Solved

PIX 515e Site to Site VPN AARRH!!!

Posted on 2006-11-30
Last Modified: 2013-11-16
Hi,

Thanks to those who helped on the last question, I have progress of sorts. Now the PIX reports that a tunnel is up etc., but for some reason only some things seem to be going over the VPN. When I try from Site A to connect to Http://172.20.130.3 it tries to go a normal route, not via the VPN, and the PIX blocks it in the ACL rules! I also need to pass SIP traffic on port 5060, which is also causing grief!

Grateful for any suggestions or ideas!! Also TFTP does the same thing; I had to add an ACL to allow it for now!

Any ideas?!

Config A

: Saved
:
PIX Version 7.2(2)
!
hostname pixlocal
domain-name default.domain.invalid
enable password  encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.19.129.1 255.255.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.18.128.2 255.255.0.0
!
passwd  encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_access_in extended permit udp host 172.19.129.4 host 172.18.128.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 172.20.0.0 255.255.0.0 172.19.129.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.4
crypto map outside_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.19.129.4
crypto map outside_map 2 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 172.19.129.4
crypto map outside_map 3 set transform-set ESP-AES-256-MD5
crypto map outside_map 3 set reverse-route
crypto map outside_map 4 set peer 172.19.129.4
crypto map outside_map 4 set transform-set ESP-AES-256-MD5
crypto map outside_map 4 set reverse-route
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 172.19.129.4
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.19.129.4 type ipsec-l2l
tunnel-group 172.19.129.4 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 172.18.128.3-172.18.129.2 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
!
service-policy global_policy global
tftp-server inside 172.18.128.240 pixlocal
prompt hostname context
Cryptochecksum:612ee2a03c76d5a8cc7e4ae1104bac90
: end
asdm image flash:/pdm
no asdm history enable

Config B


: Saved
:
PIX Version 7.2(2)
!
hostname pixremote
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.19.129.4 255.255.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.20.130.2 255.255.0.0
!
passwd  encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
route outside 172.18.0.0 255.255.0.0 172.19.129.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.20.0.0 255.255.0.0 inside
http 172.18.128.240 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.1
crypto map outside_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.19.129.1
crypto map outside_map 2 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 172.19.129.1
crypto map outside_map 3 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 172.19.129.1
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
tunnel-group 172.19.129.1 type ipsec-l2l
tunnel-group 172.19.129.1 ipsec-attributes
 pre-shared-key *
telnet 172.20.130.240 255.255.255.255 inside
telnet 172.18.128.240 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 172.20.130.3-172.20.131.2 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
!
service-policy global_policy global
tftp-server inside 172.18.128.240 pixremote
prompt hostname context
: end
asdm image flash:/pdm
no asdm history enable

Question by: JonBarnard
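One thing worth doing before chasing the symptoms on a tunnel like this is to check the two configs against each other mechanically: a site-to-site IPsec tunnel only carries traffic that matches a crypto ACL bound to a crypto map entry, and the ACL on each peer has to be the mirror image (source and destination swapped) of the one on the other side. The script below is an added example, not code from the post or from Cisco; it embeds excerpts of the two configs above (only the access-list and crypto map lines that define proxy identities), assumes the netmask form of ACE (it does not handle `host` or `any`), and reports entries that have a peer but no `match address`, ACLs that are referenced but not defined, and crypto ACEs with no mirror on the other side.

```python
"""Cross-check the crypto-map / crypto-ACL pairing of two PIX 7.x site-to-site
configs. Added example, not from the original post or from Cisco.

CONFIG_A / CONFIG_B are excerpts of the two configs in the post, limited to
the lines that define proxy identities. Only the 'src mask dst mask' form of
access-list entry is parsed; 'host' and 'any' forms are an assumption left out.
"""

import re
from collections import defaultdict

CONFIG_A = """\
access-list outside_20_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.4
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.19.129.4
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 172.19.129.4
crypto map outside_map 4 set peer 172.19.129.4
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.19.129.4
"""

CONFIG_B = """\
access-list outside_20_cryptomap extended permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.1
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.19.129.1
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 172.19.129.1
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.19.129.1
"""

# access-list NAME extended permit PROTO SRC SMASK DST DMASK
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
# crypto map NAME SEQ match address ACL   /   crypto map NAME SEQ set peer IP
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def parse(config):
    """Return (acls, entries).

    acls:    ACL name -> list of (proto, src, smask, dst, dmask)
    entries: (map name, seq) -> dict with 'acl' and/or 'peer'
    """
    acls = defaultdict(list)
    entries = defaultdict(dict)
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, proto, src, smask, dst, dmask = m.groups()
            acls[name].append((proto, src, smask, dst, dmask))
            continue
        m = MAP_RE.match(line)
        if m:
            name, seq, kind, value = m.groups()
            key = "acl" if kind == "match address" else "peer"
            entries[(name, int(seq))][key] = value
    return acls, entries


def crypto_aces(acls, entries):
    """Every ACE reachable from a crypto map entry: the proxy IDs this box negotiates."""
    aces = set()
    for e in entries.values():
        aces.update(acls.get(e.get("acl"), []))
    return aces


def check(local, remote):
    """Return human-readable findings for 'local' checked against its peer 'remote'."""
    findings = []
    acls, entries = parse(local)
    racls, rentries = parse(remote)
    for (name, seq), e in sorted(entries.items()):
        if "peer" in e and "acl" not in e:
            findings.append(f"{name} {seq}: has a peer but no 'match address' ACL")
        elif "acl" in e and e["acl"] not in acls:
            findings.append(f"{name} {seq}: ACL {e['acl']} is not defined")
    remote_aces = crypto_aces(racls, rentries)
    for proto, src, smask, dst, dmask in sorted(crypto_aces(acls, entries)):
        mirror = (proto, dst, dmask, src, smask)  # peer must list src/dst swapped
        if mirror not in remote_aces:
            findings.append(f"no mirror on peer for {proto} {src}/{smask} -> {dst}/{dmask}")
    return findings


if __name__ == "__main__":
    for label, local, remote in (("A", CONFIG_A, CONFIG_B), ("B", CONFIG_B, CONFIG_A)):
        print(f"Config {label}:", check(local, remote) or ["no findings"])
```

Run against the excerpts, Config B comes back clean and Config A reports one item: `outside_map 4` has a peer and transform set but no `match address`, so that entry can never select traffic. The ACEs mirror correctly on both sides, so the crypto ACLs themselves are not the mismatch to look for here; the check is still worth keeping around, because a one-line difference in a mask or protocol on one peer is the classic cause of a tunnel that comes up yet carries only part of the traffic.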
Accepted Solution by: lrmoore (earned 500 total points), ID: 18057902
Are you still having issues? I thought we resolved this in
http://www.experts-exchange.com/Security/Firewalls/Q_22076692.html
