp policy 23 hash md5
isakmp policy 23 group 2
isakmp policy 23 lifetime 86400
isakmp policy 24 authentication pre-share
isakmp policy 24 encryption des
isakmp policy 24 hash sha
isakmp policy 24 group 2
isakmp policy 24 lifetime 86400
isakmp policy 26 authentication pre-share
isakmp policy 26 encryption 3des
isakmp policy 26 hash sha
isakmp policy 26 group 2
isakmp policy 26 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
 trust-point enmvpnca
tunnel-group 192.168.3.2 type ipsec-l2l
tunnel-group 192.168.3.2 ipsec-attributes
 pre-shared-key *
New PIX (S) Inside: 10.2.0.0/16 (NETWORK-S) Outside: 192.168.3.0/24
access-list inside_nat extended permit ip NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
access-list outside-S_cryptomap_40 extended permit ip NETWORK-S 255.255.0.0 NETWORK-H 255.255.0.0
access-list outside-S_cryptomap_40 extended permit icmp NETWORK-S 255.255.0.0 NETWORK-H 255.255.0.0
global (outside-H) 1 192.168.3.100-192.168.3.200 netmask 255.255.255.0
nat (inside-S) 0 access-list inside_nat
nat (inside-S) 1 10.0.0.0 255.0.0.0
crypto ipsec transform-set vpnclient_set esp-des esp-md5-hmac
crypto ipsec transform-set vpnclient_set2 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnclient_set vpnclient_set2
crypto dynamic-map outside-S_dyn_map 1 set transform-set vpnclient_set vpnclient_set2 ESP-3DES-SHA
crypto map outside-S_map 40 match address outside-S_cryptomap_40
crypto map outside-S_map 40 set peer 192.168.1.2
crypto map outside-S_map 40 set transform-set ESP-3DES-SHA
crypto map outside-S_map 65535 ipsec-isakmp dynamic outside-S_dyn_map
crypto map outside-S_map interface outside-S
isakmp enable outside-S
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash md5
isakmp policy 22 group 2
isakmp policy 22 lifetime 86400
isakmp policy 23 authentication pre-share
isakmp policy 23 encryption 3des
isakmp policy 23 hash md5
isakmp policy 23 group 2
isakmp policy 23 lifetime 86400
isakmp policy 24 authentication pre-share
isakmp policy 24 encryption des
isakmp policy 24 hash sha
isakmp policy 24 group 2
isakmp policy 24 lifetime 86400
isakmp policy 26 authentication pre-share
isakmp policy 26 encryption 3des
isakmp policy 26 hash sha
isakmp policy 26 group 2
isakmp policy 26 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
 trust-point enmvpnca
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 pre-shared-key *
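As an added example (my own code, not from the post), a small Python checker that reads the site-to-site pieces of both configs and reports what an engineer compares by hand when a tunnel builds but return traffic dies: that each side's nat 0 and crypto ACLs read local to remote, that the two crypto ACLs mirror each other, and that global names an interface the box actually has. It assumes the object names NETWORK-H and NETWORK-S and the config lines exactly as posted above.

```python
import re

# Constructed excerpts of the two posted configs; NETWORK-H/NETWORK-S are the poster's object names.
PIX_H = """
access-list inside_nat extended permit ip NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
access-list outside-H_cryptomap_40 extended permit ip NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
global (outside-H) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
nat (inside-H) 0 access-list inside_nat
crypto map olivet-dyn-map 40 match address outside-H_cryptomap_40
crypto map olivet-dyn-map interface outside-H
"""
PIX_S = """
access-list inside_nat extended permit ip NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
access-list outside-S_cryptomap_40 extended permit ip NETWORK-S 255.255.0.0 NETWORK-H 255.255.0.0
global (outside-H) 1 192.168.3.100-192.168.3.200 netmask 255.255.255.0
nat (inside-S) 0 access-list inside_nat
crypto map outside-S_map 40 match address outside-S_cryptomap_40
crypto map outside-S_map interface outside-S
"""
ACE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) \S+ (\S+) \S+$")

def parse(cfg):
    """Collect ACEs as (proto, src, dst), the nat 0 and crypto ACL names, global ifaces, known ifaces."""
    info = {"acls": {}, "nat0": None, "crypto": None, "globals": [], "ifaces": set()}
    for line in cfg.strip().splitlines():
        if m := ACE.match(line):
            info["acls"].setdefault(m[1], set()).add((m[2], m[3], m[4]))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            info["nat0"] = m[2]
            info["ifaces"].add(m[1])
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            info["crypto"] = m[1]
        elif m := re.match(r"crypto map \S+ interface (\S+)", line):
            info["ifaces"].add(m[1])
        elif m := re.match(r"global \((\S+)\)", line):
            info["globals"].append(m[1])
    return info

def check(local, local_net, remote_net, peer):
    """Findings for one box: ACLs must read local->remote, crypto ACL must mirror the peer's, global iface must exist."""
    findings = []
    for key in ("nat0", "crypto"):
        for proto, src, dst in local["acls"].get(local[key], ()):
            if (src, dst) != (local_net, remote_net):
                findings.append(f"{key} ACL {local[key]}: {proto} {src}->{dst}, expected {local_net}->{remote_net}")
    mirror = {(p, d, s) for p, s, d in peer["acls"].get(peer["crypto"], ())}  # peer's crypto ACL, reversed
    if local["acls"].get(local["crypto"], set()) != mirror:
        findings.append(f"crypto ACL {local['crypto']} does not mirror the peer's")
    findings += [f"global ({i}) names an interface this box does not have" for i in local["globals"] if i not in local["ifaces"]]
    return findings
```

Run `check(parse(PIX_S), "NETWORK-S", "NETWORK-H", parse(PIX_H))` for the (S) side and `check(parse(PIX_H), "NETWORK-H", "NETWORK-S", parse(PIX_S))` for the (H) side; the (H) side comes back clean, the (S) side reports its nat 0 ACL reading NETWORK-H to NETWORK-S and its global bound to outside-H.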