VPN IP Address Change

Ztrek7
Mar 12, 2004
We had a DSL connection, and a few Pix-Pix VPNs. We upgraded one end to cable. I changed the config, write mem, reload. One connection came back, the others have not. I then removed the entries completely for the offenders, and put them back, still a no go. sh isakmp sa only shows the good connection, sh ipsec sa shows the entries, correct local and endpoint IPs, but no traffic. The access-lists are exactly the same. Ideas? I will post some portion of config:

Pix A: (Changed IP)

access-list 110 permit ip 192.168.7.0 255.255.255.0 192.1.1.0 255.255.255.0
ip address outside xxx.xxx.12.200 255.255.255.0
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set full esp-des esp-md5-hmac
crypto map crmap 1 ipsec-isakmp
crypto map crmap 1 match address 110
crypto map crmap 1 set peer xxx.xxx.0.249
crypto map crmap 1 set transform-set full
isakmp key ******** address xxx.xxx.0.249 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600

Pix B:

access-list 140 permit ip 192.1.1.0 255.255.255.0 192.168.7.0 255.255.255.0
ip address outside xxx.xxx.0.249 255.255.255.248
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set full esp-des esp-md5-hmac
crypto map crmap 3 ipsec-isakmp
crypto map crmap 3 match address 140
crypto map crmap 3 set peer xxx.xxx.12.200
crypto map crmap 3 set transform-set full
isakmp key ******** address xxx.xxx.12.200 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 3600
 
UPDATE maybe?

I have run this by a couple of people, and everything seems right. My only working theory is we had 5 IPs with DSL and a global command with an address range for that. We still have 5 IPs, but since we weren't going to use them, I just globaled the one. Is it one IP per site-to-site VPN? My only working theory! I have hopefully removed the element of human typing error by removing and re-adding with simple keys a couple more times, with the same results.

 
You need to enable the outside interface by:
#isakmp enable outside

At the end of the phase 2 config you need to bind it to the outside interface by:
#crypto map crmap interface outside

Then check whether you did identity NAT for VPN traffic.
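
The checks discussed in this thread, as an added example that is not part of any poster's message: a Python script that compares two PIX config excerpts for one tunnel (peer and pre-shared-key address against the other side's outside address, mirrored crypto ACLs) and looks for the lines the reply names. The `nat (inside) 0 access-list` form of the NAT check and all helper names are assumptions; a line missing from a posted excerpt may still exist in the full config.

```python
import re

# Excerpts of the two configs posted in the thread (addresses masked as posted).
PIX_A = """\
access-list 110 permit ip 192.168.7.0 255.255.255.0 192.1.1.0 255.255.255.0
ip address outside xxx.xxx.12.200 255.255.255.0
crypto map crmap 1 match address 110
crypto map crmap 1 set peer xxx.xxx.0.249
isakmp key ******** address xxx.xxx.0.249 netmask 255.255.255.255
"""
PIX_B = """\
access-list 140 permit ip 192.1.1.0 255.255.255.0 192.168.7.0 255.255.255.0
ip address outside xxx.xxx.0.249 255.255.255.248
crypto map crmap 3 match address 140
crypto map crmap 3 set peer xxx.xxx.12.200
isakmp key ******** address xxx.xxx.12.200 netmask 255.255.255.255
"""
# Constructed: the reply's two commands plus an assumed NAT exemption line.
FIXES = ("isakmp enable outside\ncrypto map crmap interface outside\n"
         "nat (inside) 0 access-list 110\n")
# Lines the reply says must exist on the side being checked.
REQUIRED = {
    "isakmp enable outside": r"^isakmp enable outside\s*$",
    "crypto map interface outside": r"^crypto map \S+ interface outside\s*$",
    "nat 0 exemption": r"^nat \(\S+\) 0 ",
}

def parse(cfg):
    find = lambda pat: re.findall(pat, cfg, re.M)
    acls = {n: (s, d) for n, s, d in
            find(r"^access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)")}
    matched = find(r"^crypto map \S+ \d+ match address (\S+)")
    return {
        "outside": set(find(r"^ip address outside (\S+)")),
        "peers": set(find(r"^crypto map \S+ \d+ set peer (\S+)")),
        "key_peers": set(find(r"^isakmp key \S+ address (\S+)")),
        "traffic": {acls[n] for n in matched if n in acls},  # (src, dst) pairs
    }

def check_tunnel(local_cfg, remote_cfg):
    loc, rem = parse(local_cfg), parse(remote_cfg)
    problems = []
    if not rem["outside"] & loc["peers"]:
        problems.append("crypto map peer does not match remote outside address")
    if not rem["outside"] & loc["key_peers"]:
        problems.append("isakmp key is not defined for remote outside address")
    if not loc["traffic"] & {(d, s) for s, d in rem["traffic"]}:
        problems.append("crypto ACLs are not mirror images")
    return problems + ["missing: " + name for name, pat in REQUIRED.items()
                       if not re.search(pat, local_cfg, re.M)]
```

Run `check_tunnel` once per direction, since each side must point at the other's current outside address after an IP change.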
 