lan to lan vpn problem

[picnmix]

Hi
this is the setup office in manchester office in birmingham. both have a cisco 501 connected to each other with ipsec. I can ping each pix and a workstation on each network.
today I found out that I can only ping one workstation (this is the workstation I setup the pix on) in the birmingham office from manchester. if I change another pc in the birmingham office and change it to the same IP address 192.168.10.90 I can ping it. I can then change it back to 192.168.10.60 and it carries on working! why is this I have done this on a number of machines and they all carry on working. to my knowledge I haven't set anything in the config of the pix's about the MAC address.

any ideas??

 

[fdurham]

picnmix-

Can you post the configs for both of the routers and we can get this resolved..

Frank

 

[picnmix]

Hi Frank,

I can only get one of the configs at the moment. I have added it at the bottom of this message. This is the Birmingham office config. The PIX is a 501. There maybe something else going on here. When I tried to RDP some machines in Manchester from Birmingham I get the background of the XP machine but no login box and then the connection fails this happened on more than one machine. I have tested the RDP locally and it works fine. I seems to be when they go over the VPN, weird?!

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password zAjAOARq.Uq39ZG0 encrypted
passwd zAjAOARq.Uq39ZG0 encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list acl_out permit tcp any host 30.30.30.29 eq smtp
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list 102 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

pager lines 24
logging on
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 30.30.30.30 255.255.255.248
ip address inside 192.168.10.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 192.168.50.200-192.168.50.250
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 30.30.30.29 192.168.10.10 netmask 255.255.255.255
0 0

access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 30.30.30.31 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set crytran esp-des esp-md5-hmac
crypto map crymap 1 ipsec-isakmp
crypto map crymap 1 match address 102
crypto map crymap 1 set peer 34.34.34.34
crypto map crymap 1 set transform-set crytran
crypto map crymap interface outside
isakmp enable outside
isakmp key ******** address 34.34.34.34 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 40
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username username password *********
vpdn username username password *********
vpdn username username password *********
vpdn username username password *********
vpdn enable outside
terminal width 80
Cryptochecksum:950c0a20e359fc452916a3a5417f4815
: end

Cheers Russ

 

[picnmix]

Hi Frank here is the manchester one. I have changed the ip addresses for security but they are pointed at the correct addresses

Cheers Russ
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /KdlUT4PxDGqLp/J encrypted
passwd /KdlUT4PxDGqLp/J encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list smtp permit tcp any host 34.34.34.33 eq smtp
access-list 101 permit ip 192.168.20.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 34.34.34.34 255.255.255.248
ip address inside 192.168.20.6 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 172.16.1.200-172.16.1.250
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.20.51 smtp netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 34.34.34.35 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set crytran esp-des esp-md5-hmac
crypto map crymap 1 ipsec-isakmp
crypto map crymap 1 match address 102
crypto map crymap 1 set peer 30.30.30.30
crypto map crymap 1 set transform-set crytran
crypto map crymap interface outside
isakmp enable outside
isakmp key ******** address 30.30.30.30 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe auto
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username username password *********
vpdn username username password *********
vpdn enable outside
terminal width 80
Cryptochecksum:b31bfaec093cd4796fa2a0d34cbb1707
: end
[OK]
pixfirewall#
pixfirewall#