PIX VPN help.

I have a simple site to site vpn - but one issue that I am not sure how to address...

My network is on 192.168.10.xxx; however, the IP I need to come into the remote site on is 192.168.100.xxx. How do I adjust my routes to accommodate this?

thanks

J1C

Shouldn't have to if the VPN devices are on the path of your default gateways.

Brian V


LAN----PIX------INTERNET/VPN------PIX-----LAN

There is no routing you need to add; it is handled by your PCs' default gateways (the Pixes) and the crypto maps on the Pixes. You do not add any routes to anything.

LAN-------ROUTER-----PIX-----INTERNET/VPN------PIX----LAN

Again, there is no routing you need to add. The PC has the router as a default gateway, the router has the Pix as the default gateway, and the crypto maps take care of it.

As long as the VPN devices are in the path that your traffic takes to get to the internet there is no need to add any routing, the crypto maps on the Pix take care of it.

LAN------Router------Internet/VPN------Router-----LAN

Exception to the above: when using routers and GRE tunnels with IPSEC encapsulation you may need to add routes pointing to the tunnel interfaces, depending on your configuration.

Brian V

Man, you really are NOT giving us a lot to go on...no configs, no ideas on what kind of connection you are using. I just checked the crystal ball, it said to search Cisco or Google for "troubleshooting VPN connections" or "debug VPN connections".

Brian V

Yes, I'm sorry - here is some more info... The connection would look like this:

Server on LAN (192.168.10.10; 192.168.100.10) -> PIX 506 -> Internet/VPN -> Cisco VPN 3030 -> LAN

PIX config:

access-list no_nat permit ip 192.168.100.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list outside_cryptomap_1 permit ip 192.168.100.0 255.255.255.0 10.10.1.0 255.255.255.0
crypto ipsec transform-set ah-sha-hmac esp-3des esp-sha-hmac
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address outside_cryptomap_1
crypto map vpnmap 1 set pfs group2
crypto map vpnmap 1 set peer ip.ip.ip.ip
crypto map vpnmap 1 set transform-set ah-sha-hmac
isakmp key ******** address ip.ip.ip.ip netmask 255.255.255.255
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

J1C

Thanks for bottom posting, makes working with you much easier. What's the 192.168.10.10 address? That's not in your maps. Do you have sysopt connect permit-ipsec in the Pix? What do the logs on the concentrator say? Those are the easiest to read. What does a show crypto sa show on the Pix? Are you sure you have the correct parameters? Those are not standard on the 3030; they would have had to have been manually entered. Everything you need, including troubleshooting, should be in this config example.
Brian V

No prob :) Thanks for the help.

The 10.10 is my default network; the 100.10 is the IP range that I have to use to connect to the remote host. The servers on the LAN are in the 192.168.10.x range; the IP I need to use to get into the host is the 100.10.

Yes, the sysopt connect permit-ipsec is there.

The concentrator does not see the inbound requests at all.

show crypto sa shows 0 in/outbound packets

The params were confirmed with the remote site.

J1C

Do you have the static NAT statement in there nat'ing 192.168.10.X to 192.168.100.X?

static (inside,outside) 192.168.100.0 192.168.10.0 netmask 255.255.255.0

The concentrator log should definitely be showing something; are you sure the peer is correct?

Post your entire pix config please. Just X out the vital stuff, don't mask any of the privates.

Brian V

The static NAT is in place.

Using debug packet I can see the requests leaving my 192.168.10.x network to the remote network (10.10.1.0); however, nothing from the 192.168.100.x.

I will post the config shortly - might take a while to X out the good stuff.

J1C


I am told the concentrator is not seeing anything on the logs from my location. When I use debug isakmp sa I see the tunnels created for all other VPNs *but* the 110 crypto. I have rebuilt it - the policies and maps have changed a bit from above but the settings are identical.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 6AT0WpjYku5T765F encrypted
passwd T/rIC0r.S2zqXDPf encrypted
hostname pixfirewall
domain-name corporate.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.62.50.2 SNB-WEB-02
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host a.a.a.102 eq smtp
access-list 100 permit tcp any host a.a.a.106 range 1510 1525
access-list 100 permit udp any host a.a.a.102 eq 113
access-list 100 permit tcp any host a.a.a.102 eq ident
access-list 100 permit tcp any host a.a.a.109 eq www
access-list 100 permit tcp any host a.a.a.108 eq www
access-list 100 permit tcp any host a.a.a.110 eq www
access-list 100 permit tcp any host a.a.a.110 eq https
access-list 100 permit tcp any host a.a.a.112 eq www
access-list 100 permit tcp any host a.a.a.111 eq www
access-list 100 permit tcp any host a.a.a.113 eq www
access-list 100 permit tcp any host a.a.a.114 eq https
access-list 100 permit tcp any host a.a.a.114 eq www
access-list 100 permit tcp any host a.a.a.109 eq pop3
access-list 100 permit tcp any host a.a.a.109 eq smtp
access-list 100 permit tcp any host a.a.a.118 eq www
access-list 100 permit tcp any host a.a.a.118 eq https
access-list 100 permit tcp any host a.a.a.117 eq www
access-list 100 permit tcp any host a.a.a.109 eq https
access-list 100 permit tcp any host a.a.a.101 eq www
access-list 100 permit tcp any host a.a.a.103 eq www
access-list 100 permit tcp any host a.a.a.116 eq www
access-list 100 permit tcp any host a.a.a.119 eq www
access-list 100 permit tcp any host a.a.a.120 eq www
access-list 100 permit tcp any host a.a.a.121 eq www
access-list 100 permit tcp any host a.a.a.122 eq www
access-list 100 permit tcp any host a.a.a.123 eq www
access-list 100 permit tcp any host a.a.a.124 eq www
access-list 100 permit tcp any host b.b.b.192 eq www
access-list 100 permit tcp any host b.b.b.193 eq www
access-list 100 permit tcp any host b.b.b.194 eq www
access-list 100 permit tcp any host b.b.b.195 eq www
access-list 100 permit tcp any host b.b.b.197 eq www
access-list 100 permit tcp any host b.b.b.198 eq www
access-list 100 permit tcp any host b.b.b.197 eq https
access-list 100 permit tcp any host b.b.b.206 eq www
access-list 100 permit tcp any host b.b.b.201 eq www
access-list 100 permit tcp any host b.b.b.202 eq www
access-list 100 permit tcp any host b.b.b.203 eq www
access-list 100 permit tcp any host b.b.b.204 eq www
access-list 100 permit tcp any host a.a.a.122 eq https
access-list 100 permit tcp any host a.a.a.117 eq https
access-list 100 permit tcp any host a.a.a.103 eq https
access-list 100 permit tcp any host a.a.a.108 eq https
access-list 100 permit tcp any host c.c.c.66 eq www
access-list 100 permit tcp any host b.b.b.195 eq https
access-list 100 permit tcp any host c.c.c.69 eq www
access-list 100 permit tcp any host b.b.b.205 eq www
access-list 100 permit tcp any host b.b.b.205 eq https
access-list 100 permit tcp any host c.c.c.68 eq www
access-list 100 permit tcp any host c.c.c.70 eq www
access-list 100 permit tcp any host c.c.c.71 eq www
access-list 100 permit tcp any host c.c.c.72 eq www
access-list 100 permit tcp any host c.c.c.73 eq www
access-list 100 permit tcp any host c.c.c.73 eq https
access-list 100 permit tcp any host c.c.c.74 eq www
access-list 100 permit tcp any host c.c.c.75 eq www
access-list 100 permit tcp any host c.c.c.76 eq www
access-list 100 permit tcp any host c.c.c.77 eq www
access-list 100 permit tcp any host b.b.b.199 eq www
access-list 100 permit tcp any host c.c.c.74 eq https
access-list 100 permit tcp host d.d.d.134 host a.a.a.100 eq https
access-list 100 permit tcp host d.d.d.134 host a.a.a.108 eq ssh
access-list 100 permit tcp host d.d.d.134 host a.a.a.109 eq imap4
access-list 100 permit tcp host d.d.d.134 host a.a.a.108 eq ftp
access-list 100 permit tcp host d.d.d.134 host a.a.a.110 eq ftp
access-list 100 permit tcp any host b.b.b.196 eq www
access-list 100 permit tcp any host c.c.c.67 eq www
access-list 100 permit tcp host d.d.d.134 host a.a.a.109 eq ftp
access-list 100 permit tcp any host c.c.c.65 eq www
access-list 100 permit tcp host d.d.d.134 host a.a.a.117 eq ftp
access-list 100 permit tcp any host c.c.c.78 eq www
access-list 100 permit tcp any host b.b.b.198 eq https
access-list 100 permit tcp any host b.b.b.200 eq www
access-list 100 permit tcp any host c.c.c.64 eq www
access-list 100 permit tcp any host a.a.a.104 eq www
access-list 100 permit tcp any host a.a.a.99 eq www
access-list 100 permit tcp any host a.a.a.99 eq https
access-list 100 permit tcp any host e.e.e.34 eq www
access-list 100 permit tcp any host e.e.e.35 eq www
access-list 100 permit tcp any host a.a.a.118 eq ftp
access-list 100 permit tcp any host a.a.a.101 eq https
access-list 100 permit tcp host d.d.d.134 host a.a.a.109 eq 3389
access-list 100 permit tcp host d.d.d.134 host a.a.a.108 eq 3389
access-list 100 permit tcp host d.d.d.134 host a.a.a.110 eq 3389
access-list 100 permit tcp any host a.a.a.110 eq ftp
access-list 100 permit tcp any host a.a.a.108 eq ssh
access-list 100 permit tcp any host a.a.a.118 eq 3389
access-list 100 permit tcp any host a.a.a.102 eq 3389
access-list 100 permit tcp any host a.a.a.117 eq 3389
access-list outside_cryptomap_70 permit ip host 192.168.10.70 host 10.62.4.14
access-list outside_cryptomap_70 permit ip host 192.168.10.70 host 10.62.4.10
access-list outside_cryptomap_70 permit ip host 192.168.10.70 host 10.62.4.48
access-list no_nat permit ip 192.168.10.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no_nat permit ip host 192.168.10.70 host 10.62.4.48
access-list no_nat permit ip host 192.168.10.70 host 172.20.4.105
access-list no_nat permit ip host 192.168.10.70 host 10.62.4.14
access-list no_nat permit ip host 192.168.10.70 host 10.62.4.10
access-list no_nat permit ip host 192.168.10.70 host 10.62.50.2
access-list no_nat permit ip 192.168.100.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list split_tunnel permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 105 permit ip host 192.168.10.70 host 172.20.4.105
access-list outside_cryptomap_110 permit ip 192.168.100.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list outside_cryptomap_90 permit ip host 192.168.10.70 host 10.62.50.2
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside 192.168.10.32
mtu outside 1500
mtu inside 1500
ip address outside a.a.a.98 255.255.255.224
ip address inside 10.98.74.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name idsinfo info action alarm
ip audit name idsattack attack action alarm drop reset
ip audit interface outside idsinfo
ip audit interface outside idsattack
ip audit info action alarm
ip audit attack action alarm
ip local pool ip-pool 10.0.1.1-10.0.1.10
no pdm history enable
arp timeout 14400
global (outside) 1 a.a.a.105
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) a.a.a.100 192.168.10.12 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.101 10.98.74.10 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.102 192.168.10.21 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.103 10.98.74.20 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.106 192.168.10.23 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.112 192.168.10.52 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.113 192.168.10.41 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.114 192.168.10.31 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.116 10.98.74.110 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.119 10.98.74.90 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.120 192.168.10.76 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.121 10.98.74.100 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.122 10.98.74.30 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.123 10.98.74.40 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.124 10.98.74.50 netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.203 10.98.74.180 netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.205 10.98.74.210 netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.206 192.168.10.102 netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.66 10.98.74.190 netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.69 10.98.74.200 netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.70 10.98.74.220 netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.72 10.98.74.240 netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.73 10.98.74.250 netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.77 10.98.74.254 netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.199 10.98.74.31 netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.74 10.98.74.251 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.117 192.168.10.70 dns netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.75 10.98.74.252 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.110 192.168.10.50 dns netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.202 10.98.74.175 netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.196 10.98.74.196 netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.76 10.98.74.111 netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.118 192.168.10.62 dns netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.67 10.98.74.112 dns netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.197 192.168.10.200 netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.198 10.98.74.114 dns netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.107 192.168.10.24 dns netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.108 192.168.10.30 dns netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.109 192.168.10.40 dns netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.65 10.98.74.113 dns netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.78 10.98.74.115 dns netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.192 10.98.74.70 dns netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.193 10.98.74.80 dns netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.194 10.98.74.60 dns netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.195 10.98.74.120 dns netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.201 10.98.74.160 dns netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.99 10.98.74.116 dns netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.200 10.98.74.117 dns netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.64 10.98.74.118 dns netmask 255.255.255.255 0 0
static (inside,outside) a.a.a.104 10.98.74.119 dns netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.68 10.98.74.121 netmask 255.255.255.255 0 0
static (inside,outside) e.e.e.34 10.98.74.122 netmask 255.255.255.255 0 0
static (inside,outside) e.e.e.35 10.98.74.123 netmask 255.255.255.255 0 0
static (inside,outside) c.c.c.71 192.168.10.51 netmask 255.255.255.255 0 0
static (inside,outside) b.b.b.204 192.168.10.114 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.100.0 192.168.10.0 netmask 255.255.255.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 a.a.a.97 1
route inside 192.168.10.0 255.255.255.0 10.98.74.2 1
route inside 192.168.100.0 255.255.255.0 10.98.74.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.10.30 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ah-sha-hmac esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1000 set transform-set trmset1
crypto map vpnmap 50 ipsec-isakmp
crypto map vpnmap 50 match address 105
crypto map vpnmap 50 set peer aaa.aaa.aaa.aaa
crypto map vpnmap 50 set transform-set ESP-3DES-MD5
crypto map vpnmap 70 ipsec-isakmp
crypto map vpnmap 70 match address outside_cryptomap_70
crypto map vpnmap 70 set peer bbb.bbb.bbb.bbb
crypto map vpnmap 70 set transform-set ESP-3DES-MD5
crypto map vpnmap 90 ipsec-isakmp
crypto map vpnmap 90 match address outside_cryptomap_90
crypto map vpnmap 90 set peer ccc.ccc.ccc.ccc
crypto map vpnmap 90 set transform-set ESP-3DES-MD5
crypto map vpnmap 110 ipsec-isakmp
crypto map vpnmap 110 match address outside_cryptomap_110
crypto map vpnmap 110 set peer ddd.ddd.ddd.ddd
crypto map vpnmap 110 set transform-set ah-sha-hmac
crypto map vpnmap 1000 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address aaa.aaa.aaa.aaa netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address bbb.bbb.bbb.bbb netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address ccc.ccc.ccc.ccc netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address ddd.ddd.ddd.ddd netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 10
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption aes-256
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 86400
isakmp policy 3 authentication rsa-sig
isakmp policy 3 encryption des
isakmp policy 3 hash sha
isakmp policy 3 group 1
isakmp policy 3 lifetime 86400
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption 3des
isakmp policy 4 hash sha
isakmp policy 4 group 2
isakmp policy 4 lifetime 28800
vpngroup corporatevpn address-pool ip-pool
vpngroup corporatevpn dns-server 192.168.10.20
vpngroup corporatevpn wins-server 192.168.10.10
vpngroup corporatevpn split-tunnel split_tunnel
vpngroup corporatevpn idle-time 1800
vpngroup corporatevpn user-idle-timeout 1800
vpngroup corporatevpn password ********
telnet 192.168.10.10 255.255.255.255 inside
telnet timeout 5
ssh d.d.d.134 255.255.255.255 outside
ssh timeout 15
console timeout 0
terminal width 80
J1C

Your config looks perfect, I see nothing wrong with it. If they are not seeing anything in their logs they have something upstream blocking the VPN connection. Perhaps another firewall. Even if he had the peer mis-configured your requests would be showing up in his logs. Are you 100%, make that 110% certain you have the correct peer IP for them?

Brian V

Thanks, I will double check everything :) Maybe try their backup peer too.

Was this necessary?

J1C

I didn't even look at the routes, only at the VPN stuff, and looked for an inside ACL... no, that definitely should not be there. The Pix already knows who .100 is via its static statements. Does 10.98.74.2 know that to get to the 10.10.1.X subnet it should go to the Pix? If its DG is the Pix, then yes, it already does; if its DG is something else, then that device needs to know how to get there... via DG is fine.

Brian V

Yanked that out.

Sorry, I am not sure about your second question. How could I confirm that?

J1C

Also, does the 192.168.100.xxx IP have to live on a separate NIC? Does it even have to exist, as there is the static NAT in place? When I do a ping to the remote network, the origin traffic is from 192.168.10.xxx, not 192.168.100.xxx.

J1C

You should not have anything on the server reflecting the .100 subnet; that is what the NAT statement in the Pix is doing: it is converting .10 to .100.

Brian V
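The order of operations Brian is describing (the static rewrites the source first, and only then is the crypto map consulted, so the interesting-traffic ACL has to name the translated 192.168.100.0 addresses) is easy to see in a small simulation of the outbound path. The Python below is an added example written for this page; it is not code from the thread, from the PIX or from Cisco. It models only the VPN-relevant lines of the config posted above, stands the masked a.a.a.x public addresses in with the 203.0.113.x documentation range, names the four peers peer-aaa through peer-ddd, and uses a most-specific-static-first rule that is this model's own assumption, not a statement about how the PIX orders overlapping statics.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # one "permit ip <src> <dst>" line: (source net, destination net)


def _net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


# Constructed model of the VPN-relevant parts of the posted PIX 6.3 config.
# a.a.a.x is stood in for by 203.0.113.x (documentation range); peers are named
# peer-aaa..peer-ddd. None of this is the PIX's own code.
CONNECTED = [("inside", _net("10.98.74.1/24")), ("outside", _net("203.0.113.98/27"))]
ROUTES = [  # route <iface> <net> <mask> <gateway>; the 192.168.100.0 inside route is left out
    ("outside", _net("0.0.0.0/0"), IP("203.0.113.97")),
    ("inside", _net("192.168.10.0/24"), IP("10.98.74.2")),
]
NAT_EXEMPT: List[Pair] = [  # nat (inside) 0 access-list no_nat
    (_net("192.168.10.0/24"), _net("10.0.1.0/24")),
    (_net("192.168.10.70/32"), _net("10.62.4.48/32")),
    (_net("192.168.10.70/32"), _net("172.20.4.105/32")),
    (_net("192.168.10.70/32"), _net("10.62.4.14/32")),
    (_net("192.168.10.70/32"), _net("10.62.4.10/32")),
    (_net("192.168.10.70/32"), _net("10.62.50.2/32")),
    (_net("192.168.100.0/24"), _net("10.10.1.0/24")),
]
STATICS: List[Pair] = [  # static (inside,outside) <global> <local>: (global net, local net)
    (_net("203.0.113.117/32"), _net("192.168.10.70/32")),
    (_net("192.168.100.0/24"), _net("192.168.10.0/24")),  # the .10 -> .100 rewrite at issue
]
PAT_GLOBAL = IP("203.0.113.105")  # global (outside) 1 a.a.a.105
CRYPTO_MAP = [  # crypto map vpnmap <seq>: (seq, match-address ACL, peer); static entries only
    (50, [(_net("192.168.10.70/32"), _net("172.20.4.105/32"))], "peer-aaa"),
    (70, [(_net("192.168.10.70/32"), _net(d))
          for d in ("10.62.4.14/32", "10.62.4.10/32", "10.62.4.48/32")], "peer-bbb"),
    (90, [(_net("192.168.10.70/32"), _net("10.62.50.2/32"))], "peer-ccc"),
    (110, [(_net("192.168.100.0/24"), _net("10.10.1.0/24"))], "peer-ddd"),
]


@dataclass
class Decision:
    egress: str                 # interface the PIX routes the packet to
    translated_src: str         # source address after NAT, as seen on the wire
    nat: str                    # "none", "exempt", "static" or "pat"
    crypto_seq: Optional[int]   # crypto map entry whose ACL matched, if any
    peer: Optional[str]         # IPsec peer the packet would be tunnelled to


def egress_interface(dst: IP) -> str:
    """Longest-prefix match over connected networks and configured routes."""
    candidates = [(n.prefixlen, i) for i, n in CONNECTED if dst in n]
    candidates += [(n.prefixlen, i) for i, n, _ in ROUTES if dst in n]
    return max(candidates)[1]


def _acl_match(acl: List[Pair], src: IP, dst: IP) -> bool:
    return any(src in s and dst in d for s, d in acl)


def translate(src: IP, dst: IP) -> Tuple[IP, str]:
    """nat 0 exemption wins; otherwise the most specific static; otherwise PAT."""
    if _acl_match(NAT_EXEMPT, src, dst):
        return src, "exempt"
    # Most-specific-first is this model's rule, not a claim about PIX static ordering.
    for glob, local in sorted(STATICS, key=lambda p: -p[1].prefixlen):
        if src in local:  # a plain (non-policy) static rewrites regardless of destination
            return glob.network_address + (int(src) - int(local.network_address)), "static"
    return PAT_GLOBAL, "pat"


def forward(src: str, dst: str) -> Decision:
    """Outbound path: route, then NAT, then crypto-map match on the translated source."""
    s, d = IP(src), IP(dst)
    iface = egress_interface(d)
    if iface != "outside":  # the crypto map is bound to the outside interface only
        return Decision(iface, src, "none", None, None)
    tsrc, how = translate(s, d)
    for seq, acl, peer in CRYPTO_MAP:  # lowest sequence number first
        if _acl_match(acl, tsrc, d):
            return Decision(iface, str(tsrc), how, seq, peer)
    return Decision(iface, str(tsrc), how, None, None)


if __name__ == "__main__":
    # Constructed sample packets: the server at issue, the .70 host, a host with no static.
    for s, d in [("192.168.10.10", "10.10.1.5"), ("192.168.10.70", "10.62.4.14"),
                 ("10.98.74.50", "198.51.100.7")]:
        print(f"{s} -> {d}: {forward(s, d)}")
```

Running it, the server's packet to 10.10.1.5 leaves the PIX with source 192.168.100.10 and lands on crypto map entry 110, while the server itself keeps 192.168.10.10, which is exactly why nothing on the server should reflect the .100 subnet. It also shows that the no_nat line for 192.168.100.0 never fires on outbound traffic in this model, because the pre-translation source is always 192.168.10.x; it is the static, not the exemption, that produces the .100 address.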

What is the device 10.98.74.2? I'm guessing it's a router or a layer 3 switch. Does that also have the 192.168.10.X subnet on it?

The 192.168.10.X subnet has a default gateway; whatever that device is, it needs to have a route for the 10.10.1.X subnet OR a default route pointing to the Pix.

Brian V

The 10.98.74.2 is a load balancer that just passes traffic through.

J1C
