
PIx 515e Site to Site VPN AARRH!!!

Posted on 2006-11-30
Last Modified: 2013-11-16
Hi,

Thanks to those who helped on the last question, I have progress of sorts. Now the PIX reports that a tunnel is up etc., but for some reason only some things seem to be going over the VPN. When I try from Site A to connect to http://172.20.130.3 it tries to go a normal route, not via the VPN, and the PIX blocks it in ACL rules! I also need to pass SIP traffic on port 5060, which is also causing grief!

Grateful for any suggestions or ideas!! Also TFTP does the same thing; I had to add an ACL to allow it for now!

Any ideas?!

Config A

: Saved
:
PIX Version 7.2(2)
!
hostname pixlocal
domain-name default.domain.invalid
enable password  encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.19.129.1 255.255.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.18.128.2 255.255.0.0
!
passwd  encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_access_in extended permit udp host 172.19.129.4 host 172.18.128.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 172.20.0.0 255.255.0.0 172.19.129.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.18.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.4
crypto map outside_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.19.129.4
crypto map outside_map 2 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 172.19.129.4
crypto map outside_map 3 set transform-set ESP-AES-256-MD5
crypto map outside_map 3 set reverse-route
crypto map outside_map 4 set peer 172.19.129.4
crypto map outside_map 4 set transform-set ESP-AES-256-MD5
crypto map outside_map 4 set reverse-route
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 172.19.129.4
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.19.129.4 type ipsec-l2l
tunnel-group 172.19.129.4 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 172.18.128.3-172.18.129.2 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
!
service-policy global_policy global
tftp-server inside 172.18.128.240 pixlocal
prompt hostname context
Cryptochecksum:612ee2a03c76d5a8cc7e4ae1104bac90
: end
asdm image flash:/pdm
no asdm history enable

Config B


: Saved
:
PIX Version 7.2(2)
!
hostname pixremote
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 172.19.129.4 255.255.0.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.20.130.2 255.255.0.0
!
passwd  encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_20_cryptomap extended permit ip 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.20.0.0 255.255.0.0 172.18.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/pdm
no asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
route outside 172.18.0.0 255.255.0.0 172.19.129.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.20.0.0 255.255.0.0 inside
http 172.18.128.240 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 172.19.129.1
crypto map outside_map 1 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 172.19.129.1
crypto map outside_map 2 set transform-set ESP-AES-256-MD5
crypto map outside_map 2 set reverse-route
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer 172.19.129.1
crypto map outside_map 3 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 172.19.129.1
crypto map outside_map 20 set transform-set ESP-AES-256-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
tunnel-group 172.19.129.1 type ipsec-l2l
tunnel-group 172.19.129.1 ipsec-attributes
 pre-shared-key *
telnet 172.20.130.240 255.255.255.255 inside
telnet 172.18.128.240 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 172.20.130.3-172.20.131.2 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
!
service-policy global_policy global
tftp-server inside 172.18.128.240 pixremote
prompt hostname context
: end
asdm image flash:/pdm
no asdm history enable

Question by:JonBarnard
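Whether a flow such as HTTP to 172.20.130.3 goes through the tunnel depends on which crypto-map entry, if any, selects it: the PIX tries the entries in ascending sequence order, and a flow that no crypto ACL permits is simply forwarded in the clear along the ordinary route. The Python below is an added example, not code from the thread; it replays the crypto ACLs and crypto-map entries excerpted from Config A through that first-match selection and lists sequences that have no match address (sequence 4 above), ignoring port qualifiers.

```python
import ipaddress

# Excerpt copied from Config A in the question: its crypto ACLs and crypto-map entries.
CONFIG_A = """\
access-list outside_20_cryptomap extended permit ip 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit tcp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_2 extended permit udp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list outside_cryptomap_3 extended permit icmp 172.18.0.0 255.255.0.0 172.20.0.0 255.255.0.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 4 set peer 172.19.129.4
crypto map outside_map 20 match address outside_20_cryptomap
"""

def _addr(tokens):
    """Consume one PIX address spec (host X | NET MASK) from the token list."""
    t = tokens.pop(0)
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse(config):
    """Return ({acl_name: [(proto, src_net, dst_net)]}, {seq: acl_name_or_None})."""
    acls, seqs = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["extended", "permit"]:
            rest = tok[5:]  # any 'eq PORT' qualifiers after the addresses are ignored
            acls.setdefault(tok[1], []).append((tok[4], _addr(rest), _addr(rest)))
        elif tok[:2] == ["crypto", "map"] and len(tok) > 3 and tok[3].isdigit():
            seq = int(tok[3])
            seqs.setdefault(seq, None)
            if tok[4:6] == ["match", "address"]:
                seqs[seq] = tok[6]
    return acls, seqs

def match_seq(config, proto, src, dst):
    """Lowest crypto-map sequence whose ACL permits the flow, or None when no entry
    selects it (the PIX then routes the packet unencrypted). 'ip' matches any protocol."""
    acls, seqs = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(seqs):
        for aproto, snet, dnet in acls.get(seqs[seq] or "", []):
            if aproto in ("ip", proto) and src in snet and dst in dnet:
                return seq
    return None

def entries_without_acl(config):
    # Sequences that carry peer/transform settings but no 'match address' select nothing.
    return [seq for seq, acl in parse(config)[1].items() if acl is None]
```

Because sequences 1 to 3 catch TCP, UDP and ICMP first, the broad "ip" entry at sequence 20 is only reached by other protocols, so each protocol negotiates its own SA pair; a flow to a destination outside 172.20.0.0/16 returns None and never enters the tunnel.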
1 Comment

Accepted Solution by: lrmoore (ID: 18057902)
Are you still having issues? I thought we resolved this in
http://www.experts-exchange.com/Security/Firewalls/Q_22076692.html
