PIX VPN trouble to see other side

Hi,

I have to set up a VPN connection to one of our contractors. This is a temporary link while we test some software. On my side I have a PIX 515 ver 6.0(1). On their side they have a SonicWall (don't know which version or model).

On my side I'm able to establish a tunnel and ping one of their workstations from the PIX, but not from one of my workstations. If I try to ping, or connect to, one of their machines from my workstation, I see the PIX trying to establish a tunnel, but I never get an answer. I don't have access to their side of the config, but they assure me that it's my PIX access-list's fault. They won't help me with it since they don't want to break it.

Here's my config: every address that starts with xxx.xxx is mine, all yyy.yyy ones are theirs. The crypto map is VPNCCI. Don't look at VPN-GERS because that works as intended.

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security90
enable password ******************* encrypted
passwd ********************* encrypted
hostname pixfirewall
domain-name xxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
name 192.168.1.2 DMZ-EMAIL
name 10.0.0.35 IN-EMAIL-NOV
name xxx.xxx.244.2 OUT-EMAIL
name 10.0.0.41 IN-LOCAL-DNS
access-list vpn_list permit ip 10.0.0.0 255.0.0.0 yyy.yyy.197.0 255.255.255.0
access-list vpn_list permit ip 10.0.0.0 255.0.0.0 192.168.254.0 255.255.255.0
access-list from_out permit tcp any host xxx.xxx.244.2 eq smtp
access-list from_out deny ip any any
access-list from_dmz permit icmp 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list from_dmz permit udp 192.168.1.0 255.255.255.0 host 10.0.0.41 eq domain
access-list from_dmz permit tcp 192.168.1.0 255.255.255.0 host 10.0.0.41 eq domain
access-list from_dmz deny ip any 10.0.0.0 255.255.0.0
access-list from_dmz permit tcp 192.168.1.0 255.255.255.0 any
access-list VPN-GERS permit ip host aaa.aaa.5.65 aaa.aaa.255.128 255.255.255.192
access-list VPN-GERS permit ip host aaa.aaa.5.66 aaa.aaa.255.128 255.255.255.192
access-list VPN-GERS permit ip host aaa.aaa.0.54 aaa.aaa.255.128 255.255.255.192
access-list VPN-GERS permit ip host 10.0.0.38 aaa.aaa.255.128 255.255.255.192
access-list VPNCCI permit ip 10.0.0.0 255.0.0.0 yyy.yyy.197.0 255.255.255.0
access-list VPNCCI permit ip host xxx.xxx.244.30 yyy.yyy.197.0 255.255.255.0
access-list VPNCCI permit icmp host xxx.xxx.244.30 yyy.yyy.197.0 255.255.255.0
pager lines 24
logging console notifications
logging monitor debugging
logging buffered notifications
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.244.30 255.255.255.224
ip address inside 10.0.0.101 255.255.0.0
ip address dmz 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool radius_pool 192.168.254.1-192.168.254.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.244.5-207.35.244.25
global (outside) 1 xxx.xxx.244.26
global (dmz) 1 192.168.1.5-192.168.1.30
nat (inside) 0 access-list vpn_list
nat (inside) 1 10.0.0.32 255.255.255.255 0 0
nat (inside) 1 10.0.0.35 255.255.255.255 0 0
nat (inside) 1 10.0.0.37 255.255.255.255 0 0
nat (inside) 1 10.0.0.41 255.255.255.255 0 0
nat (inside) 1 10.0.0.49 255.255.255.255 0 0
nat (inside) 1 10.0.0.50 255.255.255.255 0 0
nat (inside) 1 10.0.0.60 255.255.255.255 0 0
nat (inside) 1 10.0.0.61 255.255.255.255 0 0
nat (inside) 1 10.0.0.62 255.255.255.255 0 0
nat (inside) 1 10.0.0.63 255.255.255.255 0 0
nat (inside) 1 10.0.0.64 255.255.255.255 0 0
nat (inside) 1 10.0.0.66 255.255.255.255 0 0
nat (inside) 1 10.0.0.67 255.255.255.255 0 0
nat (inside) 1 10.0.0.68 255.255.255.255 0 0
nat (inside) 1 10.0.0.69 255.255.255.255 0 0
nat (inside) 1 10.0.0.70 255.255.255.255 0 0
nat (inside) 1 10.0.0.170 255.255.255.255 0 0
nat (inside) 1 10.2.10.0 255.255.255.0 0 0
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0
static (inside,dmz) 10.0.0.35 10.0.0.35 netmask 255.255.255.255 0 0
static (inside,dmz) 10.0.0.41 10.0.0.41 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.244.2 10.0.0.37 netmask 255.255.255.255 0 0
static (inside,outside) aaa.aaa.5.65 10.0.0.38 netmask 255.255.255.255 0 0
static (inside,outside) aaa.aaa.5.66 10.0.0.54 netmask 255.255.255.255 0 0
access-group from_out in interface outside
access-group from_dmz in interface dmz
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 207.35.244.1 1
route inside 10.1.0.0 255.255.0.0 10.0.0.1 1
route inside 10.2.0.0 255.255.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server vpnauth protocol radius
aaa-server vpnauth (inside) host 10.0.0.41 RADIUS timeout 5
snmp-server host inside 10.0.0.50 trap
snmp-server host inside 10.0.0.71 poll
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt route dnat
crypto ipsec transform-set radius_set esp-3des esp-md5-hmac
crypto ipsec transform-set STRONG-SET esp-3des esp-sha-hmac
crypto dynamic-map radius_mobile 1 set transform-set radius_set
crypto map radius_map 5 ipsec-isakmp
crypto map radius_map 5 match address VPNCCI
crypto map radius_map 5 set peer yyy.yyy.111.140
crypto map radius_map 5 set transform-set STRONG-SET
crypto map radius_map 10 ipsec-isakmp
crypto map radius_map 10 match address VPN-GERS
crypto map radius_map 10 set peer aaa.aaa.178.22
crypto map radius_map 10 set transform-set STRONG-SET
crypto map radius_map 20 ipsec-isakmp dynamic radius_mobile
crypto map radius_map client configuration address initiate
crypto map radius_map client configuration address respond
crypto map radius_map client authentication vpnauth
crypto map radius_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address aaa.aaa.178.22 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address yyy.yyy.111.140 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local radius_pool outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 1
isakmp policy 5 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 25 authentication rsa-sig
isakmp policy 25 encryption 3des
isakmp policy 25 hash sha
isakmp policy 25 group 2
isakmp policy 25 lifetime 86400
vpngroup e113bsf30 address-pool radius_pool
vpngroup e113bsf30 dns-server 10.0.0.41
vpngroup e113bsf30 wins-server 10.1.1.2
vpngroup e113bsf30 default-domain xxx.com
vpngroup e113bsf30 idle-time 1800
vpngroup e113bsf30 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 15
terminal width 80

Thanks in advance,

Benoit

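As an added example that is not part of the original post: a short Python checker for the kind of review a reader would do on the configuration above before going back to the peer. It lists the local/remote identities each static crypto-map entry will propose in IKE Phase 2 and checks that `nat (inside) 0 access-list` exempts the same traffic, since the PIX translates a packet before it evaluates the crypto map and a translated source no longer matches the crypto ACL. It runs against a constructed fragment modelled on the post, with the xxx/yyy/aaa placeholders replaced by RFC 5737 documentation addresses and one invented VPN-GERS line added so the uncovered case is exercised; the function and finding names are this example's own. The three findings it reports are the ones worth comparing with the SonicWall side: a local network wider than the inside interface's subnet (the peer has to define the same network or quick mode fails on a proxy-ID mismatch), an entry shadowed by an earlier entry in the same ACL, and an entry with no matching NAT exemption.

```python
"""PIX 6.x LAN-to-LAN sanity check: crypto-ACL proxy IDs vs. nat 0 exemption.
Added example, not code from the post. PIX translates before it evaluates the
crypto map, so every crypto-ACL entry sourced from inside hosts needs a matching
nat 0 entry, and the local/remote networks must be what the peer expects."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the post; xxx/yyy/aaa placeholders replaced by
# RFC 5737 documentation addresses. The last VPN-GERS line is invented so the
# uncovered-by-nat-0 case is exercised.
SAMPLE_CONFIG = """
ip address outside 198.51.100.30 255.255.255.224
ip address inside 10.0.0.101 255.255.0.0
access-list vpn_list permit ip 10.0.0.0 255.0.0.0 203.0.113.0 255.255.255.0
access-list vpn_list permit ip 10.0.0.0 255.0.0.0 192.168.254.0 255.255.255.0
access-list VPNCCI permit ip 10.0.0.0 255.0.0.0 203.0.113.0 255.255.255.0
access-list VPNCCI permit ip host 198.51.100.30 203.0.113.0 255.255.255.0
access-list VPNCCI permit icmp host 198.51.100.30 203.0.113.0 255.255.255.0
access-list VPN-GERS permit ip host 198.51.100.65 192.0.2.128 255.255.255.192
access-list VPN-GERS permit ip 10.0.0.0 255.255.0.0 192.0.2.128 255.255.255.192
nat (inside) 0 access-list vpn_list
static (inside,outside) 198.51.100.65 10.0.0.38 netmask 255.255.255.255 0 0
crypto map radius_map 5 match address VPNCCI
crypto map radius_map 5 set peer 192.0.2.140
crypto map radius_map 10 match address VPN-GERS
crypto map radius_map 10 set peer 192.0.2.22
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask (\S+)")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
IFADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")


def _take_addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK) as an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Collect ACLs, nat 0 exemptions, static globals, crypto-map entries, interfaces."""
    cfg = {"acls": defaultdict(list), "nat0": {}, "statics": set(),
           "crypto": defaultdict(dict), "ifaces": {}}
    for line in (l.strip() for l in text.splitlines()):
        if m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            tokens = rest.split()               # trailing port qualifiers are ignored
            src = _take_addr(tokens)
            cfg["acls"][name].append((action, proto, src, _take_addr(tokens)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := STATIC_RE.match(line):        # keep the global (translated) address
            cfg["statics"].add(ipaddress.ip_network(f"{m.group(1)}/{m.group(3)}", strict=False))
        elif m := CRYPTO_RE.match(line):
            key = "acl" if m.group(3) == "match address" else "peer"
            cfg["crypto"][(m.group(1), int(m.group(2)))][key] = m.group(4)
        elif m := IFADDR_RE.match(line):
            cfg["ifaces"][m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    return cfg


def proposed_proxy_ids(cfg):
    """(map, seq, peer, proto, local, remote) per permit entry, in PIX match order."""
    rows = []
    for (name, seq), entry in sorted(cfg["crypto"].items()):
        for action, proto, local, remote in cfg["acls"].get(entry.get("acl"), []):
            if action == "permit":
                rows.append((name, seq, entry.get("peer"), proto, str(local), str(remote)))
    return rows


def check_crypto_map(cfg):
    """Return (kind, entry, detail) findings; kinds: shadowed, no-nat0, wider-than-inside."""
    findings = []
    inside, outside = cfg["ifaces"].get("inside"), cfg["ifaces"].get("outside")
    exempt = [(s, d) for a, _, s, d in cfg["acls"].get(cfg["nat0"].get("inside"), []) if a == "permit"]
    self_net = ipaddress.ip_network(f"{outside.ip}/32") if outside else None
    for (name, seq), entry in sorted(cfg["crypto"].items()):
        seen = []
        for action, proto, local, remote in cfg["acls"].get(entry.get("acl"), []):
            if action != "permit":
                continue
            tag = f"{name} {seq} peer {entry.get('peer')}: {proto} {local} -> {remote}"
            if any(p in ("ip", proto) and local.subnet_of(s) and remote.subnet_of(d) for p, s, d in seen):
                findings.append(("shadowed", tag, "an earlier entry in the same ACL already matches this"))
            seen.append((proto, local, remote))
            if local == self_net or local in cfg["statics"]:
                continue  # PIX-sourced traffic, or already a static global address: nat 0 not involved
            if not any(local.subnet_of(s) and remote.subnet_of(d) for s, d in exempt):
                findings.append(("no-nat0", tag, "inside hosts are translated first and never match it"))
            if inside and not local.subnet_of(inside.network):
                findings.append(("wider-than-inside", tag,
                                 f"wider than inside subnet {inside.network}; the peer must define this exact network"))
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for row in proposed_proxy_ids(cfg):
        print("proposes:", *row)
    for kind, tag, detail in check_crypto_map(cfg):
        print(f"[{kind}] {tag}: {detail}")
```

Paste a real `write terminal` output in place of the sample to run it against a live box; anything the checker does not recognise (fixups, timeouts, isakmp policies) is simply skipped. The shadowed finding is only a tidiness point, but the other two are exactly the items to read back to the peer: the local network the PIX proposes and the NAT exemption that keeps inside hosts matching it.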