Phil_Trahan (Canada) asked:
Pix to Pix VPN routing problem

Hi,
I have a VPN between 2 PIXes. One of the PIXes uses Websense to filter Internet access for the local LAN. I want to configure the 2nd PIX to use the same Websense server.

My setup is like this:
LAN (192.168.10.0) ---- PIX501 ----- INTERNET ----- PIX506 ---- LAN (172.26.60.0) ---- Websense (172.26.60.2)

I get this message from the PIX501 :
304006: URL Server 172.26.60.2 not responding
110001: No route to 172.26.60.2 from 192.168.10.254

192.168.10.254 is the PIX inside interface. I can't ping the Websense server from this interface, but I can from any host on the network... What is missing?
Thanks
ASKER CERTIFIED SOLUTION
Les Moore (United States of America)
This solution is only available to members of Experts Exchange.

Phil_Trahan (asker):
Irmoore,
Thanks for your reply. I cannot add this line to the access-list because the outside interface on the PIX501 has a dynamic IP address.

Anyway, I tried your solution just to see if it works, and it doesn't. I added these lines:
PIX501
access-list IPSEC permit tcp interface outside host 172.26.60.2
access-list NO_NAT permit tcp interface outside host 172.26.60.2

PIX506
access-list IPSEC permit ip host 172.26.60.2 host <dynamic IP on PIX501>
access-list NO_NAT permit ip host 172.26.60.2 host <dynamic IP on PIX501>

Here are the lines for Websense:
url-server (outside) vendor websense host 172.26.60.2 timeout 30 protocol TCP version 4
filter url http 192.168.10.0 255.255.255.0 0.0.0.0 0.0.0.0 allow proxy-block longurl-truncate cgi-truncate
filter url 443 192.168.10.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 192.168.10.0 255.255.255.0 0.0.0.0 0.0.0.0 allow

I'm still receiving this error:
304006: URL Server 172.26.60.2 not responding

And I cannot PING the server from the PIX501 (should I?)
 ping 172.26.60.2
        172.26.60.2 NO response received -- 1000ms

Thanks.
Just to avoid any confusion, in my first post I mentioned that I get this message:
110001: No route to 172.26.60.2 from 192.168.10.254

That was because I had this command for Websense:
url-server (inside) vendor websense host 172.26.60.2 timeout 30 protocol TCP version 4

instead of this one :
url-server (outside) vendor websense host 172.26.60.2 timeout 30 protocol TCP version 4

I'm still confused about which one I should use...

You have to use the (outside)

>304006: URL Server 172.26.60.2 not responding
Does the Websense server know about this 192.168.10.0 subnet?
Can you post the results of "show access-list"?

Can you ping that Websense host from any other host on the LAN?

1- All hosts on the 192.168.10.0 network can successfully ping the Websense server at 172.26.60.2
2- Websense knows about the 192.168.10.0 network (and the 172.26.60.0!)

PIX501
access-list IPSEC; 2 elements
access-list IPSEC line 1 permit ip 192.168.10.0 255.255.255.0 172.26.60.0 255.255.255.128 (hitcnt=1371836)
access-list IPSEC line 2 permit tcp interface outside host 172.26.60.2 (hitcnt=0)
access-list acl_Dery9000; 2 elements
access-list acl_Dery9000 line 1 permit ip 192.168.10.0 255.255.255.0 172.26.60.0 255.255.255.128 (hitcnt=1083581)
access-list acl_Dery9000 line 2 permit tcp interface outside host 172.26.60.2 (hitcnt=1635)
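The "show access-list" output above is exactly what settles a case like this: a crypto ACL entry with hitcnt=0 on one peer, and an ACL on the other peer that is not its mirror image, means the added traffic never enters the tunnel. The script below is an added example, not code from this thread or from Cisco. It parses PIX 6.x "show access-list" text into address objects, resolves "interface outside" through a caller-supplied address (the PIX501's outside address is dynamic, so 203.0.113.10 is an assumed stand-in), flags entries no packet has matched, and checks that every local entry has a remote entry with source and destination swapped and the same protocol. The PIX501 text is the ACL posted above; the PIX506 text is constructed for the demonstration, with one peer address mistyped so the mirror check has something to report.

```python
"""Mirror-image check for PIX 6.x crypto ACLs from 'show access-list' output.

Added example for this thread, not code from the original posts or from Cisco.
PIX501 text is the ACL posted in the thread; the PIX506 text and the 203.0.113.x
stand-in for the PIX501's dynamic outside address are constructed.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


class Ace(NamedTuple):
    acl: str
    line: int
    proto: str
    src: IPv4Net
    dst: IPv4Net
    hitcnt: int


_ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) permit (?P<proto>\S+) "
    r"(?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\)$"
)


def _take_addr(tokens: List[str], ifaces: Dict[str, str]) -> IPv4Net:
    """Consume one PIX address spec: 'host A', 'interface NAME', 'any' or 'A MASK'."""
    kw = tokens.pop(0)
    if kw == "host":
        return IPv4Net(tokens.pop(0) + "/32")
    if kw == "interface":
        # 'interface outside' means the interface's current address; the caller
        # supplies it (the dynamic address observed at check time).
        return IPv4Net(ifaces[tokens.pop(0)] + "/32")
    if kw == "any":
        return IPv4Net("0.0.0.0/0")
    return IPv4Net(f"{kw}/{tokens.pop(0)}")  # dotted network followed by mask


def parse_show_access_list(text: str, ifaces: Dict[str, str], acl: str) -> List[Ace]:
    """Return the ACEs of one ACL. Summary lines ('access-list X; 2 elements') are
    skipped; port qualifiers after the destination (e.g. 'eq www') are not modelled."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        m = _ACE_RE.match(raw.strip())
        if not m or m["acl"] != acl:
            continue
        tokens = m["rest"].split()
        src = _take_addr(tokens, ifaces)
        dst = _take_addr(tokens, ifaces)
        aces.append(Ace(m["acl"], int(m["line"]), m["proto"], src, dst, int(m["hits"])))
    return aces


def mirror_mismatches(local: List[Ace], remote: List[Ace]) -> List[Tuple[Ace, Optional[Ace]]]:
    """Each local ACE needs a remote ACE with src/dst swapped and the same protocol,
    since both peers must agree on the IKE phase 2 proxy identities. Returns every
    unmatched local ACE with the closest remote candidate (same protocol, remote
    source equal to the local destination), or None if there is none."""
    remote_keys = {(r.proto, r.src, r.dst) for r in remote}
    problems: List[Tuple[Ace, Optional[Ace]]] = []
    for a in local:
        if (a.proto, a.dst, a.src) in remote_keys:
            continue
        near = next((r for r in remote if r.proto == a.proto and r.src == a.dst), None)
        problems.append((a, near))
    return problems


def zero_hit(aces: List[Ace]) -> List[Ace]:
    """ACEs no packet has ever matched: the first place to look when the tunnel
    works for the LAN but not for the traffic you just added."""
    return [a for a in aces if a.hitcnt == 0]


# PIX501 output as posted in the thread; 'interface outside' resolves via PIX501_IFACES.
PIX501_SHOW_ACL = """\
access-list IPSEC; 2 elements
access-list IPSEC line 1 permit ip 192.168.10.0 255.255.255.0 172.26.60.0 255.255.255.128 (hitcnt=1371836)
access-list IPSEC line 2 permit tcp interface outside host 172.26.60.2 (hitcnt=0)
"""
PIX501_IFACES = {"outside": "203.0.113.10"}  # assumed stand-in for the dynamic address

# Constructed PIX506 output: line 2 names the wrong peer address (.11 instead of .10).
PIX506_SHOW_ACL = """\
access-list IPSEC; 2 elements
access-list IPSEC line 1 permit ip 172.26.60.0 255.255.255.128 192.168.10.0 255.255.255.0 (hitcnt=1083581)
access-list IPSEC line 2 permit tcp host 172.26.60.2 host 203.0.113.11 (hitcnt=0)
"""


def report(local: List[Ace], remote: List[Ace]) -> List[str]:
    """Human-readable findings: unmatched local ACEs, then mirror mismatches."""
    lines = [f"{a.acl} line {a.line} on local peer has hitcnt=0" for a in zero_hit(local)]
    for a, near in mirror_mismatches(local, remote):
        want = f"{a.proto} {a.dst} -> {a.src}"
        found = f"{near.proto} {near.src} -> {near.dst}" if near else "no candidate"
        lines.append(f"{a.acl} line {a.line}: remote should contain '{want}', found '{found}'")
    return lines


if __name__ == "__main__":
    pix501 = parse_show_access_list(PIX501_SHOW_ACL, PIX501_IFACES, "IPSEC")
    pix506 = parse_show_access_list(PIX506_SHOW_ACL, {}, "IPSEC")
    for finding in report(pix501, pix506):
        print(finding)
```

Run it from both directions (local/remote swapped) when checking a real pair, and re-run after the dynamic address changes, since the "interface outside" entry on the PIX501 is only equivalent to the PIX506's "host" entry while the supplied address is current.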
Everything is working now; I made a mistake on an IP in an ACL...

Glad to hear it!