Unable to tunnel site to site VPN

[speedingwolf]

Greetings all:

I've configured cisco VPN tunnel before between PIX506 and VPN concentrator without any problem. I've configured Cisco VPN client to terminate at our HQ PIX516E without any problem. But now I am having problem creating a site to site tunnel between a PIX501 to a PIX515E. For the life of me, I can't seem to find out what's the problem. I reset both pixes to default manufacturer and configured both with cli as well as asdm and still running into problem. Here is the shortcut of my configures and i'm sure with additional minds, maybe you can point out what I did wrong. Thanks in advance. The ultimate goals is configure the HQ Pix to accept VPN client and site to site with remote office.

Remote Site: 192.168.101.0

PIX501# show config
PIX Version 6.3(5)

access-list TunnelToHQ permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0

ip address outside X.X.X.X 255.255.255.128
ip address inside 192.168.101.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list TunnelToHQ
nat (inside) 1 192.168.101.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 X.X.X.x 1

sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map ToIHQ 10 ipsec-isakmp
crypto map ToIHQ 10 match address TunnelToHQ
crypto map ToIHQ 10 set peer Y.Y.Y.Y
crypto map ToIHQ 10 set transform-set strong
crypto map ToIHQ interface outside
isakmp enable outside
isakmp key ******** address Y.Y.Y.Y netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5

console timeout 0
dhcpd address 192.168.101.2-192.168.101.33 inside
dhcpd dns ispdsn1, ispdns2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

===========

HQ Network: 192.168.100.0

PIX515E

FW1Test# show config
: Saved
: Written by enable_15 at 19:09:15.037 UTC Sat Mar 11 2006
!
PIX Version 7.1(1)
!
hostname FW1Test

same-security-traffic permit intra-interface
access-list 110 extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.100.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 Y.Y.Y.y 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map toPIX501 10 set peer X.X.X.x
crypto map toPIX501 10 set transform-set myset
crypto map toPIX501 interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group X.X.X.x type ipsec-l2l
tunnel-group X.X.X.x ipsec-attributes
pre-shared-key *

 

[lashboy]

you dont have command "sysopt connection permit-ipsec" on pix FW1TEST
also on PIX 501 you should define seperate access list fot NONAT traffic.

 

[speedingwolf]

Thanks for your respond lashboy and sorry for the delay in responding. The PIX515E has version 7.1.1. According to Cisco, sysopt connection permit-ipsec is enable by default.

Now I have another problem. I can see the tunnel but I can't access any resources both on each side: ping or anything else. Both internal net have default gateway point to the inside PIX interface.

 

[Triplejolt]

Check your config on the 515 and see if this line is in the crypto statements:

crypto map toPIX501 10 match address 110 (or use [b]nonat[/b] as these two are identical)

This line tells the PIX to encrypt matching traffic. Without it the traffic wont go through the tunnel but rather on the outside. Thus being dropped.

A firm beleiver of the "Keep it Simple" philosophy
Cheers
/T

 

[mitmont]

I'm experiencing the same issue as Speedingwolf's last issue. The VPN Cisco 3.6.3 client from my network can connect to the client's off site network, receive the DNS server IP addresses in the network card settings and show connected however never receives the network login and is unable to connect to resources on the far domain servers.

Configuration on my side; VLAN in client office to a Cisco switch thru a pix 525 firewall with allow any any setting, to a off site network.
172.16.117.x VLAN IP, to a 172.16.2.x internal network. PIX 525 through the ISP. ISP not blocking. Off site configuration is 192.168.110.x initial, internal resources (servers with mapped drives) on 192.168.100.x

The off site network admin is not a cisco engineer. Their stance is that the cisco VPN client cannot be used in a VLAN configuration and to adjust the network to allow them to get out. Our thoughts are that their router is

Any thoughts would be great.

Thank you.

Dave

 

[speedingwolf]

I'd like to update what's going since this post. I got the tunnel up, got both networks talked to each other but with one additional PIX.

Originally, I want one PIX to do L2l and VPNClient. The tunnel work, but there is no routing between networks. I could not seem to figure it out so I used another PIX for L2L until i find out the solution. Here is the network layout:

PIX1 inside 192.168.100.1. All internal servers, workstations point to this interface as its gateway

Remote PIX inside 192.168.101.1. Clients default gateway pointed to inside PIX.

The above settings established tunnel but resources can't be used.

So, I used another PIX and points the remote PIX L2L to it.
Tunnel created.

PIX2 inside 192.168.100.2

On my MS servers, i added a static route:

route add -p 192.168.101.0 mask 255.255.255.0 192.168.100.2

On my remote PIX network, my servers has entry:

route add -p 192.168.100.0 mask 255.255.255.0 192.168.101.1

So, now i got everything up and running.

I can't remember reading somewhere that PIX does not route???

This solution works for me but not what I expected. I rather have the other PIX as a standby.