VPN PIX to 3640 Router

Set up a VPN between a PIX 520 and a 3640 router.

I am the 3640 end and the 520 PIX is remote - VPN comes up fine.

For some reason I can reach all the Windows servers using their private addresses but none of the unix boxes ???

No firewall issues and all boxes are in the same class C

Bit theoretical but maybe someone can theorise.

Do Windows boxes have routes that Unix boxes do not?

Gary


In article , Gary wrote:
:Set up a VPN between a PIX 520 and a 3640 router.

:I am the 3640 end and the 520 PIX is remote - VPN comes up fine.

:For some reason I can reach all the Windows servers using their private addresses but none of the unix boxes ???

Do you happen to have a WINS server set up? If so then *maybe* the WINS is kicking in, and you are getting a favourable translation through that mechanism.

:No firewall issues and all boxes are in the same class C

All in the same class C? Both sides of the VPN are in the same class C?? I suspect that's not what you meant ;-)

You mention private addresses. Is there NAT going on over the VPN, or are both sides set to nat-exempt the other's range?

What happens if you start from a Unix box and nmap the other end? Then if you start from a Windows box and nmap the other end? What if you set up Samba on a Unix box and point it towards the WINS server the Windows boxes are using?

Walter Roberson

Remote end is 10.25.0.0/24 [PIX] and Local end is 10.99.0.0/24 [3640 router]

nmap from the 3640 end to the PIX end sees the Unix hosts as being down, i.e. nothing at all.

If I snoop traffic on the Unix servers I see the ping or nmap requests coming in no problems.

i.e. for ping I see this at the remote end:

Using device /dev/le (promiscuous mode)
10.99.0.5 -> well.uk. ICMP Echo request
10.99.0.5 -> well.uk. ICMP Echo request
10.99.0.5 -> well.uk. ICMP Echo request
10.99.0.5 -> well.uk. ICMP Echo request

At the local end I see:

Ping statistics for 10.25.0.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

NAT is in operation at the 3640 end [single public IP on the router] and at the PIX end [protected public web servers etc].

Now, the Windows boxes at the remote end can ping the local end etc, but the Unix server pings do not even reach the router (I have debug running), so the issue seems to be the return traffic for the Unix servers at the remote end.

nmap -v -sS -O 10.25.0.10 (nmap output from local to remote Unix host):

Starting nmap 3.81 at 2005-05-10 15:36 Eastern Daylight Time
Initiating SYN Stealth Scan against 10.25.0.10 [1663 ports] at 15:36
SYN Stealth Scan Timing: About 9.02% done; ETC: 15:41 (0:05:07 remaining)
The SYN Stealth Scan took 340.25s to scan 1663 total ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Host 10.25.0.10 appears to be up ... good.
All 1663 scanned ports on 10.25.0.10 are: filtered
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SInfo(V=3.81%P=i686-pc-windows-windows%D=5/10%Tm=42810EA9%O=-1%C=-1)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)

Nmap finished: 1 IP address (1 host up) scanned in 374.625 seconds
Raw packets sent: 3344 (134KB) | Rcvd: 18 (1404B)

Gary

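The symptoms above (echo requests visible in snoop on the Unix box, no reply seen at the router, every port "filtered" from nmap) are what an asymmetric return path looks like: the request crosses the tunnel, but the reply is handed to a next hop that is not the PIX. The following is an added example, not code from the thread or from either poster, that answers Gary's "do Windows boxes have routes that Unix boxes do not?" by running the kernel's longest-prefix-match decision over each host's routing table. The two routing tables, the hostnames and the PIX inside address 10.25.0.1 are constructed assumptions for illustration; on a real host you would paste in the output of netstat -rn (Solaris/Linux) or route print (Windows).

```python
"""Added example (not from the thread): per host, find the next hop a reply
to the VPN peer network would take, from a netstat -rn style routing table.

Constructed for illustration: the routing tables, hostnames and the PIX
inside address 10.25.0.1 are assumptions, not data from the original post.
"""
import ipaddress

# Assumed PIX inside address: replies must go here to enter the tunnel.
PIX_INSIDE = ipaddress.ip_address("10.25.0.1")

# Constructed tables in "Destination Gateway Netmask" form.  "default" or
# 0.0.0.0 with mask 0.0.0.0 is the default route; a connected subnet shows
# the host's own address as its gateway.
HOSTS = {
    # Windows box: default gateway is the PIX, so its replies enter the tunnel.
    "win-10.25.0.20": """
        default     10.25.0.1    0.0.0.0
        10.25.0.0   10.25.0.20   255.255.255.0
    """,
    # Unix box: different default gateway and no route for 10.99.0.0/24,
    # so its replies go to 10.25.0.254 and never reach the PIX.
    "unix-10.25.0.10": """
        default     10.25.0.254  0.0.0.0
        10.25.0.0   10.25.0.10   255.255.255.0
    """,
}


def parse_routes(table):
    """Return [(network, gateway)] from a netstat -rn style table."""
    routes = []
    for line in table.strip().splitlines():
        dest, gw, mask = line.split()
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.ip_address(gw)))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match, i.e. the kernel's forwarding choice for dst."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None                      # no route at all, not even default
    net, gw = max(matches, key=lambda r: r[0].prefixlen)
    return gw


def reply_enters_tunnel(table, dst, tunnel_gw=PIX_INSIDE):
    """True if this host's reply to dst is handed to the VPN gateway."""
    return next_hop(parse_routes(table), dst) == tunnel_gw


def diagnose(hosts, dst, tunnel_gw=PIX_INSIDE):
    """Map host name -> (next hop as str or None, enters_tunnel flag)."""
    report = {}
    for name, table in hosts.items():
        gw = next_hop(parse_routes(table), dst)
        report[name] = (str(gw) if gw is not None else None, gw == tunnel_gw)
    return report


if __name__ == "__main__":
    # 10.99.0.5 is the pinging host on the 3640 side in the thread.
    for name, (gw, ok) in diagnose(HOSTS, "10.99.0.5").items():
        print(f"{name}: reply to 10.99.0.5 via {gw} -> "
              f"{'enters tunnel' if ok else 'BYPASSES tunnel'}")
```

The fix for a host flagged as bypassing the tunnel is either to make the PIX inside address its default gateway or to add a static route for the peer network (10.99.0.0/24) pointing at it; the check is worth repeating after the change, because a second interface or a stale static route can still win the longest-prefix match.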

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.