
Site to Site connection problem

Status
Not open for further replies.

hparareda

Technical User
Jul 27, 2003
1
ES
Hi there,


I have this configuration:


              INTERNET
                 |
                 |
        Router (213.4.44.152)
                 |
                 | (213.4.44.153) Outside interface
                 |
                PIX ------------------------------ DMZ interface
                 |                                      |
      Inside (192.6.65.14)            SAPROUTER (192.168.6.3 - 213.4.44.154)
                 |
                 |
  ------------------------------------ Private LAN 192.6.65.x


These are the relevant lines of the PIX config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
access-list salida permit ip 192.6.65.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list salida permit ip 192.6.67.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list entrada2 permit tcp any host 192.168.6.2 eq https
access-list entrada2 permit tcp any host 192.168.6.2 eq www
access-list entrada2 permit tcp any host 192.168.6.10 eq www
access-list entrada2 permit tcp any host 192.168.6.10 eq https
access-list entrada2 permit tcp any host 192.168.6.10 eq smtp
access-list entrada2 permit tcp any host 192.168.6.10 eq pop3
access-list entrada2 permit tcp host 192.168.5.100 eq telnet host 192.168.6.3
access-list entrada2 permit tcp host 194.117.106.129 host 192.168.6.3 eq 3299
access-list entrada2 permit tcp host 194.117.106.129 host 192.168.6.3 gt 1023
access-list entrada2 permit icmp host 194.117.106.129 host 192.168.6.3
access-list entrada2 permit ip 10.0.0.0 255.255.0.0 192.6.0.0 255.255.0.0
access-list entrada2 permit ip 10.0.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list dmz-in permit tcp host 192.168.6.10 host 192.6.67.2 eq smtp
access-list dmz-in permit tcp host 192.168.6.3 host 192.6.67.2 eq domain
access-list dmz-in permit udp host 192.168.6.3 host 192.6.67.2 eq domain
access-list dmz-in permit tcp host 192.168.6.3 host 192.6.67.2 eq www
access-list dmz-in permit tcp host 192.168.6.3 host 192.6.67.2 eq 135
access-list dmz-in permit tcp host 192.168.6.3 host 192.6.67.2 eq 88
access-list dmz-in permit udp host 192.168.6.3 host 192.6.67.2 eq 88
access-list dmz-in permit tcp host 192.168.6.3 host 192.6.67.2 eq ldap
access-list dmz-in permit tcp host 192.168.6.3 host 192.6.67.2 eq 445
access-list dmz-in permit tcp host 192.168.6.3 host 192.6.67.2 eq 3268
access-list dmz-in permit tcp host 192.168.6.3 host 192.6.67.2 gt 1023
access-list dmz-in deny ip 192.168.6.0 255.255.255.0 192.6.0.0 255.255.0.0
access-list dmz-in permit ip any any
access-list sapvpn permit ip host 192.168.6.3 host 194.117.106.129
ip address outside 213.4.44.153 255.255.255.0
ip address inside 192.6.65.14 255.255.255.0
ip address dmz 192.168.6.1 255.255.255.0
global (outside) 1 interface
global (outside) 1000 213.4.44.155
global (outside) 1001 213.4.44.154
nat (inside) 0 access-list salida
nat (inside) 1 192.6.0.0 255.255.0.0 0 0
nat (dmz) 1001 192.168.6.3 255.255.255.255 0 0
nat (dmz) 1000 192.168.6.10 255.255.255.255 0 0
static (dmz,outside) 213.4.44.156 192.168.6.10 netmask 255.255.255.255 0 0
static (dmz,outside) 213.4.44.157 192.168.6.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.6.65.0 192.6.65.0 netmask 255.255.255.0 0 0
static (inside,dmz) 192.6.67.0 192.6.67.0 netmask 255.255.255.0 0 0
static (inside,outside) 213.4.44.158 192.6.65.30 netmask 255.255.255.255 0 0
static (dmz,outside) 213.4.44.154 192.168.6.3 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 213.4.44.152 1
route inside 192.6.67.0 255.255.255.0 192.6.65.10 1
sysopt connection permit-ipsec
crypto ipsec transform-set sapset esp-3des esp-md5-hmac
crypto ipsec transform-set cliset esp-aes esp-md5-hmac
crypto dynamic-map climap 10 set transform-set cliset
crypto map mapa 5 ipsec-isakmp
crypto map mapa 5 match address sapvpn
crypto map mapa 5 set peer 194.39.131.165
crypto map mapa 5 set transform-set sapset
crypto map mapa 10 ipsec-isakmp dynamic climap
crypto map mapa client configuration address initiate
crypto map mapa interface outside
isakmp enable outside
isakmp key ******** address 194.39.131.165 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 7200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I have to make a site-to-site connection to peer 194.39.131.165, but I'm not able to.

From the saprouter machine, I can ping any machine on the Internet, for example 194.39.131.164, but I can't ping 194.39.131.165. If I make a ping from another PC connected to the Internet with a modem, I can ping peer 194.39.131.165.

I have enabled:

.- debug crypto ipsec and also debug crypto isakmp; I don't see anything.
.- debug icmp trace. I see the outbound request, but not the reply.

I think that it is a NAT problem, but I can't understand why the NAT is done fine for other public IPs except for the one I need to establish the tunnel with.

Any ideas ?

Thanks in advance.

Best regards,
Hugo.
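Added example (not from the post, not Cisco code): a small Python check that parses the quoted PIX 6.3 config and, for every host entry in an ACL bound to a crypto map, reports whether that host pair is covered by a `nat (...) 0 access-list` exemption and, if not, which global address the source would leave with under the statics and nat/global pairs. It assumes the usual PIX pairing of a crypto ACL written with untranslated addresses and a nat 0 exemption; the `WITH_EXEMPTION` variant and the ACL name `nonat` are constructed to show what that pairing looks like, and only the line forms present above are parsed.

```python
import re

# Constructed excerpt of the PIX 6.3 config quoted in the post (only the lines this check reads).
PIX_CONFIG = """
access-list salida permit ip 192.6.65.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list sapvpn permit ip host 192.168.6.3 host 194.39.131.165
global (outside) 1001 213.4.44.154
nat (inside) 0 access-list salida
nat (dmz) 1001 192.168.6.3 255.255.255.255 0 0
static (dmz,outside) 213.4.44.154 192.168.6.3 netmask 255.255.255.255 0 0
crypto map mapa 5 match address sapvpn
"""

# Constructed variant: the same config plus a nat 0 exemption (ACL name 'nonat' is hypothetical).
WITH_EXEMPTION = PIX_CONFIG + """access-list nonat permit ip host 192.168.6.3 host 194.39.131.165
nat (dmz) 0 access-list nonat
"""

def acl_hosts(config, name):
    """(src, dst) pairs from the 'permit ip host A host B' lines of ACL `name` (host entries only)."""
    return re.findall(rf"^access-list {name} permit ip host (\S+) host (\S+)$", config, re.M)

def nat_exempt_acls(config):
    """Names of ACLs bound with 'nat (...) 0 access-list NAME', i.e. NAT exemption."""
    return set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)$", config, re.M))

def translations(config):
    """local IP -> global IP, from host statics and from nat/global pairs that share an id."""
    xlate = {local: glob for glob, local in
             re.findall(r"^static \(\S+\) (\S+) (\S+) netmask 255\.255\.255\.255", config, re.M)}
    globals_by_id = dict(re.findall(r"^global \(\S+\) (\d+) (\S+)$", config, re.M))
    for nat_id, local in re.findall(r"^nat \(\S+\) (\d+) (\S+) 255\.255\.255\.255", config, re.M):
        if nat_id != "0" and nat_id in globals_by_id:
            xlate.setdefault(local, globals_by_id[nat_id])  # a host static wins over a nat pool
    return xlate

def check(config):
    """For each crypto-map ACL host entry not covered by a nat 0 ACL, return
    (acl, src, dst, address the source would carry after translation)."""
    exempt = nat_exempt_acls(config)
    xlate = translations(config)
    findings = []
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M):
        for src, dst in acl_hosts(config, acl):
            if not any((src, dst) in acl_hosts(config, e) for e in exempt):
                findings.append((acl, src, dst, xlate.get(src, src)))
    return findings

if __name__ == "__main__":
    for acl, src, dst, seen_as in check(PIX_CONFIG):
        print(f"{acl}: {src} -> {dst} has no nat 0 exemption; source would leave as {seen_as}")
```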
 