Problem passing IPSEC traffic after IKE tunnel setup

Posted on 2006-06-13
Last Modified: 2008-02-01
I have a VPN network with 6 PIX 501's connected to a PIX 515e.  Everything worked fine until the cable company decided to upgrade multiple pieces of hardware.  After three weeks of having no cable service or static ip's that didn't stay static it seems that the cable system has calmed down and I can put my broken network back together again.  My problem is when I changed the IP addresses for the VPN only 2 of the 4 sites came back online (the other 2 sites use DSL and have had no problems at all).  I deleted the config information for the 2 non working sites and decided to re-create them 1 at a time to see if they come back up.  Needless to say it didn’t work.  The IKE tunnel connects and is idle but there is no IPSEC tunnel being created.

Running sh crypto isakmp sa returns the following
Total     : 5
Embryonic : 0
        dst               src               state       pending     created
     x.x.x.244   x.x.x.212    QM_IDLE         0           5
     x.x.x.244   x.x.x.210    QM_IDLE         0           4
     x.x.x.244   x.x.x.208    QM_IDLE         0           0
     x.x.x.244   x.x.x.188    QM_IDLE         0           4
     x.x.x.244   x.x.x.16      QM_IDLE         0           2


Instead I get send errors

Result of firewall command: "sh ipsec sa"
 
interface: outside
    Crypto map tag: outside_map, local addr. x.x.x.244
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (FD1/255.255.255.0/0/0)
   current_peer: x.x.x.188:500
     PERMIT, flags={}
    #pkts encaps: 546, #pkts encrypt: 546, #pkts digest 546
    #pkts decaps: 622, #pkts decrypt: 628, #pkts verify 628
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: x.x.x.244, remote crypto endpt.: x.x.x.188
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 322df5c
     inbound esp sas:
      spi: 0xcfe30e41(3487764033)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 7, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607870/28112)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x322df5c(52617052)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607921/28112)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (FD1/255.255.255.0/0/0)
   current_peer: x.x.x.188:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: x.x.x.244, remote crypto endpt.: x.x.x.188
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (FD4/255.255.255.0/0/0)
   current_peer: x.x.x.208:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 7, #recv errors 0
     local crypto endpt.: x.x.x.244, remote crypto endpt.: x.x.x.208
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

The cable company tech guys say they are not doing any port filtering or blocking, logically they would be correct if two of the four sites from the same local mom and pop cable operator are working.  Stranger things have happened though.

Thank you for your time and ideas.

Question by:SpazzCat74

LVL 11

Expert Comment

by:prueconsulting
ID: 16897447
Stupid question but acls are properly configured to pass traffic through to those other 2 sites ?
LVL 1

Author Comment

by:SpazzCat74
ID: 16897566
Yes, they were working until the cable company changed the IP addressing scheme of all the cable modems.
LVL 79

Expert Comment

by:lrmoore
ID: 16897940
Can you post your config?
Send errors suggest a config error on the 515 end

>local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
>   remote ident (addr/mask/prot/port): (FD4/255.255.255.0/0/0)

Local ident 0.0.0.0 suggests that your acl looks like this:
 access-list yadayada permit ip any FD4 255.255.255.0

It is not recommended to ever use "any" in the acls because the two ends should be mirror images of each other:
  access-list 515_to_FD4 permit ip 10.0.0.0 255.255.255.0 FD4 255.255.255.0
 
  access-list FD4_to_515 permit ip FD4 255.255.255.0 10.0.0.0 255.255.255.0

Notice the setup to FD1 that appears to be working.....


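The mirror-image rule above can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it reads the `name` aliases and the `permit ip` entries of a crypto ACL from each side's PIX 6.x config text, expands the aliases, and reports entries that are not mirrored on the other peer, as well as any use of `any` (a 0.0.0.0/0.0.0.0 proxy identity, which the other end cannot mirror). The config snippets are constructed from the ACL and `name` lines posted in this thread; `HUB_FIXED` is a hypothetical corrected hub ACL of the shape lrmoore recommends.

```python
"""Check that the crypto ACLs on two PIX 6.x peers are mirror images.

Added example for this thread (not the thread's or Cisco's code).  It parses
'name' aliases and 'access-list <acl> permit ip ...' lines, expands aliases to
addresses, and compares the hub's (src, dst) pairs with the spoke's (dst, src)
pairs.  'any' is flagged separately because 0.0.0.0/0.0.0.0 cannot be mirrored.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str, str]  # (src, src_mask, dst, dst_mask)


def parse_names(config: str) -> Dict[str, str]:
    """Map alias -> address from 'name <addr> <alias>' lines."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"\s*name\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def _take_addr(toks: List[str], names: Dict[str, str]) -> Tuple[str, str, List[str]]:
    """Consume one address spec (any | host X | X MASK) from the token list."""
    if toks[0] == "any":
        return "0.0.0.0", "0.0.0.0", toks[1:]
    if toks[0] == "host":
        return names.get(toks[1], toks[1]), "255.255.255.255", toks[2:]
    return names.get(toks[0], toks[0]), toks[1], toks[2:]


def parse_crypto_acl(config: str, acl_name: str) -> List[Entry]:
    """Return (src, src_mask, dst, dst_mask) for each 'permit ip' entry of acl_name."""
    names = parse_names(config)
    pat = re.compile(r"access-list\s+" + re.escape(acl_name) + r"\s+permit\s+ip\s+(.+)$")
    entries = []
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        src, src_mask, rest = _take_addr(m.group(1).split(), names)
        dst, dst_mask, _ = _take_addr(rest, names)
        entries.append((src, src_mask, dst, dst_mask))
    return entries


def check_mirror(hub_cfg: str, hub_acl: str, spoke_cfg: str, spoke_acl: str) -> List[str]:
    """Return a list of findings; an empty list means the two ACLs mirror each other."""
    hub = parse_crypto_acl(hub_cfg, hub_acl)
    spoke = parse_crypto_acl(spoke_cfg, spoke_acl)
    findings = []
    for e in hub + spoke:
        if "0.0.0.0" in (e[1], e[3]):
            findings.append(f"'any' used in crypto ACL entry {e}")
    hub_set = set(hub)
    spoke_mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in spoke}
    for e in sorted(hub_set - spoke_mirrored):
        findings.append(f"hub entry {e} has no mirror on the spoke")
    for e in sorted(spoke_mirrored - hub_set):
        findings.append(f"spoke entry (mirrored) {e} has no match on the hub")
    return findings


# Constructed snippets modelled on the configs posted in the thread.
HUB_CFG = """\
name 10.40.0.0 FD4
access-list outside_cryptomap_260 permit ip any FD4 255.255.255.0
"""
HUB_FIXED = """\
name 10.40.0.0 FD4
access-list outside_cryptomap_260 permit ip 10.0.0.0 255.255.255.0 FD4 255.255.255.0
"""
SPOKE_CFG = """\
name 10.0.0.0 CPC
access-list outside_cryptomap_20 permit ip 10.40.0.0 255.255.255.0 CPC 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", HUB_CFG), ("corrected", HUB_FIXED)):
        print(f"--- hub ACL {label} ---")
        for f in check_mirror(cfg, "outside_cryptomap_260", SPOKE_CFG, "outside_cryptomap_20") or ["OK: ACLs mirror"]:
            print(f)
```

Run against the posted hub ACL it reports three findings (the `any`, the unmirrored hub entry, and the spoke entry with no hub match); against the corrected hub ACL it reports none. The same function works for the FD1, FD3 and Parks pairs once their `name` lines and ACL names are supplied.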
LVL 1

Author Comment

by:SpazzCat74
ID: 16902639
Okay, here is my configuration.  My acls look the same for Parks and FD1 as they do for FD3 and FD4.  Parks and FD1 are working fine, which is the problem.  If they were all broken I think it would be easier to fix.  Thank you again for your help.

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password OWiwiiregnCFc/.N encrypted
passwd CEr.uSgZ.RVn/lUw encrypted
hostname CPCEdge
domain-name CPC.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.110.0.0 Golf
name 10.100.0.0 Parks
name 10.40.0.0 FD4
name 10.30.0.0 FD3
name 10.200.0.0 PDT
name 10.10.0.0 FD1
name 10.250.0.0 Test_Site
name 10.3.3.0 Sheriffs_Office
access-list CPCVPN_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 10.5.5.0 255.255.255.0
access-list CPCVPN_splitTunnelAcl permit ip Sheriffs_Office 255.255.255.0 10.5.5.0 255.255.255.0
access-list outside_cryptomap_260 permit ip any FD4 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any PDT 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.5.5.96 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.5.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Sheriffs_Office 255.255.255.0 10.5.5.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any Parks 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any FD1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any FD4 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any FD3 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.5.5.96 255.255.255.224
access-list outside_cryptomap_240 permit ip any FD1 255.255.255.0
access-list outside_cryptomap_280 permit ip any FD3 255.255.255.0
access-list outside_cryptomap_140 permit ip any PDT 255.255.255.0
access-list outside_cryptomap_220 permit ip any Parks 255.255.255.0
access-list outside_access_in permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside x.x.x.244 255.255.255.0
ip address inside 10.0.0.5 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool CPCVPNPool 10.5.5.100-10.5.5.119
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location PDT 255.255.255.0 outside
pdm location FD1 255.255.255.0 outside
pdm location FD3 255.255.255.0 outside
pdm location FD4 255.255.255.0 outside
pdm location Parks 255.255.255.0 outside
pdm location Golf 255.255.255.0 outside
pdm location Test_Site 255.255.255.0 outside
pdm location 10.5.5.0 255.255.255.0 outside
pdm location Sheriffs_Office 255.255.255.0 inside
pdm location x.x.x.x 255.255.255.255 outside
no pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.254 1
route inside Sheriffs_Office 255.255.255.0 10.0.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 140 ipsec-isakmp
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer x.x.x.210
crypto map outside_map 140 set transform-set ESP-DES-MD5
crypto map outside_map 220 ipsec-isakmp
crypto map outside_map 220 match address outside_cryptomap_220
crypto map outside_map 220 set peer x.x.x.212
crypto map outside_map 220 set transform-set ESP-DES-MD5
crypto map outside_map 240 ipsec-isakmp
crypto map outside_map 240 match address outside_cryptomap_240
crypto map outside_map 240 set peer x.x.x.188
crypto map outside_map 240 set transform-set ESP-DES-MD5
crypto map outside_map 260 ipsec-isakmp
crypto map outside_map 260 match address outside_cryptomap_260
crypto map outside_map 260 set peer x.x.x.208
crypto map outside_map 260 set transform-set ESP-DES-MD5
crypto map outside_map 280 ipsec-isakmp
crypto map outside_map 280 match address outside_cryptomap_280
crypto map outside_map 280 set peer x.x.x.236
crypto map outside_map 280 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.210 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.212 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.188 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.208 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.236 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CPCVPN address-pool CPCVPNPool
vpngroup CPCVPN dns-server 10.0.0.20 198.6.1.3
vpngroup CPCVPN wins-server 10.0.0.20
vpngroup CPCVPN default-domain CPC.local
vpngroup CPCVPN split-tunnel CPCVPN_splitTunnelAcl
vpngroup CPCVPN idle-time 1800
vpngroup CPCVPN password ********
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.255 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:5973d8420fe2a9f0ff5ba80ef8adc25e
LVL 79

Expert Comment

by:lrmoore
ID: 16910341
What is 10.0.0.2 ? Another router?
What is the local default gateway? That router, or the PIX 10.0.0.5?

Is there any difference in the remote site configs between FD1 and FD4 ?
LVL 1

Author Comment

by:SpazzCat74
ID: 16911328
10.0.0.2 is the internal router that connects us (the city) to county services to share GIS and public safety information.  The local default gateway is the 10.0.0.2 router.  The only differences in the remote configs are the IP addresses and the names.  I'll go out and grab the current configs later today.
LVL 1

Author Comment

by:SpazzCat74
ID: 16922618
Here are the current running configs and the status of sh isakmp sa and sh ipsec sa
FD 1:
Result of firewall command: "sh isakmp sa"
 
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
     x.x.x.244      x.x.x.188    QM_IDLE         0           1

Result of firewall command: "sh ipsec sa"
 
interface: outside
    Crypto map tag: outside_map, local addr. x.x.x.188
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (CPC/255.255.255.0/0/0)
   current_peer: x.x.x.244:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 37131, #pkts encrypt: 37131, #pkts digest 37131
    #pkts decaps: 37057, #pkts decrypt: 37203, #pkts verify 37203
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: x.x.x.188, remote crypto endpt.: x.x.x.244
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: f10ac121
     inbound esp sas:
      spi: 0x72ff17a8(1929320360)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4586147/5359)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xf10ac121(4044013857)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4600898/5359)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (RCSO/255.255.255.0/0/0)
   current_peer: x.x.x.244:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: x.x.x.188, remote crypto endpt.: x.x.x.244
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

Result of firewall command: "sh config"
 
: Saved
: Written by enable_15 at 20:15:26.728 UTC Tue May 2 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OWiwiiregnCFc/.N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FD1Edge
domain-name cpc.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 CPC
name 10.3.3.0 RCSO
access-list outside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip 10.10.0.0 255.255.255.0 CPC 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.10.0.0 255.255.255.0 RCSO 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.0.0 255.255.255.0 CPC 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.10.0.0 255.255.255.0 RCSO 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.10.0.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location CPC 255.255.255.0 outside
pdm location RCSO 255.255.255.0 outside
pdm location 65.7.136.167 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.244
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.244 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh 65.7.136.167 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 10.10.0.100-10.10.0.109 inside
dhcpd dns 10.0.0.20 198.6.1.3
dhcpd wins 10.0.0.20
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain cpc.local
dhcpd enable inside
terminal width 80
Cryptochecksum:119a8cd447d4a1814ec667f6433cd3ca


FD 4:
Result of firewall command: "sh isakmp sa"
 
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
     x.x.x.244   x.x.x.236    QM_IDLE         0           0

Result of firewall command: "sh ipsec sa"
 
interface: outside
    Crypto map tag: outside_map, local addr. x.x.x.236
   local  ident (addr/mask/prot/port): (10.40.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (CPC/255.255.255.0/0/0)
   current_peer: x.x.x.244:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 11048, #recv errors 0
     local crypto endpt.: x.x.x.236, remote crypto endpt.: x.x.x.244
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

Result of firewall command: "sh config"
 
: Saved
: Written by enable_15 at 04:38:40.895 UTC Mon Jun 12 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password OWiwiiregnCFc/.N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FD4Edge
domain-name cpc.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 CPC
access-list outside_access_in permit icmp any any
access-list inside_outbound_nat0_acl permit ip 10.40.0.0 255.255.255.0 CPC 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.40.0.0 255.255.255.0 CPC 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.40.0.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location CPC 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.40.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.244
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.244 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.40.0.100-10.40.0.104 inside
dhcpd dns 10.0.0.20 198.6.1.3
dhcpd wins 10.0.0.20
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain cpc.local
dhcpd enable inside
terminal width 80
Cryptochecksum:a607f00f107f0a778eaa1a361a9d15d4
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 16922816
>The local default gateway is the 10.0.0.2 router.
Does that router have static routes for 10.10.0.0 /24 and 10.40.0.0/24  pointing to the PIX?
I'll bet lunch it's a routing issue on that default router..
LVL 79

Expert Comment

by:lrmoore
ID: 17065912
Interested