
Site to Site VPN w/515E


CripTiK
Feb 6, 2002
Ok, I have two PIX 515E and I am trying to create a site to site VPN. I seem to have the VPN connection up and running and I can even ping hosts on the other side. The problem that I have is that's all I can do. I figured if I could ping them I should be able to connect to them but I can't. I tried to terminal service to one of my servers and it won't make a connection.

Here is the config that I put in...what am I doing wrong?

PIX 1

isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
crypto isakmp key xxxxxx address 66.xxx.xxx.5
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip 10.25.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 172.25.0.0 255.255.254.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 172.16.88.0 255.255.254.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 172.25.2.0 255.255.254.0 192.168.0.0 255.255.255.0
nat 0 access-list 90
crypto map PIX 2 20 ipsec-isakmp
crypto map PIX 2 20 match address 90
crypto map PIX 2 20 set transform-set strong
crypto map PIX 2 20 set peer 66.xxx.xxx.5
crypto map PIX 2 interface outside
sysopt connection permit-ipsec

PIX 2

isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt 3des
crypto isakmp key xxxxxx address 63.xxx.xxx.77
crypto ipsec transform-set strong esp-3des esp-sha-hmac
access-list 90 permit ip 192.168.0.0 255.255.255.0 10.25.0.0 255.255.0.0
access-list 90 permit ip 192.168.0.0 255.255.255.0 172.25.0.0 255.255.254.0
access-list 90 permit ip 192.168.0.0 255.255.255.0 172.25.2.0 255.255.254.0
nat 0 access-list 90
crypto map PIX 1 20 ipsec-isakmp
crypto map PIX 1 20 match address 90
crypto map PIX 1 20 set transform-set strong
crypto map PIX 1 20 set peer 63.xxx.xxx.77
crypto map PIX 1 interface outside
sysopt connection permit-ipsec

So far this allows me to ping from the 192. network to the 172.25's, and the 10. network. But I am unable to terminal service to a server in the 172.25 network.

why??????
 
Here is all the rest of the configs on PIX 1 & PIX 2:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname PIX 1
domain-name xxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl-out permit gre host 63.xxx.xxx.66 host 63.xxx.xxx.78
access-list 90 permit ip 10.25.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 172.25.0.0 255.255.254.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 172.16.88.0 255.255.254.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 172.25.2.0 255.255.254.0 192.168.0.0 255.255.255.0
pager lines 24
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 63.xxx.xxx.77 255.255.255.224
ip address inside 10.25.0.1 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 63.xxx.xxx.79
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 63.xxx.xxx.78 192.168.0.128 netmask 255.255.255.255 0 0
access-group acl-out in interface outside
route outside 0.0.0.0 0.0.0.0 63.xxx.xxx.65 1
route inside 172.16.88.0 255.255.254.0 10.25.0.2 1
route inside 172.25.0.0 255.255.254.0 10.25.0.1 1
route inside 172.25.2.0 255.255.254.0 10.25.0.1 1
route inside 192.168.0.0 255.255.255.0 10.25.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map PIX 2 20 ipsec-isakmp
crypto map PIX 2 20 match address 90
crypto map PIX 2 20 set peer 66.xxx.xxx.5
crypto map PIX 2 20 set transform-set strong
crypto map PIX 2 interface outside
isakmp enable outside
isakmp key ******** address 66.xxx.xxx.5 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.0.133 255.255.255.255 inside
telnet 192.168.0.128 255.255.255.255 inside
telnet timeout 30
ssh timeout 5
vpdn enable outside
terminal width 80
Cryptochecksum:03877a41d6f79f01b9b5f448d206368d
: end
[OK]


PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7Xq13kik6OSXu6Yo encrypted
passwd NeKE72pMibAdUu7x encrypted
hostname PIX 2
domain-name xxxxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 90 permit ip 192.168.0.0 255.255.255.0 10.25.0.0 255.255.0.0
access-list 90 permit ip 192.168.0.0 255.255.255.0 172.25.0.0 255.255.254.0
access-list 90 permit ip 192.168.0.0 255.255.255.0 172.25.2.0 255.255.254.0
pager lines 24
interface ethernet0 10full
interface ethernet1 100full
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 66.xxx.xxx.5 255.255.255.224
ip address inside 192.168.0.131 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 66.xxx.xxx.6
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map PIX 1 20 ipsec-isakmp
crypto map PIX 1 20 match address 90
crypto map PIX 1 20 set peer 63.xxx.xxx.77
crypto map PIX 1 20 set transform-set strong
crypto map PIX 1 interface outside
isakmp enable outside
isakmp key ******** address 63.xxx.xxx.77 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.0.133 255.255.255.255 inside
telnet 192.168.0.128 255.255.255.255 inside
telnet 10.25.0.1 255.255.255.255 inside
telnet 10.25.0.1 255.255.255.255 intf2
telnet timeout 30
ssh timeout 5
terminal width 80
Cryptochecksum:8466ad2fb556d4271b05a229ecff0b8c
: end
[OK]
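One check worth running on the two configs posted above, as an added example (not code from the thread or from Cisco): parse each side's crypto access-list 90 and report every entry whose mirror image (source and destination swapped) is missing on the peer, since IPsec crypto ACLs have to match one-for-one for a flow to be selected for the tunnel in both directions. The ACL text is copied from the thread; the regex assumes PIX 6.x `permit ip` entries with real subnet masks.

```python
import ipaddress
import re

# Crypto ACLs for a site-to-site IPsec tunnel must be mirror images:
# every "A -> B" entry on one peer needs a "B -> A" entry on the other.
# The two lists below are copied from the configs posted in the thread.
PIX1_ACL = """
access-list 90 permit ip 10.25.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 172.25.0.0 255.255.254.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 172.16.88.0 255.255.254.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 172.25.2.0 255.255.254.0 192.168.0.0 255.255.255.0
"""
PIX2_ACL = """
access-list 90 permit ip 192.168.0.0 255.255.255.0 10.25.0.0 255.255.0.0
access-list 90 permit ip 192.168.0.0 255.255.255.0 172.25.0.0 255.255.254.0
access-list 90 permit ip 192.168.0.0 255.255.255.0 172.25.2.0 255.255.254.0
"""

# PIX 6.x extended ACL syntax: real subnet masks, not IOS wildcard masks.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

def parse_crypto_acl(text: str) -> set[tuple[str, str]]:
    """Return the set of (src, dst) CIDR pairs the crypto ACL permits."""
    flows: set[tuple[str, str]] = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a permit ip entry
        _, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        flows.add((str(src_net), str(dst_net)))
    return flows

def unmirrored_flows(local: set, remote: set) -> list[tuple[str, str]]:
    """Local flows whose reversed (dst, src) pair does not exist on the remote peer."""
    return sorted(f for f in local if (f[1], f[0]) not in remote)

if __name__ == "__main__":
    a, b = parse_crypto_acl(PIX1_ACL), parse_crypto_acl(PIX2_ACL)
    for side, missing in (("PIX 1", unmirrored_flows(a, b)), ("PIX 2", unmirrored_flows(b, a))):
        for src, dst in missing:
            print(f"{side}: {src} -> {dst} has no mirror entry on the peer")
```

On the posted lists it flags only the 172.16.88.0/23 entry on PIX 1, which has no counterpart on PIX 2; hosts in that range would not be carried by the tunnel from the PIX 2 side.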
 
Hi.

* You should enable syslog messages and see if you get any related info from them.

* Try other TCP protocols like HTTP, FTP, and TELNET for the test. What do you get?

* What type is the link to ISP (ADSL,Leased, etc) at each side?

* Try to play with MTU settings on the terminal server and/or client, it might be related to the problem.

* Is any router along the path filtering traffic?

Bye
Yizhar Hurwitz
 