
PIX VPN no end in sight


iiiiss

Technical User
Oct 28, 2002
63
AT
HI !

Again I have a problem using the PIX with vpn...
I have the PIX working fine...check
I have a VPN client working ok...check


Now I want to connect from inside one PIX to the inside of another PIX over VPN and need help.

It looks like this:

          Workstation
               |
               |
            Internet
           /        \
        PIX1        PIX2
         |           |
        net1        net2

Normal:
All connections work fine !

VPN: Workstation to PIX1....OK
Workstation to PIX2....OK

Workstation to NET....OK
Workstation to NET....OK

Now I need to connect from net1 to net2 over VPN ...... is that possible ? I am using PAT for clients to access the outside ......

On the PIX I get the error message:
Deny inbound (No xlate) udp src outside:X.X.X.X dst outside:Interface

And the client says ... peer is not responding...

Any suggestions, tips .....??

Thanks in advance

 
Not quite sure what you are trying to do here? Are you trying to connect to PIX1 using the VPN client and then connect through another tunnel to PIX2? If so, then this won't work, as you'll need a VPN concentrator.

Or are you trying to connect from behind PIX1 to PIX2 using the VPN client? If so then you'll need to open up esp, plus udp port 500 on PIX1 and PIX2 to allow isakmp traffic through.

----

Sunyasee
 
Thank you very much !

I'm trying version 2 *G*.... I'll try your advice.

Thank you again !
 
Hi again..

I just enabled the esp and udp port 500 .... and now I don't get any errors in the log but the client says "remote peer is not responding".

1. I just want to establish a tunnel from behind pix 1 to pix 2 and not from behind pix 2 to pix 1 --> so do I need to enable esp and udp port 500 for pix 2 too ? I don't think so .

Any other suggestions ?
When I try to connect from any outside host to pix 2 over VPN there are no problems ..

Do you need my config ?

Best regards
 
What happens if you do a debug on PIX2 and try and connect to it from behind PIX1? Do you see any information appear in the log to show that the VPN is trying to connect? If not then there could be some restrictions on the router connected to PIX1 which could be blocking the connection?

You could also try setting up a static for the VPN client device that is behind PIX1, this may help...?

----

Sunyasee
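The two things Sunyasee suggests above (permit ESP and UDP 500 for the peer, and give the client a static translation instead of PAT), written out as PIX 6.x configuration. This is an added example, not configuration from the thread; the interface names, the access-list name and every address are assumed placeholders.

```text
! Added example (not from the thread). Assumed addresses:
!   192.168.1.50  - VPN client workstation on net1 (inside PIX1)
!   203.0.113.10  - spare public address on PIX1's outside interface
!   198.51.100.5  - PIX2's outside address (the VPN peer)
!
! 1. One-to-one translation for the client instead of PAT, so PIX1
!    has an xlate to deliver the returning ISAKMP/ESP packets to
!    (the "Deny inbound (No xlate)" message is PIX1 saying it has none).
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255

! 2. Allow only the peer's ISAKMP (UDP 500) and ESP back in, and only
!    to that one translated address; everything else stays denied.
access-list outside_in permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-list outside_in permit esp host 198.51.100.5 host 203.0.113.10
access-group outside_in in interface outside

! Check: the translation should be listed, and the hit counts on the
! two permit lines should climb while the client negotiates.
show xlate
show access-list
```

Keeping the access list scoped to the one peer and the one translated host is what makes this acceptable on a firewall; a blanket permit for esp/udp 500 from any source would expose the whole translated address space.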
 
When I debug with debug crypto isa and debug crypto ipsec I see that the VPN client tries to connect to PIX 2 but then the client gets the "peer is not responding" message.

No log messages on PIX 2 but on PIX 1 I get the " Deny ..(no xlate) ..."



Thanks for the help
 
Did you try setting up a static for the client machine behind PIX1?

----

Sunyasee
 
Yes I tried setting up a static and with this entry I can establish the vpn tunnel BUT I can't do ANYTHING ! I can't ping anything on the other side of the tunnel !
I don't see anything in the logs !

What could I have done wrong ? Any suggestions ?

The tunnel can be established and I don't see anything in the logs !

Thanks in advance and best regards

 
Could that happen because I use several IP-pools (for each VPN client another pool) ??

Thanks
 
I got it. Thanks to Microsoft ! I needed SP1 and several security updates for XP and now it works !
(only with the static command)

Is it possible to vpn out of the PIX without using static ???

Thanks to everybody
 