compsol1993
asked on
PIX501 VPN Troubles
Hello, I am relatively new to the PIX501. We have established two of these units as routers at different locations and both work fine. We have port forwarding and basic internet access working. I am now trying to setup a VPN between the two. Both have static iP addresses from the ISP.
So far, my only attempts have been to run the wizards in the device manager. First of all I setup the PIX to communicate with the Cisco VPN client. That works fine.
When I go to setup the VPN between two units, I follow the wizard, providing all necessary information. It seems to work properly, but once I complete work on the wizard, two things happen (or do not). First, the VPN light does not turn on. Secondly, I lose access to the internet from all computers inside the PIX. It is not just loss of sites like google.com, but I can also not ping IP addresses directly, so I don't think it has anything to do with DNS. This happens on both PIXs. If I go into the VPN configuration and delete the tunnel policy that was setup, then I regain internet access without any problems.
I am looking for any pointers which may help me better understand what is causing me to lose connection, what I can do to regain it, and eventually any help on establishing the VPN. Note; the only thing I did to regain outside access was to delete the tunnel policy and click Apply. Access rules seem to be setup fine and work without the tunnel policy in place.
Device: Cisco PIX 501 Firewall
Device Manager: Cisco PIX Device Manger 3.0(4)
PIX Version: 6.3(5)
OS: Windows XP
Modem: Westell Wirespeed C90 Series
Thanks for any help
So far, my only attempts have been to run the wizards in the device manager. First of all I setup the PIX to communicate with the Cisco VPN client. That works fine.
When I go to setup the VPN between two units, I follow the wizard, providing all necessary information. It seems to work properly, but once I complete work on the wizard, two things happen (or do not). First, the VPN light does not turn on. Secondly, I lose access to the internet from all computers inside the PIX. It is not just loss of sites like google.com, but I can also not ping IP addresses directly, so I don't think it has anything to do with DNS. This happens on both PIXs. If I go into the VPN configuration and delete the tunnel policy that was setup, then I regain internet access without any problems.
I am looking for any pointers which may help me better understand what is causing me to lose connection, what I can do to regain it, and eventually any help on establishing the VPN. Note; the only thing I did to regain outside access was to delete the tunnel policy and click Apply. Access rules seem to be setup fine and work without the tunnel policy in place.
Device: Cisco PIX 501 Firewall
Device Manager: Cisco PIX Device Manger 3.0(4)
PIX Version: 6.3(5)
OS: Windows XP
Modem: Westell Wirespeed C90 Series
Thanks for any help
batry_boy
Post PIX configs from both sides of the VPN tunnel and we can take a look...please sanitize the output first...
ASKER
I will do that, unfortunately I may not get out to the other site until tomorrow to collect that data, so if anyone has any immediate thoughts they would be appreciated.
Thanks
Thanks
ASKER
Ok, attached is the configuration for one of the sides. Last night I was actually able to establish the VPN. Both VPN leds came on, in PDM each PIX showed one IKE Tunnel and one IPsec tunnel. I was not actually able to see any machines on either side of the VPN though, so I don't know if problem is related to the problem I am having with the internet.
Just to recap, the biggest issue right now is that once I run the VPN wizard, I loose all access to the internet. If I do a ping directly from the PIX PDM, then I get out fine. Any machine connected to the PIX is cutoff. If I go and delete the Tunnel Policy created by the wizard, click apply, all internet access is restored. Why would that one action bring the net back online...
Attached is the configuration, pretty much everything is directly from the wizard.
Thanks
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ****** encrypted
hostname ****
domain-name ******
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 Server
name 192.168.1.50 Laptop
access-list outside_access_in permit tcp any any
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Laptop 255.255.255.255 inside
pdm location Server 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.1.101 255.255.255.255 inside
pdm location 192.168.1.102 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 Server 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 Server 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp ********** 5900 Laptop 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5900 Laptop 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Laptop 255.255.255.255 inside
http Server 255.255.255.255 inside
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.101 255.255.255.255 inside
http 192.168.1.102 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ***.***.***.***
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ***.***.***.*** netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.13
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:a024c25ab5e
: end
[OK]
Just to recap, the biggest issue right now is that once I run the VPN wizard, I loose all access to the internet. If I do a ping directly from the PIX PDM, then I get out fine. Any machine connected to the PIX is cutoff. If I go and delete the Tunnel Policy created by the wizard, click apply, all internet access is restored. Why would that one action bring the net back online...
Attached is the configuration, pretty much everything is directly from the wizard.
Thanks
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ****** encrypted
hostname ****
domain-name ******
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 Server
name 192.168.1.50 Laptop
access-list outside_access_in permit tcp any any
access-list inside_outbound_nat0_acl permit ip any any
access-list outside_cryptomap_20 permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Laptop 255.255.255.255 inside
pdm location Server 255.255.255.255 inside
pdm location 192.168.1.100 255.255.255.255 inside
pdm location 192.168.1.101 255.255.255.255 inside
pdm location 192.168.1.102 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 Server 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 Server 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp ********** 5900 Laptop 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 5900 Laptop 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Laptop 255.255.255.255 inside
http Server 255.255.255.255 inside
http 192.168.1.100 255.255.255.255 inside
http 192.168.1.101 255.255.255.255 inside
http 192.168.1.102 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer ***.***.***.***
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ***.***.***.*** netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.13
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:a024c25ab5e
: end
[OK]
I see that you are exempting ALL traffic from being translated with the following statements:
access-list inside_outbound_nat0_acl permit ip any any
nat (inside) 0 access-list inside_outbound_nat0_acl
Is this your intent? Probably not...that would definitely cause a problem with Internet connectivity.
You also have your crypto ACL defined to tunnel everything down the site-to-site tunnel with the following commands:
access-list outside_cryptomap_20 permit ip any any
crypto map outside_map 20 match address outside_cryptomap_20
Is this correct? Typically you would define only traffic from behind the PIX going to the network behind the remote VPN tunnel peer and specify that source/destination pair, rather than "any any", in the crypto ACL. Could you clarify this?
access-list inside_outbound_nat0_acl permit ip any any
nat (inside) 0 access-list inside_outbound_nat0_acl
Is this your intent? Probably not...that would definitely cause a problem with Internet connectivity.
You also have your crypto ACL defined to tunnel everything down the site-to-site tunnel with the following commands:
access-list outside_cryptomap_20 permit ip any any
crypto map outside_map 20 match address outside_cryptomap_20
Is this correct? Typically you would define only traffic from behind the PIX going to the network behind the remote VPN tunnel peer and specify that source/destination pair, rather than "any any", in the crypto ACL. Could you clarify this?
ASKER
***I see that you are exempting ALL traffic from being translated with the following statements:
***access-list inside_outbound_nat0_acl permit ip any any
***nat (inside) 0 access-list inside_outbound_nat0_acl
***Is this your intent? Probably not...that would definitely cause a problem with Internet connectivity.
No this is not my intent. If I want to correct this, can you give me a pointer in the right direction. My work on the PIX has been entirely through the PDM, I'm not opposed to learning the command line format, I just haven't done so yet.
***You also have your crypto ACL defined to tunnel everything down the site-to-site tunnel with the
***following commands:
***access-list outside_cryptomap_20 permit ip any any
***crypto map outside_map 20 match address outside_cryptomap_20
***Is this correct? Typically you would define only traffic from behind the PIX going to the network
***behind the remote VPN tunnel peer and specify that source/destination pair, rather than "any any", in
***the crypto ACL. Could you clarify this?
Ok, once again I'm learning , but I see how this is a problem. The two networks I am trying to connect are 192.168.1.0 and 192.168.10.0 Are you saying this should be used instead of any any? Or something more specific?
Thanks
***access-list inside_outbound_nat0_acl permit ip any any
***nat (inside) 0 access-list inside_outbound_nat0_acl
***Is this your intent? Probably not...that would definitely cause a problem with Internet connectivity.
No this is not my intent. If I want to correct this, can you give me a pointer in the right direction. My work on the PIX has been entirely through the PDM, I'm not opposed to learning the command line format, I just haven't done so yet.
***You also have your crypto ACL defined to tunnel everything down the site-to-site tunnel with the
***following commands:
***access-list outside_cryptomap_20 permit ip any any
***crypto map outside_map 20 match address outside_cryptomap_20
***Is this correct? Typically you would define only traffic from behind the PIX going to the network
***behind the remote VPN tunnel peer and specify that source/destination pair, rather than "any any", in
***the crypto ACL. Could you clarify this?
Ok, once again I'm learning , but I see how this is a problem. The two networks I am trying to connect are 192.168.1.0 and 192.168.10.0 Are you saying this should be used instead of any any? Or something more specific?
Thanks
I would change the statements to read as follows:
no access-list inside_outbound_nat0_acl permit ip any any
access-list inside_outbound_nat0_acl permit 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
no access-list outside_cryptomap_20 permit ip any any
access-list outside_cryptomap_20 permit 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
The "no" form of the commands will take out the existing statements and then the commands after those will put back the ACL's with the specific traffic defined. Give it a shot...
no access-list inside_outbound_nat0_acl permit ip any any
access-list inside_outbound_nat0_acl permit 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
no access-list outside_cryptomap_20 permit ip any any
access-list outside_cryptomap_20 permit 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
The "no" form of the commands will take out the existing statements and then the commands after those will put back the ACL's with the specific traffic defined. Give it a shot...
You may get an error when you do those commands for the cryptomap ACL...no big deal since you're putting it right back with the next statement, but if you don't want the error you can reverse the last two commands like this:
access-list outside_cryptomap_20 permit 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
no access-list outside_cryptomap_20 permit ip any any
That way the cryptomap ACL is never totally gone, which is what the PIX will give you an error about if you do the "no" command first.
access-list outside_cryptomap_20 permit 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
no access-list outside_cryptomap_20 permit ip any any
That way the cryptomap ACL is never totally gone, which is what the PIX will give you an error about if you do the "no" command first.
ASKER
So far so good, I applied these settings to the local side of the VPN and I have the internet back, I'll let you know how I make out once I get out to the remote.
Thanks for the advice
Thanks for the advice
ASKER
Ok, it looks like you were correct. Making those changes did allow internet access on both ends. Unfortunately now I cannot get the VPN to work. This is a test configuration, I am doing this in prep for deploying the real VPN.
I ran the VPN wizard on both ends, both seemed to work simply enough, but I have not been able to make a VPN connection. In the PDM, is there any type of log I can look at to find out what I am failing on? For example, I'd like to know if it is actually finding the other PIX, if the Pre-Shared Keys match, that type of thing. Is there anyway to find the specific action that is failing?
Thanks
I ran the VPN wizard on both ends, both seemed to work simply enough, but I have not been able to make a VPN connection. In the PDM, is there any type of log I can look at to find out what I am failing on? For example, I'd like to know if it is actually finding the other PIX, if the Pre-Shared Keys match, that type of thing. Is there anyway to find the specific action that is failing?
Thanks
There are debugs that you can enable on each PIX to get that kind of info, but I will warn you that deciphering the debug messages are not for the faint of heart! :-)
If you issue these 3 commands on either PIX, you will get IPSEC tunnel negotiation debug messages that may give you a clue as to why the tunnel isn't coming up:
debug crypto isakmp
debug crypto ipsec
debug crypto engine
You can also use these commands for troubleshooting VPN tunnels:
show crypto isakmp sa
show crypto ipsec sa
These will tell you the status of any phase 1 (ISAKMP) or phase 2 (IPSEC) negotiations.
Since you've made changes, you can always repost your current PIX configs (both sides) and I can take a look to see if I see anything.
If you issue these 3 commands on either PIX, you will get IPSEC tunnel negotiation debug messages that may give you a clue as to why the tunnel isn't coming up:
debug crypto isakmp
debug crypto ipsec
debug crypto engine
You can also use these commands for troubleshooting VPN tunnels:
show crypto isakmp sa
show crypto ipsec sa
These will tell you the status of any phase 1 (ISAKMP) or phase 2 (IPSEC) negotiations.
Since you've made changes, you can always repost your current PIX configs (both sides) and I can take a look to see if I see anything.
ASKER
Ok, I'll post the configs for both sides below. I really appreciate all of your help, I am new to the PIX and your info really helps. I'd like to award you the 500 points now, and setup another topic to continue this troubleshooting, so you get more. I think this question has morphed a few times from the original topic anyway.
At this time, the configs are factory default configurations with the Startup Wizard and then the VPN wizard run on each simultaneously. These do not include any further manipulation, other than setting a few port translations.
Thanks again.
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cspix
domain-name &&&&&&&&
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.50 MikePC
name 192.168.0.51 MikeHP
name 192.168.0.5 Server
name 192.168.10.0 Home
name 192.168.0.0 Office
access-list outside_access_in permit tcp any any
access-list inside_outbound_nat0_acl permit ip Office 255.255.255.0 Home 255.255.255.0
access-list outside_cryptomap_20 permit ip Office 255.255.255.0 Home 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location MikePC 255.255.255.255 inside
pdm location MikeHP 255.255.255.255 inside
pdm location Server 255.255.255.255 inside
pdm location Home 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 Server 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 Server 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 MikeHP 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http MikePC 255.255.255.255 inside
http Server 255.255.255.255 inside
http MikeHP 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer &&&&&&&&&
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address &&&&&&&&& netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.10-192.168.0.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:862764a54ef
: end
[OK]
%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.0 Office
access-list outside_cryptomap_40 permit ip 192.168.10.0 255.255.255.0 Office 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Office 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer &&&&&&&&&&&&&
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address &&&&&&&&&& netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname lbswanson
vpdn group pppoe_group ppp authentication pap
vpdn username lbswanson password *********
dhcpd address 192.168.10.2-192.168.10.33
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:bf280cde15f
: end
[OK]
At this time, the configs are factory default configurations with the Startup Wizard and then the VPN wizard run on each simultaneously. These do not include any further manipulation, other than setting a few port translations.
Thanks again.
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname cspix
domain-name &&&&&&&&
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.50 MikePC
name 192.168.0.51 MikeHP
name 192.168.0.5 Server
name 192.168.10.0 Home
name 192.168.0.0 Office
access-list outside_access_in permit tcp any any
access-list inside_outbound_nat0_acl permit ip Office 255.255.255.0 Home 255.255.255.0
access-list outside_cryptomap_20 permit ip Office 255.255.255.0 Home 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location MikePC 255.255.255.255 inside
pdm location MikeHP 255.255.255.255 inside
pdm location Server 255.255.255.255 inside
pdm location Home 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 Server 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Server www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https Server https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 Server 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 Server 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp Server pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Server ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 MikeHP 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http MikePC 255.255.255.255 inside
http Server 255.255.255.255 inside
http MikeHP 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer &&&&&&&&&
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address &&&&&&&&& netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.10-192.168.0.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:862764a54ef
: end
[OK]
%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.0 Office
access-list outside_cryptomap_40 permit ip 192.168.10.0 255.255.255.0 Office 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Office 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer &&&&&&&&&&&&&
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address &&&&&&&&&& netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname lbswanson
vpdn group pppoe_group ppp authentication pap
vpdn username lbswanson password *********
dhcpd address 192.168.10.2-192.168.10.33
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:bf280cde15f
: end
[OK]
Add the following statements to the bottom PIX config (the one that sits in front of the 192.168.10.0/24 network):
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
See if this helps...
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
See if this helps...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Adding those lines did not seem to help. What I have now done is brought both PIX's into the same office and we have setup a second broadband connection to troubleshoot this faster. I am going to close this quesiton, batry_boy thanks for all of your help. I will start a new topic once I get everything working locally.