
Question about our VPN between Pix 515 and Pix 501

Status
Not open for further replies.

thegirlofsteel

IS-IT--Management
Mar 3, 2004
110
US
Hi all,

I am having difficulty with one of my branch offices VPN'ing (is that a word) to my main branch. My other branches are similar to this one and we used the same PIX config on all of them. We plugged in the config on the branch 501 and then at our main office PIX. I can go in and ping the branch outside IP (the ISP static) through the PIX on our end. I'm not quite sure if the branch can ping us (no one there to help me). Anyway, the whole problem is I cannot get them to see our servers: an AS/400 and our Windows 2000 Advanced Server with Exchange.

I'm baffled since everything is the same on all ends!!!

 
BTW, I was a little puzzled by the license saying its not applicable....could this be it??
 
Do you know if the PIX boxes have both successfully negotiated and established the ISAKMP/IPSec VPN Connection?

Is this branch connected to the Internet via DSL?
If so, do you know if the DSL modem is in Routed Bridge Mode? If so, this could cause issues if NAT-T is not allowed in the ACL on the headend PIX.

 
"BTW, I was a little puzzled by the license saying its not applicable....could this be it??"

Sorry, but what do you mean by this? on which end do you get this? Also I think that some of the lower end PIX boxes limit the number of VPN tunnels. What model are you running at your main site?

506 can do 25 VPN Tunnels
501 can do 10 VPN Tunnels

 
The branches are connected via cable modem (that's all they have). As far as the ISAKMP/IPsec, is there a command with which you can test the connection? I believe there is, because I can ping the outside IP address.

 
As far as verification commands, I have listed some below. But, before we get off-track, can you SSH into the remote PIX? If so, then great. You may be able to log in and debug it from both ends. I am sure you may already have an SSH client, but if not.......... You stated something about a licensing message. This may be the root of the issue, so if you can elaborate a little more it may (hopefully) bear some fruit.

*************************************************


Besides pumping some interesting traffic (as defined by the crypto ACLs) between the tunnel endpoint firewalls and debugging the connection, typically the following commands verify IPsec VPNs:

show crypto isakmp
You will see the source and destinations of the IKE Crypto peers and the state of Phase 1 the connection. Under normal conditions, the state should be "QM_IDLE"

show crypto ipsec sa
You will see the source and destination networks in the IPsec VPN connection as well as the state of the Security Association. Under normal conditions, the number of encrypted and decrypted packets will be about the same. If you see encrypts but no decrypts, or vice versa, this can clue us in better.


show crypto map
You will see the parameters of your crypto maps as applied to the outside interface and the hit count on the crypto ACL.
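As an added example (not part of the thread, and not anything the posters ran), the script below turns the checks described in the post above into code: it parses the Phase 1 peer table and the per-SA encrypt/decrypt counters and prints a verdict per peer, distinguishing "Phase 1 never reached QM_IDLE" from the two one-way cases (encrypts but no decrypts, decrypts but no encrypts). The two sample outputs are constructed to resemble the PIX 6.x `show crypto isakmp sa` and `show crypto ipsec sa` formats, using documentation-range addresses; the crypto map name, counters and peer addresses are assumptions, and the hint text attached to each verdict is the standard troubleshooting direction for that symptom, not something the thread states.

```python
import re

# Constructed sample, modelled on PIX 6.x "show crypto isakmp sa" output.
# Addresses are documentation ranges, not anyone's real peers.
SAMPLE_ISAKMP = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   203.0.113.10      198.51.100.5   QM_IDLE         0           1
"""

# Constructed sample, modelled on PIX 6.x "show crypto ipsec sa" output:
# packets are being encrypted towards the peer but nothing is decrypted.
SAMPLE_IPSEC = """\
interface: outside
    Crypto map tag: branchmap, local addr. 198.51.100.5

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 203.0.113.10:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 142, #pkts encrypt: 142, #pkts digest 142
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""

# One IKE SA row: destination IP, source IP, state (QM_IDLE when Phase 1 is up).
ISAKMP_ROW = re.compile(
    r"^\s*(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<state>\S+)",
    re.M)


def parse_isakmp(text):
    """Return one {dst, src, state} dict per IKE SA row; header lines do not match."""
    return [m.groupdict() for m in ISAKMP_ROW.finditer(text)]


def parse_ipsec(text):
    """Return one dict per IPsec SA block with local/remote selectors, peer and counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.search(r"local\s+ident \(addr/mask/prot/port\): \((\S+?)\)", line)
        if m:  # a "local ident" line starts a new SA block
            cur = {"local": m.group(1), "remote": None, "peer": None,
                   "encrypt": 0, "decrypt": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"remote ident \(addr/mask/prot/port\): \((\S+?)\)", line)
        if m:
            cur["remote"] = m.group(1)
            continue
        m = re.search(r"current_peer: (\S+)", line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = re.search(r"#pkts encrypt: (\d+)", line)
        if m:
            cur["encrypt"] = int(m.group(1))
            continue
        m = re.search(r"#pkts decrypt: (\d+)", line)
        if m:
            cur["decrypt"] = int(m.group(1))
    return sas


def diagnose(isakmp_text, ipsec_text):
    """Return a list of (peer_ip, verdict) pairs, one per IPsec SA."""
    # Which column holds the remote peer depends on who initiated, so index both.
    phase1 = {}
    for row in parse_isakmp(isakmp_text):
        phase1[row["dst"]] = row["state"]
        phase1[row["src"]] = row["state"]
    findings = []
    for sa in parse_ipsec(ipsec_text):
        peer_ip = sa["peer"].split(":")[0]
        state = phase1.get(peer_ip)
        if state != "QM_IDLE":
            findings.append((peer_ip, f"phase 1 not established (state={state}): "
                             "check pre-shared key, isakmp policy match and UDP/500 reachability"))
        elif sa["encrypt"] > 0 and sa["decrypt"] == 0:
            findings.append((peer_ip, "one-way: encrypting but nothing decrypted; return traffic "
                             "from the remote side is missing (remote crypto ACL mirror, remote "
                             "nat 0 exemption, or ESP/NAT-T blocked inbound)"))
        elif sa["decrypt"] > 0 and sa["encrypt"] == 0:
            findings.append((peer_ip, "one-way: decrypting but nothing encrypted; local interesting "
                             "traffic is not matching the crypto ACL (check nat 0 and the crypto ACL)"))
        elif sa["encrypt"] == 0 and sa["decrypt"] == 0:
            findings.append((peer_ip, "SA up but idle: no interesting traffic sent yet"))
        else:
            findings.append((peer_ip, "healthy: phase 1 QM_IDLE and traffic flowing both ways"))
    return findings


if __name__ == "__main__":
    for peer, verdict in diagnose(SAMPLE_ISAKMP, SAMPLE_IPSEC):
        print(f"{peer}: {verdict}")
```

Run it against the pasted output of both `show` commands from one PIX; the branch that can ping the head-end's outside address but cannot reach the servers will typically show up as either a Phase 1 state other than QM_IDLE or as the "encrypting but nothing decrypted" case on the branch side.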
 
Hi GConnect...Thanks so much for your help. I'm not sure how to SSH into the client (newbie). Anyhoo....when I was at the remote site, I PDM'd and I saw under license# that it was blank. I don't recall on the other PIXes at other branches if they were blank. Can you tell me how to operate PuTTY???
 
Just start PuTTY, choose SSH1 and type in the address of the branch PIX (the public one). The username is pix, and then your password. You should get a key; accept this and you are on the PIX. Then do a show version to check your license features.

Network Systems Engineer
CCNA/CQS/CCSP/Infosec
Check the danish Cisco CSA Forum here :
 