Pix to Pix VPN routing problem

Hi,
I have a VPN between 2 Pix. One of the Pix uses Websense to filter Internet for the local LAN. I want to configure the 2nd Pix to use the same Websense server.

My setup is like this :
LAN (192.168.10.0) ---- PIX501 ----- INTERNET ----- PIX506 ---- LAN (172.26.60.0) ---- Websense (172.26.60.2)

I get this message from the PIX501 :
304006: URL Server 172.26.60.2 not responding
110001: No route to 172.26.60.2 from 192.168.10.254

192.168.10.254 is the Pix inside interface. I can't ping the Websense server from this interface, but I can from any host on the network... What is missing?
Thanks
Asked: Phil_Trahan

1 Solution

lrmooreCommented:
The problem is that when the PIX itself generates a packet, the source address is the public IP. Since your VPN ACLs do not include your public IP, transmission fails across the VPN tunnel.

Try this:
 1. Add the outside public IP to the IPsec match ACL:
    access-list <vpn_match_acl> permit ip host <your public ip> host 172.26.60.2
 2. Add this traffic to the nat_zero ACL:
    access-list <nat_zero_acl> permit ip host <your public ip> host 172.26.60.2
 3. Do the exact same (mirror image) on the other PIX:
    access-list <vpn_match_acl> permit ip host 172.26.60.2 host <your public ip>
    access-list <nat_zero_acl> permit ip host 172.26.60.2 host <your public ip>
 
Phil_TrahanAuthor Commented:
lrmoore,
Thanks for your reply. I cannot add this line to the access-list because the outside interface on the PIX501 has a dynamic IP address.

Anyway, I tried your solution just to see if it works, and it doesn't. I added these lines:
PIX501
access-list IPSEC permit tcp interface outside host 172.26.60.2
access-list NO_NAT permit tcp interface outside host 172.26.60.2

PIX506
access-list IPSEC permit ip host 172.26.60.2 host <dynamic IP on PIX501>
access-list NO_NAT permit ip host 172.26.60.2 host <dynamic IP on PIX501>

Here are the lines for Websense:
url-server (outside) vendor websense host 172.26.60.2 timeout 30 protocol TCP version 4
filter url http 192.168.10.0 255.255.255.0 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate cgi-truncate
filter url 443 192.168.10.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 192.168.10.0 255.255.255.0 0.0.0.0 0.0.0.0 allow

I'm still receiving this error:
304006: URL Server 172.26.60.2 not responding

And I cannot ping the server from the PIX501 (should I?):
 ping 172.26.60.2
        172.26.60.2 NO response received -- 1000ms

Thanks.
 
Phil_TrahanAuthor Commented:
Just to avoid any confusion, in my first post I mentioned that I get this message:
110001: No route to 172.26.60.2 from 192.168.10.254

That was because I had this command for Websense:
url-server (inside) vendor websense host 172.26.60.2 timeout 30 protocol TCP version 4

instead of this one :
url-server (outside) vendor websense host 172.26.60.2 timeout 30 protocol TCP version 4

I'm still confused which one I should use...
 
lrmooreCommented:
You have to use the (outside) one.

>304006: URL Server 172.26.60.2 not responding
Does the Websense server know about this 192.168.10.0 subnet?
Can you post the results of "show access-list"?

Can you ping that Websense host from any other host on the LAN?
 
Phil_TrahanAuthor Commented:
1- All hosts on the 192.168.10.0 network can successfully ping the Websense server at 172.26.60.2.
2- Websense knows about the 192.168.10.0 network (and the 172.26.60.0 one!).

PIX501
access-list IPSEC; 2 elements
access-list IPSEC line 1 permit ip 192.168.10.0 255.255.255.0 172.26.60.0 255.255.255.128 (hitcnt=1371836)
access-list IPSEC line 2 permit tcp interface outside host 172.26.60.2 (hitcnt=0)
access-list acl_Dery9000; 2 elements
access-list acl_Dery9000 line 1 permit ip 192.168.10.0 255.255.255.0 172.26.60.0 255.255.255.128 (hitcnt=1083581)
access-list acl_Dery9000 line 2 permit tcp interface outside host 172.26.60.2 (hitcnt=1635)
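Added example (not from the thread or from either poster): a small Python checker that parses PIX `show access-list` output like the lines above and reports which entry, if any, a given packet would match. The PIX501's outside address is dynamic and not given in the thread, so an RFC 5737 documentation address (203.0.113.10) stands in for it; the sample input is the IPSEC list quoted above, hit counts included.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: the PIX501 outside address is dynamic and not given in the
# thread, so an RFC 5737 documentation address stands in for it here.
INTERFACES: Dict[str, str] = {"outside": "203.0.113.10"}

# Constructed sample input: the PIX501 "show access-list" lines quoted in
# the thread, in the form the PIX prints them (hit counts included).
SHOW_ACL = """\
access-list IPSEC; 2 elements
access-list IPSEC line 1 permit ip 192.168.10.0 255.255.255.0 172.26.60.0 255.255.255.128 (hitcnt=1371836)
access-list IPSEC line 2 permit tcp interface outside host 172.26.60.2 (hitcnt=0)
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.*?)(?: \(hitcnt=\d+\))?$"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one PIX address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tok == "interface":
        # "interface outside" means the address the PIX itself owns on that
        # interface, which is what PIX-generated packets are sourced from.
        return ipaddress.ip_network(INTERFACES[tokens[i + 1]]), i + 2
    # Plain "network mask" pair.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_show_acl(text: str) -> List[Ace]:
    """Parse 'show access-list' output into ordered ACEs, skipping summary lines."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:  # "access-list NAME; N elements" summary lines
            continue
        tokens = m["rest"].split()
        src, i = _endpoint(tokens, 0)
        dst, _ = _endpoint(tokens, i)
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"], src, dst))
    return aces


def first_match(aces: List[Ace], proto: str, src: str, dst: str) -> Optional[Ace]:
    """Return the first ACE a packet (proto, src, dst) matches, as the PIX evaluates them."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace
    return None


if __name__ == "__main__":
    aces = parse_show_acl(SHOW_ACL)
    probes = [
        ("tcp", "192.168.10.254", "172.26.60.2"),   # LAN host / inside interface
        ("tcp", INTERFACES["outside"], "172.26.60.2"),  # PIX-sourced URL-server check
        ("icmp", INTERFACES["outside"], "172.26.60.2"), # PIX-sourced ping
    ]
    for proto, src, dst in probes:
        hit = first_match(aces, proto, src, dst)
        where = f"{hit.acl} line {hit.line}" if hit else "no entry (not sent through the tunnel)"
        print(f"{proto:4} {src:>15} -> {dst}: {where}")
```

Running it shows that a TCP packet the PIX sources from its outside address matches line 2, while an ICMP echo from the same address matches nothing, because line 2 permits only tcp; that is consistent with the PIX-originated ping still failing after that line was added, even if the URL-server traffic itself is covered.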
 
Phil_TrahanAuthor Commented:
Everything is working now. I made a mistake on an IP in an ACL...
 
lrmooreCommented:
Glad to hear it!