PIX 515e: more than one L2L VPN doesn't work.

Hello, I have this initial config with one l2l vpn with a firewall Zyxel Zywall 2plus:

: Saved
:
PIX Version 7.2(2)
!
hostname pixfirewall
domain-name mydomain.net
enable password * encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.1.5 255.255.255.0
!
interface Ethernet0.2
 vlan 2
 nameif dmz
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
passwd * encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup dmz
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 208.67.220.220
 name-server 208.67.222.222
 domain-name mydomain.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any any eq 50080
access-list outside_access_in extended permit tcp any any eq 50000
access-list outside_access_in extended permit tcp any any eq 4002
access-list outside_access_in extended permit tcp any any eq 4004
access-list outside_access_in extended permit tcp any any eq 4003
access-list outside_access_in extended permit tcp any any eq 4001
access-list outside_access_in extended permit tcp any any eq 8080
access-list outside_access_in extended permit tcp any any eq 8085
access-list outside_access_in extended permit tcp any any eq 4000
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq sqlnet
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq imap4
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 192.168.100.0 255.255.255.0 192.168.122.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 8096
logging console emergencies
logging asdm informational
logging from-address snipped-for-privacy@mydomain.net
logging host inside 192.168.0.201 format emblem
logging permit-hostdown
mtu outside 1500
mtu dmz 1500
mtu inside 1500
failover
monitor-interface outside
monitor-interface dmz
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 50080 192.168.0.247 50080 netmask 255.255.255.255
static (inside,outside) tcp interface 50000 192.168.0.247 50000 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.0.248 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 4002 192.168.0.248 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 4001 192.168.0.247 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 8085 192.168.0.201 8085 netmask 255.255.255.255
static (inside,outside) tcp interface 4000 192.168.0.201 ssh netmask 255.255.255.255
static (dmz,outside) tcp interface www 192.168.100.100 www netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 192.168.100.99 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 192.168.100.99 pop3 netmask 255.255.255.255
static (dmz,outside) tcp interface imap4 192.168.100.99 imap4 netmask 255.255.255.255
static (inside,dmz) tcp interface 8010 192.168.0.248 8009 netmask 255.255.255.255
static (inside,dmz) tcp interface 8009 192.168.0.247 8009 netmask 255.255.255.255
static (inside,outside) tcp interface sqlnet 192.168.0.250 sqlnet netmask 255.255.255.255
static (inside,outside) tcp interface 4004 192.168.0.252 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 4003 192.168.0.251 ssh netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer PEER_IP_1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group PEER_IP_1 type ipsec-l2l
tunnel-group PEER_IP_1 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group-map default-group DefaultL2LGroup
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
ntp server 193.228.143.13 source outside
smtp-server 192.168.100.99
prompt hostname context
Cryptochecksum:787603cb70c182231dd8937b5647b898
: end
asdm image flash:/asdm
no asdm history enable

This configuration is mainly generated via the ASDM interface. If there is only this VPN to PEERIPADDRESS_1, the tunnel comes up and traffic passes through. From the DMZ I can ping the remote LAN 192.168.122.0 and everything seems to be OK.

Now, after adding the following to the configuration, both tunnels come up, but no traffic passes over the VPN:

access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.131.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.100.0 255.255.255.0 192.168.131.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer PEER_IP_2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
tunnel-group PEER_IP_2 type ipsec-l2l
tunnel-group PEER_IP_2 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable

Logs on the PIX seem to be right, but no data (ping, SSH, HTTP, or other) comes from or goes to the remote ZyWALL.
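When a second crypto map entry is added and traffic stops, the first things worth checking on the PIX side are purely static: every crypto map sequence has a match ACL, a peer and a transform-set; the peer has an L2L tunnel-group; every crypto ACL pair is exempted from NAT by a nat 0 ACL; and no two sequences' crypto ACLs overlap (the first matching sequence wins, so an overlap silently sends one peer's traffic to the other SA). The script below is an added example, not part of the original post. It parses the relevant lines of the poster's config (reduced to the ACL, nat 0, crypto map and tunnel-group commands, with the PEER_IP_1 / PEER_IP_2 placeholders kept as in the post) and runs those four checks; the two "broken" variants are constructed here to show what a finding looks like.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the lines of the poster's two-tunnel config that the checks read.
SAMPLE_CONFIG = """\
access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.131.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 192.168.100.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.100.0 255.255.255.0 192.168.131.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer PEER_IP_1
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer PEER_IP_2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
tunnel-group PEER_IP_1 type ipsec-l2l
tunnel-group PEER_IP_2 type ipsec-l2l
"""

# Constructed fault 1: the nat 0 exemption for the second peer's LAN was forgotten.
BROKEN_NAT0_CONFIG = SAMPLE_CONFIG.replace(
    "access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.131.0 255.255.255.0\n", "")

# Constructed fault 2: the first crypto ACL is widened to 192.168.0.0/16 and swallows the second peer's LAN.
OVERLAP_CONFIG = SAMPLE_CONFIG.replace(
    "access-list outside_cryptomap_10 extended permit ip 192.168.100.0 255.255.255.0 192.168.122.0 255.255.255.0",
    "access-list outside_cryptomap_10 extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.0.0")

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
CMAP_KEYS = {"match address": "acl", "set peer": "peer", "set transform-set": "ts"}


def parse(config_text):
    """Collect permit-ip ACL entries, nat 0 bindings, crypto map entries and L2L tunnel-groups."""
    acls = defaultdict(list)      # acl name -> [(src_network, dst_network)]
    nat0 = {}                     # interface -> nat 0 acl name
    cmaps = defaultdict(dict)     # (map name, seq) -> {"acl": ..., "peer": ..., "ts": ...}
    l2l = set()                   # peers that have 'tunnel-group <peer> type ipsec-l2l'
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := CMAP_RE.match(line):
            name, seq, kind, value = m.groups()
            cmaps[(name, int(seq))][CMAP_KEYS[kind]] = value
        elif m := TG_RE.match(line):
            l2l.add(m.group(1))
    return acls, nat0, cmaps, l2l


def check(config_text):
    """Return a list of human-readable findings; an empty list means the static checks pass."""
    acls, nat0, cmaps, l2l = parse(config_text)
    findings, entries = [], []
    for (name, seq), entry in sorted(cmaps.items()):
        tag = f"{name} {seq}"
        for key, label in (("acl", "match address"), ("peer", "set peer"), ("ts", "set transform-set")):
            if key not in entry:
                findings.append(f"{tag}: missing '{label}'")
        if "peer" in entry and entry["peer"] not in l2l:
            findings.append(f"{tag}: peer {entry['peer']} has no 'tunnel-group ... type ipsec-l2l'")
        if "acl" in entry and entry["acl"] not in acls:
            findings.append(f"{tag}: crypto ACL {entry['acl']} is undefined or has no permit ip entries")
        for src, dst in acls.get(entry.get("acl"), []):
            entries.append((tag, src, dst))
            # The interesting traffic must be excluded from dynamic NAT by some nat 0 ACL entry.
            exempt = any(src.subnet_of(ns) and dst.subnet_of(nd)
                         for acl_name in nat0.values() for ns, nd in acls.get(acl_name, []))
            if not exempt:
                findings.append(f"{tag}: {src} -> {dst} is not exempted from NAT (nat 0)")
    # Crypto ACLs of different sequences must not overlap: the lower sequence wins the match.
    for i, (t1, s1, d1) in enumerate(entries):
        for t2, s2, d2 in entries[i + 1:]:
            if t1 != t2 and s1.overlaps(s2) and d1.overlaps(d2):
                findings.append(f"{t1} and {t2}: crypto ACLs overlap ({s1} -> {d1} vs {s2} -> {d2})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("missing nat 0", BROKEN_NAT0_CONFIG), ("overlap", OVERLAP_CONFIG)):
        print(f"[{label}]", check(cfg) or "no findings")
```

The posted lines pass all four checks, which is the useful negative result: if the PIX-side crypto ACLs, NAT exemption and tunnel-groups are consistent, the remaining suspects are the phase 2 proxy IDs and NAT settings on each ZyWALL, so `show crypto ipsec sa` on the PIX (encaps/decaps counters per peer) tells you which direction is actually carrying packets. Feed the script a full `show running-config` dump; lines it does not recognise are ignored.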

leuzz