Solved

Problem for connecting on share directory

Posted on 2007-10-02
Last Modified: 2008-01-09
Hi,
I have 2 PIX 501s, one local and the other at a remote business. When the PC with address 192.168.51.100 at the remote site calls \\192.168.16.10\share, all is OK. But if I try to connect with my server with address 192.168.16.10 to the PC at the other site with the command \\192.168.51.100\share, that does not work.

This is my PIX configuration for the server 192.168.16.10

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password i6UxfZXAJDRy0dDX encrypted
passwd i6UxfZXAJDRy0dDX encrypted
hostname sani-qc
domain-name sani-tech
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.16.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 101 remark OUVERTURE DU PORT SSH SUR LE SCO-UNIX

access-list 101 permit tcp host 199.243.181.75 host 70.12.25.41 eq 1022
access-list 101 permit tcp host 69.70.107.234 host 70.12.25.41 eq 1022
access-list 101 permit tcp host 69.159.244.96 host 70.12.25.41 eq 1022
access-list 101 remark OUVERTURE PORT POUR LE MAIL
access-list 101 permit tcp any host 70.12.25.41 eq 10025
access-list 101 remark OUVERTURE PORT POUR HTPPS
access-list 101 permit tcp any host 70.12.25.41 eq https
access-list 101 remark OUVERTURE PORT POUR VPN MICROSOFT
access-list 101 permit tcp any host 70.12.25.41 eq pptp
access-list 101 remark OUVERTURE PORT HTTP
access-list 101 permit tcp any host 70.12.25.41 eq www
access-list splitter permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list msn-login remark BLOCK MESSENGER LOGIN
access-list msn-login permit ip host 192.168.16.2 any
access-list msn-login deny tcp any any eq 1863
access-list msn-login deny ip any 65.54.239.0 255.255.255.0
access-list msn-login deny ip any host 65.55.152.124
access-list msn-login deny ip any host 65.54.179.203
access-list msn-login deny ip any host 204.15.20.27
access-list msn-login deny ip any host 65.55.195.250
access-list msn-login deny ip any host 72.232.96.74
access-list msn-login permit ip any any
access-list msn-login permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 70.12.25.41 255.255.255.252
ip address inside 192.168.16.99 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool iccpool 192.168.10.1-192.168.10.10
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 10025 192.168.16.2 10025 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface pptp 192.168.16.2 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1022 192.168.16.1 1022 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.16.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.16.13 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group msn-login in interface inside
conduit permit icmp any any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 70.12.25.40 1
timeout xlate 0:05:00
timeout conn 48:00:00 half-closed 3:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key souris address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnicc address-pool iccpool
vpngroup vpntest split-tunnel splitter
vpngroup vpntest idle-time 86400
vpngroup vpntest password souris
telnet 192.168.16.0 255.255.255.0 inside
telnet timeout 5
ssh 69.70.107.234 255.255.255.255 outside
ssh 69.159.244.96 255.255.255.255 outside
ssh timeout 5
console timeout 0
terminal width 80


This is my PIX configuration for the PC 192.168.51.100

: Written by enable_15 at 05:40:43.744 UTC Wed Mar 2 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iccctrl
passwd iccctrl
hostname sani-mtl
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.51.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.51.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 110 permit ip 192.168.51.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list msn-login remark BLOCK MESSENGER LOGIN
access-list msn-login deny tcp any any eq 1863
access-list msn-login deny ip any 65.54.239.0 255.255.255.0
access-list msn-login deny ip any host 65.54.179.203
access-list msn-login deny ip any host 65.55.152.124
access-list msn-login permit ip any any
access-list msn-login permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe
ip address inside 192.168.51.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool iccpool 192.168.10.1-192.168.10.10
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
access-group msn-login in interface inside
conduit permit icmp any any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 204.1.1.2 1
timeout xlate 0:05:00
timeout conn 48:00:00 half-closed 3:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.51.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map sylvain 10 ipsec-isakmp
crypto map sylvain 10 match address 110
crypto map sylvain 10 set peer 70.12.25.41
crypto map sylvain 10 set transform-set myset
crypto map sylvain 20 ipsec-isakmp dynamic cisco
crypto map sylvain interface outside
isakmp enable outside
isakmp key souris address 70.12.25.41 netmask 255.255.255.255
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpntest address-pool iccpool
vpngroup vpntest split-tunnel 101
vpngroup vpntest idle-time 86400
vpngroup vpntest password souris
telnet 192.168.51.0 255.255.255.0 inside
telnet timeout 5
ssh 69.70.107.234 255.255.255.255 outside
ssh 69.159.244.96 255.255.255.255 outside
ssh 70.12.25.41 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group web request dialout pppoe
vpdn group web localname sanit@dslqzstcom.com
vpdn group web ppp authentication pap
vpdn username sanit@dslqzstcom.com password ********
dhcpd address 192.168.51.150-192.168.51.180 inside
dhcpd dns 192.168.16.2 66.234.16.12
dhcpd wins 192.168.16.2
dhcpd lease 86000
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80

What is my problem?

Thanks in advance
Question by: DaveICC
4 Comments
LVL 2

Expert Comment

by: atyar
ID: 20008927
On the first pix config, you don't have a crypto map configured, as you do on the 2nd pix, with a match address and set peer statement.  These are needed to identify the traffic to be sent over the vpn tunnel, and where to send the traffic.  I would tweak your first pix vpn config to be like the 2nd pix listed above, which looks correct.

Author Comment

by: DaveICC
ID: 20015214
And if my first PIX has a dynamic IP address outside? Do you have a solution for me?
LVL 2

Accepted Solution

by: atyar (earned 2000 total points)
ID: 20015271
I see your point.
I don't know how you could make that work with a dynamic address.  The vpn tunnel needs an ip endpoint on the other end to send the traffic to - if that ip address changes, so would your tunnel config.
I'd suggest looking into getting a static address assigned instead of the dynamic - it's likely available, for a modest monthly fee (like under $20/month)
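The two diagnoses above (atyar's first comment: the sani-qc box has only a dynamic crypto map entry, so it can accept a tunnel but never initiate one; the accepted answer: the sani-mtl outside address is dynamic, so no static `set peer` can be written for it) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python linter over PIX 6.x config text. The config excerpts embedded in it are trimmed from the two configs posted in the question; the function names, the finding messages and the `diagnose()` logic are this example's own. It also flags a few wide-open settings that appear verbatim in the posted configs (`conduit permit tcp any any`, the wildcard `isakmp key ... address 0.0.0.0`, `snmp-server community public`), which the thread does not discuss but a reviewer would note.

```python
"""
Added example (not from the thread): a small linter for PIX 6.x config text.
It reproduces the two diagnoses made in the answers and flags a few
wide-open settings. Excerpts are trimmed from the configs in the question;
function names and messages are this example's own.
"""
import re

# Excerpt of the sani-qc (192.168.16.0/24 side) config posted in the question.
SANI_QC = """\
ip address outside 70.12.25.41 255.255.255.252
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp key souris address 0.0.0.0 netmask 0.0.0.0
conduit permit tcp any any
snmp-server community public
"""

# Excerpt of the sani-mtl (192.168.51.0/24 side) config posted in the question.
SANI_MTL = """\
ip address outside pppoe
crypto map sylvain 10 ipsec-isakmp
crypto map sylvain 10 match address 110
crypto map sylvain 10 set peer 70.12.25.41
crypto map sylvain 10 set transform-set myset
crypto map sylvain 20 ipsec-isakmp dynamic cisco
crypto map sylvain interface outside
isakmp key souris address 70.12.25.41 netmask 255.255.255.255
conduit permit tcp any any
snmp-server community public
"""


def parse_crypto_maps(config):
    """Return {map_name: {seq: {'dynamic', 'match', 'peer'}}} from 'crypto map' lines."""
    maps = {}
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) (.*)", line.strip())
        if not m:  # skips e.g. 'crypto map X interface outside'
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps.setdefault(name, {}).setdefault(
            seq, {"dynamic": False, "match": None, "peer": None})
        if rest.startswith("ipsec-isakmp dynamic"):
            entry["dynamic"] = True
        elif rest.startswith("match address "):
            entry["match"] = rest.split()[2]
        elif rest.startswith("set peer "):
            entry["peer"] = rest.split()[2]
    return maps


def can_initiate_l2l(config):
    """A box can initiate a LAN-to-LAN tunnel only from a static entry that
    names both the interesting-traffic ACL and the peer address."""
    for entries in parse_crypto_maps(config).values():
        for e in entries.values():
            if not e["dynamic"] and e["match"] and e["peer"]:
                return True
    return False


def has_dynamic_outside(config):
    """True when the outside address is learned (pppoe/dhcp), not static."""
    return bool(re.search(r"^ip address outside (pppoe|dhcp)\b", config, re.M))


def risky_settings(config):
    """Settings a reviewer would flag; messages are this example's wording."""
    checks = [
        (r"^conduit permit tcp any any",
         "legacy 'conduit permit tcp any any' present; review against the outside ACL"),
        (r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0",
         "wildcard pre-shared key: any peer that knows the key may negotiate"),
        (r"^snmp-server community public",
         "default SNMP community string 'public'"),
    ]
    return [msg for pat, msg in checks if re.search(pat, config, re.M)]


def diagnose(local_cfg, remote_cfg):
    """Why can't LOCAL open a tunnel toward REMOTE? Returns a list of reasons."""
    reasons = []
    if not can_initiate_l2l(local_cfg):
        reasons.append("local side has no static crypto map entry with "
                       "'match address' and 'set peer', so it cannot initiate")
    if has_dynamic_outside(remote_cfg):
        reasons.append("remote outside address is dynamic, so no static "
                       "'set peer' can be written for it on the local side")
    return reasons


if __name__ == "__main__":
    for reason in diagnose(SANI_QC, SANI_MTL):
        print("sani-qc -> sani-mtl:", reason)
    for name, cfg in (("sani-qc", SANI_QC), ("sani-mtl", SANI_MTL)):
        for finding in risky_settings(cfg):
            print(f"{name}: {finding}")
```

Run as-is it prints the two reasons for the sani-qc-to-sani-mtl direction and nothing for the reverse direction, which matches the behaviour described in the question; the wildcard pre-shared key on sani-qc is exactly what lets a dynamic-address spoke connect, so the finding is a trade-off to be aware of rather than a misconfiguration to remove.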
LVL 1

Expert Comment

by: Computer101
ID: 20370051
Forced accept.

Computer101
EE Admin