06/22/2005 at 10:01PM PDT, ID: 21467912

PIX 501 - VPN and NAT broke

Asked by nwru in Network Routers

Tags: pix

I recently have changed ISPs in a branch office. There was a VPN between the offices that worked before the switch, but I can't seem to get it working again. I have NAT working again, but only on a single computer (192.168.30.150). As you can see, I had 6 IPs to play with before, but now I only have 2, so I had to change things up a bit. There have been no hardware changes. I'll try to give as much relevant information as I can.

Headquarters: Cisco 1720 router - v12.1(21)
old config:
ip cef
crypto isakmp policy 4
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address 66.x.x.234
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
crypto map combined 30 ipsec-isakmp
 set peer 66.x.x.234
 set transform-set trans1
 match address 107
interface Loopback0
 ip address 192.168.16.1 255.255.255.0
interface Serial0
 ip address 167.x.x.230 255.255.255.252
 ip access-group 115 in
 ip nat outside
 ip load-sharing per-packet
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map combined
interface Serial1
 ip address 167.x.x.242 255.255.255.252
 ip access-group 115 in
 ip nat outside
 ip load-sharing per-packet
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
 crypto map combined
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map nostatic
 speed auto
 half-duplex
 no cdp enable
ip nat pool natpool1 167.x.x.201 167.x.x.206 netmask 255.255.255.248
ip nat inside source route-map NAT pool natpool1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 167.x.x.229
ip route 0.0.0.0 0.0.0.0 167.x.x.241
access-list 102 deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip host 192.168.10.150 192.168.30.0 0.0.0.255
access-list 103 permit ip host 192.168.10.151 192.168.30.0 0.0.0.255
access-list 103 permit ip host 192.168.10.160 192.168.30.0 0.0.0.255
access-list 103 permit ip host 192.168.10.170 192.168.30.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 115 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 permit udp any any eq isakmp
access-list 115 permit esp any any
access-list 115 permit ahp any any
access-list 115 permit tcp any any eq 443
access-list 115 permit udp any any eq 443
access-list 115 permit icmp any any echo-reply
access-list 115 remark *** Allow a few port mappings ***
no cdp run
route-map nostatic permit 10
 match ip address 103
 set ip next-hop 192.168.16.2
route-map NAT permit 10
 match ip address 102
*************************************************
new config: (only changed these entries)
crypto isakmp key hamm123 address 68.x.x.217
crypto map combined 30 ipsec-isakmp
 set peer 68.x.x.217
 set transform-set trans1
 match address 107

*************************************************

Branch office: Cisco PIX 501 - v6.3(1)
old config:
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 102 permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 102 permit tcp any any eq ssh
access-list 102 permit tcp any any eq 3389
access-list vpntohq permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
ip address outside 66.x.x.234 255.255.255.248
ip address inside 192.168.30.1 255.255.255.0
global (outside) 1 66.x.x.236 netmask 255.255.255.248
nat (inside) 0 access-list vpntohq
nat (inside) 1 192.168.30.0 255.255.255.0 0 0
static (inside,outside) 66.x.x.235 192.168.30.150 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 66.x.x.233 1
crypto ipsec transform-set set1 esp-des esp-md5-hmac
crypto map map1 69 ipsec-isakmp
crypto map map1 69 match address vpntohq
crypto map map1 69 set peer 167.x.x.230
crypto map map1 69 set peer 167.x.x.242
crypto map map1 69 set transform-set set1
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 167.x.x.230 netmask 255.255.255.255
isakmp key ******** address 167.x.x.242 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
*************************************************
new config: (only changed these entries)
ip address outside 68.x.x.217 255.255.255.252
global (outside) 1 interface
static (inside,outside) 68.x.x.217 192.168.30.150 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 68.x.x.218 1

So this simple ISP change has turned into a big ordeal. Where it stands now is that no traffic can go between the two private networks over the VPN, whereas it could before. Only 192.168.30.150 can get on the Internet through NAT and no other machines can, and they all could before too. I was able to SSH to the PIX after changing only the ip address and route commands. I was able to Remote Desktop to 192.168.30.150 via port 3389 after changing the global and static commands. I'm no Cisco expert and I've been trying to figure this out for 16 hours straight, so I'm burnt out and desperate. Please advise. Thanks.
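An added sanity check, not part of the question or of any answer in this thread: a short Python script that parses excerpts of the two posted configs (constructed inline below from the lines above, with the masked "x" octets kept verbatim) and cross-checks the tunnel endpoints on both sides against their pre-shared-key entries, and separately flags a one-to-one static whose global address is the same address the `global (outside) 1 interface` PAT is using. On the posted configs the endpoint check comes back clean, while the new PIX config trips the address-reuse check; that is a condition worth examining when only the statically mapped host can reach the Internet.

```python
import re

# Constructed excerpts of the configs posted in the question; the masked "x"
# octets are kept as-is, so addresses are compared as plain strings.
PIX_NEW = """
ip address outside 68.x.x.217 255.255.255.252
global (outside) 1 interface
static (inside,outside) 68.x.x.217 192.168.30.150 netmask 255.255.255.255 0 0
crypto map map1 69 set peer 167.x.x.230
crypto map map1 69 set peer 167.x.x.242
isakmp key ******** address 167.x.x.230 netmask 255.255.255.255
isakmp key ******** address 167.x.x.242 netmask 255.255.255.255
"""
IOS_NEW = """
interface Serial0
 ip address 167.x.x.230 255.255.255.252
interface Serial1
 ip address 167.x.x.242 255.255.255.252
crypto isakmp key hamm123 address 68.x.x.217
crypto map combined 30 ipsec-isakmp
 set peer 68.x.x.217
"""

def check_pix_nat(cfg):
    """Flag a one-to-one static whose global address is also a PAT address."""
    iface = dict(re.findall(r"^ip address (\w+) (\S+)", cfg, re.M))
    pat = {iface[i] if g == "interface" else g
           for i, g in re.findall(r"^global \((\w+)\) \d+ (\S+)", cfg, re.M)}
    return [f"static for {local} reuses PAT address {g}"
            for g, local in re.findall(r"^static \(\w+,\w+\) (\S+) (\S+)", cfg, re.M)
            if g in pat]

def check_peers(pix, ios):
    """Each side's crypto-map peer must be the other side's address and have a key."""
    pix_out = re.search(r"^ip address outside (\S+)", pix, re.M).group(1)
    ios_addrs = set(re.findall(r"^ ip address (\S+)", ios, re.M))
    ios_keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", ios, re.M))
    ios_peers = set(re.findall(r"^ set peer (\S+)", ios, re.M))
    pix_peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)", pix, re.M))
    pix_keys = set(re.findall(r"^isakmp key \S+ address (\S+)", pix, re.M))
    findings = [f"router has no {what} for PIX outside {pix_out}"
                for what, s in (("peer", ios_peers), ("isakmp key", ios_keys))
                if pix_out not in s]
    for p in sorted(pix_peers):
        if p not in ios_addrs:
            findings.append(f"PIX peer {p} is not a router interface address")
        if p not in pix_keys:
            findings.append(f"PIX has no isakmp key for peer {p}")
    return findings
```

Running `check_pix_nat` over the old PIX excerpt (global 66.x.x.236, static 66.x.x.235) returns nothing, which matches the question's statement that NAT worked for every host before the change.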
About this solution

Zone: Network Routers
Tags: pix
Solution Provided By: lrmoore
Participating Experts: 1
Solution Grade: A