DaveICC
asked on
Problem for connecting on share directory
Hi,
I have 2 pix 501, 1 local and other remote business. When the pc with adress 192.168.51.100 in the remote site call \\192.168. 16.10\share all is ok. But if i try to connect with my server with adress 192.168.16.10 on pc in other site with command: \\192.168.51.100\share that's not work.
This is my pix configuration for the server 192.168.16.10
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password i6UxfZXAJDRy0dDX encrypted
passwd i6UxfZXAJDRy0dDX encrypted
hostname sani-qc
domain-name sani-tech
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.16.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 101 remark OUVERTURE DU PORT SSH SUR LE SCO-UNIX
access-list 101 permit tcp host 199.243.181.75 host 70.12.25.41 eq 1022
access-list 101 permit tcp host 69.70.107.234 host 70.12.25.41 eq 1022
access-list 101 permit tcp host 69.159.244.96 host 70.12.25.41 eq 1022
access-list 101 remark OUVERTURE PORT POUR LE MAIL
access-list 101 permit tcp any host 70.12.25.41 eq 10025
access-list 101 remark OUVERTURE PORT POUR HTPPS
access-list 101 permit tcp any host 70.12.25.41 eq https
access-list 101 remark OUVERTURE PORT POUR VPN MICROSOFT
access-list 101 permit tcp any host 70.12.25.41 eq pptp
access-list 101 remark OUVERTURE PORT HTTP
access-list 101 permit tcp any host 70.12.25.41 eq www
access-list splitter permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list msn-login remark BLOCK MESSENGER LOGIN
access-list msn-login permit ip host 192.168.16.2 any
access-list msn-login deny tcp any any eq 1863
access-list msn-login deny ip any 65.54.239.0 255.255.255.0
access-list msn-login deny ip any host 65.55.152.124
access-list msn-login deny ip any host 65.54.179.203
access-list msn-login deny ip any host 204.15.20.27
access-list msn-login deny ip any host 65.55.195.250
access-list msn-login deny ip any host 72.232.96.74
access-list msn-login permit ip any any
access-list msn-login permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 70.12.25.41 255.255.255.252
ip address inside 192.168.16.99 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool iccpool 192.168.10.1-192.168.10.10
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 10025 192.168.16.2 10025 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.16.2 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1022 192.168.16.1 1022 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.16.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.16.13 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group msn-login in interface inside
conduit permit icmp any any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 70.12.25.40 1
timeout xlate 0:05:00
timeout conn 48:00:00 half-closed 3:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key souris address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnicc address-pool iccpool
vpngroup vpntest split-tunnel splitter
vpngroup vpntest idle-time 86400
vpngroup vpntest password souris
telnet 192.168.16.0 255.255.255.0 inside
telnet timeout 5
ssh 69.70.107.234 255.255.255.255 outside
ssh 69.159.244.96 255.255.255.255 outside
ssh timeout 5
console timeout 0
terminal width 80
This is my pix configuration for the pc 192.168.51.100
: Written by enable_15 at 05:40:43.744 UTC Wed Mar 2 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iccctrl
passwd iccctrl
hostname sani-mtl
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.51.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.51.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 110 permit ip 192.168.51.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list msn-login remark BLOCK MESSENGER LOGIN
access-list msn-login deny tcp any any eq 1863
access-list msn-login deny ip any 65.54.239.0 255.255.255.0
access-list msn-login deny ip any host 65.54.179.203
access-list msn-login deny ip any host 65.55.152.124
access-list msn-login permit ip any any
access-list msn-login permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe
ip address inside 192.168.51.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool iccpool 192.168.10.1-192.168.10.10
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
access-group msn-login in interface inside
conduit permit icmp any any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 204.1.1.2 1
timeout xlate 0:05:00
timeout conn 48:00:00 half-closed 3:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.51.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map sylvain 10 ipsec-isakmp
crypto map sylvain 10 match address 110
crypto map sylvain 10 set peer 70.12.25.41
crypto map sylvain 10 set transform-set myset
crypto map sylvain 20 ipsec-isakmp dynamic cisco
crypto map sylvain interface outside
isakmp enable outside
isakmp key souris address 70.12.25.41 netmask 255.255.255.255
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpntest address-pool iccpool
vpngroup vpntest split-tunnel 101
vpngroup vpntest idle-time 86400
vpngroup vpntest password souris
telnet 192.168.51.0 255.255.255.0 inside
telnet timeout 5
ssh 69.70.107.234 255.255.255.255 outside
ssh 69.159.244.96 255.255.255.255 outside
ssh 70.12.25.41 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group web request dialout pppoe
vpdn group web localname sanit@dslqzstcom.com
vpdn group web ppp authentication pap
vpdn username sanit@dslqzstcom.com password ********
dhcpd address 192.168.51.150-192.168.51.
dhcpd dns 192.168.16.2 66.234.16.12
dhcpd wins 192.168.16.2
dhcpd lease 86000
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
What is my problem ?
Thank's in advance
I have 2 pix 501, 1 local and other remote business. When the pc with adress 192.168.51.100 in the remote site call \\192.168. 16.10\share all is ok. But if i try to connect with my server with adress 192.168.16.10 on pc in other site with command: \\192.168.51.100\share that's not work.
This is my pix configuration for the server 192.168.16.10
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password i6UxfZXAJDRy0dDX encrypted
passwd i6UxfZXAJDRy0dDX encrypted
hostname sani-qc
domain-name sani-tech
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.16.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 101 remark OUVERTURE DU PORT SSH SUR LE SCO-UNIX
access-list 101 permit tcp host 199.243.181.75 host 70.12.25.41 eq 1022
access-list 101 permit tcp host 69.70.107.234 host 70.12.25.41 eq 1022
access-list 101 permit tcp host 69.159.244.96 host 70.12.25.41 eq 1022
access-list 101 remark OUVERTURE PORT POUR LE MAIL
access-list 101 permit tcp any host 70.12.25.41 eq 10025
access-list 101 remark OUVERTURE PORT POUR HTPPS
access-list 101 permit tcp any host 70.12.25.41 eq https
access-list 101 remark OUVERTURE PORT POUR VPN MICROSOFT
access-list 101 permit tcp any host 70.12.25.41 eq pptp
access-list 101 remark OUVERTURE PORT HTTP
access-list 101 permit tcp any host 70.12.25.41 eq www
access-list splitter permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list msn-login remark BLOCK MESSENGER LOGIN
access-list msn-login permit ip host 192.168.16.2 any
access-list msn-login deny tcp any any eq 1863
access-list msn-login deny ip any 65.54.239.0 255.255.255.0
access-list msn-login deny ip any host 65.55.152.124
access-list msn-login deny ip any host 65.54.179.203
access-list msn-login deny ip any host 204.15.20.27
access-list msn-login deny ip any host 65.55.195.250
access-list msn-login deny ip any host 72.232.96.74
access-list msn-login permit ip any any
access-list msn-login permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 70.12.25.41 255.255.255.252
ip address inside 192.168.16.99 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool iccpool 192.168.10.1-192.168.10.10
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 10025 192.168.16.2 10025 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.16.2 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1022 192.168.16.1 1022 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.16.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.16.13 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group msn-login in interface inside
conduit permit icmp any any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 70.12.25.40 1
timeout xlate 0:05:00
timeout conn 48:00:00 half-closed 3:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key souris address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnicc address-pool iccpool
vpngroup vpntest split-tunnel splitter
vpngroup vpntest idle-time 86400
vpngroup vpntest password souris
telnet 192.168.16.0 255.255.255.0 inside
telnet timeout 5
ssh 69.70.107.234 255.255.255.255 outside
ssh 69.159.244.96 255.255.255.255 outside
ssh timeout 5
console timeout 0
terminal width 80
This is my pix configuration for the pc 192.168.51.100
: Written by enable_15 at 05:40:43.744 UTC Wed Mar 2 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iccctrl
passwd iccctrl
hostname sani-mtl
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 192.168.51.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.51.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 110 permit ip 192.168.51.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list msn-login remark BLOCK MESSENGER LOGIN
access-list msn-login deny tcp any any eq 1863
access-list msn-login deny ip any 65.54.239.0 255.255.255.0
access-list msn-login deny ip any host 65.54.179.203
access-list msn-login deny ip any host 65.55.152.124
access-list msn-login permit ip any any
access-list msn-login permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe
ip address inside 192.168.51.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool iccpool 192.168.10.1-192.168.10.10
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 101 in interface outside
access-group msn-login in interface inside
conduit permit icmp any any
conduit permit tcp any any
route outside 0.0.0.0 0.0.0.0 204.1.1.2 1
timeout xlate 0:05:00
timeout conn 48:00:00 half-closed 3:00:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.51.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map sylvain 10 ipsec-isakmp
crypto map sylvain 10 match address 110
crypto map sylvain 10 set peer 70.12.25.41
crypto map sylvain 10 set transform-set myset
crypto map sylvain 20 ipsec-isakmp dynamic cisco
crypto map sylvain interface outside
isakmp enable outside
isakmp key souris address 70.12.25.41 netmask 255.255.255.255
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpntest address-pool iccpool
vpngroup vpntest split-tunnel 101
vpngroup vpntest idle-time 86400
vpngroup vpntest password souris
telnet 192.168.51.0 255.255.255.0 inside
telnet timeout 5
ssh 69.70.107.234 255.255.255.255 outside
ssh 69.159.244.96 255.255.255.255 outside
ssh 70.12.25.41 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group web request dialout pppoe
vpdn group web localname sanit@dslqzstcom.com
vpdn group web ppp authentication pap
vpdn username sanit@dslqzstcom.com password ********
dhcpd address 192.168.51.150-192.168.51.
dhcpd dns 192.168.16.2 66.234.16.12
dhcpd wins 192.168.16.2
dhcpd lease 86000
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
What is my problem ?
Thank's in advance
On the first pix config, you don't have a crypto map configured, as you do on the 2nd pix, with a match address and set peer statement. These are needed to identify the traffic to be sent over the vpn tunnel, and where to send the traffic. I would tweak your first pix vpn config to be like the 2nd pix listed above, which looks correct.
ASKER
If my first pix he as dynamic ip address outside? Do you have un solution for me?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Forced accept.
Computer101
EE Admin
Computer101
EE Admin