
VPN Established Between Cisco PIX 515 and Cisco PIX 501, But Cannot Access Data

I have set up a simple connection between a PIX 515 and a PIX 501.  I am attempting to use the Easy VPN Server/Client since I don't have a lot of time and I need this up right away.

I ran through the VPN wizard on the 515 and set up the 515 as an Easy VPN Server.  It was a pretty simple setup.  I wanted to give the remote site (501) full access to the whole subnet at the primary site (515).

I then clicked on the Easy VPN Remote section of the PDM, checked "Network Extension Mode", added the group settings, and entered the server IP address in the Easy VPN Server area.

I was able to get an IKE tunnel (I have the 501 connected to one of my open IP addresses outside my firewall).  If I go to the monitoring area of the PDM, it states I have successfully created a VPN connection.  If I look at the IKE SA, it is in a QM_IDLE state.  It also shows a couple of IPsec VPNs.  Unfortunately, I cannot see either network from the other side.  I cannot ping any devices across the tunnel, therefore I cannot access any servers.

I will post the pertinent config below:

The 515 config:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

access-list public_access_in permit tcp any host 64.163.20.98 eq pop3
access-list public_access_in permit tcp any host 64.163.20.98 eq www
access-list public_access_in permit tcp any host 64.163.20.98 eq https
access-list public_access_in permit tcp any host 64.163.20.98 eq smtp
access-list public_access_in permit tcp any host 64.163.20.101 eq pcanywhere-data
access-list public_access_in permit udp any host 64.163.20.101 eq pcanywhere-status
access-list public_access_in permit tcp any host 64.163.20.102 eq 5633
access-list public_access_in permit udp any host 64.163.20.102 eq 5634
access-list public_access_in permit udp any host 64.163.20.103 eq tftp

ip address outside 64.163.20.109 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip local pool VPN_IPPool 192.168.0.80-192.168.0.205


global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.163.20.98 Ezionmail01 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.101 192.168.0.120 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.102 192.168.0.121 netmask 255.255.255.255 0 0
static (inside,outside) 64.163.20.103 Eziondc01 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 64.163.20.97 1

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup remote address-pool VPN_IPPool
vpngroup remote dns-server Eziondc01 Ezionmail01
vpngroup remote wins-server Eziondc01 Ezionmail01
vpngroup remote default-domain HQ
vpngroup remote idle-time 1800
vpngroup remote password ********

Here is the 501 config:

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

ip address outside 64.163.20.110 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.163.20.97 1

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local

vpnclient server 64.163.20.109
vpnclient mode network-extension-mode
vpnclient vpngroup remote password ********
vpnclient enable

Pretty straightforward.  The tunnel comes up but no data.  What am I missing?  I need to do some training on Friday and I need this up.



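The checks a practitioner would run on the 515 before changing anything, as an added example that is not part of the original post. It assumes PIX 6.3 show/config syntax and uses `nonat` as an assumed access-list name; the addresses are the ones in the posted configs. Lines starting with `!` are annotation for the reader, not commands to paste.

```cisco
! Added example (not from the original post): verification sequence on the
! PIX 515 Easy VPN server once the 501 reports the tunnel as up.
! Assumed: PIX 6.3 syntax; "nonat" is an assumed access-list name.

! 1. Phase 1 must show the 501 (64.163.20.110) in QM_IDLE, as the poster sees.
show isakmp sa

! 2. Phase 2 is where "tunnel up, no data" is diagnosed. Have a host on
!    192.168.0.0/24 ping a host on 192.168.1.0/24, then read the counters:
show crypto ipsec sa
!    #pkts encaps 0 / decaps 0  -> the ping never matched the crypto map; on the
!                                  515 the usual reason is that "nat (inside) 1"
!                                  PATs 192.168.0.x to 64.163.20.109 first
!    encaps > 0 / decaps 0      -> the 515 encrypts, the reply never comes back
!                                  (look at the 501 side and at host firewalls)
!    both > 0 but ping fails    -> IPsec is working; the problem is routing or a
!                                  host-level filter, not the VPN

! 3. The posted 515 config has no NAT exemption. Without one, traffic from the
!    HQ LAN toward the branch LAN is translated before it is compared with the
!    crypto map, so it never enters the tunnel:
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! 4. The dynamic map references outside_cryptomap_dyn_20, which is not in the
!    posted excerpt. Confirm it exists and what it matches:
show access-list outside_cryptomap_dyn_20
show crypto map

! 5. Repeat the ping from the inside host and re-read the counters; the encaps
!    counter should now advance.
show crypto ipsec sa
```

On the 501 the IPsec policy is pushed by the server, so run the same two show commands there rather than hand-editing its NAT. If the encaps counter stays at zero on both units after the exemption is in place, the test traffic is not reaching the PIX inside interface at all (check the hosts' default gateway).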
Asked by Javier196
1 Solution
 
lrmoore commented:
Much easier on you if you don't use the "easy-VPN" but instead use the VPN Wizard to create a site-to-site VPN.



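What the site-to-site (LAN-to-LAN) route suggested in the answer looks like on the CLI, as an added example; it is neither the poster's config nor the PDM wizard's output. It keeps the addresses from the post; the access-list and transform-set names, the crypto map sequence number 10, and the masked pre-shared key are assumptions. Lines starting with `!` are annotation for the reader, not commands to paste.

```cisco
! Added example, not the poster's config. Static IPsec between the two PIX units
! from the post, PIX 6.3 syntax. Assumed names: l2l_branch, l2l_hq, ESP-3DES-SHA;
! "********" stands for the real pre-shared key, which must match on both units.
! Remove the Easy VPN lines first:
!   515: the "vpngroup remote ..." lines and the dynamic crypto map entries
!   501: "vpnclient enable" and the other "vpnclient ..." lines

! ===== PIX 515 (HQ): inside 192.168.0.0/24, outside 64.163.20.109 =====
! Interesting traffic; the same ACL exempts it from the "nat (inside) 1" PAT.
access-list l2l_branch permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list l2l_branch
! Phase 2 proposal. 3DES/SHA needs the 3DES/AES activation key on both units;
! if only DES is licensed, the posted ESP-DES-MD5 set works but is weak.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l_branch
crypto map outside_map 10 set peer 64.163.20.110
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
! Phase 1. no-xauth/no-config-mode stop the peer being treated as a remote-access client.
isakmp enable outside
isakmp identity address
isakmp key ******** address 64.163.20.110 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec

! ===== PIX 501 (branch): inside 192.168.1.0/24, outside 64.163.20.110 =====
access-list l2l_hq permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list l2l_hq
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l_hq
crypto map outside_map 10 set peer 64.163.20.109
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp key ******** address 64.163.20.109 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
```

The two crypto ACLs are mirror images of each other and must stay that way, or phase 2 fails with a proxy-identity mismatch. Verify with `show isakmp sa` (QM_IDLE) and `show crypto ipsec sa` (both encaps and decaps advancing) after a ping from a host behind one unit to a host behind the other.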