Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

What am I doing wrong? PIX 515E & 506E Site to Site. 1

Status
Not open for further replies.

dave2korg

IS-IT--Management
Feb 25, 2006
102
US
So here is my problem. I have to setup a site to site between my office (company) and a remote location. For the time being I have the remote location's PIX (506E) setup here behind my router so I can test the site-to-site. I went through asdm/pdm on both devices and set it up the way I was taught back in school. I've never claimed to be an expert with Cisco, and I'm usually lost when it comes to command line.. Pair that with being out of school for a few years and no hands on cisco experience in about that amount of time.. here I am.

Here is my Config on the PIX's: (note: site A's external ip has been marked as xxx.xxx.xxx.xxx, while site B's external ip is yyy.yyy.yyy.yyy)

First the Mirrored set of 515E's at the main location (Site A)

PIX Version 7.2(1)
hostname pixfirewall
domain-name ciscopix.com
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxa 255.255.255.x standby xxx.xxx.xxx.xxb
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
!
interface Ethernet2
nameif intf2
security-level 4
ip address 192.168.4.1 255.255.255.0 standby 192.168.4.254
!
ftp mode passive
access-list outside_access_in extended permit ip any any
access-list company_splitTunnelAcl_3 standard permit 192.168.1.0 255.255.255.0
access-list Default_splitTunnelAcl standard permit any
access-list company_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list company_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended deny ip any any
access-list intf2_access_out extended permit icmp any any
access-list intf2_access_out extended permit ip 192.168.0.0 255.255.0.0 any
access-list intf2_access_out extended deny ip any any inactive
access-list company_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap extended permit ip any 192.168.1.64 255.255.255.192
access-list company_splitTunnelAcl_2 standard permit 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host yyy.yyy.yyy.yyy
mtu outside 1500
mtu inside 1500
ip local pool companyVPN 192.168.1.90-192.168.1.99 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy Default internal
group-policy Default attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelall
split-tunnel-network-list none
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer yyy.yyy.yyy.yyy
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group yyy.yyy.yyy.yyy type ipsec-l2l
tunnel-group yyy.yyy.yyy.yyy ipsec-attributes
pre-shared-key *

And the PIX at site B:

PIX Version 6.3(5)
hostname failoverpix
domain-name ciscopix.com
name xxx.xxx.xxx.xxx Company
access-list company_splitTunnelAcl permit ip 10.10.4.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.10.4.0 255.255.255.0 10.10.4.64 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 10.10.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
access-list outside_cryptomap_dyn_20 permit ip any 10.10.4.64 255.255.255.192
access-list outside_cryptomap_20 permit ip 10.10.4.0 255.255.255.0 host xxx.xxx.xxx.xxx
pager lines 24
mtu outside 1500
mtu inside 1500
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxx.xxx.xxx.xxx address-pool vpn
vpngroup xxx.xxx.xxx.xxx split-tunnel company_splitTunnelAcl
vpngroup xxx.xxx.xxx.xxx idle-time 1800
vpngroup xxx.xxx.xxx.xxx password ********


If I didnt post the right info, or enough of it. Please let me know, I would like to box and ship this hardware at the latest on Saturday.

David McKissic
A+, Net+, i-net+, CCNA, CNE, CNA
Dell, Compaq, IBM, HP
Network Administrator
 
Can you post the whole config from each and just leave out the passwords and mask the IPs. That way we can see which ACL's and where as well as the crypto map statements.

Sorry ahead of time, but I like the CLI. I don't remember enough of the screens from the ASDM to walk you through it. On the brite side, for the CLI, you can just paste in what you want.

Ok, so is the ip on B dynamic? If not, we shold do this as a site-to-site static. It is just easier.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
the ip on B is static as well.

Here is the config on the main site's 515E
asdm image flash:/asdm-521.bin
asdm location server1 255.255.255.255 inside
asdm location 192.168.1.241 255.255.255.255 inside
asdm location 0.0.0.0 255.255.255.255 inside
asdm location 67.103.142.169 255.255.255.255 outside
asdm location cluster1 255.255.255.255 intf2
asdm location cluster2 255.255.255.255 intf2
asdm location cluster3 255.255.255.255 intf2
asdm location WI_1 255.255.255.255 outside
asdm location WI_2 255.255.255.255 outside
asdm location WI_3 255.255.255.255 outside
asdm location server2 255.255.255.255 inside
asdm location service 255.255.255.255 intf2
asdm location mailserver 255.255.255.255 inside
asdm location website 255.255.255.255 intf2
asdm location service_1 255.255.255.255 outside
asdm location service_2 255.255.255.255 outside
asdm location service_4 255.255.255.255 outside
asdm location user 255.255.255.255 outside
asdm location filestore 255.255.255.255 intf2
asdm location webservices1 255.255.255.255 inside
asdm location server5 255.255.255.255 inside
asdm location user 255.255.255.255 outside
asdm location webservicesnas1 255.255.255.255 intf2
asdm location website 255.255.255.255 intf2
asdm location user 255.255.255.255 outside
asdm location website 255.255.255.255 intf2
asdm location website 255.255.255.255 intf2
asdm location IDA_6 255.255.255.255 outside
asdm location IDA_5 255.255.255.255 outside
asdm location website 255.255.255.255 intf2
asdm group service inside
asdm group servers inside
asdm group servers intf2
asdm group servers_ref intf2 reference servers
asdm group PUBLIC_WEBSERVERS1 intf2
asdm group WEBSERVERS_ref inside reference WEBSERVERS
asdm group DMZSERVERS intf2
asdm group DomainServers inside
asdm group service_New outside
asdm group service_New_ref inside reference service_New
asdm group IDA outside
asdm group DomainServers_ref intf2 reference DomainServers
asdm group service_ref outside
asdm history enable
: Saved
:
PIX Version 7.2(1)
!
hostname pixfirewall
domain-name ciscopix.com
enable password * encrypted
names
name 12.37.31.x service
name 192.168.1.24 server
name 192.168.4.5 server
name 192.168.4.4 server
name 192.168.1.25 server
name 192.168.1.41 server
name 192.168.1.52 server
name 192.168.1.51 server
name 192.168.1.50 server
name 192.168.4.241 cluster
name 192.168.4.240 cluster
name 192.168.4.242 cluster
name 192.168.1.23 server
name 192.168.1.67 server
name 69.238.100.x router
name 192.168.4.243 cluster
name 12.36.215.x ftp_drop
name 192.168.4.244 cluster
name 192.168.4.245 cluster
name 192.168.4.246 cluster
name 192.168.1.79 server
name 192.168.4.247 cluster
name 192.168.1.74 server
name 192.168.4.248 cluster
name 192.168.1.242 server
name 192.168.1.33 server
name 192.168.4.249 cluster
name 192.168.4.250 cluster
name 192.168.4.8 server
name 192.168.4.251 server
name 72.3.243.x server
name 72.3.243.x server
name 72.3.243.x server
name 192.168.4.252 cluster
name 192.168.1.75 cluster
name 192.168.4.239 cluster
name 192.168.4.253 cluster
name 192.168.1.29 mailserver
name 192.168.4.236 cluster
name 66.166.197.x server
name 66.155.197.x server
name 72.130.84.x server
name 66.159.213.x server
name 192.168.4.10 cluster
name 192.168.1.26 server
name 192.168.1.243 server
name 69.234.244.x server
name 192.168.4.9 server
name 192.168.4.234 cluster
name 66.108.47.x server
name 192.168.4.231 cluster
name 192.168.4.232 cluster
name 72.134.78.x user
name 207.234.146.x user
name 192.168.4.233 cluster
name 67.122.153.x user
!
interface Ethernet0
nameif outside
security-level 0
ip address 69.238.100.x 255.255.255.128 standby 69.238.100.x
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
!
interface Ethernet1.1
vlan 44
nameif wirelessSec
security-level 98
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet1.2
vlan 42
nameif wirelessPub
security-level 3
ip address 10.10.5.1 255.255.255.0
!
interface Ethernet2
nameif intf2
security-level 4
ip address 192.168.4.1 255.255.255.0 standby 192.168.4.254
!
passwd * encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxx.com
object-group network name
network-object server 255.255.255.255
network-object server 255.255.255.255
network-object server 255.255.255.255
object-group network cluster
description Internal SQL Servers
network-object server 255.255.255.255
network-object server 255.255.255.255
network-object server 255.255.255.255
object-group network WEBSERVERS
description DMZ Web Servers
network-object server 255.255.255.255
network-object server 255.255.255.255
object-group network SQLSERVERS_ref
network-object server 255.255.255.255
network-object server 255.255.255.255
network-object server 255.255.255.255
object-group service WebandFTP tcp
port-object eq www
port-object eq ftp-data
port-object eq https
port-object eq ftp
port-object eq smtp
object-group service WebFTP tcp
port-object eq www
port-object eq ftp-data
port-object eq ftp
port-object eq https
object-group service FTPandFTPData tcp
port-object eq ftp-data
port-object eq ftp
object-group service HTTPandSecure tcp
port-object eq www
port-object eq https
object-group service DomainPortsTCP tcp
port-object eq 3268
port-object eq 135
port-object eq 445
port-object eq 3269
port-object eq ldaps
port-object eq 88
port-object eq ldap
port-object eq domain
port-object range 5100 5400
object-group network DMZSERVERS
network-object server 255.255.255.255
network-object server 255.255.255.255
object-group service MMS_TCP tcp
port-object eq 1755
port-object eq rtsp
object-group service MMS_UDP udp
port-object eq 1755
port-object eq 554
port-object eq 5005
object-group service service tcp
port-object eq ftp-data
port-object eq ftp
port-object eq https
port-object eq smtp
object-group network PUBLIC_WEBSERVERS1
network-object cluster 255.255.255.255
network-object cluster 255.255.255.255
network-object cluster 255.255.255.255
network-object cluster 255.255.255.255
network-object cluster 255.255.255.255
network-object CLUSTER 255.255.255.255
network-object CLUSTER 255.255.255.255
network-object CLUSTER 255.255.255.255
network-object CLUSTER 255.255.255.255
network-object CLUSTER 255.255.255.255
network-object CLUSTER 255.255.255.255
network-object cluster 255.255.255.255
network-object CLUSTer 255.255.255.255
network-object cluster 255.255.255.255
network-object cluster 255.255.255.255
network-object cluster 255.255.255.255
network-object cluster 255.255.255.255
network-object cluster 255.255.255.255
network-object cluster 255.255.255.255
network-object cluster 255.255.255.255
object-group service Exchange tcp
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
port-object eq imap4
object-group network WEBSERVERS_ref
network-object WEBSERVER 255.255.255.255
network-object WEBSERVER 255.255.255.255
object-group network DomainServers
network-object server 255.255.255.255
network-object server 255.255.255.255
object-group network service_New
network-object WI_1 255.255.255.255
network-object WI_2 255.255.255.255
network-object WI_3 255.255.255.255
network-object user 255.255.255.255
object-group network service_New_ref
network-object WI_1 255.255.255.255
network-object WI_2 255.255.255.255
network-object WI_3 255.255.255.255
network-object user 255.255.255.255
object-group service SourceSafe tcp
description Vendor Access to SourceSafe
port-object range https https
port-object range 3389 3389
object-group service DomainPortsUDP udp
port-object eq 88
port-object eq 389
port-object eq domain
port-object range 5100 5400
object-group service RPCPorts tcp
port-object eq 135
port-object range 5100 5400
object-group network vendor_ref
network-object user 255.255.255.255
network-object user 255.255.255.255
network-object user 255.255.255.255
network-object user 255.255.255.255
network-object user 255.255.255.255
network-object user 255.255.255.255
network-object user 255.255.255.255
network-object host user
object-group network DomainServers_ref
network-object server 255.255.255.255
network-object server 255.255.255.255
object-group service Netmeeting tcp
port-object eq 522
port-object eq h323
port-object eq 1731
port-object eq 1503
port-object eq ldap
access-list intf2_access_in extended permit icmp any any
access-list intf2_access_in extended permit tcp host server host server eq 1433
access-list intf2_access_in extended permit tcp object-group WEBSERVERS object-group SQLSERVERS_ref eq 1433
access-list intf2_access_in extended permit tcp object-group WEBSERVERS host webservices1 eq www
access-list intf2_access_in extended permit tcp object-group WEBSERVERS host server eq 1433
access-list intf2_access_in extended permit udp any object-group DomainServers eq domain
access-list intf2_access_in extended permit tcp any object-group DomainServers eq domain
access-list intf2_access_in extended permit tcp host server host server eq smtp
access-list intf2_access_in extended permit tcp host server object-group DomainServers_ref object-group DomainPortsTCP
access-list intf2_access_in extended permit udp host server object-group DomainServers_ref object-group DomainPortsUDP
access-list intf2_access_in extended permit tcp host server host server eq www
access-list intf2_access_in extended permit tcp host server host server eq www
access-list intf2_access_in extended permit tcp host server host server eq www
access-list intf2_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list intf2_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list company_splitTunnelAcl_3 standard permit 192.168.1.0 255.255.255.0
access-list Default_splitTunnelAcl standard permit any
access-list company_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list company_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.192
access-list inside_access_out extended permit icmp any any
access-list inside_access_out remark Allow SMTP, HTTP, HTTPS, FTP to server
access-list inside_access_out extended permit tcp any host server object-group service
access-list inside_access_out extended permit ip servergroup 255.255.255.0 object-group service
access-list inside_access_out extended permit ip object-group serviceref object-group servergroup
access-list inside_access_out extended permit tcp any host server object-group FTPandFTPData
access-list inside_access_out extended permit tcp any host server object-group WebandFTP
access-list inside_access_out extended permit tcp any host server object-group HTTPandSecure
access-list inside_access_out remark Allow port 3200 incoming to the Exchange / Blackberry Server
access-list inside_access_out extended permit tcp any host server eq 3200
access-list inside_access_out extended permit tcp any host server object-group Exchange
access-list inside_access_out extended permit tcp any host server eq smtp
access-list inside_access_out remark Allow HTTP access to the server server
access-list inside_access_out remark Allow SMTP access to the server server from interface2
access-list inside_access_out remark Allow SMTP access to the server server from interface2
access-list inside_access_out remark Allow SMTP access to the server server from interface2
access-list inside_access_out remark Allow access to servicegroup
access-list inside_access_out extended permit tcp any host server eq www
access-list inside_access_out remark Allow HTTP access to the server server
access-list inside_access_out remark Allow SMTP access to the server server from interface2
access-list inside_access_out remark Allow SMTP access to the server server from interface2
access-list inside_access_out remark Allow SMTP access to the server server from interface2
access-list inside_access_out remark Allow access to servicegroup
access-list inside_access_out extended permit tcp any host server eq www
access-list inside_access_out extended permit tcp object-group server_ref object-group server eq 1433
access-list inside_access_out extended permit tcp object-group server_ref host server eq www
access-list inside_access_out extended permit tcp host server host server eq 1433
access-list inside_access_out extended permit tcp host server object-group DomainServers object-group DomainPortsTCP
access-list inside_access_out extended permit udp host server object-group DomainServers object-group DomainPortsUDP
access-list inside_access_out extended permit udp any object-group DomainServers eq domain
access-list inside_access_out extended permit tcp 66.214.0.0 255.255.0.0 host server eq 3389
access-list inside_access_out extended permit tcp object-group vendor_ref host server object-group HTTPandSecure
access-list inside_access_out extended permit tcp any host server eq www
access-list inside_access_out extended permit tcp any host server object-group Netmeeting
access-list inside_access_out extended permit ip 10.10.3.0 255.255.255.0 any
access-list inside_access_out extended deny ip any any
access-list intf2_access_out extended permit icmp any any
access-list intf2_access_out extended permit tcp any object-group PUBLIC_WEBSERVERS1 object-group HTTPandSecure
access-list intf2_access_out extended permit tcp any object-group PUBLIC_WEBSERVERS1 object-group MMS_TCP
access-list intf2_access_out extended permit udp any object-group PUBLIC_WEBSERVERS1 object-group MMS_UDP
access-list intf2_access_out extended permit tcp any host server eq www
access-list intf2_access_out extended permit ip 192.168.0.0 255.255.0.0 any
access-list intf2_access_out extended deny ip any any inactive
access-list Server remark group access to VSS
access-list Server extended permit tcp any object-group SourceSafe host server object-group SourceSafe
access-list Server extended permit udp any host server
access-list company_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in remark Block access to gotomypc.com
access-list inside_access_in extended deny ip any host 66.151.158.x log alerts
access-list inside_access_in extended permit ip any any
access-list wirelessSec_access_in extended permit ip any any
access-list wirelessPub_access_in extended deny ip 10.10.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list wirelessPub_access_in extended permit icmp 10.10.5.0 255.255.255.0 any
access-list wirelessPub_access_in extended permit tcp 10.10.5.0 255.255.255.0 any eq www
access-list wirelessPub_access_in_1 extended permit ip any any
access-list outside_cryptomap extended permit ip any 192.168.1.64 255.255.255.192
access-list company_splitTunnelAcl_2 standard permit 192.168.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 69.238.100.180
pager lines 24
logging enable
logging timestamp
logging buffered emergencies
logging asdm alerts
logging host inside 192.168.1.203
logging host inside user
logging debug-trace
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu wirelessSec 1500
mtu wirelessPub 1500
mtu intf2 1500
ip local pool companyVPN 192.168.1.90-192.168.1.99 mask 255.255.255.0
failover
monitor-interface outside
monitor-interface inside
no monitor-interface wirelessSec
no monitor-interface wirelessPub
monitor-interface intf2
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
global (intf2) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.1.0 255.255.255.0
nat (wirelessSec) 10 10.10.3.0 255.255.255.0
nat (wirelessPub) 10 0.0.0.0 0.0.0.0 dns
nat (intf2) 10 0.0.0.0 0.0.0.0
static (inside,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (inside,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (inside,outside) 69.238.100.x server netmask 255.255.255.255
static (inside,outside) 69.238.100.x server netmask 255.255.255.255
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (inside,outside) 69.238.100.x server netmask 255.255.255.255
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x cluster netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x cluster netmask 255.255.255.255 dns
static (inside,outside) 69.238.100.x server netmask 255.255.255.255
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x cluster netmask 255.255.255.255 dns
static (inside,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (inside,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x cluster netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x cluster netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (inside,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (inside,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (inside,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (inside,outside) 69.238.100.x server netmask 255.255.255.255
static (inside,outside) 69.238.100.x server netmask 255.255.255.255
static (inside,wirelessSec) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,intf2) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,wirelessPub) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (intf2,outside) 69.238.100.x server netmask 255.255.255.255 dns
static (intf2,outside) 69.238.100.x cluster netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group wirelessSec_access_in in interface wirelessSec
access-group wirelessPub_access_in_1 in interface wirelessPub
access-group intf2_access_in in interface intf2
access-group intf2_access_out out interface intf2
!
route-map inside_outbound_nat0_acl permit 10
!
route outside 0.0.0.0 0.0.0.0 Cisco3850 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host server
key *
group-policy Default internal
group-policy Default attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Default_splitTunnelAcl
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication enable
user-authentication enable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
group-policy SoftwareVendor internal
group-policy SoftwareVendor attributes
vpn-tunnel-protocol IPSec
group-policy company internal
group-policy company attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value company_splitTunnelAcl_3
vpn-group-policy DfltGrpPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside server poll community company
snmp-server host inside server community company
no snmp-server location
no snmp-server contact
snmp-server community company
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 69.238.100.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group company type ipsec-ra
tunnel-group company general-attributes
address-pool companyVPN
default-group-policy company
tunnel-group company ipsec-attributes
pre-shared-key *
tunnel-group 69.238.100.x type ipsec-l2l
tunnel-group 69.238.100.x ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet user 255.255.255.255 inside
telnet 192.168.1.203 255.255.255.255 inside
telnet 192.168.1.68 255.255.255.255 inside
telnet timeout 5
ssh user 255.255.255.255 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns server server
dhcpd ping_timeout 750
dhcpd domain ciscopix.com
!
dhcpd address 192.168.1.140-192.168.1.240 inside
dhcpd enable inside
!
dhcpd address 10.10.3.2-10.10.3.250 wirelessSec
dhcpd enable wirelessSec
!
dhcpd address 10.10.5.2-10.10.5.250 wirelessPub
dhcpd enable wirelessPub
!
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum 4096
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect dns migrated_dns_map_2
inspect icmp error
inspect icmp
policy-map type inspect http test
parameters
protocol-violation action drop-connection
match request uri regex _default_GoToMyPC-tunnel
drop-connection log
match request uri regex _default_GoToMyPC-tunnel_2
drop-connection log
policy-map global-policy
class global-class
inspect dns
!
service-policy global_policy global
ntp server 192.43.244.18 source outside prefer
prompt hostname context
Cryptochecksum: **
: end

And the config on the 506E:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password * encrypted
passwd * encrypted
hostname failoverpix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 69.238.100.x company
access-list company_splitTunnelAcl permit ip 10.10.4.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.10.4.0 255.255.255.0 10.10.4.64 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 10.10.4.0 255.255.255.0 host company
access-list outside_cryptomap_dyn_20 permit ip any 10.10.4.64 255.255.255.192
access-list outside_cryptomap_20 permit ip 10.10.4.0 255.255.255.0 host company
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 69.238.100.x 255.255.255.128
ip address inside 10.10.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 10.10.4.94-10.10.4.98
pdm location comapany 255.255.255.255 outside
pdm location 69.238.100.x 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 69.238.100.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http company 255.255.255.255 outside
http 69.238.100.x 255.255.255.255 outside
http 10.10.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer company
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address company netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup company address-pool vpn
vpngroup company split-tunnel company_splitTunnelAcl
vpngroup company idle-time 1800
vpngroup company password ********
telnet timeout 5
ssh 69.238.100.x 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum: **
: end
[OK]


Hope this helps.


David McKissic
A+, Net+, i-net+, CCNA, CNE, CNA

 
Add these lines to both of the boxes.

isakmp identity address
isakmp nat-traversal 20

Site A:
Change the no-nat ACl to be -
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.4.0 255.255.255.0
Change the crypto map ACL to be the same -
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.10.4.0 255.255.255.0

Now Site B:
Change the no-nat ACl to be -
access-list inside_outbound_nat0_acl permit ip 10.10.4.0 255.255.255.0 192.168.1.0 255.255.255.0
Change the crypto map ACL to be the same -
access-list outside_cryptomap_20 permit ip 10.10.4.0 255.255.255.0 192.168.1.0 255.255.255.0

Everything else looks good. That should spin you up.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks so much Brent.

I'll give that a try in the AM

David McKissic
A+, Net+, i-net+, CCNA, CNE, CNA

 
That worked, Thanks!

David McKissic
A+, Net+, i-net+, CCNA, CNE, CNA

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top