Solved

PIX Site-to-Site VPN Problem

Posted on 2005-02-27
Last Modified: 2013-11-16
I recently set up a site-to-site between Company A's PIX (outside int 206.139.x.x) and Company B's PIX (outside int 205.144.x.x). The intended goal was to allow 15 machines on Company A's internal network (10.6.x.x) to access a machine on Company B's internal network (10.5.x.x).

When I initially set this up, I also added a static route on the PIX, since it is the default gateway, to ensure clients in Company A know the route to access the machine on Company B, and was able to access the machine on Company B without any problems.

I recently received a call that Company A cannot access the machine at Company B. Upon looking at Company A's PIX, I noticed the static route was gone. I have tried adding it, but to no avail.

What should the proper syntax be for this static route? I'm thinking that maybe I'm having a brain freeze here.

Using the "sho cry is sa" command, I can see the tunnel is established and idle. I cannot ping any IPs on the other network from the firewall, or from any of the 15 machines, even if I add a static route locally.

Any ideas on what it may be or how I can pinpoint this issue?
Question by:sohtnax
9 Comments
 
LVL 1

Expert Comment

by:shirkkan
ID: 13415306
Hi, how about posting your configs, with shortened IPs of course, but you don't need a static route in general, since if you set it up right, the PIX handles that.

But let's have a look first at your configs, then we go from there.
0
 

Author Comment

by:sohtnax
ID: 13415474
I don't have access to do so at this moment.  Any suggestions in the interim would be much appreciated.
0
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13415682
Shirkkan is correct. Once you have created a site-to-site between two PIXes, there is no need to add any routing information to get to the other site. The PIX knows to send that information encrypted to the other PIX.

You have to determine what changes have been made to the network since it was working and if there were rules added to the PIX that may prevent access to the relevant machines.

Look for the following:

1) Personal or Windows firewall on the machine at site B.
2) Rules on site A pix that allow the machines at site A to access machine at Site B.

Hope that helps.
0
 

Author Comment

by:sohtnax
ID: 13415910

Can you give me a sample rule that would be on Site A to access site B based on what I've described in my initial question?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 13416112
You don't need a static route on the PIX to send traffic down the tunnel.

For example, in this diagram, as long as the default gateway on a 10.10.10.x machine is 10.10.10.254, then as soon as traffic from 10.10.10.x destined for 10.10.20.x hits 10.10.10.254, the PIX takes care of it and sends it down the tunnel (no static route required).

10.10.10.x/24
|
10.10.10.254
PIX
|
VPN Tunnel
|
PIX
10.10.20.254
|
10.10.20.x/24

However - if there are then routers at either end, e.g.:

10.10.10.x/24
|
10.10.10.254
PIX
|
VPN Tunnel
|
PIX
10.10.20.254
|
10.10.20.x/24

unless of course there are routers to another network involved - e.g.:

10.10.10.x/24
|
10.10.10.254
PIX
|
VPN Tunnel
|
PIX
10.10.20.254
|
10.10.20.x/24
|
Router
|
10.10.30.x/24

...but then the VPN would have to support 10.10.30.x/24 as well, so this probably isn't your issue.

Could you post up the configs, and explain which machines need to access what?
0
 
LVL 5

Expert Comment

by:pazmanpro
ID: 13416662
Since the PIX filters traffic entering the interface, you will have to allow the particular traffic through. If you have an ACL on the inside interface, then you will have to ensure that the traffic destined to the VPN is allowed through. It should look like this:

access-list inside_access_in permit ip host 10.6.x.x host 10.5.x.x

There should be one for each machine needing access, or use a group. But note, this is only if ACLs are already defined for the inside interface. Look for this command:

access-group <ACL_NAME> in interface inside

where ACL_NAME is the name of the access-list. If this is not there, then there is no ACL defined and all access is allowed out by default. Then this is not the issue.
0
 
LVL 1

Accepted Solution

by:
shirkkan earned 1500 total points
ID: 13468001
EXAMPLE of SITE TO SITE VPN - STATIC IP ADDRESSES ON BOTH SITES
THIS IS SOMEWHAT HOW IT COULD LOOK LIKE

THATS ALL YOU NEED FOR SITE-2-SITE VPN
(UNLESS I HAVE A TYPO SOMEWHERE :))


++++++++++++++++++++++++++++++++++++++++++++++++++
IP ADDRESS SETUP SITE 1
LAN 192.168.1.0 255.255.255.0
Public 100.100.100.100 255.255.255.248
++++++++++++++++++++++++++++++++++++++++++++++++++
TUNNEL ACCESS-LIST
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ip address outside 100.100.100.100 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

++++++++++++++++++++++++++++++++++++++++++++++++++
IPSEC ISAKMP TUNNEL SETUP SITE 1
++++++++++++++++++++++++++++++++++++++++++++++++++

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map MESH 40 ipsec-isakmp
crypto map MESH 40 match address 101
crypto map MESH 40 set peer 200.200.200.200
crypto map MESH 40 set transform-set myset
crypto map MESH interface outside
clear isakmp
isakmp enable outside
isakmp key "!!!yourkey!!!" address "200.200.200.200" netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp keepalive 60


++++++++++++++++++++++++++++++++++++++++++++++++++
ACCESS-LIST SETUP SITE 1
In case you have a LAN outgoing access-list
++++++++++++++++++++++++++++++++++++++++++++++++++
STANDARD ACCESS-LIST OUTGOING

access-l outgoing remark STANDARD ACCESS-LIST
access-l outgoing permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group outgoing in interface inside


==================================================

++++++++++++++++++++++++++++++++++++++++++++++++++
IP ADDRESS SETUP SITE 2
LAN 192.168.2.0 255.255.255.0
Public 200.200.200.200 255.255.255.248
++++++++++++++++++++++++++++++++++++++++++++++++++
TUNNEL ACCESS-LIST
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside 200.200.200.200 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

++++++++++++++++++++++++++++++++++++++++++++++++++
IPSEC ISAKMP TUNNEL SETUP SITE 2
++++++++++++++++++++++++++++++++++++++++++++++++++

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map MESH 40 ipsec-isakmp
crypto map MESH 40 match address 101
crypto map MESH 40 set peer 100.100.100.100
crypto map MESH 40 set transform-set myset
crypto map MESH interface outside
clear isakmp
isakmp enable outside
isakmp key "!!!yourkey!!!" address "100.100.100.100" netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp keepalive 60


++++++++++++++++++++++++++++++++++++++++++++++++++
ACCESS-LIST SETUP SITE 2
In case you have a LAN outgoing access-list
++++++++++++++++++++++++++++++++++++++++++++++++++
STANDARD ACCESS-LIST OUTGOING

access-l outgoing remark STANDARD ACCESS-LIST
access-l outgoing permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group outgoing in interface inside
0
 
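An added example, not from the thread or from any of its posters, that turns the config above into a check: it parses a PIX 6.x config in the form shirkkan posted and verifies that the crypto-map ACL and the nat 0 ACL both select LAN-to-remote-LAN traffic, that the peer is the remote outside address, and (pazmanpro's earlier point) that an inside access-group, if one is bound, lets ICMP through. The sample config is constructed from the site 1 example; the ACL parser assumes only the network/mask and host address forms.

```python
# Added example (not from the thread): check that the pieces a PIX 6.x tunnel
# depends on line up: crypto ACL, nat 0 ACL, peer address and any inside ACL.
from ipaddress import IPv4Network
# Constructed sample condensed from the site 1 config above; its "permit tcp"
# inside ACL is kept on purpose so the check shows what that does to ping.
SITE1 = """
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map MESH 40 match address 101
crypto map MESH 40 set peer 200.200.200.200
access-l outgoing permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group outgoing in interface inside
"""
def _net(tok):  # consume one PIX address spec: 'host A' or 'A MASK'
    if tok[0] == "host":
        return IPv4Network(tok[1]), tok[2:]
    return IPv4Network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
def parse_pix(cfg):  # permit entries per ACL plus the bindings the tunnel uses
    c = {"acls": {}, "nat0": None, "match": None, "peer": None, "inside_acl": None}
    for t in (line.split() for line in cfg.splitlines()):
        if len(t) > 5 and t[0].startswith("access-l") and t[2] == "permit":
            src, rest = _net(t[4:])          # name permit proto src dst
            c["acls"].setdefault(t[1], []).append((t[3], src, _net(rest)[0]))
        elif t[:3] == ["nat", "(inside)", "0"]:
            c["nat0"] = t[4]                 # NAT-exempt ACL
        elif t[:2] == ["crypto", "map"] and "match" in t:
            c["match"] = t[-1]               # crypto (interesting traffic) ACL
        elif t[:2] == ["crypto", "map"] and "peer" in t:
            c["peer"] = t[-1]
        elif t[:1] == ["access-group"] and t[-1] == "inside":
            c["inside_acl"] = t[1]
    return c
def covers(entries, src, dst, proto="ip"):  # does some entry permit src -> dst?
    return any(p in ("ip", proto) and src.subnet_of(s) and dst.subnet_of(d)
               for p, s, d in entries)

def check_site(cfg, lan, remote_lan, remote_public):  # problems at one end
    c, lan, remote = parse_pix(cfg), IPv4Network(lan), IPv4Network(remote_lan)
    problems = []
    if c["peer"] != remote_public:
        problems.append(f"peer {c['peer']} is not the remote outside address")
    if not covers(c["acls"].get(c["match"], []), lan, remote):
        problems.append("crypto map ACL does not select LAN-to-remote-LAN traffic")
    if not covers(c["acls"].get(c["nat0"], []), lan, remote):
        problems.append("nat 0 ACL does not exempt tunnel traffic from PAT")
    inside = c["acls"].get(c["inside_acl"], [])
    if c["inside_acl"] and not covers(inside, lan, remote, "icmp"):
        problems.append(f"inside ACL {c['inside_acl']} blocks ICMP, so ping fails")
    return problems
```

Run check_site once per site with the LAN arguments swapped to confirm the two ends mirror each other. The check covers the LAN-to-LAN flow only: pings sourced from the PIX itself use its own interface address, which these ACLs do not select.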
LVL 1

Expert Comment

by:shirkkan
ID: 13468017
OOPS, the "clear isakmp" of course doesn't belong there :))
0
 
LVL 1

Expert Comment

by:shirkkan
ID: 13524914
So where do we stand? Did the config posting help any?
0
