We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

PIX-to-PIX Site-to-Site VPN connection works only in one direction

a_hilboll
a_hilboll asked
on
Medium Priority
898 Views
Last Modified: 2013-11-16
Hi,

I'm running into some VPN-configuration-problem which is driving me nuts.

Headquarters PIX 515 E
Remote Site PIX 501
Roadwarriors wich Cisco VPN Client 4 on WinXP

The VPN client configuration works just fine.
When setting up the Site-to-Site VPN between Headquarters and the remote site, I have the following problem:
The connection FROM the remote site TO headquarters is working just fine, i.e. I can browse the network neighbourhood, access any computer at headquarters, even the mailserver which is located in a dmz.
However, I cannot connect FROM headquarters TO the remote site. The headquarters PIX tells me something like "access from 192.168.135.55 to 192.168.185.55 denied by access-list inside_if", so I figure the headquarters PIX does not understand it is supposed to encrypt the traffic.
How can that be, when the VPN-connection works fine in the other direction? I don't get it.
inside_if is the access-list applied to the inside interface; it does only contain permit statements. But this should not touch my problem since I'm using sysopt connection permit-ipsec.

Below are some configuration sniplets.

I'd really appreciate if anyone could help me.

Thanks!
Andreas

PIX 515 (headquarters)

PIX Version 6.3(1)
access-list inside_outbound_nat0_acl permit ip 192.168.135.0 255.255.255.0 192.168.145.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.135.128 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.135.0 255.255.255.0 192.168.185.0 255.255.255.0
access-list roadwarrior_splitTunnelAcl permit ip 192.168.135.0 255.255.255.0 any
access-list roadwarrior_splitTunnelAcl permit ip host [external IP of Mailserver standing in DMZ; needed for access from Software Clients] any
access-list outside_cryptomap_dyn_10 permit ip any 192.168.135.128 255.255.255.128
access-list outside_cryptomap_dyn_10 permit ip any 192.168.180.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 192.168.170.0 255.255.255.0
access-list dmz_outbound_nat0_acl permit ip host 192.168.145.2 192.168.185.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.135.0 255.255.255.0 192.168.185.0 255.255.255.0
access-list outside_cryptomap_20 permit ip host 192.168.145.2 192.168.185.0 255.255.255.0
ip local pool warriorpool 192.168.135.180-192.168.135.189
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer [remote PIX IP]
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address [remote PIX IP] netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
vpngroup roadwarrior address-pool warriorpool
vpngroup roadwarrior split-tunnel roadwarrior_splitTunnelAcl
vpngroup roadwarrior idle-time 1800
vpngroup roadwarrior password ********


PIX 501 (remote site)

PIX Version 6.3(1)
access-list inside_outbound_nat0_acl permit ip 192.168.185.0 255.255.255.0 192.168.135.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.185.0 255.255.255.0 host 192.168.145.2
access-list outside_cryptomap_20 permit ip 192.168.185.0 255.255.255.0 192.168.135.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.185.0 255.255.255.0 host 192.168.145.2
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer [headquarters PIX IP]
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address [headquarters PIX IP] netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
Comment
Watch Question

Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
>sysopt connection permit-ipsec
Only bypasses outside interface access-lists, not outbound from inside hosts

I don't see your access-list inside_if anywhere in the config snippits you've posted..


Author

Commented:
> Only bypasses outside interface access-lists, not outbound from inside hosts
So what do I do to explicitly permit outbound ipsec traffic?

However, even when I added access-list inside_if permit ip any any, it didn't work. No message in syslog then, obviously.

Without the permit any any, the exact error message was something like
"access from udp 192.168.135.55 eq 137  to 192.168.185.55 eq 137 denied by access-list inside_if".

I thought the Cisco Docs said that traffic from inside to outside was always permitted by default unless it is explicitly denied?

access-list inside_if only contains permit statements from inside to outside (and to dmz). However, no specific rule to permit ipsec outbound traffic.

Any ideas?

Thanks,
Andreas

Author

Commented:
PS: Sorry, but I can't post the exact contents of inside_if right now, since I'm already at home (getting late in Europe...). If needed I can do so tomorrow. However, I don't see why this should matter since the problem still exists with an "access-list inside_if permit ip any any" statement...
Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008
Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview

Author

Commented:
Thanks for the answer; I'll try first thing tomorrow morning.

Author

Commented:
So, I tested, and after some trial-and-error, it's working fine.
In fact, I had two problems at the same time:
The access-list denied the outbound ipsec traffic (here I have to say that Cisco's docs are not that great: in the command reference, as for sysopt connection permit-ipsec, it says that ipsec traffic will pass through any access-lists, not just through the one applied to the interface where the tunnel is terminating.)
The second problem was that for some reason, my laptop, which I used as the only machine connected to the inside interface of the remote site pix, did not answer any requests, even though  I have no personal firewall installed. So no wonder I didn't get a response. I figured this one out by counting the ipsec packages on the remote site pix, noting that there were packages being decrypted, but none encrypted (after I permitted ipsec traffic on the main pix).
Thanks a lot!
ANdreas
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
> I have no personal firewall installed.
But, do you have the Cisco VPN client installed? IT has a personal firewall built-in

Glad you're working!

Author

Commented:
> But, do you have the Cisco VPN client installed? IT has a personal firewall built-in

You're right, I do have the Cisco VPN Client installed. Thanks again!
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.