PIX Site-to-Site VPN Problem

I recently set up a site-to-site between Company A's PIX (outside int 206.139.x.x) and Company B's PIX (outside int 205.144.x.x).  The intended goal was to allow for 15 machines on Company A's internal network (10.6.x.x) to access a machine on Company B's internal network (10.5.x.x).  

When I initially set this up, I also added a static route on the PIX, since it is the default gateway, to ensure clients in Company A know the route to access the machine on Company B, and was able to access the machine on Company B without any problems.

I recently received a call that Company A cannot access the machine at Company B.   Upon looking at Company A's PIX, I noticed the static route was gone.  I have tried adding it, but to no avail.  

What should the proper syntax be for this static route?  I'm thinking that maybe I'm having a brain freeze here.

Using the "sho cry is sa" command, I can see the tunnel is established and idle.  I cannot ping any IPs on the other network from the firewall, or any of the 15 machines even if I add a static route locally.

Any ideas on what it may be or how I can pinpoint this issue?
sohtnaxAsked:

shirkkanCommented:
Hi, how about posting your configs, with shortened IPs of course, but you don't need a static route in general, since if you set it up right, the PIX handles that.

But let's have a look first at your configs, then we go from there.
0
sohtnaxAuthor Commented:
I don't have access to do so at this moment.  Any suggestions in the interim would be much appreciated.
0
pazmanproCommented:
Shirkkan is correct. Once you have created a site-to-site between two pixes, there is no need to add any routing information to get to the other site. The pix knows to send that information encrypted to the other pix.

You have to determine what changes have been made to the network since it was working and if there were rules added to the PIX that may prevent access to the relevant machines.

Look for the following:

1) Personal or windows firewall on the machine at site B.
2) Rules on site A pix that allow the machines at site A to access machine at Site B.

Hope that helps.
0

sohtnaxAuthor Commented:

Can you give me a sample rule that would be on Site A to access site B based on what I've described in my initial question?
0
Tim HolmanCommented:
You don't need a static route on the PIX to send traffic down the tunnel.

For example, in this diagram, as long as the default gateway on a 10.10.10.x machine is 10.10.10.254, then as soon as traffic from 10.10.10.x destined for 10.10.20.x hits 10.10.10.254, the PIX takes care of it and sends it down the tunnel (no static route required).

10.10.10.x/24
|
10.10.10.254
PIX
|
VPN Tunnel
|
PIX
10.10.20.254
|
10.10.20.x/24

Unless, of course, there are routers to another network involved, e.g.:

10.10.10.x/24
|
10.10.10.254
PIX
|
VPN Tunnel
|
PIX
10.10.20.254
|
10.10.20.x/24
|
Router
|
10.10.30.x/24

...but then the VPN would have to support 10.10.30.x/24 as well, so this probably isn't your issue.

Could you post up the configs, and explain which machines need to access what?
0
pazmanproCommented:
Since the PIX filters traffic entering the interface, you will have to allow the particular traffic through. If you have an ACL on the inside interface, then you will have to ensure that the traffic destined for the VPN is allowed through. It should look like this:

access-list inside_access_in permit ip host 10.6.x.x host 10.5.x.x

There should be one for each machine needing access, or use a group. But note, this only applies if ACLs are already defined for the inside interface. Look for this command:

access-group <ACL_NAME> in interface inside

where ACL_NAME is the name of the access-list. If this is not there, then there is no ACL defined and all access is allowed out by default, so this is not the issue.
0
shirkkanCommented:
EXAMPLE OF SITE-TO-SITE VPN - STATIC IP ADDRESSES ON BOTH SITES
THIS IS ROUGHLY HOW IT COULD LOOK

THAT'S ALL YOU NEED FOR SITE-2-SITE VPN
(UNLESS I HAVE A TYPO SOMEWHERE :))


++++++++++++++++++++++++++++++++++++++++++++++++++
IP ADDRESS SETUP SITE 1
LAN 192.168.1.0 255.255.255.0
Public 100.100.100.100 255.255.255.248
++++++++++++++++++++++++++++++++++++++++++++++++++
TUNNEL ACCESS-LIST
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ip address outside 100.100.100.100 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

++++++++++++++++++++++++++++++++++++++++++++++++++
IPSEC ISAKMP TUNNEL SETUP SITE 1
++++++++++++++++++++++++++++++++++++++++++++++++++

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map MESH 40 ipsec-isakmp
crypto map MESH 40 match address 101
crypto map MESH 40 set peer 200.200.200.200
crypto map MESH 40 set transform-set myset
crypto map MESH interface outside
clear isakmp
isakmp enable outside
isakmp key "!!!yourkey!!!" address 200.200.200.200 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp keepalive 60


++++++++++++++++++++++++++++++++++++++++++++++++++
ACCESS-LIST SETUP SITE 1
In case you have a LAN outgoing access-list
++++++++++++++++++++++++++++++++++++++++++++++++++
STANDARD ACCESS-LIST OUTGOING

access-list outgoing remark STANDARD ACCESS-LIST
access-list outgoing permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group outgoing in interface inside


==================================================

++++++++++++++++++++++++++++++++++++++++++++++++++
IP ADDRESS SETUP SITE 2
LAN 192.168.2.0 255.255.255.0
Public 200.200.200.200 255.255.255.248
++++++++++++++++++++++++++++++++++++++++++++++++++
TUNNEL ACCESS-LIST
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside 200.200.200.200 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

++++++++++++++++++++++++++++++++++++++++++++++++++
IPSEC ISAKMP TUNNEL SETUP SITE 2
++++++++++++++++++++++++++++++++++++++++++++++++++

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map MESH 40 ipsec-isakmp
crypto map MESH 40 match address 101
crypto map MESH 40 set peer 100.100.100.100
crypto map MESH 40 set transform-set myset
crypto map MESH interface outside
clear isakmp
isakmp enable outside
isakmp key "!!!yourkey!!!" address 100.100.100.100 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp keepalive 60


++++++++++++++++++++++++++++++++++++++++++++++++++
ACCESS-LIST SETUP SITE 2
In case you have a LAN outgoing access-list
++++++++++++++++++++++++++++++++++++++++++++++++++
STANDARD ACCESS-LIST OUTGOING

access-list outgoing remark STANDARD ACCESS-LIST
access-list outgoing permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outgoing in interface inside
0
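An added check (my own Python, not from anyone in this thread) for the two things pazmanpro and shirkkan point at: the crypto (match address) ACLs on each PIX must mirror each other, and any inside-interface ACL must permit the protocol you are testing with. The ACL lines are constructed in the style of shirkkan's config; site 1's outgoing list is deliberately tcp-only, which lets a tunnel look fine in "show crypto isakmp sa" while ping still fails.

```python
import ipaddress
import re

# Constructed sample ACL lines in PIX 6.x syntax (not from a real device).
# Site 1's LAN-outgoing ACL permits only tcp, so ICMP never reaches the tunnel
# even though the crypto ACLs (101) on both sides mirror each other correctly.
SITE1_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outgoing permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
SITE2_CONFIG = """
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outgoing permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# One permit entry: name, protocol, source token, destination token.
ACE_RE = re.compile(r"access-list (\S+) permit (\S+) "
                    r"(host \S+|any|\S+ \S+) (host \S+|any|\S+ \S+)$")

def _net(token):
    """Turn a PIX address token ('any', 'host A', or 'A MASK') into a network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(config, name):
    """Return [(proto, src_net, dst_net)] for the permit entries of ACL `name`."""
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            entries.append((m.group(2), _net(m.group(3)), _net(m.group(4))))
    return entries

def crypto_acls_mirror(local, remote):
    """Every local (src, dst) crypto entry must exist as (dst, src) on the peer."""
    remote_pairs = {(s, d) for _, s, d in remote}
    return all((d, s) in remote_pairs for _, s, d in local)

def permits(acl, proto, src, dst):
    """Does a permit-only ACL allow `proto` from host `src` to host `dst`?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(p in ("ip", proto) and src in s and dst in d for p, s, d in acl)
```

Run crypto_acls_mirror on the "101" lists in both directions, then permits on the inside-interface ACL with the protocol you are actually testing (icmp for ping) rather than assuming an ip entry is there.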

shirkkanCommented:
OOPS, the "clear isakmp" of course doesn't belong there :))
0
shirkkanCommented:
So where do we stand? Did the config posting help any?
0
Question has a verified solution.