
Urgent Routing problem...


gscheepers

IS-IT--Management
Jan 21, 2002
I'm not sure if I'm raising the problem in the correct forum, but I'm asking anyway...

I'm doing inter-VLAN routing (with Cisco 3750s) at our sites to split our data away from our voice traffic. We're able to ping and connect to the various VoIP telephony switches at each site, but when we try to reach the telephony switches from our head office, it fails.

Is this going to be a configuration issue on our PIX firewalls or is there a setting to be changed on the 3750's to enable us to connect to the VOIP switches?

We connect from 172.16.0.0 to 192.168.5.0 - from here we inter vlan route to 192.168.15.0

I'd be grateful for any advice an assistance!

Thanks,

Gerhard
 
So are you saying that you can reach telephony switches from one remote site to another, but not from the central office? Or are you saying that each site can access its own telephony switch, but cannot reach any others?

Probably the first thing I would do is a traceroute from the central office. See how many hops you get before timing out. Wherever it starts to time out, that's where you want to start looking for the problem. I'd also try to traceroute to several different IPs, and not just the telephony switch, just to make sure the problem is not isolated to only the switch.

I'd also do this in reverse, i.e. from a remote office to the central office.
 
Each site's able to reach its own telephony switch, but I need to access the other telephony switch from our central office.

When I did a traceroute from the central office (172.16.x.x) to the 192.168.15.230 address, it went looking for the address on the public domain (which it won't find). Tracerouting to the 192.168.5.x address range is fine from the central office (obviously, since we're connected site-to-site VPN).
 
At the central office site, is the 192 network being routed into your vpn tunnel?
 
Here's the PIX config from our central office:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
nameif ethernet6 intf6 security12
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service OWA tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object range 3389 3389
access-list compiled
access-list outside-in permit esp any any
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list outside-in permit tcp any host 194.193.xx.xx eq www
access-list outside-in permit tcp any host 194.193.xx.xx eq www
access-list outside-in permit tcp any host 193.114.xx.xx eq www
access-list outside-in permit tcp any host 194.193.xx.xx eq www
access-list outside-in permit tcp any host 194.193.xx.xx eq ftp
access-list outside-in permit tcp any host 193.114.xx.xx eq www
access-list outside-in permit tcp any host 193.114.xx.xx eq www
access-list outside-in permit tcp any host 194.193.xx.xx eq smtp
access-list outside-in permit tcp any any eq ssh
access-list outside-in permit udp any any eq isakmp
access-list outside-in deny tcp any any eq 135
access-list outside-in deny udp any any eq 135
access-list outside-in permit tcp any interface outside object-group OWA
access-list outside-in permit tcp any host 194.193.xx.xx eq www
access-list outside-in deny tcp any host 65.54.xx.xx eq www
access-list outside-in deny tcp any host 207.46.xx.xx
access-list outside-in deny tcp any host 213.160.xx.xx
access-list outside-in deny tcp any host 65.54.xx.xx
access-list outside-in deny tcp any host 213.160.xx.xx
access-list outside-in deny tcp any any eq 1863
access-list outside-in deny tcp any host 213.186.xx.xx
access-list inside-out deny tcp any any eq 135
access-list inside-out deny tcp any any eq 137
access-list inside-out deny tcp any any eq 138
access-list inside-out deny tcp any any eq netbios-ssn
access-list inside-out deny udp any any eq 135
access-list inside-out deny udp any any eq netbios-ns
access-list inside-out deny udp any any eq netbios-dgm
access-list inside-out deny udp any any eq 139
access-list inside-out permit ip any any
access-list inside-out permit udp any any eq isakmp
access-list inside-out deny tcp any any eq 1863
access-list inside-out deny tcp any any eq 6901
access-list inside-out deny udp any any eq 1863
access-list inside-out deny udp any any eq 5190
access-list inside-out deny udp any any eq 6901
access-list inside-out deny tcp any host 65.54.xx.xx eq www
access-list inside-out deny tcp any host 64.4.15.61
access-list inside-out deny tcp any host 207.46.xx.xx
access-list inside-out deny tcp any any eq 4531
access-list inside-out deny udp any any eq 4531
access-list inside-out deny tcp any host 213.160.xx.xx
access-list inside-out deny tcp any host 65.54.xx.xx
access-list inside-out deny tcp any host 213.160.xx.xx
access-list inside-out deny tcp any host 207.46.xx.xx
access-list inside-out deny tcp any host 213.186.xx.xx
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.16.253.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 102 permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 103 permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 105 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list 106 permit ip 172.16.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_50 permit ip 172.16.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered debugging
logging trap debugging
logging device-id hostname
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
ip address outside 194.193.xx.xx 255.255.255.0
ip address inside 172.16.254.1 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
no ip address intf3
no ip address intf4
no ip address intf5
no ip address intf6
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 172.16.253.1-172.16.253.30
ip local pool VPN(2) 172.16.254.31-172.16.254.100
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
no failover ip address intf6
pdm location 172.16.0.0 255.255.0.0 outside
pdm location 172.16.1.235 255.255.255.255 inside
pdm location 172.16.196.101 255.255.255.255 inside
pdm location 172.16.196.104 255.255.255.255 inside
pdm location 172.16.196.112 255.255.255.255 inside
pdm location 172.16.196.113 255.255.255.255 inside
pdm location 172.16.196.114 255.255.255.255 inside
pdm location 172.16.196.121 255.255.255.255 inside
pdm location 80.225.xx.xx 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 172.16.253.0 255.255.255.224 outside
pdm location 192.168.6.0 255.255.255.0 outside
pdm location 193.114.xx.xx 255.255.255.255 outside
pdm location 172.16.1.237 255.255.255.255 inside
pdm location 193.114.xx.xx 255.255.255.255 outside
pdm location 172.16.1.100 255.255.255.255 inside
pdm location 172.16.1.101 255.255.255.255 inside
pdm location 172.16.1.102 255.255.255.255 inside
pdm location 172.16.1.103 255.255.255.255 inside
pdm location 172.16.1.104 255.255.255.255 inside
pdm location 172.16.1.105 255.255.255.255 inside
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 172.16.1.103 255.255.255.255 outside
pdm location 172.16.1.108 255.255.255.255 inside
pdm location 172.16.1.108 255.255.255.255 outside
pdm location 81.153.xx.xx 255.255.255.255 outside
pdm location 192.168.10.0 255.255.255.0 outside
pdm location 64.4.xx.xx 255.255.255.255 outside
pdm location 65.54.xx.xx 255.255.255.255 outside
pdm location 65.54.xx.xx 255.255.255.255 outside
pdm location 207.46.xx.xx 255.255.255.255 outside
pdm location 207.46.xx.xx 255.255.255.255 outside
pdm location 213.160.xx.xx 255.255.255.255 outside
pdm location 213.160.xx.xx 255.255.255.255 outside
pdm location 172.16.1.236 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface smtp 172.16.1.236 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.1.237 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 172.16.1.237 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 172.16.1.237 3389 netmask 255.255.255.255 0 0
static (inside,outside) 194.193.xx.xx 172.16.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 194.193.xx.xx 172.16.1.101 netmask 255.255.255.255 0 0
static (inside,outside) 193.114.xx.xx 172.16.1.102 netmask 255.255.255.255 0 0
static (inside,outside) 194.193.xx.xx 172.16.1.104 netmask 255.255.255.255 0 0
static (inside,outside) 193.114.xx.xx 172.16.1.105 netmask 255.255.255.255 0 0
static (inside,outside) 194.193.xx.xx 172.16.1.103 netmask 255.255.255.255 0 0
static (inside,outside) 193.114.xx.xx 172.16.1.108 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group inside-out in interface inside
conduit deny ip any host 213.186.xx.xx
route outside 0.0.0.0 0.0.0.0 194.193.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 195.13.1.153 source outside
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt ipsec pl-compatible
crypto ipsec transform-set traffic esp-des esp-md5-hmac
crypto map ethnicmap 10 ipsec-isakmp
crypto map ethnicmap 10 match address 101
crypto map ethnicmap 10 set peer 81.5.xx.xx
crypto map ethnicmap 10 set transform-set traffic
crypto map ethnicmap 20 ipsec-isakmp
crypto map ethnicmap 20 match address 103
crypto map ethnicmap 20 set peer 82.151.xx.xx
crypto map ethnicmap 20 set peer 255.255.255.255
crypto map ethnicmap 20 set transform-set traffic
crypto map ethnicmap 30 ipsec-isakmp
crypto map ethnicmap 30 match address 102
crypto map ethnicmap 30 set peer 217.204.xx.xx
crypto map ethnicmap 30 set peer 255.255.255.255
crypto map ethnicmap 30 set transform-set traffic
crypto map ethnicmap 40 ipsec-isakmp
crypto map ethnicmap 40 match address outside_cryptomap_40
crypto map ethnicmap 40 set peer 195.153.xx.xx
crypto map ethnicmap 40 set transform-set traffic
crypto map ethnicmap 50 ipsec-isakmp
crypto map ethnicmap 50 match address outside_cryptomap_50
crypto map ethnicmap 50 set peer 213.120.xx.xx
crypto map ethnicmap 50 set transform-set traffic
crypto map ethnicmap 60 ipsec-isakmp
crypto map ethnicmap 60 match address outside_cryptomap_60
crypto map ethnicmap 60 set peer 217.46.xx.xx
crypto map ethnicmap 60 set transform-set traffic
crypto map ethnicmap interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 217.204.xx.xx netmask 255.255.255.0
isakmp key ******** address 82.151.xx.xx netmask 255.255.255.0
isakmp key ******** address 81.5.xx.xx netmask 255.255.255.255
isakmp key ******** address 195.153.xx.xx netmask 255.255.255.224
isakmp key ******** address 217.46.xx.xx netmask 255.255.255.255
isakmp key ******** address 213.120.xx.xx netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet 172.16.0.0 255.255.0.0 intf2
telnet 172.16.0.0 255.255.0.0 intf3
telnet 172.16.0.0 255.255.0.0 intf4
telnet 172.16.0.0 255.255.0.0 intf5
telnet 172.16.0.0 255.255.0.0 intf6
telnet timeout 5
ssh 80.225.xx.xx 255.255.255.255 outside
ssh timeout 5
management-access outside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local VPN
vpdn group PPTP-VPDN-GROUP client configuration dns 172.16.1.1 172.16.1.2
vpdn group PPTP-VPDN-GROUP client configuration wins 172.16.1.1 172.16.1.2
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxxxxx password *********
vpdn enable outside
username xxxxxx password xxxxxx encrypted privilege 15
vpnclient server 172.16.254.1
vpnclient mode client-mode
vpnclient vpngroup VPN password ********
terminal width 80
 
I don't see 192.168.15 listed in this config.
Better check the other side as well.
 
You're correct by saying 192.168.15.0 is not listed. This is where I'm struggling to make sense of what to do...

How would I establish a VPN tunnel to the 192.168.15.0 range with the same external address when I already have an established connection on the 192.168.5.0 range?

Is this possible? I've never tried this before or should I be doing something else in the PIX's config on both ends?
 
You already have the tunnel established; you need to tell the tunnel that routes to 192.168.5.0 about the additional IP addresses to use.

So for every line on both firewalls that has 192.168.5.0, add a line that has 192.168.15.0:


-----
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.15.0 255.255.255.0
access-list 105 permit ip 172.16.0.0 255.255.0.0 192.168.15.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 172.16.0.0 255.255.0.0 192.168.15.0 255.255.255.0
 
Have I done the other firewall's config wrong?

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 20
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any echo
access-list 101 permit ip any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit icmp any any
access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.15.0 255.255.255.0
access-list 102 permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 102 permit ip 172.16.0.0 255.255.0.0 192.168.15.0 255.255.255.0
pager lines 24
icmp permit any echo outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
ip address outside 195.153.xx.xx 255.255.255.224
ip address inside 192.168.5.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name cci info action alarm
ip audit name cca attack action alarm drop reset
ip audit interface outside cci
ip audit interface outside cca
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.5.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 195.153.6.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.5.1 255.255.255.255 inside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set traffic esp-des esp-md5-hmac
crypto map manchester 10 ipsec-isakmp
crypto map manchester 10 match address 102
crypto map manchester 10 set peer 194.193.xx.xx
crypto map manchester 10 set transform-set traffic
crypto map manchester interface outside
isakmp enable outside
isakmp key ******** address 194.193.xx.xx netmask 255.255.255.0
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh 194.193.169.98 255.255.255.255 outside
ssh timeout 5
management-access outside
console timeout 0
terminal width 80
 
Is it working?
Did anything stop working when you applied the changes?
 
Access-list 102 should look like this:
access-list 102 permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list 102 permit ip 192.168.15.0 255.255.255.0 172.16.0.0 255.255.0.0
 
Thank you very much for your help thus far! I've made the change, but still no luck. What I've noticed is that the traceroute is not doing a search in the public domain anymore, but it doesn't seem to reach the 192.168.5.x range or any further either. I've also done a ping from the PIX interface on the remote site, which doesn't reach the 192.168.15.x address range. I'm wondering if this might be where the problem lies?

Here's the updated config of the remote site:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 20
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any echo
access-list 101 permit ip any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit icmp any any
access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.15.0 255.255.255.0
access-list 102 permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 102 permit ip 192.168.15.0 255.255.255.0 172.16.0.0 255.255.0.0
pager lines 24
icmp permit any echo outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
ip address outside 195.153.xx.xx 255.255.255.224
ip address inside 192.168.5.1 255.255.255.0
ip verify reverse-path interface outside
ip audit name cci info action alarm
ip audit name cca attack action alarm drop reset
ip audit interface outside cci
ip audit interface outside cca
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.5.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 195.153.6.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.5.1 255.255.255.255 inside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set traffic esp-des esp-md5-hmac
crypto map manchester 10 ipsec-isakmp
crypto map manchester 10 match address 102
crypto map manchester 10 set peer 194.193.xx.xx
crypto map manchester 10 set transform-set traffic
crypto map manchester interface outside
isakmp enable outside
isakmp key ******** address 194.193.xx.xx netmask 255.255.255.0
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh 194.193.xx.xx 255.255.255.255 outside
ssh timeout 5
management-access outside
console timeout 0
terminal width 80

The central PIX now looks like this:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
nameif ethernet6 intf6 security12
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service OWA tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object range 3389 3389
access-list compiled
access-list outside-in permit esp any any
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list outside-in permit tcp any host 194.193. eq www
access-list outside-in permit tcp any host 194.193. eq www
access-list outside-in permit tcp any host 193.114. eq www
access-list outside-in permit tcp any host 194.193. eq www
access-list outside-in permit tcp any host 194.193. eq ftp
access-list outside-in permit tcp any host 193.114. eq www
access-list outside-in permit tcp any host 193.114. eq www
access-list outside-in permit tcp any host 194.193. eq smtp
access-list outside-in permit tcp any any eq ssh
access-list outside-in permit udp any any eq isakmp
access-list outside-in deny tcp any any eq 135
access-list outside-in deny udp any any eq 135
access-list outside-in permit tcp any interface outside object-group OWA
access-list outside-in permit tcp any host 194.193. eq www
access-list outside-in deny tcp any host 65.54. eq www
access-list outside-in deny tcp any host 207.46.
access-list outside-in deny tcp any host 213.160.
access-list outside-in deny tcp any host 65.54.
access-list outside-in deny tcp any host 213.160.
access-list outside-in deny tcp any any eq 1863
access-list outside-in deny tcp any host 213.186.
access-list inside-out deny tcp any any eq 135
access-list inside-out deny tcp any any eq 137
access-list inside-out deny tcp any any eq 138
access-list inside-out deny tcp any any eq netbios-ssn
access-list inside-out deny udp any any eq 135
access-list inside-out deny udp any any eq netbios-ns
access-list inside-out deny udp any any eq netbios-dgm
access-list inside-out deny udp any any eq 139
access-list inside-out permit ip any any
access-list inside-out permit udp any any eq isakmp
access-list inside-out deny tcp any any eq 1863
access-list inside-out deny tcp any any eq 6901
access-list inside-out deny udp any any eq 1863
access-list inside-out deny udp any any eq 5190
access-list inside-out deny udp any any eq 6901
access-list inside-out deny tcp any host 65.54. eq www
access-list inside-out deny tcp any host 64.4.
access-list inside-out deny tcp any host 207.46.
access-list inside-out deny tcp any any eq 4531
access-list inside-out deny udp any any eq 4531
access-list inside-out deny tcp any host 213.160.
access-list inside-out deny tcp any host 65.54.
access-list inside-out deny tcp any host 213.160.
access-list inside-out deny tcp any host 207.46.
access-list inside-out deny tcp any host 213.186.
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.16.253.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list 102 permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list 103 permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list 105 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list 105 permit ip 172.16.0.0 255.255.0.0 192.168.15.0 255.255.255.0
access-list 106 permit ip 172.16.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 172.16.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 172.16.0.0 255.255.0.0 192.168.15.0 255.255.255.0
access-list outside_cryptomap_50 permit ip 172.16.0.0 255.255.0.0 192.168.6.0 255.255.255.0
access-list outside_cryptomap_60 permit ip 172.16.0.0 255.255.0.0 192.168.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered debugging
logging trap debugging
logging device-id hostname
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
ip address outside 194.193. 255.255.255.0
ip address inside 172.16.254.1 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
no ip address intf3
no ip address intf4
no ip address intf5
no ip address intf6
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 172.16.253.1-172.16.253.30
ip local pool VPN(2) 172.16.254.31-172.16.254.100
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
no failover ip address intf6
pdm location 172.16.0.0 255.255.0.0 outside
pdm location 172.16.1.235 255.255.255.255 inside
pdm location 172.16.196.101 255.255.255.255 inside
pdm location 172.16.196.104 255.255.255.255 inside
pdm location 172.16.196.112 255.255.255.255 inside
pdm location 172.16.196.113 255.255.255.255 inside
pdm location 172.16.196.114 255.255.255.255 inside
pdm location 172.16.196.121 255.255.255.255 inside
pdm location 80.225. 255.255.255.255 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 172.16.253.0 255.255.255.224 outside
pdm location 192.168.6.0 255.255.255.0 outside
pdm location 193.114. 255.255.255.255 outside
pdm location 172.16.1.237 255.255.255.255 inside
pdm location 193.114. 255.255.255.255 outside
pdm location 172.16.1.100 255.255.255.255 inside
pdm location 172.16.1.101 255.255.255.255 inside
pdm location 172.16.1.102 255.255.255.255 inside
pdm location 172.16.1.103 255.255.255.255 inside
pdm location 172.16.1.104 255.255.255.255 inside
pdm location 172.16.1.105 255.255.255.255 inside
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 172.16.1.103 255.255.255.255 outside
pdm location 172.16.1.108 255.255.255.255 inside
pdm location 172.16.1.108 255.255.255.255 outside
pdm location 81.153. 255.255.255.255 outside
pdm location 192.168.10.0 255.255.255.0 outside
pdm location 64.4. 255.255.255.255 outside
pdm location 65.54. 255.255.255.255 outside
pdm location 65.54. 255.255.255.255 outside
pdm location 207.46. 255.255.255.255 outside
pdm location 207.46. 255.255.255.255 outside
pdm location 213.160. 255.255.255.255 outside
pdm location 213.160. 255.255.255.255 outside
pdm location 172.16.1.236 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface smtp 172.16.1.236 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface https 172.16.1.237 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 172.16.1.237 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 172.16.1.237 3389 netmask 255.255.255.255 0 0
static (inside,outside) 194.193. 172.16.1.100 netmask 255.255.255.255 0 0
static (inside,outside) 194.193. 172.16.1.101 netmask 255.255.255.255 0 0
static (inside,outside) 193.114. 172.16.1.102 netmask 255.255.255.255 0 0
static (inside,outside) 194.193. 172.16.1.104 netmask 255.255.255.255 0 0
static (inside,outside) 193.114. 172.16.1.105 netmask 255.255.255.255 0 0
static (inside,outside) 194.193. 172.16.1.103 netmask 255.255.255.255 0 0
static (inside,outside) 193.114. 172.16.1.108 netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group inside-out in interface inside
conduit deny ip any host 213.186.50.156
route outside 0.0.0.0 0.0.0.0 194.193.169.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 195.13.1.153 source outside
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt ipsec pl-compatible
crypto ipsec transform-set traffic esp-des esp-md5-hmac
crypto map ethnicmap 10 ipsec-isakmp
crypto map ethnicmap 10 match address 101
crypto map ethnicmap 10 set peer 81.5.
crypto map ethnicmap 10 set transform-set traffic
crypto map ethnicmap 20 ipsec-isakmp
crypto map ethnicmap 20 match address 103
crypto map ethnicmap 20 set peer 82.151.
crypto map ethnicmap 20 set peer 255.255.255.255
crypto map ethnicmap 20 set transform-set traffic
crypto map ethnicmap 30 ipsec-isakmp
crypto map ethnicmap 30 match address 102
crypto map ethnicmap 30 set peer 217.204.
crypto map ethnicmap 30 set peer 255.255.255.255
crypto map ethnicmap 30 set transform-set traffic
crypto map ethnicmap 40 ipsec-isakmp
crypto map ethnicmap 40 match address outside_cryptomap_40
crypto map ethnicmap 40 set peer 195.153.
crypto map ethnicmap 40 set transform-set traffic
crypto map ethnicmap 50 ipsec-isakmp
crypto map ethnicmap 50 match address outside_cryptomap_50
crypto map ethnicmap 50 set peer 213.120.
crypto map ethnicmap 50 set transform-set traffic
crypto map ethnicmap 60 ipsec-isakmp
crypto map ethnicmap 60 match address outside_cryptomap_60
crypto map ethnicmap 60 set peer 217.46.
crypto map ethnicmap 60 set transform-set traffic
crypto map ethnicmap interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 217.204. netmask 255.255.255.0
isakmp key ******** address 82.151. netmask 255.255.255.0
isakmp key ******** address 81.5. netmask 255.255.255.255
isakmp key ******** address 195.153. netmask 255.255.255.224
isakmp key ******** address 217.46. netmask 255.255.255.255
isakmp key ******** address 213.120. netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet 172.16.0.0 255.255.0.0 intf2
telnet 172.16.0.0 255.255.0.0 intf3
telnet 172.16.0.0 255.255.0.0 intf4
telnet 172.16.0.0 255.255.0.0 intf5
telnet 172.16.0.0 255.255.0.0 intf6
telnet timeout 5
ssh 80.225. 255.255.255.255 outside
ssh timeout 5
management-access outside
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local VPN
vpdn group PPTP-VPDN-GROUP client configuration dns 172.16.1.1 172.16.1.2
vpdn group PPTP-VPDN-GROUP client configuration wins 172.16.1.1 172.16.1.2
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxxxxx password *********
vpdn enable outside
vpnclient server 172.16.254.1
vpnclient mode client-mode
vpnclient vpngroup VPN password ********
terminal width 80
 
On your remote pix, put this.
Change the ip address to the ip address of the virtual address on your switch.
route inside 192.168.15.0 255.255.255.0 192.168.5.x
 
jdeisenm, you wrote:

access list 102 should look like this
access-list 102 permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list 102 permit ip 192.168.15.0 255.255.255.0 172.16.0.0 255.255.0.0

Shouldn't those be wildcard masks instead of standard subnet masks? My belief is that they should read:

access list 102 should look like this
access-list 102 permit ip 192.168.5.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 102 permit ip 192.168.15.0 0.0.0.255 172.16.0.0 0.0.255.255
 
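The two fixes discussed above (the inside route for 192.168.15.0/24 on the remote PIX and the extra line in crypto access-list 102) can be checked offline. This is an added example, not code from the thread: it models PIX netmask matching, IOS wildcard matching and longest-prefix route lookup, then applies them to the thread's own addresses. The default gateway 198.51.100.1 and the switch address 192.168.5.1 are assumed placeholders.

```python
import ipaddress

def ip_int(s):
    return int(ipaddress.ip_address(s))

def match_netmask(net, mask, addr):
    # PIX access-list/route syntax: the second field is a subnet mask,
    # so only the bits the mask keeps are compared.
    m = ip_int(mask)
    return (ip_int(addr) & m) == (ip_int(net) & m)

def match_wildcard(net, wildcard, addr):
    # IOS access-list syntax: a set wildcard bit means "don't care",
    # so only the bits the wildcard leaves clear are compared.
    m = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & m) == (ip_int(net) & m)

def acl_permits(entries, src, dst, matcher=match_netmask):
    # entries: (src_net, src_mask, dst_net, dst_mask) permit lines; first match wins.
    return any(matcher(sn, sm, src) and matcher(dn, dm, dst)
               for sn, sm, dn, dm in entries)

def next_hop(routes, dst):
    # routes: (interface, net, mask, gateway); the longest matching prefix wins.
    hits = [(ipaddress.ip_network(f"{n}/{m}", strict=False).prefixlen, i, g)
            for i, n, m, g in routes if match_netmask(n, m, dst)]
    return max(hits)[1:] if hits else None

# Remote-site crypto ACL 102 before and after the voice-VLAN line was added.
ACL_102_BEFORE = [("192.168.5.0", "255.255.255.0", "172.16.0.0", "255.255.0.0")]
ACL_102_AFTER = ACL_102_BEFORE + [("192.168.15.0", "255.255.255.0", "172.16.0.0", "255.255.0.0")]

# Remote PIX routing table (constructed). 198.51.100.1 is a placeholder default
# gateway; 192.168.5.1 is an assumed address for the 3750's virtual interface.
ROUTES_BEFORE = [("outside", "0.0.0.0", "0.0.0.0", "198.51.100.1")]
ROUTES_AFTER = ROUTES_BEFORE + [("inside", "192.168.15.0", "255.255.255.0", "192.168.5.1")]

if __name__ == "__main__":
    phone, hq_host = "192.168.15.230", "172.16.1.100"
    # Without the second ACL line the voice VLAN is not "interesting" traffic
    # for the tunnel, so the PIX sends it out the default route in the clear.
    print(acl_permits(ACL_102_BEFORE, phone, hq_host))  # False
    print(acl_permits(ACL_102_AFTER, phone, hq_host))   # True
    print(next_hop(ROUTES_BEFORE, phone))  # ('outside', '198.51.100.1')
    print(next_hop(ROUTES_AFTER, phone))   # ('inside', '192.168.5.1')
    # The same digits read as an IOS wildcard match a different set of hosts.
    print(match_wildcard("192.168.5.0", "255.255.255.0", "192.168.5.7"))  # False
    print(match_wildcard("192.168.5.0", "0.0.0.255", "192.168.5.7"))      # True
```

Running it shows that the 192.168.15.0/24 hosts only become tunnel traffic once the extra ACL line exists, and only reach the voice VLAN once the inside route exists.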
Thank you so much for your assistance jdeisenm! It's working without a hitch now!

Gerhard
 