briancox86
IS-IT--Management
I have a Cisco 7200 connected to a PIX 501 using IPsec. The remote site can surf but cannot be reached from the main office.
The VPN comes up woith no problem so that is not the issue. I think it is an ACL? Basically I have 10.X addressing at the remote site and it should come across the VPN un-NATted.
Cisco 7200 Config
-------------------------------------------------------
crypto isakmp key XXX address X.X.X.148
crypto map site-vpn 890 ipsec-isakmp
set peer X.X.X.148
set transform-set defaultset
match address to-SITE
ip route 10.148.19.0 255.255.255.192 X.X.X.148
ip access-list extended to-SITE
permit ip any host X.X.X.148
permit ip any 10.148.19.0 0.0.0.63 log
-------------------------------------------------------
Cisco PIX 501 Info and Config
-------------------------------------------------------
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Limited
IKE peers: 5
-------------------------------------------------------
-------------------------------------------------------
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXX encrypted
hostname XXX
domain-name XXX.XXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list to-home permit ip host X.X.X.148 any
access-list to-home permit ip 10.148.19.0 255.255.255.192 any
access-list NoNAT permit ip 10.148.19.0 255.255.255.192 any
pager lines 24
logging on
logging timestamp
logging trap debugging
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1400
mtu inside 1400
ip address outside X.X.X.148 255.255.255.128
ip address inside 10.148.19.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location X.X.X.0 255.255.255.0 inside
pdm location X.X.X.0 255.255.0.0 inside
pdm location X.X.X.0 255.255.0.0 outside
pdm location X.X.X.0 255.255.255.192 outside
pdm location X.X.X.0 255.255.255.0 outside
pdm location X.X.X.0 255.255.255.0 outside
pdm location X.X.X.0 255.255.255.0 outside
pdm location X.X.X.0 255.255.0.0 outside
pdm location X.X.X.194 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
route outside 0.0.0.0 0.0.0.0 X.X.X.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http X.X.X.0 255.255.255.0 outside
http X.X.X.0 255.255.0.0 outside
http X.X.X.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt route dnat
crypto ipsec transform-set MAP esp-3des esp-md5-hmac
crypto map MAP 10 ipsec-isakmp
crypto map MAP 10 match address to-home
crypto map MAP 10 set peer X.X.X.246
crypto map MAP 10 set transform-set MAP
crypto map MAP interface outside
isakmp enable outside
isakmp key ******** address X.X.X.246 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh X.X.X.0 255.255.255.0 outside
ssh X.X.X.0 255.255.255.0 outside
ssh X.X.X.0 255.255.255.192 outside
ssh X.X.X.0 255.255.0.0 outside
ssh X.X.X.0 255.255.255.0 outside
ssh X.X.X.0 255.255.0.0 outside
ssh X.X.X.0 255.255.255.192 inside
ssh X.X.X.0 255.255.0.0 inside
ssh timeout 5
dhcpd address 10.148.19.10-10.148.19.41 inside
dhcpd dns X.X.X.10 X.X.X.21
dhcpd wins X.X.X.232
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXX.XXX
dhcpd auto_config outside
dhcpd enable inside
username XXX password XXX encrypted privilege 15
username XXX password XXX encrypted privilege 15
username XXX password XXX encrypted privilege 15
terminal width 80
Cryptochecksum:d7c987bbfd180a127c910d8c1acd965a
: end
-------------------------------------------------------
The VPN comes up woith no problem so that is not the issue. I think it is an ACL? Basically I have 10.X addressing at the remote site and it should come across the VPN un-NATted.
Cisco 7200 Config
-------------------------------------------------------
crypto isakmp key XXX address X.X.X.148
crypto map site-vpn 890 ipsec-isakmp
set peer X.X.X.148
set transform-set defaultset
match address to-SITE
ip route 10.148.19.0 255.255.255.192 X.X.X.148
ip access-list extended to-SITE
permit ip any host X.X.X.148
permit ip any 10.148.19.0 0.0.0.63 log
-------------------------------------------------------
Cisco PIX 501 Info and Config
-------------------------------------------------------
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Limited
IKE peers: 5
-------------------------------------------------------
-------------------------------------------------------
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXX encrypted
passwd XXX encrypted
hostname XXX
domain-name XXX.XXX
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list to-home permit ip host X.X.X.148 any
access-list to-home permit ip 10.148.19.0 255.255.255.192 any
access-list NoNAT permit ip 10.148.19.0 255.255.255.192 any
pager lines 24
logging on
logging timestamp
logging trap debugging
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1400
mtu inside 1400
ip address outside X.X.X.148 255.255.255.128
ip address inside 10.148.19.1 255.255.255.192
ip audit info action alarm
ip audit attack action alarm
pdm location X.X.X.0 255.255.255.0 inside
pdm location X.X.X.0 255.255.0.0 inside
pdm location X.X.X.0 255.255.0.0 outside
pdm location X.X.X.0 255.255.255.192 outside
pdm location X.X.X.0 255.255.255.0 outside
pdm location X.X.X.0 255.255.255.0 outside
pdm location X.X.X.0 255.255.255.0 outside
pdm location X.X.X.0 255.255.0.0 outside
pdm location X.X.X.194 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
route outside 0.0.0.0 0.0.0.0 X.X.X.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http X.X.X.0 255.255.255.0 outside
http X.X.X.0 255.255.0.0 outside
http X.X.X.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt route dnat
crypto ipsec transform-set MAP esp-3des esp-md5-hmac
crypto map MAP 10 ipsec-isakmp
crypto map MAP 10 match address to-home
crypto map MAP 10 set peer X.X.X.246
crypto map MAP 10 set transform-set MAP
crypto map MAP interface outside
isakmp enable outside
isakmp key ******** address X.X.X.246 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh X.X.X.0 255.255.255.0 outside
ssh X.X.X.0 255.255.255.0 outside
ssh X.X.X.0 255.255.255.192 outside
ssh X.X.X.0 255.255.0.0 outside
ssh X.X.X.0 255.255.255.0 outside
ssh X.X.X.0 255.255.0.0 outside
ssh X.X.X.0 255.255.255.192 inside
ssh X.X.X.0 255.255.0.0 inside
ssh timeout 5
dhcpd address 10.148.19.10-10.148.19.41 inside
dhcpd dns X.X.X.10 X.X.X.21
dhcpd wins X.X.X.232
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain XXX.XXX
dhcpd auto_config outside
dhcpd enable inside
username XXX password XXX encrypted privilege 15
username XXX password XXX encrypted privilege 15
username XXX password XXX encrypted privilege 15
terminal width 80
Cryptochecksum:d7c987bbfd180a127c910d8c1acd965a
: end
-------------------------------------------------------
