Solved

3 Pix 501s 3 VPNs

Posted on 2005-03-28
Last Modified: 2012-05-05
I have 3 501s, 1 main site and 2 remotes.  I need to connect via VPN from the remotes to the Main site.  I don't need to be able to access remote to remote.
I have 1 remote connecting back to the main site via VPN and it is working great.  The other remote is not.
Take a look at my config.  Isakmp policy 20 is working but Isakmp policy 20 is not.   What have I done wrong?  When I type the command  show cry is sa   there is only 1 vpn showing up.  The other one is nowhere to be found.

MAIN SITE

PIX Version 6.3(3)                  
interface ethernet0 auto                        
interface ethernet1 100full                          
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security100                                  
enable password 8Ry2YjIyt7RRXU24 encrypted                                          
passwd LKaZHBJfS0jXLkAX encrypted                                
hostname pixfirewall                    
domain-name ciscopix.com                        
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
fixup protocol smtp 25                      
fixup protocol sqlnet 1521                          
fixup protocol tftp 69                      
names    
name 10.18.158.0 North_1                        
name 10.18.159.0 North                      
name 10.18.157.0 West                    
access-list inside_outbound_nat0_acl permit ip any North_1 255.255.255.0                                                                        
access-list inside_outbound_nat0_acl permit ip any West 255.255.255.0                                                                    
access-list outside_cryptomap_20 permit ip an                                            
access-list outside_access_in permit ip any any                                              
access-list outside_access_in permit udp any any                                                
access-list outside_access_in permit tcp any any                                                
access-list outside_access_in permit icmp any any                                                
access-list inside_access_in permit icmp any any                                                
access-list inside_access_in permit ip any any                                              
access-list outside_cryptomap_40 permit ip any West 255.255.255.0                                                                
pager lines 24              
mtu outside 1500                
mtu inside 1500              
ip address outside 67.77.92.27 255.255.255.192                                              
ip address inside 10.18.159.50 255.255.255.0                                            
ip audit info action                  
ip audit attack action alarm                            
pdm location North_1 255.255.255.0 outside                                          
pdm location West 255.255.255.0 outside                                      
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list inside_outbound_nat0_acl                                                  
nat (inside) 1 0.0.0.0 0.0.0.0 0 0                                  
access-group outside_access_in in interface outside                                                  
access-group inside_access_in in interface inside                                                
route outside 0.0.0.0 0.0.0.0 67.77.92.1 1                                          
timeout xlate 0:05:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc                                                        
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server RADIUS protocol radius                                
aaa-server LOCAL protocol local                              
http server enable                  
http North 255.255.255.0 inside                              
no snmp-server location                      
no snmp-server contact                      
snmp-server community public                            
no snmp-server enable traps                          
floodguard enable                
sysopt connection permit-ipsec                              
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac                                                            
crypto map outside_map 20 ipsec-isakmp                                      
crypto map outside_map 20 match address outside_cryptomap_20                                                            
crypto map outside_map 20 set peer 69.68.148.138                                                
crypto map outside_map 20 set transform-set ESP-3DES-MD5                                                        
crypto map outside_map 40 ipsec-isakmp                                      
crypto map outside_map 40 match address outside_cryptomap_40                                                            
crypto map outside_map 40 set peer 64.45.232.144                                                
crypto map outside_map 40 set transform-set ESP-3DES-MD5                                                        
crypto map outside_map interface outside                                        
isakmp enable outside                    
isakmp key ******** address 69.68.148.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 64.45.232.144 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.18.159.51-10.18.159.82 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80





REMOTE SITE

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.18.159.0 South
access-list inside_outbound_nat0_acl permit ip any South 255.255.255.0
access-list outside_cryptomap_20 permit ip any South 255.255.255.0
access-list outside_access_in permit ip any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.45.232.144 255.255.255.192
ip address inside 10.18.157.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.18.157.0 255.255.255.0 inside
pdm location South 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 64.45.232.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.18.157.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 67.77.92.27
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 67.77.92.27 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.18.157.55-10.18.157.75 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:f5ce1120480b58fc34f97937aee1de38
: end
pixfirewall#




Thanks
will
Question by:tangofniro
51 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13648805
First, remove this from all PIX's
>access-group inside_access_in in interface inside                                                
Your access-list allows everything anyway, which is the default behavior without an acl.
  no access-group inside_access_in in interface inside


Instead of "any" use your local IP subnet
>access-list outside_cryptomap_40 permit ip any West 255.255.255.0      
Should read
  access-list outside_cryptomap_40 permit ip 10.18.159.0 255.255.255.0  West 255.255.255.0    

On the remote side, same principle
>access-list inside_outbound_nat0_acl permit ip any South 255.255.255.0
>access-list outside_cryptomap_20 permit ip any South 255.255.255.0
Should be:
 access-list inside_outbound_nat0_acl permit ip 10.18.157.0 255.255.255.0 South 255.255.255.0
 access-list outside_cryptomap_20 permit ip 10.18.157.0 255.255.255.0 South 255.255.255.0

Post result of "show cry is sa" and "show cry ip sa" from your side


0
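The mirror-image rule behind the advice above, as an added example that is not part of the original thread: it parses the crypto ACLs of two PIX 6.3 configs and reports selectors that use `any` as the source or that have no reversed counterpart on the peer. The config excerpts are constructed from the ones posted here, and the function names are this example's own.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpts in PIX 6.3 syntax, reduced from the configs posted in this thread.
MAIN_CFG = """\
name 10.18.159.0 North
name 10.18.157.0 West
access-list outside_cryptomap_40 permit ip any West 255.255.255.0
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 64.45.232.144
crypto map outside_map interface outside
"""
WEST_CFG = """\
name 10.18.159.0 South
access-list outside_cryptomap_20 permit ip any South 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 67.77.92.27
crypto map outside_map interface outside
"""
# The same excerpts with the source changed from "any" to the local subnet.
MAIN_FIXED = MAIN_CFG.replace("permit ip any West",
                              "permit ip 10.18.159.0 255.255.255.0 West")
WEST_FIXED = WEST_CFG.replace("permit ip any South",
                              "permit ip 10.18.157.0 255.255.255.0 South")


def _take_net(tokens, names):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        addr = tokens.pop(0)
        return ipaddress.ip_network(names.get(addr, addr) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{names.get(head, head)}/{mask}")


def parse_config(text):
    """Return (acls, maps): ACL name -> [(src, dst)], (map, seq) -> {acl, peer}."""
    names, acls, maps = {}, {}, {}
    lines = [l.split() for l in text.splitlines() if l.strip()]
    for t in lines:                       # first pass: "name <ip> <alias>"
        if t[0] == "name" and len(t) == 3:
            names[t[2]] = t[1]
    for t in lines:
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            try:
                src = _take_net(rest, names)
                dst = _take_net(rest, names)
            except (IndexError, ValueError):
                continue                  # truncated or unparsable line: skip it
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and len(t) >= 7:
            entry = maps.setdefault((t[2], t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
    return acls, maps


def selectors(cfg_text, peer):
    """All (src, dst) pairs protected by crypto map entries that point at peer."""
    acls, maps = parse_config(cfg_text)
    found = set()
    for entry in maps.values():
        if entry.get("peer") == peer:
            found.update(acls.get(entry.get("acl"), []))
    return found


def check_mirror(local_cfg, local_ip, remote_cfg, remote_ip):
    """Findings for the local side of one tunnel, as (code, selector) tuples."""
    mine = selectors(local_cfg, remote_ip)
    theirs = selectors(remote_cfg, local_ip)
    if not mine:
        return [("no-crypto-map", remote_ip)]
    findings = []
    for src, dst in sorted(mine, key=str):
        if src == ANY:
            findings.append(("any-source", f"{src} -> {dst}"))
        if (dst, src) not in theirs:
            findings.append(("no-mirror", f"{src} -> {dst}"))
    return findings


if __name__ == "__main__":
    print(check_mirror(MAIN_CFG, "67.77.92.27", WEST_CFG, "64.45.232.144"))
    print(check_mirror(MAIN_FIXED, "67.77.92.27", WEST_FIXED, "64.45.232.144"))
```
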
 

Author Comment

by:tangofniro
ID: 13658909
Having trouble with telnet from the outside world. Any tips on that?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13661080
No can do. Telnet to the outside interface will not be allowed. Use SSH instead, or https
0

 

Author Comment

by:tangofniro
ID: 13663994
Are these the commands I need to add to allow ssh?
Do I need to add anything else to my acls ?              



ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside


Anything else?

Trying to get some remote access working so I don't have to run around getting the vpn to work

thank you very much,
will
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13664781
That's all you need to allow ssh. Nothing to do with acls..
0
 

Author Comment

by:tangofniro
ID: 13664857
Perfect , will get ssh up and running and then start on the vpn.
Thanks Lrmoore.
0
 

Author Comment

by:tangofniro
ID: 13672115
here is what I get

pixfirewall# show cry is sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
     67.77.92.27    69.68.148.138    QM_IDLE         0           2



pixfirewall# show cry ip sa


interface: outside
    Crypto map tag: outside_map, local addr. 67.77.92.27

   local  ident (addr/mask/prot/port): (North/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (North_1/255.255.255.0/0/0)
   current_peer: 69.68.148.138:500
     PERMIT, flags={}
    #pkts encaps: 84459, #pkts encrypt: 84459, #pkts digest 84459
    #pkts decaps: 145357, #pkts decrypt: 145357, #pkts verify 145357
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 67.77.92.27, remote crypto endpt.: 69.68.148.138
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: b861b8a7

     inbound esp sas:
      spi: 0xcfdb0c08(3487239176)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607951/19013)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xb861b8a7(3093412007)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607903/19013)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (West/255.255.255.0/0/0)
   current_peer: 64.45.232.144:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 67.77.92.27, remote crypto endpt.: 64.45.232.144
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (North_1/255.255.255.0/0/0)
   current_peer: 69.68.148.138:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 151, #recv errors 0

     local crypto endpt.: 67.77.92.27, remote crypto endpt.: 69.68.148.138
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

0
 

Author Comment

by:tangofniro
ID: 13674940
Ok I did some more tinkering with it and I get this

pixfirewall# sh cry is sa
Total     : 2
Embryonic : 0
        dst               src                     state         pending     created
     67.77.92.27    64.45.232.144    QM_IDLE         0           0
     67.77.92.27    69.68.148.138    QM_IDLE         0           1


But I don't seem to be able to pass data back and forth on the .144 link.
0
 

Author Comment

by:tangofniro
ID: 13675619
Here is what I have for configs now

Main Site North:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.18.158.0 North_1
name 10.18.159.0 North
name 10.18.157.0 West
access-list inside_outbound_nat0_acl permit ip any North_1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any West 255.255.255.0
access-list outside_cryptomap_20 permit ip any North_1 255.255.255.0
access-list outside_access_in permit ip any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 5628
access-list outside_access_in permit tcp any any eq 5629
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_cryptomap_30 permit ip any West 255.255.255.0
access-list outside_cryptomap_30 permit ip North 255.255.255.0 West 255.255.255.0
access-list outside_access_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.77.92.27 255.255.255.192
ip address inside 10.18.159.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location North_1 255.255.255.0 outside
pdm location West 255.255.255.0 outside
pdm location 10.18.159.1 255.255.255.255 inside
pdm location 10.18.159.53 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) tcp interface 5628 10.18.159.1 5628 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5629 10.18.159.1 5629 netmask 255.255.255.255 0 0
static (inside,outside) tcp
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.77.92.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http North 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 69.68.148.138
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 64.45.232.144
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 69.68.148.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 64.45.232.144 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.18.159.51-10.18.159.82 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

: end
pixfirewall#  





Remote

West
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd  encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.18.159.0 South
access-list inside_outbound_nat0_acl permit ip any South 255.255.255.0
access-list outside_cryptomap_20 permit ip any South 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.18.157.0 255.255.255.0 South 255.255.255.0
access-list outside_access_in permit ip any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit tcp any any
access-list outside_access_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.45.232.144 255.255.255.192
ip address inside 10.18.157.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.18.157.0 255.255.255.0 inside
pdm location South 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 64.45.232.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable

http 10.18.157.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 67.77.92.27
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 67.77.92.27 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.18.157.55-10.18.157.75 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80

: end
pixfirewall#



here is what I get with  sh cry ip sa


pixfirewall# sh cry ip sa


interface: outside
    Crypto map tag: outside_map, local addr. 67.77.92.27

   local  ident (addr/mask/prot/port): (North/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (North_1/255.255.255.0/0/0)
   current_peer: 69.68.148.138:500
     PERMIT, flags={}
    #pkts encaps: 511, #pkts encrypt: 511, #pkts digest 511
    #pkts decaps: 527, #pkts decrypt: 527, #pkts verify 527
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 67.77.92.27, remote crypto endpt.: 69.68.148.138
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 4b3bbe82

     inbound esp sas:
      spi: 0x2453819a(609452442)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607879/26950)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x4b3bbe82(1262206594)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607860/26950)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (North/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (West/255.255.255.0/0/0)
   current_peer: 64.45.232.144:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 67.77.92.27, remote crypto endpt.: 64.45.232.144
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (West/255.255.255.0/0/0)
   current_peer: 64.45.232.144:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 67.77.92.27, remote crypto endpt.: 64.45.232.144
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (North_1/255.255.255.0/0/0)
   current_peer: 69.68.148.138:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 33, #recv errors 0

     local crypto endpt.: 67.77.92.27, remote crypto endpt.: 69.68.148.138
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13676766
OK, this is good...we need the "QM_IDLE" - this means the tunnel is established..

     67.77.92.27    64.45.232.144    QM_IDLE         0           0
     67.77.92.27    69.68.148.138    QM_IDLE         0           1

Your acl's look OK- check:

access-list inside_outbound_nat0_acl permit ip any North_1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any West 255.255.255.0
access-list outside_cryptomap_20 permit ip any North_1 255.255.255.0
access-list outside_cryptomap_30 permit ip any West 255.255.255.0

And, they are applied appropriately - check:

  crypto map outside_map 20 ipsec-isakmp
  crypto map outside_map 20 match address outside_cryptomap_20 <== to North_1
  crypto map outside_map 30 ipsec-isakmp
  crypto map outside_map 30 match address outside_cryptomap_30  <==to West

At the North_1 side:
  crypto map outside_map 20 match address outside_cryptomap_20 - check
  name 10.18.159.0 South - check
  access-list inside_outbound_nat0_acl permit ip any South 255.255.255.0 - check
  access-list outside_cryptomap_20 permit ip any South 255.255.255.0 - check

 Aha!  
   access-group inside_access_in in interface inside <== remove this!!!

Make sure that this inside IP is the default gateway for the systems on this site. If not, then whatever is the gateway needs a static route statement for the 10.18.159.0 subnet pointing to this PIX IP:
  ip address inside 10.18.157.50 255.255.255.0





0
 

Author Comment

by:tangofniro
ID: 13677008
Pulled out the access group command but it still seems dead.
The default gateway on the West side is the inside interface of the local West Pix.


Nothing active on that link no packets
0
 

Author Comment

by:tangofniro
ID: 13678516
This is one of my longer threads:  Still nothing, both links seem alive but empty

pixfirewall(config)# sh cry ip sa


interface: outside
    Crypto map tag: outside_map, local addr. 67.77.92.27

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (West/255.255.255.0/0/0)
   current_peer: 64.45.232.144:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 67.77.92.27, remote crypto endpt.: 64.45.232.144
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:

             
     inbound pcp sas:
             
             
     outbound esp sas:
             
             
     outbound ah sas:
             
             
     outbound pcp sas:
             
             
             
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (North_1/255.255.255.0/0/0)
   current_peer: 69.68.148.138:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0
             
     local crypto endpt.: 67.77.92.27, remote crypto endpt.: 69.68.148.138
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
             
     inbound esp sas:
             
             
     inbound ah sas:
             
             
     inbound pcp sas:
             
             
     outbound esp sas:
             
             
     outbound ah sas:
             
             
     outbound pcp sas:
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13680839
>#send errors 6,
Some things that can cause this:
- incompatible policies. All of yours match at 3des/md5/group2
- incorrect subnet mask on the interface. All of yours appear to be correct 255.255.255.0
- incorrect routing where the pc's don't point to the PIX as their default gateway. You are using the PIX as dhcp server, so this should not be a problem.
- incorrect nat0 acl. Yours looks fine.

Seems like everything is in place.
Last ditch effort, save the config that you have and power off the PIX, wait 2 minutes, power it back up (real hard reboot)

BTW, why does West call the North site "south" ? That was confusing me for a good while...
0
 

Author Comment

by:tangofniro
ID: 13682357
Okay, the one VPN is back; the hard reboot did nothing for the other one.
What more do I need to add to allow ping between West and North?
I was given these PIXes after the previous guy was let go and he the confusing location names.  I should have changed it but haven't.  I get lost though.
Should I ditch the current West vpn and start fresh? Maybe we(I) have missed something.
I could post my configs again just in case I added or took away something I should not have...


Thanks lrmoore
0
 

Author Comment

by:tangofniro
ID: 13682379
The other VPN going out had the same errors as the West last night but it is fine now.  Why would that happen?  It did it on its own before the reboot this am.
Both VPNs had a 0 under created and  errors sending.  Now the good one is fine and the other is not??
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13682381
Go ahead and post the two configs as they are now. It might be better just to start again fresh with them both..

0
 

Author Comment

by:tangofniro
ID: 13682458
Main

hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.18.158.0 North_1
name 10.18.159.0 North
name 10.18.157.0 West
access-list inside_outbound_nat0_acl permit ip any North_1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any West 255.255.255.0
access-list outside_cryptomap_20 permit ip any North_1 255.255.255.0
access-list outside_access_in permit ip any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 5628
access-list outside_access_in permit tcp any any eq 5629
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_cryptomap_30 permit ip any West 255.255.255.0
access-list outside_access_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.77.92.27 255.255.255.192
ip address inside 10.18.159.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location North_1 255.255.255.0 outside
pdm location West 255.255.255.0 outside
pdm location 10.18.159.1 255.255.255.255 inside
pdm location 10.18.159.53 255.255.255.255 inside
pdm location 10.18.159.54 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5628 10.18.159.1 5628 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5629 10.18.159.1 5629 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.18.159.54 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.77.92.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http North 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 69.68.148.138
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 64.45.232.144
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 69.68.148.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 64.45.232.144 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.18.159.51-10.18.159.82 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:2e2c586328b2d814c6231508aef1c546
: end
pixfirewall#  



West:


hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.18.159.0 South
access-list inside_outbound_nat0_acl permit ip 10.18.157.0 255.255.255.0 South 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.18.157.0 255.255.255.0 South 255.255.255.0
access-list outside_access_in permit ip any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit tcp any any
access-list outside_access_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.45.232.144 255.255.255.192
ip address inside 10.18.157.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.18.157.0 255.255.255.0 inside
pdm location South 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.45.232.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.18.157.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 67.77.92.27
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 67.77.92.27 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.18.157.55-10.18.157.75 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:ec7fba2197b00926065b530a6c617016
: end
pixfirewall#  




thanks again
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13683864
D'OH! We're missing this on West:

  nat (inside) 0 access-list inside_outbound_nat0_acl

0
 

Author Comment

by:tangofniro
ID: 13686312
Still no. Look at the newer config. My eyes hurt..
Thank you again.

Main

pixfirewall# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 43PR8aR.TQLujhtD encrypted
passwd LKaZHBJfS0jXLkAX encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.18.158.0 North_1
name 10.18.159.0 North
name 10.18.157.0 WestBranch
access-list inside_outbound_nat0_acl permit ip any North_1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any WestBranch 255.255.255.0
access-list outside_cryptomap_20 permit ip any North_1 255.255.255.0
access-list outside_access_in permit ip any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 5628
access-list outside_access_in permit tcp any any eq 5629
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list outside_cryptomap_40 permit ip any WestBranch 255.255.255.0
access-list outside_access_out permit icmp any any
access-list outside_cryptomap_30 permit ip any WestBranch 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.77.92.27 255.255.255.192
ip address inside 10.18.159.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location North_1 255.255.255.0 outside
pdm location WestBranch 255.255.255.0 outside
pdm location 10.18.159.1 255.255.255.255 inside
pdm location 10.18.159.53 255.255.255.255 inside
pdm location 10.18.159.54 255.255.255.255 inside
pdm location North 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5628 10.18.159.1 5628 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5629 10.18.159.1 5629 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.18.159.54 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.77.92.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http North 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 69.68.148.138
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_30
crypto map outside_map 40 set peer 64.45.232.144
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 69.68.148.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 64.45.232.144 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.18.159.51-10.18.159.82 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:0901279fc9c864da83d2b9037347c761
: end
pixfirewall#



West
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.18.159.0 NukeMain
access-list inside_outbound_nat0_acl permit ip 10.18.157.0 255.255.255.0 NukeMain 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.18.157.0 255.255.255.0 NukeMain 255.255.255.0
access-list outside_access_in permit ip any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit tcp any any
access-list outside_access_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.45.232.144 255.255.255.192
ip address inside 10.18.157.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.18.157.0 255.255.255.0 inside
pdm location NukeMain 255.255.255.0 inside
pdm location 10.18.157.0 255.255.255.0 outside
pdm location NukeMain 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.45.232.129 1
route inside NukeMain 255.255.255.0 67.77.92.27 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.18.157.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 67.77.92.27
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 67.77.92.27 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.18.157.55-10.18.157.75 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:cb2be9147eeb07c2b0ee35eafc2dee61
: end
pixfirewall#


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13688068
Man, I just can't see anything in either one that is keeping this from working...
Are you still getting QM_IDLE conditions for both sites?
0
 

Author Comment

by:tangofniro
ID: 13688381
No longer getting QM_IDLE on the West VPN.

The North VPN is getting send errors.


I seem to be taking steps backwards...
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 13688510
Best I can suggest. Change these on North site to be specific instead of "any"
no access-list inside_outbound_nat0_acl permit ip any North_1 255.255.255.0
no access-list inside_outbound_nat0_acl permit ip any WestBranch 255.255.255.0
no access-list outside_cryptomap_20 permit ip any North_1 255.255.255.0
no access-list outside_cryptomap_30 permit ip any WestBranch 255.255.255.0

Change to
access-list inside_outbound_nat0_acl permit ip 10.18.159.0 255.255.255.0 10.18.157.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.18.159.0 255.255.255.0 10.18.158.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.18.159.0 255.255.255.0 10.18.158.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 10.18.159.0 255.255.255.0 10.18.157.0 255.255.255.0
Be sure to re-apply the nat 0
  nat (inside) 0 access-list inside_outbound_nat0_acl
And re-apply the crypto map
  crypto map outside_map interface outside


On West, remove this acl:
  no access-group outside_access_in in interface outside

On BOTH sites, add this:
  sysopt noproxyarp inside


0
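The two fixes suggested so far (the missing `nat (inside) 0` line on West, and specific subnets instead of `any` in the crypto access-lists) can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses two PIX 6.x configs and reports crypto ACL entries that are not mirror images of the peer's, and tunnel traffic not covered by a nat 0 access-list. The config strings are excerpts assembled from the configs posted above; the function names and the "Main"/"West" labels are this example's own.

```python
import ipaddress

def _take(tok, names):
    """Consume one ACL address spec: 'any', 'host A' or 'ADDR MASK' (ADDR may be a name)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(names.get(tok[1], tok[1]) + "/32"), tok[2:]
    return ipaddress.ip_network(names.get(tok[0], tok[0]) + "/" + tok[1]), tok[2:]

def parse_pix(config):
    """Pull out 'permit ip' ACL entries, nat 0 ACL names and crypto map entries."""
    names, acls, nat0, maps = {}, {}, [], {}
    for tok in (line.split() for line in config.splitlines()):
        if len(tok) == 3 and tok[0] == "name":
            names[tok[2]] = tok[1]                      # alias -> address
        elif tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, rest = _take(tok[4:], names)
            dst, _ = _take(rest, names)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            nat0.append(tok[4])
        elif tok[:2] == ["crypto", "map"] and len(tok) == 7 and tok[3].isdigit():
            maps.setdefault(tok[3], {})[tok[5]] = tok[6]  # keys: 'address', 'peer', ...
    return acls, nat0, maps

def selectors(parsed, peer_ip):
    """Crypto ACL entries of the crypto map entry that points at peer_ip (empty if none)."""
    acls, _, maps = parsed
    for entry in maps.values():
        if entry.get("peer") == peer_ip:
            return acls.get(entry.get("address"), [])
    return []

def check_tunnel(a_name, a_cfg, a_ip, b_name, b_cfg, b_ip):
    """Findings for one tunnel: unmirrored crypto selectors, traffic not exempt from NAT."""
    findings = []
    a, b = parse_pix(a_cfg), parse_pix(b_cfg)
    a_sel, b_sel = selectors(a, b_ip), selectors(b, a_ip)
    for name, sel, other in ((a_name, a_sel, b_sel), (b_name, b_sel, a_sel)):
        if not sel:
            findings.append(f"{name}: no crypto map entry/ACL for this peer")
        for src, dst in sel:
            if (dst, src) not in other:
                findings.append(f"{name}: {src} -> {dst} has no mirror-image entry on the peer")
    for name, (acls, nat0, _), sel in ((a_name, a, a_sel), (b_name, b, b_sel)):
        exempt = [e for acl in nat0 for e in acls.get(acl, [])]
        for src, dst in sel:
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                findings.append(f"{name}: {src} -> {dst} is not covered by a nat 0 access-list")
    return findings

# Sample input: excerpts assembled from the configs posted in this thread.
MAIN_MAPS = """\
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 69.68.148.138
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 64.45.232.144
"""
MAIN_BEFORE = """\
name 10.18.158.0 North_1
name 10.18.157.0 West
access-list inside_outbound_nat0_acl permit ip any North_1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any West 255.255.255.0
access-list outside_cryptomap_20 permit ip any North_1 255.255.255.0
access-list outside_cryptomap_30 permit ip any West 255.255.255.0
""" + MAIN_MAPS
# Main site with the access-list lines from the accepted answer applied.
MAIN_AFTER = """\
access-list inside_outbound_nat0_acl permit ip 10.18.159.0 255.255.255.0 10.18.157.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.18.159.0 255.255.255.0 10.18.158.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.18.159.0 255.255.255.0 10.18.158.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 10.18.159.0 255.255.255.0 10.18.157.0 255.255.255.0
""" + MAIN_MAPS
WEST_BEFORE = """\
name 10.18.159.0 South
access-list inside_outbound_nat0_acl permit ip 10.18.157.0 255.255.255.0 South 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.18.157.0 255.255.255.0 South 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 67.77.92.27
"""
WEST_AFTER = WEST_BEFORE + "nat (inside) 0 access-list inside_outbound_nat0_acl\n"

if __name__ == "__main__":
    for label, main, west in (("before", MAIN_BEFORE, WEST_BEFORE), ("after", MAIN_AFTER, WEST_AFTER)):
        print(label)
        for f in check_tunnel("Main", main, "67.77.92.27", "West", west, "64.45.232.144"):
            print("  " + f)
```

A clean result only says the selectors and NAT exemption are consistent on both peers; it does not test reachability of UDP 500 or ESP through whatever sits in front of each PIX.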
 

Author Comment

by:tangofniro
ID: 13700281
I tried to start over, now when I add   crypto map outside_map 20 match address outside_cryptomap_20  or cryptomap_30
the router locks down the outside interface. I have to pull those commands to get it back up.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13700357
Been there, done that...
Make sure you remove this line first:

>crypto map outside_map interface outside

Then make all your changes, then re-apply the crypto map to the interface..
0
 

Author Comment

by:tangofniro
ID: 13700529
Locked me out again.
Pulled crypto map outside_map interface outside

applied my crypto map outside_map 20 match address outside_cryptomap_20

re-applied crypto to the int and bam, locked up
0
 

Author Comment

by:tangofniro
ID: 13707276
Okay, I researched around and it seems like I can't do what I am doing from ssh.  I need to do it from pdm and use the multiple line command function.
I hope I am on the right track....

I am actually configuring outside the vpns and local networks.  
0
 

Author Comment

by:tangofniro
ID: 13709312
Okay what do I need to do to make it not shut down when I apply the crypto map on the outside interface?
Is there a group of commands I need to enter?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13709505
Sorry for the delay...
Let's try this sequence:

 Remove the crypto map from the interface, then  clear crypto is and sa:
   no crypto map outside_map interface outside
   clear crypto is sa
   clear crypto ip sa

Make your changes with new config
 apply the new map to the interface

0
 

Author Comment

by:tangofniro
ID: 13709790
okay, got it back in no problem using pdm /...if I even had to use it?

Look at the main site config.  I changed a lot of stuff and I believe I am missing something but I don't know what.
The remote site has QM_IDLE but the main site does not.  I really appreciate your time.

names        
name 10.18.158.0 North_1
name 10.18.159.0 North
name 10.18.157.0 WestBranch
access-list 101 permit ip North 255.255.255.0 WestBranch 255.255.255.0
access-list 101 permit ip North 255.255.255.0 North_1 255.255.255.0
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 5628
access-list 101 permit tcp any any eq 5629
access-list 120 permit ip North 255.255.255.0 WestBranch 255.255.255.0
access-list outside_access_in permit ip any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list 110 permit ip North 255.255.255.0 North_1 255.255.255.0
access-list outside_access_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.77.92.27 255.255.255.192
ip address inside 10.18.159.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location North_1 255.255.255.0 outside
pdm location WestBranch 255.255.255.0 outside
pdm location 10.18.159.1 255.255.255.255 inside
pdm location 10.18.159.53 255.255.255.255 inside
pdm location 10.18.159.54 255.255.255.255 inside
pdm location North 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5628 10.18.159.1 5628 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5629 10.18.159.1 5629 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.18.159.53 3389 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 67.77.92.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http North 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer 69.68.148.138
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address 120
crypto map outside_map 30 set peer 64.45.232.144
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 69.68.148.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 64.45.232.144 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.18.159.51-10.18.159.82 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:29836b4e3a05c19df7aa5ff5c3c5b64c
: end
pixfirewall#
0
 

Author Comment

by:tangofniro
ID: 13710066
sh access list


access-list 110 line 1 permit ip North 255.255.255.0 North_1 255.255.255.0 (hitcnt=34)
access-list 120 line 1 permit ip North 255.255.255.0 WestBranch 255.255.255.0 (hitcnt=0)


access-list 101; 5 elements
access-list 101 line 1 permit ip North 255.255.255.0 WestBranch 255.255.255.0 (hitcnt=0)
access-list 101 line 2 permit ip North 255.255.255.0 North_1 255.255.255.0 (hitcnt=48)
access-list 101 line 3 permit tcp any any eq 3389 (hitcnt=0)
access-list 101 line 4 permit tcp any any eq 5628 (hitcnt=0)
access-list 101 line 5 permit tcp any any eq 5629 (hitcnt=0)


I am lost now...
0
 

Author Comment

by:tangofniro
ID: 13710098
Okay  it is showing hits because I got my original good vpn back up and working.

I am at square one with my original question.  Why isn't my second vpn working? ha
0
 

Author Comment

by:tangofniro
ID: 13710565
here is the remote config


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
name 10.18.159.0 NukeMain
name 10.18.157.0 West
access-list 120 permit ip West 255.255.255.0 NukeMain 255.255.255.0
access-list outside_access_in permit ip any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list inside_access_in permit udp any any
access-list inside_access_in permit tcp any any
access-list outside_access_out permit icmp any any
access-list 101 permit ip West 255.255.255.0 NukeMain 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.45.232.144 255.255.255.192
ip address inside 10.18.157.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location West 255.255.255.0 inside
pdm location NukeMain 255.255.255.0 inside
pdm location West 255.255.255.0 outside
pdm location NukeMain 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.45.232.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http West 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 120
crypto map outside_map 20 set peer 67.77.92.27
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 67.77.92.27 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.18.157.55-10.18.157.75 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:b28f64e3da31e49817ee82e120679967
: end
pixfirewall#
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13710808
Is there any chance that the ISP is blocking VPN at the west location? What type of connection is it in front of the PIX? Is it a router that you own? Is it an ISP-provided box?
I think we might be chasing our tails here. Everything appears to be correct. You've got one site up and running, so the other one should be a piece of cake. I've never had one this difficult to get working unless there was something blocking packets at one site or the other..
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13710824
Hold everything...
>sysopt noproxyarp inside

Let's remove this line from West...
  no sysopt noproxyarp inside

0
 

Author Comment

by:tangofniro
ID: 13710880
It is DSL  so there is a router/bridge in front of the pix.  Sprint provided.


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13710913
One more question. I'm sure we've covered it...but I have to ask again..
The local PIX is the default gateway for all machines on the LAN, both ends, right?
You are pinging from a host on one lan to a host on the other Lan, not from pix to pix, right?
0
 

Author Comment

by:tangofniro
ID: 13710981
Tried removing the sys but nothing still.

I will see if the sprint box is causing anything.  I have to believe the problem is on the remote site.  Everything seems to be working on the Main site and I have 1 vpn already working.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13711028
Agree. More investigation at the West site is definitely in order. We're chasing our tails here ...

Good luck!
0
 

Author Comment

by:tangofniro
ID: 13711080
Thanks
0
 

Author Comment

by:tangofniro
ID: 13711184
One more question: my 2 PIXes, once configured correctly, should connect right away, no, even if I have the network down on the inside? Workstations are off right now.  I am not even pinging anything.  I am just going by the fact I don't see them connected.  I should still be getting QM_IDLE no matter what...?

Are there any other commands I could use to see what exactly is happening, besides sh cry is sa & sh cry ip sa ?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13711249
Because this is a dynamic VPN tunnel, it's not even there unless/until there is actually traffic being passed on it.

debug cryp is
debug cryp ip
Could help shed some light..
0
 

Author Comment

by:tangofniro
ID: 13711372
So QM_IDLE would not show up unless machines on the remote end are on and trying to access the other network? The PIX themselves will not initiate the ipsec tunnel?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13711534
The PIX themselves will not initiate the ipsec tunnel all on their own.
The access-lists that you have defined will "trigger" the VPN tunnel. Unless something triggers it, nothing else happens.
First they exchange keys, get QM_IDLE, then they can send the traffic.

What you can do is include the local/remote public IP's in the trigger access-list:

West:
access-list 120 permit ip host 64.45.232.144  host 67.77.92.27

NORTH:
access-list 120 permit ip host 67.77.92.27 host 64.45.232.144

Now you can ping from the console of the PIX and it should bring up the tunnel.

0
 

Author Comment

by:tangofniro
ID: 13712561
I did it and it locked me out of the North site.
0
 

Author Comment

by:tangofniro
ID: 13712574
Did I need to pull the crypto command and reapply it?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13712741
Yes, you need to pull and reapply the crypto map each time you change something like the access list.
0
 

Author Comment

by:tangofniro
ID: 13712758
damn
0
 

Author Comment

by:tangofniro
ID: 13713585
Why is it the North locks down but the West does not?  Is it because there is an active ipsec sa on that pix?  When the policy lifetime ends does the int reset itself?
Just trying to understand it a bit.
0
 

Author Comment

by:tangofniro
ID: 13717183
Okay, I think I have it, except I screwed up my access lists in the process.
I need to have 3389 and the pcany working. What did I do?


domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.18.158.0 North_1
name 10.18.159.0 North
name 10.18.157.0 WestBranch
access-list 101 permit ip North 255.255.255.0 WestBranch 255.255.255.0
access-list 101 permit ip North 255.255.255.0 North_1 255.255.255.0
access-list 120 permit ip North 255.255.255.0 WestBranch 255.255.255.0
access-list outside_access_in permit ip any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any any eq 3389
access-list outside_access_in permit tcp any any eq 5628
access-list outside_access_in permit tcp any any eq 5629
access-list inside_access_in permit icmp any any
access-list inside_access_in permit ip any any
access-list 110 permit ip North 255.255.255.0 North_1 255.255.255.0
access-list outside_access_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 67.77.92.27 255.255.255.192
ip address inside 10.18.159.50 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location North_1 255.255.255.0 outside
pdm location WestBranch 255.255.255.0 outside
pdm location 10.18.159.1 255.255.255.255 inside
pdm location 10.18.159.53 255.255.255.255 inside
pdm location 10.18.159.54 255.255.255.255 inside
pdm location North 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5628 10.18.159.1 5628 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5629 10.18.159.1 5629 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.18.159.53 3389 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.77.92.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http North 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer 69.68.148.138
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address 120
crypto map outside_map 30 set peer 64.45.232.144
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 69.68.148.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 64.45.232.144 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.18.159.51-10.18.159.82 inside
dhcpd dns 204.117.214.10
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
0
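
Added example (not code from the thread or from Cisco): a small Python model of how the `match address` access-lists on each crypto map entry decide which traffic triggers which tunnel, run against an excerpt of the North config posted above. The function names are illustrative, and the model assumes only `permit ip` ACL lines matter and that entries are tried in sequence order.

```python
import ipaddress

# Excerpt of the North config posted above: names, crypto ACLs, crypto map.
CONFIG = """\
name 10.18.158.0 North_1
name 10.18.159.0 North
name 10.18.157.0 WestBranch
access-list 120 permit ip North 255.255.255.0 WestBranch 255.255.255.0
access-list 110 permit ip North 255.255.255.0 North_1 255.255.255.0
crypto map outside_map 20 match address 110
crypto map outside_map 20 set peer 69.68.148.138
crypto map outside_map 30 match address 120
crypto map outside_map 30 set peer 64.45.232.144
"""

def _net(tok, names):
    """Consume 'any', 'host ADDR' or 'ADDR MASK' from tok; resolve name aliases."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    t, mask = (tok.pop(0), "255.255.255.255") if t == "host" else (t, tok.pop(0))
    return ipaddress.ip_network(f"{names.get(t, t)}/{mask}")

def parse(config):
    """Return (acls, entries): ACL id -> [(src, dst)], map sequence -> {acl, peer}."""
    names, acls, entries = {}, {}, {}
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["name"]:
            names[w[2]] = w[1]
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            rest = w[4:]  # assumption: only 'permit ip' lines are modelled
            acls.setdefault(w[1], []).append((_net(rest, names), _net(rest, names)))
        elif w[:2] == ["crypto", "map"] and len(w) == 7 and w[3].isdigit():
            entry = entries.setdefault(int(w[3]), {})
            if w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                entry["peer"] = w[6]
    return acls, entries

def tunnel_for(config, src, dst):
    """(sequence, peer) of the first crypto map entry whose ACL matches, else None."""
    acls, entries = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(entries):
        for src_net, dst_net in acls.get(entries[seq].get("acl"), []):
            if s in src_net and d in dst_net:
                return seq, entries[seq].get("peer")
    return None
```

With the excerpt as posted, a packet from the PIX's own outside address 67.77.92.27 to 64.45.232.144 matches no crypto ACL and `tunnel_for` returns `None`; appending the NORTH host-to-host line suggested earlier in the thread makes it match entry 30.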
 

Author Comment

by:tangofniro
ID: 13717627
Well, maybe not. It seems that RDP was letting me go out from the site, hit my personal server and then come back in.  Got back to the office and was able to get back in fine.

Was able to ping back and forth between the West and North sites, which was good.

I guess I need to close this one out and, if I run into any more problems, start a new novel.


Thank you very much for your help, lrmoore.  You have helped me more than once on EE.

thanks,
will
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 13719383
Yea! Sorry I've been away for a while. Busy at work...
Glad to hear you have most of it working!
0
