Solved

PIX Site-to-Site VPN Problem

Posted on 2005-02-27
282 Views
Last Modified: 2013-11-16
I recently set up a site-to-site between Company A's PIX (outside int 206.139.x.x) and Company B's PIX (outside int 205.144.x.x).  The intended goal was to allow for 15 machines on Company A's internal network (10.6.x.x) to access a machine on Company B's internal network (10.5.x.x).  

When I initially set this up, I also added a static route on the PIX, since it is the default gateway, to ensure clients in Company A know the route to access the machine on Company B, and was able to access the machine on Company B without any problems.

I recently received a call that Company A cannot access the machine at Company B.   Upon looking at Company A's PIX, I noticed the static route was gone.  I have tried adding it, but to no avail.  

What should the proper syntax be for this static route?  I'm thinking that maybe I'm having a brain freeze here.

Using the "sho cry is sa" command, I can see the tunnel is established and idle.  I cannot ping any IPs on the other network from the firewall, or from any of the 15 machines, even if I add a static route locally.

Any ideas on what it may be or how I can pinpoint this issue?
Question by:sohtnax
9 Comments
 
LVL 1

Expert Comment

by:shirkkan
ID: 13415306
Hi, how about posting your configs, with shortened IPs of course? But you don't need a static route in general, since if you set it up right, the PIX handles that.

But let's have a look first at your configs; then we'll go from there.
 

Author Comment

by:sohtnax
ID: 13415474
I don't have access to do so at this moment.  Any suggestions in the interim would be much appreciated.
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13415682
Shirkkan is correct. Once you have created a site-to-site between two PIXes, there is no need to add any routing information to get to the other site. The PIX knows to send that traffic encrypted to the other PIX.

You have to determine what changes have been made to the network since it was working, and whether there were rules added to the PIX that may prevent access to the relevant machines.

Look for the following:

1) Personal or Windows firewall on the machine at site B.
2) Rules on the site A PIX that allow the machines at site A to access the machine at site B.

Hope that helps.
 

Author Comment

by:sohtnax
ID: 13415910

Can you give me a sample rule that would be on Site A to access site B based on what I've described in my initial question?
 
LVL 23

Expert Comment

by:Tim Holman
ID: 13416112
You don't need a static route on the PIX to send traffic down the tunnel.

For example, in this diagram, as long as the default gateway on a 10.10.10.x machine is 10.10.10.254, then as soon as traffic from 10.10.10.x destined for 10.10.20.x hits 10.10.10.254, the PIX takes care of it and sends it down the tunnel (no static route required).

10.10.10.x/24
|
10.10.10.254
PIX
|
VPN Tunnel
|
PIX
10.10.20.254
|
10.10.20.x/24

However, if there are routers at either end, e.g.:

10.10.10.x/24
|
10.10.10.254
PIX
|
VPN Tunnel
|
PIX
10.10.20.254
|
10.10.20.x/24

unless of course there are routers to another network involved, e.g.:

10.10.10.x/24
|
10.10.10.254
PIX
|
VPN Tunnel
|
PIX
10.10.20.254
|
10.10.20.x/24
|
Router
|
10.10.30.x/24

...but then the VPN would have to support 10.10.30.x/24 as well, so this probably isn't your issue.

Could you post the configs, and explain which machines need to access what?
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13416662
Since the PIX filters traffic entering the interface, you will have to allow the particular traffic through. If you have an ACL on the inside interface, then you will have to ensure that the traffic destined for the VPN is allowed through. It should look like this:

access-list inside_access_in permit ip host 10.6.x.x host 10.5.x.x

There should be one for each machine needing access, or use a group. But note, this applies only if an ACL is already defined for the inside interface. Look for this command:

access-group <ACL_NAME> in interface inside

where ACL_NAME is the name of the access-list. If this is not there, then there is no ACL defined and all access is allowed out by default, and this is not the issue.
 
LVL 1

Accepted Solution

by:
shirkkan earned 1500 total points
ID: 13468001
EXAMPLE of SITE TO SITE VPN - STATIC IP ADDRESSES ON BOTH SITES
THIS IS SOMEWHAT HOW IT COULD LOOK

THAT'S ALL YOU NEED FOR SITE-2-SITE VPN
(UNLESS I HAVE A TYPO SOMEWHERE :))


++++++++++++++++++++++++++++++++++++++++++++++++++
IP ADDRESS SETUP SITE 1
LAN 192.168.1.0 255.255.255.0
Public 100.100.100.100 255.255.255.248
++++++++++++++++++++++++++++++++++++++++++++++++++
TUNNEL ACCESS-LIST
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ip address outside 100.100.100.100 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

++++++++++++++++++++++++++++++++++++++++++++++++++
IPSEC ISAKMP TUNNEL SETUP SITE 1
++++++++++++++++++++++++++++++++++++++++++++++++++

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map MESH 40 ipsec-isakmp
crypto map MESH 40 match address 101
crypto map MESH 40 set peer 200.200.200.200
crypto map MESH 40 set transform-set myset
crypto map MESH interface outside
clear isakmp
isakmp enable outside
isakmp key "!!!yourkey!!!" address 200.200.200.200 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp keepalive 60


++++++++++++++++++++++++++++++++++++++++++++++++++
ACCESS-LIST SETUP SITE 1
In case you have a LAN outgoing access-list
++++++++++++++++++++++++++++++++++++++++++++++++++
STANDARD ACCESS-LIST OUTGOING

access-l outgoing remark STANDARD ACCESS-LIST
access-l outgoing permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group outgoing in interface inside


==================================================

++++++++++++++++++++++++++++++++++++++++++++++++++
IP ADDRESS SETUP SITE 2
LAN 192.168.2.0 255.255.255.0
Public 200.200.200.200 255.255.255.248
++++++++++++++++++++++++++++++++++++++++++++++++++
TUNNEL ACCESS-LIST
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside 200.200.200.200 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

++++++++++++++++++++++++++++++++++++++++++++++++++
IPSEC ISAKMP TUNNEL SETUP SITE 2
++++++++++++++++++++++++++++++++++++++++++++++++++

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map MESH 40 ipsec-isakmp
crypto map MESH 40 match address 101
crypto map MESH 40 set peer 100.100.100.100
crypto map MESH 40 set transform-set myset
crypto map MESH interface outside
clear isakmp
isakmp enable outside
isakmp key "!!!yourkey!!!" address 100.100.100.100 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp keepalive 60


++++++++++++++++++++++++++++++++++++++++++++++++++
ACCESS-LIST SETUP SITE 2
In case you have a LAN outgoing access-list
++++++++++++++++++++++++++++++++++++++++++++++++++
STANDARD ACCESS-LIST OUTGOING

access-l outgoing remark STANDARD ACCESS-LIST
access-l outgoing permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outgoing in interface inside
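As an added example (not from this thread or any of its posters), a small Python check for the two mismatches pazmanpro's and shirkkan's posts turn on: on each PIX the crypto ACL (match address) and the nat 0 exemption list must cover the same networks, and the two sites' crypto ACLs must mirror each other, or the tunnel comes up but carries nothing. The sample configs are constructed, modelled on the answer above; ACL names and the inside ACL entry are assumptions.

```python
import ipaddress  # stdlib only; no Cisco tooling needed

def _net(tokens):
    """Consume one PIX address spec ('host A', 'any', or 'A MASK'); return (net, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # strict=False tolerates 192.168.1.1/255.255.255.0 (host bits set, as in the post)
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(config):
    """Return {acl_name: [(proto, src_net, dst_net), ...]} for every permit entry."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or not "access-list".startswith(t[0]) or t[2] != "permit":
            continue  # skips remarks, deny lines and non-ACL config
        src, rest = _net(t[4:])
        dst, _ = _net(rest)
        acls.setdefault(t[1], []).append((t[3], src, dst))
    return acls

def check_site(config, crypto_acl, nat0_acl):
    """Findings for one PIX: crypto ACL must permit ip and be covered by nat 0."""
    acls, findings = parse_acls(config), []
    for name in (crypto_acl, nat0_acl):
        if name not in acls:
            return [f"access-list {name} is missing"]
    nat0 = {(s, d) for _, s, d in acls[nat0_acl]}
    for proto, s, d in acls[crypto_acl]:
        if proto != "ip":
            findings.append(f"{crypto_acl}: crypto ACL should permit ip, not {proto}")
        if (s, d) not in nat0:
            findings.append(f"{nat0_acl}: no nat 0 exemption for {s} -> {d}")
    return findings

def mirrors(cfg_a, acl_a, cfg_b, acl_b):
    """True when each (src, dst) in site A's crypto ACL is (dst, src) in site B's."""
    a = parse_acls(cfg_a).get(acl_a, [])
    b = {(p, d, s) for p, s, d in parse_acls(cfg_b).get(acl_b, [])}
    return bool(a) and all(e in b for e in a)

# Constructed sample configs modelled on the accepted answer's site 1 / site 2. Site 2's
# nat 0 list exempts the wrong remote network (a typical "tunnel up, no traffic" slip).
SITE1 = """access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in permit ip host 192.168.1.5 host 192.168.2.20
nat (inside) 0 access-list 100"""
SITE2 = """access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100"""
```

Run check_site on each side with its crypto and nat 0 ACL names, then mirrors across the two; an empty findings list and True is the state the accepted answer describes.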
 
LVL 1

Expert Comment

by:shirkkan
ID: 13468017
OOPS, the "clear isakmp" of course doesn't belong there :))
 
LVL 1

Expert Comment

by:shirkkan
ID: 13524914
So where do we stand? Did the config posting help any?
