Weird pix-to-pix vpn issue 1

Status
Not open for further replies.

smikes19

MIS
Oct 18, 2001
62
US
Hi,
I have 4 other sites VPN'ed together pix-to-pix. When I try to change up the isakmp key or the access-list line to match, the PIX denies all internet access. Sometimes if I replace the lines, internet access works again, sometimes it won't. I end up having to reload the original config. It'd be nice for the internet access to work constantly so that I can change the configs up without having to worry. Anyone know why this happens or is there a work around?

thanks!
 
Yes... I'm assuming you're telnetting into the pix through the VPN tunnel. When you make changes to the tunnel, you will interrupt sustained connections to the pix.

The best way to work on a pix is via SSH. You want:
(in config term)
ca generate rsa 1024
ssh 0.0.0.0 0.0.0.0 outside

First line generates your Encryption key.
2nd line allows you to SSH into your pix from anywhere--You must use the outside IP address of the pix.

As for SSH clients, I use SecureCRT, but there are free ones out there as well, just go to google.

-Iota
 
BTW... When you finally establish the SSH PIX connection,
Pix supports DES encryption, not 3DES, Blowfish, etc.
the username for the session is: pix
and the password for the session is: <telnet pass>

Then you just enable like normal.

Iota
 
Thanks Iota,
I don't know if I want to go that far... as I'll probably never use it. I'm actually telnetting into the inside interface. When I make changes to the VPN config from there, access from the inside to the outside comes to a halt... sorry, I should have been more clear on that one.

--mike
 
How about a config post, minus passwords?

-Iota
 
Hi.

What PIX version?
It might have been fixed in a newer version; try searching the Cisco web site for open caveats.

You can try to disable IPsec while modifying it, like:
no isakmp enable outside
no nat 0 access-list ...
[... make changes ...]
nat 0 access-list ...
isakmp enable outside

(Maybe unbinding the crypto map will also do the job, or maybe only disabling nat 0 is enough; you can try and see.)

You should also capture the syslog messages you get when the Internet connection is stopped; this will help you pinpoint the cause of the problem.

You should also read about the
clear xlate
and other clear commands, maybe this can also help.

Bye
Yizhar Hurwitz
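Following up on the syslog advice above, here is an added example (not from anyone in this thread or from Cisco) that shows what "capture the syslog messages and pinpoint the cause" can look like in practice: a small parser that reads PIX syslog lines, counts messages per ID, and turns the counts into the findings an admin would act on after a `nat 0` / `isakmp` edit. The sample log lines are constructed, and the message-ID table is an assumed subset paraphrased from the PIX 6.x syslog reference; check both against the documentation for your own PIX version.

```python
"""Summarise Cisco PIX syslog lines to pinpoint why traffic stopped after a VPN edit.

Added example for this thread; not from the original posters or from Cisco.
The sample log lines below are constructed, and the small message-ID table is
an assumption paraphrased from the PIX 6.x syslog reference: check it against
the documentation for your own PIX version.
"""
import re
from collections import Counter

# PIX syslog header: %PIX-<severity 0-7>-<six digit message id>: <text>
PIX_MSG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)")

# Message IDs worth watching when a nat 0 / crypto change breaks outbound traffic.
# (category, meaning); assumed subset, see module docstring.
KNOWN_IDS = {
    "305005": ("nat", "no translation group found (nat/global or nat 0 does not match)"),
    "302013": ("conn", "built TCP connection"),
    "302014": ("conn", "teardown TCP connection"),
    "602301": ("ipsec", "IPsec SA created"),
    "602302": ("ipsec", "IPsec SA deleted"),
    "402106": ("ipsec", "received packet was not IPsec but matched the crypto map"),
}

# Constructed sample: one good connection, then the SA is torn down and
# inside hosts start failing translation. Timestamps and addresses are made up.
SAMPLE_LOG = """\
Oct 18 2001 10:02:11 pix %PIX-6-302013: Built outbound TCP connection 1181 for faddr 198.51.100.20/80 gaddr 203.0.113.5/1044 laddr 10.1.1.25/1044
Oct 18 2001 10:05:40 pix %PIX-6-602302: deleting SA, (sa) sa_dest= 203.0.113.9, sa_prot= 50, sa_spi= 0x1a2b3c4d(439041101), sa_trans= esp-des esp-md5-hmac, sa_conn_id= 1
Oct 18 2001 10:05:58 pix %PIX-3-305005: No translation group found for tcp src inside:10.1.1.25/1045 dst outside:198.51.100.20/80
Oct 18 2001 10:06:02 pix %PIX-3-305005: No translation group found for udp src inside:10.1.1.7/1029 dst outside:198.51.100.53/53
Oct 18 2001 10:06:05 pix %PIX-3-305005: No translation group found for tcp src inside:10.1.1.25/1046 dst outside:198.51.100.20/443
"""


def parse_line(line):
    """Return (severity, message id, text) for a PIX syslog line, or None."""
    m = PIX_MSG.search(line)
    if m is None:
        return None
    return int(m.group("sev")), m.group("id"), m.group("text").strip()


def summarize(lines):
    """Count messages per ID and per category (nat / conn / ipsec / other)."""
    by_id, by_cat = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, msg_id, _ = parsed
        by_id[msg_id] += 1
        by_cat[KNOWN_IDS.get(msg_id, ("other", ""))[0]] += 1
    return by_id, by_cat


def diagnose(lines):
    """Turn the counts into the findings a PIX admin would act on."""
    by_id, _ = summarize(lines)
    findings = []

    # 305005 right after a nat 0 / access-list edit means the new ACL no longer
    # covers these inside hosts, so there is no translation for them at all.
    hosts = set()
    for parsed in map(parse_line, lines):
        if parsed and parsed[1] == "305005":
            m = re.search(r"src [^:\s]+:([^/\s]+)/", parsed[2])
            if m:
                hosts.add(m.group(1))
    if hosts:
        findings.append(
            f"{by_id['305005']} 'no translation group' messages for inside hosts "
            f"{sorted(hosts)}: nat/global or nat 0 does not cover them"
        )

    # SAs deleted with none re-created: the tunnel went down and stayed down.
    if by_id["602302"] and not by_id["602301"]:
        findings.append("IPsec SAs deleted and none re-created: tunnel is down")

    # Packets hitting the crypto map unencrypted usually mean a key/ACL mismatch.
    if by_id["402106"]:
        findings.append("non-IPsec packets matched the crypto map: "
                        "check the isakmp key and crypto ACL on both ends")

    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG.splitlines()):
        print(finding)
```

Feed it the output of `logging` sent to a syslog host (or `show logging` pasted into a file) from the moment the change is made; the 305005 host list tells you directly which inside addresses your edited `nat 0` access-list no longer matches, which is the difference between "internet access stopped" and knowing which line to fix.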
 