September 7, 2008 10:54am pdt
Need help with Cisco Site-To-Site VPN config again

Tags: Cisco, PIX, 501, Site-To-Site VPN
I posted a question in here a few months ago:

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23244155.html

and got great assistance from lrmoore (Thanks, by the way). He gave me everything I needed to solve my problem, and he also gave me tips and sample code for future use.

I have just set up a new remote site on a site-to-site VPN between a couple of Cisco PIX 501s, using the recommendations he made. The tunnel is up and running, and I can get to the main site (site1) from the remote site (site3) just fine, which is the most important part. My problem is that I can't seem to get from site1 to site3. Something is getting blocked. I need this connection to be completely two-way. I have a printer at site3 that is on the network and it is controlled by a print server at site1.

I did this exact same scenario in the related question referenced above the last time. That connection works great and the printer and the devices at that remote site (site2) are accessible from site1.

I am attaching the configs from all three PIXs, and would really appreciate it if a PIX guru could look them over and see if they can tell why my connection from site1 to site3 doesn't work. I'm sure it's probably something simple that I overlooked, but I am not anything close to an expert with PIX configs. I have learned by example, and sometimes I goof up because I don't know the reason for a particular line in a config somewhere.

Just so there is no confusion: I have site1 (main site with servers), site2 (thin clients, a laptop and a network printer), and site3 (thin clients, laptops and a network printer). Site1 and site2 work great: complete two-way communication, the VPN tunnel is fine, site2 clients can see the terminal server at site1 and print to site2. Site2 doesn't need to see site3. Site3 connects great to site1, the VPN tunnel is great, and the stations can access the terminal server at site1 from site3. Site3 is not accessible from site1 (can't ping or connect to any IPs at site3 from site1), so I cannot print to the network printer at site3.

I appreciate anyone's help!
SITE1 PIX CONFIG  - LAN 192.168.4.0/24
-----------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vZmH5kRpB27TNMxf encrypted
passwd vZmH5kRpB27TNMxf encrypted
hostname pix1
domain-name ppt.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 5800
access-list 101 permit tcp any any eq 5900
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq ftp
access-list acl_vpn permit ip 192.168.4.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list acl_vpn permit ip 192.168.4.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_vpn permit ip 192.168.4.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list acl_crypto_brandywine permit ip 192.168.4.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_crypto_germantown permit ip 192.168.4.0 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpndhcp 192.168.10.1-192.168.10.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl_vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server fileserver protocol radius
aaa-server fileserver max-failed-attempts 3
aaa-server fileserver deadtime 10
aaa-server fileserver (inside) host 192.168.4.2 ********* timeout 15
http 192.168.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map vpndynmap 10 set transform-set vpnset
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address acl_crypto_brandywine
crypto map vpnmap 20 set peer site2.wan.ip.address
crypto map vpnmap 20 set transform-set vpnset
crypto map vpnmap 30 ipsec-isakmp
crypto map vpnmap 30 match address acl_crypto_germantown
crypto map vpnmap 30 set peer site3.wan.ip.address
crypto map vpnmap 30 set transform-set vpnset
crypto map vpnmap 65535 ipsec-isakmp dynamic vpndynmap
crypto map vpnmap client authentication fileserver
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address site2.wan.ip.address netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address site3.wan.ip.address netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpngroup address-pool vpndhcp
vpngroup vpngroup dns-server 192.168.4.2
vpngroup vpngroup split-tunnel acl_vpn
vpngroup vpngroup idle-time 1800
vpngroup vpngroup password ********
telnet 192.168.4.0 255.255.255.0 inside
telnet timeout 60
ssh support.wan.ip.address 255.255.255.255 outside
ssh site2.wan.ip.address 255.255.255.255 outside
ssh site3.wan.ip.address 255.255.255.255 outside
ssh 192.168.4.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname ************************
vpdn group ISP ppp authentication pap
vpdn username ************************ password *********
dhcpd auto_config outside
terminal width 80
Cryptochecksum:33e69899949f1cb1b2021c95208ba1fa
: end
 
SITE2 PIX CONFIG  - LAN 192.168.100.0/24
-----------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vZmH5kRpB27TNMxf encrypted
passwd vZmH5kRpB27TNMxf encrypted
hostname pix2
domain-name ppt.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list acl_nat permit ip 192.168.100.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list acl_crypto_corp permit ip 192.168.100.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside site2.wan.ip.address 255.255.255.248
ip address inside 192.168.100.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.4.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 site2.gateway.address 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map vpndynmap 10 set transform-set vpnset
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address acl_crypto_corp
crypto map vpnmap 20 set peer site1.wan.ip.address
crypto map vpnmap 20 set transform-set vpnset
crypto map vpnmap 65535 ipsec-isakmp dynamic vpndynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address site1.wan.ip.address netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 60
ssh site1.wan.ip.address 255.255.255.255 outside
ssh support.wan.ip.address 255.255.255.255 outside
ssh site3.wan.ip.address 255.255.255.255 outside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.100.200-192.168.100.231 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:b2cc06e2ee77822ab57919a336135d00
: end
 
SITE3 PIX CONFIG  - LAN 192.168.101.0/24
-----------------------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password vZmH5kRpB27TNMxf encrypted
passwd vZmH5kRpB27TNMxf encrypted
hostname pix3
domain-name ppt.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list acl_nat permit ip 192.168.101.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list acl_crypto_corp permit ip 192.168.101.0 255.255.255.0 192.168.4.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside site3.wan.ip.address 255.255.255.240
ip address inside 192.168.101.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.4.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 site3.wan.gateway 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map vpndynmap 10 set transform-set vpnset
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address acl_crypto_corp
crypto map vpnmap 20 set peer site1.wan.ip.address
crypto map vpnmap 20 set transform-set vpnset
crypto map vpnmap 65535 ipsec-isakmp dynamic vpndynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address site1.wan.ip.address netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.101.0 255.255.255.0 inside
telnet timeout 60
ssh site1.wan.ip.address 255.255.255.255 outside
ssh support.wan.ip.address 255.255.255.255 outside
ssh site2.wan.ip.address 255.255.255.255 outside
ssh 192.168.101.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.101.200-192.168.101.231 inside
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:a69b1201741ad8cb0da0e1a2b775eb9a
: end
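The question the three configs above pose is whether they are mutually consistent at the policy layer: for every static crypto map entry, the crypto ACL has to be mirrored exactly (source and destination swapped) on the peer, the same flow has to be exempted from translation by the "nat (inside) 0" ACL, and decrypted traffic has to bypass the outside ACL via "sysopt connection permit-ipsec". The checker below is an added example written for this page; it is not code from the post or from lrmoore's answer. It runs over the policy-carrying lines of the three posted configs, copied here as constructed input (the dynamic-map, ISAKMP and interface lines are left out because they carry no flow policy), and because the poster masked the WAN addresses it maps each hostname to its "siteN.wan.ip.address" placeholder by hand, which is an assumption. On the configs as posted it reports no mismatch, so the one-way failure is not a missing mirror entry or NAT exemption in these lines; with the "nat (inside) 0" line removed from site3 (a constructed failure case) it flags the 192.168.101.0/24 to 192.168.4.0/24 flow.

```python
"""Policy-consistency check for site-to-site IPsec across several PIX 6.3 configs.

Added example, not code from the original post. For each static crypto map entry
it verifies that (1) the crypto ACL is mirrored exactly on the peer, (2) the same
flow is exempted from NAT by 'nat (inside) 0', and (3) decrypted traffic bypasses
the outside ACL ('sysopt connection permit-ipsec')."""
import ipaddress
import re
from collections import defaultdict

# The poster masked the WAN addresses, so each box's outside identity is supplied
# by hand, keyed on the hostnames in the configs (an assumption, not from the page).
OUTSIDE_ADDR = {"pix1": "site1.wan.ip.address",
                "pix2": "site2.wan.ip.address",
                "pix3": "site3.wan.ip.address"}

# Constructed input: only the policy-carrying lines of the three posted configs.
PIX1 = """hostname pix1
access-list acl_vpn permit ip 192.168.4.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list acl_vpn permit ip 192.168.4.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_vpn permit ip 192.168.4.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list acl_crypto_brandywine permit ip 192.168.4.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list acl_crypto_germantown permit ip 192.168.4.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list acl_vpn
sysopt connection permit-ipsec
crypto map vpnmap 20 match address acl_crypto_brandywine
crypto map vpnmap 20 set peer site2.wan.ip.address
crypto map vpnmap 30 match address acl_crypto_germantown
crypto map vpnmap 30 set peer site3.wan.ip.address"""
PIX2 = """hostname pix2
access-list acl_nat permit ip 192.168.100.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list acl_crypto_corp permit ip 192.168.100.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list acl_nat
sysopt connection permit-ipsec
crypto map vpnmap 20 match address acl_crypto_corp
crypto map vpnmap 20 set peer site1.wan.ip.address"""
PIX3 = PIX2.replace("pix2", "pix3").replace("192.168.100.0", "192.168.101.0")
# Constructed failure case: site3 with its NAT exemption line deleted.
PIX3_NO_EXEMPTION = PIX3.replace("nat (inside) 0 access-list acl_nat\n", "")

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)$")
MAP_RE = re.compile(r"crypto map \S+ (\d+) (match address|set peer) (\S+)$")


def parse(text):
    """Extract hostname, 'permit ip' ACL entries as (src, dst) networks, the nat 0
    ACL name, the sysopt flag and static crypto map entries (seq -> {acl, peer})."""
    cfg = {"host": None, "acls": defaultdict(list), "nat0": None,
           "permit_ipsec": False, "maps": defaultdict(dict)}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("hostname "):
            cfg["host"] = line.split()[1]
        elif m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            cfg["acls"][name].append((ipaddress.ip_network(f"{s}/{sm}"),
                                      ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
        elif line == "sysopt connection permit-ipsec":
            cfg["permit_ipsec"] = True
        elif m := MAP_RE.match(line):
            seq, what, value = m.groups()
            cfg["maps"][seq]["acl" if what == "match address" else "peer"] = value
    return cfg


def check(configs):
    """Return human-readable findings; an empty list means crypto ACLs, NAT
    exemptions and sysopt are consistent across every supplied box."""
    findings = []
    by_addr = {OUTSIDE_ADDR[c["host"]]: c for c in configs}
    for cfg in configs:
        host = cfg["host"]
        if not cfg["permit_ipsec"]:
            findings.append(f"{host}: no 'sysopt connection permit-ipsec'")
        nat0 = cfg["acls"].get(cfg["nat0"], [])  # [] when no nat 0 ACL is configured
        for seq, entry in cfg["maps"].items():
            if "acl" not in entry or "peer" not in entry:
                continue  # dynamic-map or incomplete entry: nothing static to mirror
            peer = by_addr.get(entry["peer"])
            if peer is None:
                findings.append(f"{host} map {seq}: peer {entry['peer']} not in supplied configs")
                continue
            # Every flow the peer encrypts back towards this box, from any of its map entries.
            theirs = {flow for e in peer["maps"].values()
                      if e.get("peer") == OUTSIDE_ADDR[host] and "acl" in e
                      for flow in peer["acls"][e["acl"]]}
            for src, dst in cfg["acls"][entry["acl"]]:
                if (dst, src) not in theirs:
                    findings.append(f"{host} map {seq}: {src}->{dst} has no mirror entry on {peer['host']}")
                if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat0):
                    findings.append(f"{host} map {seq}: {src}->{dst} not exempted from NAT "
                                    f"(nat 0 ACL: {cfg['nat0']}); it would be PATed to the outside address")
    return findings


if __name__ == "__main__":
    for label, texts in (("as posted", (PIX1, PIX2, PIX3)),
                         ("site3 without nat 0", (PIX1, PIX2, PIX3_NO_EXEMPTION))):
        print(label, "->", check([parse(t) for t in texts]) or "no policy mismatch")
```

The script reads configuration, not state, so it cannot tell whether an old security association is still in use or which direction is actually being encapsulated. Running "show crypto ipsec sa" on pix1 and pix3 while a ping from a 192.168.4.x host to a 192.168.101.x host is in progress shows whether the site1-to-site3 packets are being encrypted and decrypted at all, and a host firewall on the site3 device is outside anything the PIX configs can show.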
Question Stats
Zone: Software
Question Asked By: pottersesolutions
Solution Provided By: lrmoore
Participating Experts: 2
Solution Grade: A
Views: 0
All comments and the accepted solution are available to Premium Service Members only. The thread ran in this order:

Expert Comment by Melaleuca
Author Comment by pottersesolutions
Expert Comment by lrmoore (Rank: Sage)
Author Comment by pottersesolutions
Author Comment by pottersesolutions
Author Comment by pottersesolutions
Accepted Solution by lrmoore (Rank: Sage)
Author Comment by pottersesolutions