Pix 501 to Pix 501 VPN Issue

Hey all,

I have a strange question. We are trying to use 2 Pix 501's to secure traffic between 2 wireless access points. There is no router between the 2 access points. I currently have a lab setup with the 2 Pix's connecting them with a crossover cable to each of their outside interfaces.

I can get the tunnel to come up with no problem, but no traffic will pass between the 2 inside interfaces. I have a computer connected to each inside interface of each Pix with the default gateway set to the inside interface of each computer's corresponding Pix.

Here is the config from the Pix1:

: Saved : Written by enable_15 at 11:49:28.125 UTC Wed Dec 28 2005 PIX Version 6.3(5) interface ethernet0 100full interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password passwd hostname Pix1 domain-name something.com fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names access-list 80 permit ip 10.16.0.0 255.255.0.0 10.16.2.0 255.255.255.0 pager lines 24 icmp permit any echo outside icmp permit any echo inside mtu outside 1500 mtu inside 1500 ip address outside 10.16.1.2 255.255.255.0 ip address inside 10.16.0.221 255.255.0.0 ip audit info action alarm ip audit attack action alarm pdm history enable arp timeout 14400 nat (inside) 0 access-list 80 route outside 0.0.0.0 0.0.0.0 10.16.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set vpnset esp-aes esp-sha-hmac crypto map toRemotePix 10 ipsec-isakmp crypto map toRemotePix 10 match address 80 crypto map toRemotePix 10 set peer 10.16.1.1 crypto map toRemotePix 10 set transform-set vpnset crypto map toRemotePix interface outside isakmp enable outside isakmp key atmconnection address 10.16.1.1 netmask 255.255.255.255 isakmp policy 9 authentication pre-share isakmp policy 9 encryption aes isakmp policy 9 hash sha isakmp policy 9 group 1 isakmp policy 9 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80 Cryptochecksum:0de231c6c91acbf0282ffbf1d1ca209e : end

The other Pix is exactly the same just reverse the src and dst IP addresses in the access list and the IP's are different of course.

Any help would be greatly appreciated.

Reply to
jamesdeva
Loading thread data ...

In article , wrote: :I have a strange question. We are trying to use 2 Pix 501's to secure :traffic between 2 wireless access points.

:I can get the tunnel to come up with no problem, but no traffic will :pass between the 2 inside interfaces.

:PIX Version 6.3(5)

:access-list 80 permit ip 10.16.0.0 255.255.0.0 10.16.2.0 255.255.255.0

:ip address outside 10.16.1.2 255.255.255.0 :ip address inside 10.16.0.221 255.255.0.0

Your inside network is 10.16/16 and your outside network is

10.16.1/24 which is a subnet of your inside network. You should not expect that to work.

:nat (inside) 0 access-list 80

Your inside network is 10.16/16 and your nat 0 access-list implies that you will be attempting to communicate with 10.16.2/24 . You should not expect that to work.

:sysopt connection permit-ipsec

Okay, that explains why you don't have any outside access lists.

:crypto map toRemotePix 10 match address 80 :crypto map toRemotePix 10 set peer 10.16.1.1

There are not many situations on the PIX in which you can safely reuse an access list. You should copy the contents of the access list under a different name and use that as ACL for "match address" purposes. PIX 6.x software may internally modify ACLs for its own purposes. Some of the instances of that are documented, but others are not.

Small note: on the PIX, you do not need to use numbers as the ACL labels, you can use names such as "tunnel_acl" instead.

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.