Pix 501 -to- Pix 501 VPN

Hi,

I'm missing some details on a PIX-to-PIX VPN with static IPs on both ends that connects two LANs.

LAN 1 (192.168.1.x) --- INTERNET --- LAN 2 (192.168.2.x)

I'm on LAN 1 and the VPN is up. Pinging a client in 192.168.2.x from a PC in 192.168.1.x fails. Furthermore, I used to be able to go to the other PIX at a non-public address to do admin, and that has gone away.

Pinging from the inside of the PIX works, though. The PDM also has two entries under IPsec VPNs. The first one, I don't really understand where it came from; the second is to be expected.

LAN 1 config:

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 2Zm.jdGQPF5tDR6m encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname lawall
    domain-name sci-s.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.2.0 eu-inside
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 eu-inside 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 eu-inside 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 68.121.238.21 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location eu-inside 255.255.255.0 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    conduit permit icmp any any echo-reply
    route outside 0.0.0.0 0.0.0.0 68.121.238.22 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group5
    crypto map outside_map 20 set peer 193.251.10.201
    crypto map outside_map 20 set transform-set ESP-AES-128-MD5
    crypto map outside_map interface outside
    crypto map "outside_map" 20 ipsec-isakmp
    crypto map "outside_map" 20 set pfs
    ! Incomplete
    isakmp enable outside
    isakmp key ******** address LAN2 IP netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 3600
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes
    isakmp policy 20 hash md5
    isakmp policy 20 group 5
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.129 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    terminal width 80

Here's the output for the IPsec traffic that I believe shouldn't be there:

    local ident (addr/mask/prot/port): (eu-inside/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    current_peer: 193.251.10.201:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
    local crypto endpt.: 68.121.238.21, remote crypto endpt.: 193.251.10.201
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:

Here's the IPsec traffic that I expected:

    Details for 192.168.1.0/255.255.255.0/0/0 eu-inside/255.255.255.0/0/0 at Thu Mar 16 18:22:18 PST 2006

    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (eu-inside/255.255.255.0/0/0)
    current_peer: 193.251.10.201:500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
    #pkts decaps: 124, #pkts decrypt: 124, #pkts verify 124
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
    local crypto endpt.: 68.121.238.21, remote crypto endpt.: 193.251.10.201
    path mtu 1500, ipsec overhead 64, media mtu 1500
    current outbound spi: 63164704
    inbound esp sas:
      spi: 0xf1b760dd(4055326941)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607998/27744)
        IV size: 16 bytes
        replay detection support: Y
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
      spi: 0x63164704(1662404356)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607999/27744)
        IV size: 16 bytes
        replay detection support: Y
    outbound ah sas:
    outbound pcp sas:

Finally, here's the config from the second PIX:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password easz1nc08RmmoCpY encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname firewallscieu
    domain-name internet.sci-s.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 68.121.238.20 sci-us
    access-list tunnel permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list log permit ip host 193.251.10.201 host 192.168.1.5
    pager lines 24
    logging on
    logging timestamp
    logging trap warnings
    logging facility 22
    logging queue 128
    logging device-id hostname
    logging host outside 192.168.1.5
    icmp deny any echo outside
    icmp permit any echo-reply outside
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.1.150-192.168.1.190
    ip local pool sci-us 192.168.1.100-192.168.1.254
    ip local pool sci-eu 192.168.2.150-192.168.2.190
    pdm location 192.168.2.161 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 inside
    pdm location 192.168.2.156 255.255.255.255 inside
    pdm location 192.168.2.159 255.255.255.255 inside
    pdm location 192.168.1.0 255.255.255.0 outside
    pdm location 200.9.49.66 255.255.255.255 outside
    pdm location 192.168.1.5 255.255.255.255 outside
    pdm location 192.168.1.5 255.255.255.255 inside
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm logging warnings 50
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (outside) 1 193.251.10.201 netmask 255.255.255.255
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.2.156 255.255.255.255 inside
    http 192.168.2.159 255.255.255.255 inside
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address tunnel
    crypto map outside_map 20 set pfs group5
    crypto map outside_map 20 set peer 68.121.238.21
    crypto map outside_map 20 set transform-set ESP-AES-128-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 68.121.238.21 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp keepalive 10 3
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes
    isakmp policy 20 hash md5
    isakmp policy 20 group 5
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh 200.9.49.66 255.255.255.255 outside
    ssh timeout 60
    management-access inside
    console timeout 0
    vpdn group pppoex request dialout pppoe
    vpdn group pppoex localname fti/rbqqcaz
    vpdn group pppoex ppp authentication pap
    vpdn username fti/rbqqcaz password 444ac7k store-local
    dhcpd address 192.168.2.155-192.168.2.190 inside
    dhcpd dns 192.168.1.244 80.10.246.2
    dhcpd wins 192.168.1.244
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd domain intranet.sci-s.com
    dhcpd enable inside
    terminal width 80

Any help is greatly appreciated.

mp
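As an added example (not from the post, nor Cisco code), here is a small Python checker that reads the tunnel-relevant lines of both PIX 6.3 configs above and verifies what the two ends of a site-to-site IPsec tunnel must agree on: the crypto ACLs are mirror images, each side's peer is the other side's outside address, the crypto ACL traffic is also covered by the nat 0 ACL, and only one crypto map name exists on each box. The config excerpts are constructed from the post; the second PIX gets its PPPoE address, so its outside address 193.251.10.201 is assumed from its global and peer lines.

```python
# Constructed excerpts of the two configs in the post (LAN1 keeps its quoted crypto map line).
LAN1_CFG = """
name 192.168.2.0 eu-inside
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 eu-inside 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 eu-inside 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 193.251.10.201
crypto map "outside_map" 20 ipsec-isakmp
"""
LAN2_CFG = """
access-list tunnel permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 match address tunnel
crypto map outside_map 20 set peer 68.121.238.21
"""

def parse(cfg):
    """Collect name aliases, network/mask ip ACLs (aliases resolved), the nat 0 ACL and crypto map entries."""
    names, acls, maps, entries, nat0 = {}, {}, set(), {}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append(((names.get(t[4], t[4]), t[5]), (names.get(t[6], t[6]), t[7])))
        elif t[0] == "nat" and t[2] == "0":
            nat0 = t[4]
        elif t[:2] == ["crypto", "map"]:
            maps.add(t[2])  # '"outside_map"' and 'outside_map' are two different maps to the PIX
            if t[4] in ("match", "set") and len(t) > 6:  # match address <acl> / set peer <ip>
                entries.setdefault(f"{t[2]} {t[3]}", {})[t[5]] = t[6]
    return {"acls": acls, "maps": maps, "entries": entries, "nat0": nat0}

def check(a, b, a_outside, b_outside):
    """Findings for one site-to-site pair; an empty list means the two sides agree."""
    out = []
    for side, cfg, peer_ip in (("A", a, b_outside), ("B", b, a_outside)):
        if len(cfg["maps"]) > 1:
            out.append(f"{side}: more than one crypto map name {sorted(cfg['maps'])}")
        for key, e in cfg["entries"].items():
            if e.get("peer") != peer_ip:
                out.append(f"{side}: {key} peer {e.get('peer')} is not the other side's outside {peer_ip}")
            crypto = cfg["acls"].get(e.get("address"), [])
            if set(crypto) - set(cfg["acls"].get(cfg["nat0"], [])):
                out.append(f"{side}: {key} interesting traffic is not exempted from NAT (nat 0)")
    fa = {f for e in a["entries"].values() for f in a["acls"].get(e.get("address"), [])}
    fb = {(d, s) for e in b["entries"].values() for s, d in b["acls"].get(e.get("address"), [])}
    if fa != fb:
        out.append(f"crypto ACLs are not mirror images, differing flows: {sorted(fa ^ fb)}")
    return out
```

Run as `check(parse(LAN1_CFG), parse(LAN2_CFG), "68.121.238.21", "193.251.10.201")`; on these excerpts the only finding is the second, quoted crypto map name on LAN1.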
