In article , Gary wrote:
:Set up a VPN between a PIX 520 and a 3640 router.
:I am the 3640 end and the 520 PIX is remote - VPN comes up fine.
:For some reason I can reach all the Windows servers using their private
:addresses but none of the unix boxes ???
Do you happen to have a WINS server set up? If so then *maybe* the WINS is kicking in, and you are getting a favourable translation through that mechanism.
:No firewall issues and all boxes are in the same class C
All in the same class C? Both sides of the VPN are in the same class C?? I suspect that's not what you meant ;-)
You mention private addresses. Is there NAT going on over the VPN, or are both sides set to nat-exempt the other's range?
What happens if you start from a Unix box and nmap the other end? Then if you start from a Windows box and nmap the other end? What if you set up Samba on a Unix box and point it towards the WINS server the Windows boxes are using?
Remote end is 10.25.0.0/24 [PIX] and Local end is 10.99.0.0/24 [3640 router]
nmap from 3640 to PIX end sees Unix hosts as being down, i.e. nothing at all.
If I snoop traffic on the Unix servers I see the ping or nmap requests coming in no problems.
i.e. for ping I see this at the remote end:
Using device /dev/le (promiscuous mode)
10.99.0.5 -> well.uk. ICMP Echo request
10.99.0.5 -> well.uk. ICMP Echo request
10.99.0.5 -> well.uk. ICMP Echo request
10.99.0.5 -> well.uk. ICMP Echo request
At the local end I see:
Ping statistics for 10.25.0.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
NAT is in operation at the 3640 [Single Public IP on router] end and the PIX end [Protected Public WEB Servers etc].
Now, the Windows boxes at the remote end can ping the local end etc., but the Unix server pings do not even reach the router (I have debug running), so the issue seems to be the return traffic for the Unix servers at the remote end.
nmap -v -sS -O 10.25.0.10
Nmap output from local to remote (Unix):

Starting nmap 3.81 ( ) at 2005-05-10 15:36 Eastern Daylight Time
Initiating SYN Stealth Scan against 10.25.0.10 [1663 ports] at 15:36
SYN Stealth Scan Timing: About 9.02% done; ETC: 15:41 (0:05:07 remaining)
The SYN Stealth Scan took 340.25s to scan 1663 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host 10.25.0.10 appears to be up ... good.
All 1663 scanned ports on 10.25.0.10 are: filtered
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SInfo(V=3.81%P=i686-pc-windows-windows%D=5/10%Tm=42810EA9%O=-1%C=-1)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Nmap finished: 1 IP address (1 host up) scanned in 374.625 seconds
               Raw packets sent: 3344 (134KB) | Rcvd: 18 (1404B)
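As an added example (not part of the thread, and not anything either poster ran), here is a small Python helper that parses the two pieces of evidence Gary quoted above, the Solaris snoop capture on the far-end Unix host and the Windows ping summary on the near end, and uses them together to place the fault on one leg of the path. The sample strings are constructed copies of the quoted output; the function names and the classification codes are my own.

```python
import re

# Constructed copies of the two outputs quoted in the post above: a snoop
# capture taken on the far-end Unix host (10.25.0.10, which snoop printed
# as the hostname "well.uk.") and the Windows ping summary on the near end.
SNOOP_OUTPUT = """\
Using device /dev/le (promiscuous mode)
10.99.0.5 -> well.uk. ICMP Echo request
10.99.0.5 -> well.uk. ICMP Echo request
10.99.0.5 -> well.uk. ICMP Echo request
10.99.0.5 -> well.uk. ICMP Echo request
"""

PING_OUTPUT = """\
Ping statistics for 10.25.0.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
"""

# snoop's one-line ICMP summary: "<src> -> <dst> ICMP Echo request|reply"
SNOOP_LINE = re.compile(r"^(\S+)\s+->\s+(\S+)\s+ICMP Echo (request|reply)", re.M)
# Windows ping summary line: "Sent = N, Received = N, Lost = N"
PING_STATS = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")


def parse_snoop(text):
    """Count ICMP echo requests and replies in a snoop capture.

    snoop runs the interface promiscuously and prints both directions, so a
    reply the host actually transmitted would show up here as "Echo reply".
    Returns {"request": n, "reply": m}.
    """
    counts = {"request": 0, "reply": 0}
    for _src, _dst, kind in SNOOP_LINE.findall(text):
        counts[kind] += 1
    return counts


def parse_ping(text):
    """Extract sent/received/lost counts from a Windows ping summary."""
    m = PING_STATS.search(text)
    if m is None:
        raise ValueError("no ping statistics line found")
    sent, received, lost = (int(g) for g in m.groups())
    return {"sent": sent, "received": received, "lost": lost}


def classify_path(snoop_counts, ping_stats):
    """Combine the two vantage points into a single verdict.

    Codes (hypothetical names chosen for this example):
      "ok"                 every echo request got a reply back at the source
      "forward_path"       the far-end capture never saw the requests
      "far_host_no_reply"  requests reached the far host's wire but it never
                           transmitted a reply (host route back to the source,
                           default gateway, host-level filtering)
      "return_path"        replies left the far host but never arrived
                           (routing or NAT between the far host and the source)
    """
    if ping_stats["sent"] > 0 and ping_stats["received"] == ping_stats["sent"]:
        return "ok"
    if snoop_counts["request"] == 0:
        return "forward_path"
    if snoop_counts["reply"] == 0:
        return "far_host_no_reply"
    return "return_path"


def diagnose(snoop_text, ping_text):
    """Parse both outputs and return the classification code."""
    return classify_path(parse_snoop(snoop_text), parse_ping(ping_text))


if __name__ == "__main__":
    print(diagnose(SNOOP_OUTPUT, PING_OUTPUT))
```

Run on the figures quoted in the post, this returns "far_host_no_reply": the promiscuous capture on the Unix host shows four requests and no replies at all, so whatever is wrong with the return traffic starts on the host itself (whether it has a route back to 10.99.0.0/24, and through which gateway) rather than somewhere between the host and the 3640. Only if snoop had shown replies leaving the host would "return_path" apply and the NAT exemption on the PIX and router become the first thing to check.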