Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
establishing site-to-site VPN tunnels from either side
- Thread starter mingtmak
- Start date
mustaine737
ISP
What do your access-lists for the interesting traffic look like?
- Thread starter
- #3
PIX:
access-list inside_outbound_nat0_acl permit ip 10.100.103.0 255.255.255.0 any
access-list outside_cryptomap_20 permit ip 10.100.103.0 255.255.255.0 any
ASA:
access-list Inside_nat0_outbound extended permit ip 172.17.X.0 255.255.255.0 10.100.103.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit ip any 10.100.103.0 255.255.255.0
This has also been applied to a 2nd site-to-site tunnel with a different PIX and its tunnels can be established from either side. Configurations are virtually the same between the pixes, besides the IPs and preshared keys.
access-list inside_outbound_nat0_acl permit ip 10.100.103.0 255.255.255.0 any
access-list outside_cryptomap_20 permit ip 10.100.103.0 255.255.255.0 any
ASA:
access-list Inside_nat0_outbound extended permit ip 172.17.X.0 255.255.255.0 10.100.103.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit ip any 10.100.103.0 255.255.255.0
This has also been applied to a 2nd site-to-site tunnel with a different PIX and its tunnels can be established from either side. Configurations are virtually the same between the pixes, besides the IPs and preshared keys.
mustaine737
ISP
You should use wildcards in your access-lists -
for instance:
access-list outside_cryptomap_20 permit ip 10.100.103.0 0.0.0.255 any
for instance:
access-list outside_cryptomap_20 permit ip 10.100.103.0 0.0.0.255 any
- Thread starter
- #5
A cisco person gave me the above access-lists and they seem to be working as they should. Though the method you presented is how I originally learned to do access lists in the PIX. What's the benefit of doing it this way?
Anyways, the behavior of not being able to initiate the tunnels from a particular end is happening randomly.
Sometimes happens on the PIX side, sometimes the ASA side.
There are actually 3 tunnels set up from the ASA going to 3 different PIXes.
When I power on the PIXes and ASA (this is in a lab setup), the issue with not being able to initiate the tunnel comes up again and then later (minutes to hours later) will start acting normally without any config changes.
Anyways, the behavior of not being able to initiate the tunnels from a particular end is happening randomly.
Sometimes happens on the PIX side, sometimes the ASA side.
There are actually 3 tunnels set up from the ASA going to 3 different PIXes.
When I power on the PIXes and ASA (this is in a lab setup), the issue with not being able to initiate the tunnel comes up again and then later (minutes to hours later) will start acting normally without any config changes.
wirelesspeap
Technical User
Mingtmak,
you need to run version 7.1(2) on both the Cisco Pix and
ASA device. Furthermore, you need to setup both the Phase
I and II timeout identical on both end.
I have the same setup as yours in my lab and it is working
great.
wirelesspeap
CCSA-NG/CCSE-NG
Cisco CCIE Security
you need to run version 7.1(2) on both the Cisco Pix and
ASA device. Furthermore, you need to setup both the Phase
I and II timeout identical on both end.
I have the same setup as yours in my lab and it is working
great.
wirelesspeap
CCSA-NG/CCSE-NG
Cisco CCIE Security
- Thread starter
- #7
wirelesspeap
Technical User
on both the Pix and ASA device:
phase I:
isakmp pol 10 lifetime 86400
phase II:
crypto map cmap 10 security-association lifetime seconds 3600
good luck!!!!
wirelesspeap
phase I:
isakmp pol 10 lifetime 86400
phase II:
crypto map cmap 10 security-association lifetime seconds 3600
good luck!!!!
wirelesspeap
LarryTheCucumber
MIS
FYI:
PIX/ASA 7.1(2) Crash and reboot
Unit Crashs when HTTP inspect is enabled...PIX/ASA
7.1.2
Disabling "inspect http" from your config will cause the box not to crash from this issue, or use 7.0.4(10) until this fix is released.
PIX/ASA 7.1(2) Crash and reboot
Unit Crashs when HTTP inspect is enabled...PIX/ASA
7.1.2
Disabling "inspect http" from your config will cause the box not to crash from this issue, or use 7.0.4(10) until this fix is released.
wirelesspeap
Technical User
Hi LarryTheCucumber,
How do you manage to get the Pix to crash with "inspect http" command? I am running version 7.1(2) on the Cisco Pix 525 and when I do this, the Pix did NOT crash:
class-map test
match any
policy-map test
class test
inspect http
service-policy test interface EXTERNAL
Can you provide a sample where you can crash the pix firewall with enabling "inspect http". Thanks.
wirelesspeap
How do you manage to get the Pix to crash with "inspect http" command? I am running version 7.1(2) on the Cisco Pix 525 and when I do this, the Pix did NOT crash:
class-map test
match any
policy-map test
class test
inspect http
service-policy test interface EXTERNAL
Can you provide a sample where you can crash the pix firewall with enabling "inspect http". Thanks.
wirelesspeap
LarryTheCucumber
MIS
If the load through the http inspect is large it causes a buffer overload. I don't have the threshold that it blows, but for us it would crash after less than a minute after a reboot.
There is a bug report at Cisco on this. If you can find it.
There is a bug report at Cisco on this. If you can find it.
- Thread starter
- #12
voltron1011
MIS
-mustaine737-
PIX's and ASA's don't use wildcard statements like router do.
PIX's and ASA's don't use wildcard statements like router do.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question