bfear3 asked:

PIX to PIX VPN connectivity issue

Scenario:
Two branch offices, each with a PIX firewall and using VPN for remote access. Remote users at both branch offices can connect properly with their VPN clients, but only to their own designated office. We have tried to connect from one branch office to the other using the VPN client. We can get a confirmed connection but cannot access the Windows resources (shared drives), either by trying to map a drive or by using Remote Desktop Connection. We get the messages "The network path could not be found" and "The specified computer could not be found" respectively. I can ping the remote PIX firewall from our firewall but cannot ping the same remote firewall from the desktop PC that is successfully connecting using the VPN client. I put in a route to send traffic to the remote PIX via our firewall but still cannot get physical connectivity. Our respective LANs are on different subnets. I have read Cisco's "PIX 6.X: Simple PIX to PIX VPN Tunnel" configuration example, which uses IPsec. I want to have temporary connectivity for 1 or 2 users to look at some hosted software until we have a vendor-installed link. Do we need to set up both PIX firewalls as per the IKE instructions in the article to achieve some temporary connectivity? What have I not done to achieve physical connectivity?
TIA
rsivanandan

If I understand your question correctly, then it is not possible with PIX. The U-turn which you're trying to make is not supported until version 7.x on ASA.

The only way to resolve this would be to have 2 profiles for the user and connect to the respective profile whenever a resource is needed.

Or else, the other way would be to have the user first VPN into one of the offices, then remote desktop into his designated office's desk machine. From there you can access the other office.

Cheers,
Rajesh
bfear3 (ASKER)

Thanks Rajesh for the input. I am just trying to get 2 users from our office to be able to VPN from behind our firewall, through the 'net, to and through the other firewall into some Windows-based resources, i.e. run an application to evaluate it. If I have not made myself clear enough for your help, please comment back.
Thanks
Oh, so you have the VPN users using the Cisco VPN client behind the 1st PIX firewall and you want to connect to the other PIX server to access resources?

If yes, is at least one user able to connect to the PIX firewall? At what stage is it blocked?

Cheers,
Rajesh
bfear3 (ASKER)

Rajesh,
Sorry for the delay. Internet access on the weekend is spotty. Anyway, we can successfully connect with the VPN client through both firewalls. No problem. At that point, though, we cannot access the Windows resources, either by trying to map a drive or by using Remote Desktop Connection. It is exactly as I described in the original question, with the corresponding error messages. From home, not going through a PIX firewall, I can access the "branch" office using a VPN and connect to a shared drive with no problem. We are having the issue going from one PIX firewall to another PIX firewall to use shared Windows resources.

Thanks
Ok, can you post the sanitized config of the PIX firewall? Both sides.

Cheers,
Rajesh
bfear3 (ASKER)

Will do, but will have to do on Monday as they are at work. Thanks for your patience. Talk to you soon.
bfear3 (ASKER)

Rajesh,

APYR

Local BO

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXX encrypted
hostname XX
domain-name XX.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name X.X.X.X Internal_Net_GP
name X.X.X.X XXXXXXXX
name X.X.X.X XX
name X.X.X.X Remote_PIX
name X.X.X.X XX
access-list 102 permit ip X.X.X.X 255.0.0.0 X.X.X.X 255.255.255.0
access-list 102 permit ip X.X.X.X 255.255.255.0 X.0.0.0 255.0.0.0
access-list 103 permit ip X.X.X.X 255.0.0.0 X.x.X.X 255.255.255.0
access-list 103 permit ip X.X.X.0 255.255.255.0 X.0.0.0 255.0.0.0
access-list 104 permit ip Remote_PIX 255.255.255.254 X.0.0.0 255.0.0.0
access-list 104 permit ip X.0.0.0 255.0.0.0 Remote_PIX 255.255.255.254
pager lines 23
logging on
logging buffered warnings
no logging message 305012
no logging message 302014
no logging message 302016
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.X 255.255.255.X
ip address inside X.X.X.X 255.255.0.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL X.X.X.X-X.X.X.X
pdm location X.X.x.X 255.255.255.255 outside
pdm location X.X.X.x 255.255.255.255 outside
pdm location x.X.x.X 255.255.255.255 outside
pdm location X.X.X.X 255.255.0.0 outside
pdm location XX 255.255.255.255 inside
pdm location X.X.X.X 255.255.255.255 inside
pdm location XX 255.255.255.255 inside
pdm location X.X.X.x 255.255.255.255 inside
pdm location Remote_PIX 255.255.255.254 outside
pdm location XX 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 102
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community XX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto dynamic-map XX 10 set transform-set VPN
crypto map IPSECVPN 20 ipsec-isakmp dynamic XX
crypto map IPSECVPN client configuration address initiate
crypto map IPSECVPN client configuration address respond
crypto map IPSECVPN interface outside
isakmp enable outside
isakmp key XXXXX address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 30 3
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup XX address-pool VPNPOOL
vpngroup XX dns-server XX XX
vpngroup XX default-domain XX.com
vpngroup XX split-tunnel 103
vpngroup XX idle-time 1800
vpngroup XX password XXXXXXX
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh X.X.X.X 255.255.255.255 outside
ssh X.X.0.0 255.255.0.0 outside
ssh X.X.X.X 255.255.255.255 outside
ssh Remote_PIX 255.255.255.254 outside
ssh timeout 20
console timeout 0
terminal width 80
Cryptochecksum:XX
: end


Remote BO

pixfirewall# show run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
hostname XXXXXXXXXXXXXX
domain-name XXXXXXXXXXXXX.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name X.X.X.X XXXXXXXx
name X.X.X.X XXXXXXXX
name X.X.X.X XXXXXXXX
name X.X.X.X XXXXXXXXX
name X.X.X.X XXXXXXXXX
name x.X.X.X XXXXXXXX
name X.X.X.X XXXXXXXX
name X.X.X.X XXXXXXXXX
name X.X.X.X XXXXXXX
object-group service XXXXXXXXXServices tcp
  port-object eq www
  port-object eq https
object-group network RDP-Remote
  network-object XXXXXXXXX 255.255.255.240
  network-object XXXXXXXXX 255.255.255.255
object-group service XXXXXXXXXXServices tcp
  port-object eq www
  port-object eq XX
  port-object eq ftp-data
  port-object eq domain
  port-object eq https
  port-object eq ftp
  port-object eq ssh
access-list outside_access_in permit gre any host X.X.X.X
access-list outside_access_in permit tcp any host X.X.X.X eq pptp
access-list outside_access_in permit tcp any host X.X.X.X object-group XXXXXX
access-list outside_access_in permit tcp XX 255.255.255.240 host X.X.X.X eq X
access-list outside_access_in permit tcp any host X.X.X.X eq smtp
access-list outside_access_in permit tcp object-group RDP-Remote host X.X.X.X eq X
access-list outside_access_in permit tcp object-group RDP-Remote host x.X.X.X eq X
access-list outside_access_in permit tcp any host x.X.X.X object-group XXXXXXXXX
access-list outside_access_in permit udp any host X.X.X.X eq domain
access-list xxxxxxxxxx_splitTunnelAcl permit ip X.X.X.x 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip X.X.X.X 255.255.255.0 x.x.X.X 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any X.x.X.X 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside x.X.x. 255.255.255.XX
ip address inside X.X.X.X 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool x.x.x.x-x.x.x.x
pdm location XX 255.255.255.XX outside
pdm location x.x.x.x 255.255.255.0 inside
pdm location xxxxxxx 255.255.255.255 inside
pdm location xxxxxxx 255.255.255.255 inside
pdm location xxxxxxxx 255.255.255.255 inside
pdm location xxxxxxxx 255.255.255.255 inside
pdm location xxxxxxxx 255.255.255.255 inside
pdm location xxxxxxx 255.255.255.255 outside
pdm location xxxxxxxx 255.255.255.255 inside
pdm group RDP-Remote outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 x.x.x.x 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.x smtp xxxxxxxx smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x www xxxxxxxxx www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x https xxxxxxxxxxxxx https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x xxxx xxxxxxxxxx xxxx netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x xxxxxxx netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x xxxxxxx netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host xxxxxxxxx password timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http x.x.x.x 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside xxxxxxxxxxxx /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxxxxDetached address-pool VPNPool
vpngroup xxxxxxDetached dns-server xxxxxxxxx xxxxxxxxxxxxx
vpngroup xxxxxxDetached wins-server xxxxx xxxxxx
vpngroup xxxxxxDetached default-domain xxx.x
vpngroup xxxxxxDetached split-tunnel xx_splitTunnelAcl
vpngroup xxxxxxDetached idle-time 1800
vpngroup xxxxxxDetached password XXXXXXX
telnet x.x.x.x 255.255.255.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username xxxxxxxx password xxxxxxxxxxxxxxxxxxxxxxxxxxxx
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxx
: end
pixfirewall#
Too much security ;-) You have masked all the IP addresses, and based on that I won't be able to see what is where.

Provide the config like this;

1. Remove password lines.
2. Keep the private addresses as it is.
3. Remove the last 2 octets from the public IP addresses.

Keep everything else in there.

Cheers,
Rajesh
bfear3 (ASKER)

Rajesh,

Paranoia reigns supreme in the heartland...
Once more from the top. If you still need more detail, shout back.
Thanks

Local BO

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname XXX
domain-name XXX.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.0.0 Internal_Net_GP
name 10.1.1.8 NS
name 10.1.1.40 WA
name 69.178.X.X Remote_FW
name 10.1.1.23 W2K3
access-list 102 permit ip 10.0.0.0 255.0.0.0 172.31.1.0 255.255.255.0
access-list 102 permit ip 172.31.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 103 permit ip 10.0.0.0 255.0.0.0 172.31.1.0 255.255.255.0
access-list 103 permit ip 172.31.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 104 permit ip Remote_FW 255.255.255.X 10.0.0.0 255.0.0.0
access-list 104 permit ip 10.0.0.0 255.0.0.0 Remote_FW 255.255.255.X
pager lines 23
logging on
logging buffered warnings
no logging message 305012
no logging message 302014
no logging message 302016
mtu outside 1500
mtu inside 1500
ip address outside 209.226.X.X 255.255.255.X
ip address inside 10.1.1.20 255.255.0.0
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.31.1.1-172.31.1.254
pdm location 69.157.X.X 255.255.255.255 outside
pdm location 69.156.X.X 255.255.255.255 outside
pdm location 69.157.X.X 255.255.255.255 outside
pdm location 69.157.X.X 255.255.X.X outside
pdm location NS 255.255.255.255 inside
pdm location 10.1.1.29 255.255.255.255 inside
pdm location WA 255.255.255.255 inside
pdm location 10.1.1.42 255.255.255.255 inside
pdm location Remote_FW 255.255.255.X outside
pdm location W2K 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 102
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.226.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community XXXXXXXXX
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto dynamic-map XX 10 set transform-set VPN
crypto map IPSECVPN 20 ipsec-isakmp dynamic XX
crypto map IPSECVPN client configuration address initiate
crypto map IPSECVPN client configuration address respond
crypto map IPSECVPN interface outside
isakmp enable outside
isakmp key XX address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 30 3
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup A_VPN address-pool VPNPOOL
vpngroup A_VPN dns-server WA N_S
vpngroup A_VPN default-domain XX.com
vpngroup A_VPN split-tunnel 103
vpngroup A_VPN idle-time 1800
vpngroup A_VPN password
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 69.157.X.X 255.255.255.255 outside
ssh 69.157.X.X 255.255.0.0 outside
ssh 69.156.X.X 255.255.255.255 outside
ssh Remote_FW 255.255.255.X outside
ssh timeout 20
console timeout 0
terminal width 80
Cryptochecksum:
: end


Remote BO

pixfirewall# show run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname XX
domain-name XX.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.27.72.26 sb
name 10.27.72.22 TS
name 10.27.72.21 SL
name 10.27.72.20 File
name 10.27.72.23 F
name 10.27.72.28 cuda
name 67.188.X.X BR
name 66.17.X.X ActSub
name 10.27.72.25 Ac
object-group service FServices tcp
  port-object eq www
  port-object eq https
object-group network RDP-Remote
  network-object ActSub 255.255.255.X
  network-object BR 255.255.255.255
object-group service Services tcp
  port-object eq www
  port-object eq XXXX
  port-object eq ftp-data
  port-object eq domain
  port-object eq https
  port-object eq ftp
  port-object eq ssh
access-list outside_access_in permit gre any host 69.178.x.x
access-list outside_access_in permit tcp any host 69.178.x.x eq pptp
access-list outside_access_in permit tcp any host 69.178.x.x object-group eS
access-list outside_access_in permit tcp ActSub 255.255.255.X host 69.178.x.x eq XXXX
access-list outside_access_in permit tcp any host 69.178.x.x eq smtp
access-list outside_access_in permit tcp object-group RDP-Remote host 69.178.x.x eq XXXX
access-list outside_access_in permit tcp object-group RDP-Remote host 69.178.x.x eq XXXX
access-list outside_access_in permit tcp any host 69.178.x.x object-group Services
access-list outside_access_in permit udp any host 69.178.x.x eq domain
access-list Detached_splitTunnelAcl permit ip 10.27.72.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.27.72.0 255.255.255.0 192.168.81.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.81.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu inside 1500
ip address outside 69.178.x.x 255.255.255.X
ip address inside 10.27.72.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPool 192.168.81.1-192.168.81.200
pdm location ASubnet 255.255.255.X outside
pdm location 10.27.72.0 255.255.255.0 inside
pdm location File 255.255.255.255 inside
pdm location SL 255.255.255.255 inside
pdm location Srv 255.255.255.255 inside
pdm location F 255.255.255.255 inside
pdm location cuda 255.255.255.255 inside
pdm location BR 255.255.255.255 outside
pdm location Acc 255.255.255.255 inside
pdm group RDP-Remote outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.27.72.0 255.255.255.0 0 0
static (inside,outside) tcp 69.178.x.x smtp cuda smtp netmask 255.255.255.X 0 0
static (inside,outside) tcp 69.178.x.x www F www netmask 255.255.255.X 0 0
static (inside,outside) tcp 69.178.x.x https F https netmask 255.255.255.255 0 0
static (inside,outside) tcp 69.178.x.x XXXX F XXX netmask 255.255.255.255 0 0
static (inside,outside) 69.178.X.X SL netmask 255.255.255.255 0 0
static (inside,outside) 69.178.X.X Ac netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.178.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host Fl password timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.27.72.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside A /
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Detached address-pool VPNPool
vpngroup Detached dns-server File A
vpngroup Detached wins-server File A
vpngroup Detached default-domain corp.local
vpngroup Detached split-tunnel Detached_splitTunnelAcl
vpngroup Detached idle-time 1800
vpngroup Detached password
telnet 10.27.72.0 255.255.255.0 inside
telnet timeout 5
ssh 10.27.72.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username
terminal width 80
Cryptochecksum:
: end
pixfirewall#
The post you have posted on "ID:20805959Author:bfear3Date:02.03.2008 at 02:49AM IST"


Can you say that again, because I think I'm missing something.

1. You can connect to both offices using VPN -> Works fine
2. You can connect to both offices using VPN and access resources -> Works fine

3. When you connect to one branch office via VPN and then try accessing the other PIX side resources -> If this is what you're trying to achieve then it is not possible as I said before.

Can you describe it?

Cheers,
Rajesh
bfear3 (ASKER)

Rajesh,

The users at the local BO can log in and access their respective resources from outside their business walls. The users at the remote BO can log in and access their respective resources from outside their business walls. I can log on from home to both BOs using the VPN client. At home I am not behind a PIX firewall. I can then map a drive and use Remote Desktop to get to the app I want.
At work, behind the PIX firewall, I can form a secure connection from within the local BO to the remote BO. But I cannot map a drive or remote desktop to the Windows resources we wish to evaluate through the secured VPN connection, as it is going from within the local PIX to within the remote PIX. If we are going back to what you had surmised a few missives ago in your evaluation, then what hardware supports the software rev. you are discussing? What do I have to do to enable a one-way PIX to PIX VPN and shared Windows resources scenario? We may want two-way later, but that will be set up with a dedicated line, telco and QoS.
Thanks
Okay, if the site-to-site access is for more than one person then a site-to-site VPN is suggested, which can be easily achieved in the present PIX scenario. I would suggest going with this method.

1. If it is just one person trying to connect, then after connecting, take an output of route print from that machine and post it.

2. After connecting if you try to access the windows resource are you able to map drive or ping using ip address instead of the name?

Cheers,
Rajesh
bfear3 (ASKER)

Rajesh,

APYR. This is after securely connecting with the VPN client. As I pointed out in my original posting, I cannot ping the remote firewall from the local, securely connected PC. I can ping the remote firewall from our local firewall. This is why I added a route to the remote firewall. You can see this on lines 1 and 7. I have always tried to ping using an IP as opposed to a name.
Thanks

 Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.1.1.20       10.1.9.24       20
          0.0.0.0          0.0.0.0       10.1.1.149       10.1.9.24       20
         10.1.0.0      255.255.0.0        10.1.9.24       10.1.9.24       20
        10.1.9.24  255.255.255.255        127.0.0.1       127.0.0.1       20
       10.27.72.0    255.255.255.0     192.168.81.2    192.168.81.1       1
   10.255.255.255  255.255.255.255        10.1.9.24       10.1.9.24       20
    69.178.X.X  255.255.255.255        10.1.1.20       10.1.9.24       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.81.0    255.255.255.0     192.168.81.1    192.168.81.1       20
     192.168.81.1  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.81.255  255.255.255.255     192.168.81.1    192.168.81.1       20
        224.0.0.0        240.0.0.0        10.1.9.24       10.1.9.24       20
        224.0.0.0        240.0.0.0     192.168.81.1    192.168.81.1       20
  255.255.255.255  255.255.255.255        10.1.9.24       10.1.9.24       1
  255.255.255.255  255.255.255.255     192.168.81.1    192.168.81.1       1
Default Gateway:        10.1.1.149
===========================================================================
Persistent Routes:
  None
hmm. There seems to be a problem.

>>access-list Detached_splitTunnelAcl permit ip 10.27.72.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.27.72.0 255.255.255.0 192.168.81.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.81.0 255.255.255.0

On the remote BO, change the above as below. Rule 1: never use the 'any' keyword in a VPN access-list.

access-list Detached_splitTunnelAcl permit ip 10.27.72.0 255.255.255.0 192.168.81.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.27.72.0 255.255.255.0 192.168.81.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 10.27.72.0 255.255.255.0 192.168.81.0 255.255.255.0

Then try connecting again. Take a route print and ipconfig /all and paste them here.

Cheers,
Rajesh
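Added example, not code from this thread or from Cisco: a small Python linter for the check rsivanandan makes by hand above. It finds the access-lists a PIX 6.x config binds to remote-access VPN traffic (vpngroup split-tunnel, nat 0, and crypto dynamic-map match address) and flags every entry in them that uses the 'any' keyword, then shows that the corrected lines pass. The embedded sample lines are constructed from the remote BO config as posted and as corrected in the reply; 203.0.113.10 stands in for the masked public address.

```python
"""Lint PIX 6.x remote-access VPN access-lists for the 'any' keyword."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the VPN-related lines of the remote BO config as posted.
# 203.0.113.10 is a documentation-range placeholder for the masked public IP.
REMOTE_BO_BEFORE = """\
access-list Detached_splitTunnelAcl permit ip 10.27.72.0 255.255.255.0 any
access-list inside_outbound_nat0_acl permit ip 10.27.72.0 255.255.255.0 192.168.81.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.81.0 255.255.255.0
access-list outside_access_in permit tcp any host 203.0.113.10 eq smtp
ip local pool VPNPool 192.168.81.1-192.168.81.200
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup Detached split-tunnel Detached_splitTunnelAcl
"""

# Constructed sample: the same lines after the change suggested in the reply,
# i.e. both 'any' entries replaced by the concrete LAN and VPN pool networks.
REMOTE_BO_AFTER = REMOTE_BO_BEFORE.replace(
    "permit ip 10.27.72.0 255.255.255.0 any",
    "permit ip 10.27.72.0 255.255.255.0 192.168.81.0 255.255.255.0",
).replace(
    "permit ip any 192.168.81.0 255.255.255.0",
    "permit ip 10.27.72.0 255.255.255.0 192.168.81.0 255.255.255.0",
)

# access-list NAME permit|deny PROTO <rest of entry>
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

# The three PIX 6.x statements that bind an access-list to VPN traffic handling.
VPN_REFS = [
    ("split-tunnel", re.compile(r"^vpngroup\s+\S+\s+split-tunnel\s+(\S+)")),
    ("nat0", re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")),
    ("crypto-match", re.compile(
        r"^crypto\s+dynamic-map\s+\S+\s+\d+\s+match\s+address\s+(\S+)")),
]


def parse_acl_entries(config: str) -> Dict[str, List[str]]:
    """Group access-list entries by ACL name, keeping the text after the protocol."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(4))
    return acls


def vpn_acl_roles(config: str) -> Dict[str, List[str]]:
    """Map each ACL name to the VPN roles that reference it (in config order)."""
    roles: Dict[str, List[str]] = {}
    for line in config.splitlines():
        for role, rx in VPN_REFS:
            m = rx.match(line.strip())
            if m:
                roles.setdefault(m.group(1), []).append(role)
    return roles


def find_any_in_vpn_acls(config: str) -> List[Tuple[str, str, str]]:
    """Return (acl_name, role, entry) for each VPN-bound ACL entry that uses 'any'.

    'any' is matched as a whole token, so a host named e.g. 'anyhost' is not flagged.
    Access-lists not bound to a VPN role (such as outside_access_in) are ignored.
    """
    acls = parse_acl_entries(config)
    findings: List[Tuple[str, str, str]] = []
    for acl, roles in vpn_acl_roles(config).items():
        for entry in acls.get(acl, []):
            if "any" in entry.split():
                for role in roles:
                    findings.append((acl, role, entry))
    return findings


if __name__ == "__main__":
    for acl, role, entry in find_any_in_vpn_acls(REMOTE_BO_BEFORE):
        print(f"{acl} ({role}): uses 'any' -> {entry}")
    print("after fix:", find_any_in_vpn_acls(REMOTE_BO_AFTER))
```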

bfear3 (ASKER)

Rajesh,
I will attempt to facilitate, but there are politics involved here, i.e. I do not control the remote BO and they may be sensitive to any tweaking proposed by me. I may have to get their consultant or support vendor to enact this and it probably won't happen overnight. I will post any updates as soon as I can. Apologies for the delay. Thanks for your patience.
No issues, lemme know when you have some update.

Cheers,
Rajesh
bfear3 (ASKER)

Rajesh,

The remote BO decided to call in a PIX expert. This gentleman did not agree with the removal of the 'any's and said they were not part of the VPN pool allotment statement. He opened up the FW to RDP from a selected IP address. We can now get in. I am not privy to what lines he added/changed, so the exercise has not helped me at all in understanding what makes the thing tick. I am sure you are just as frustrated after going through the process of trying to help. Is there any way I can give you points without causing some other person false hope in following down the postings only to discover we/you did not find a solution? Sorry about the outcome...
ASKER CERTIFIED SOLUTION
rsivanandan
bfear3 (ASKER)

Thanks for your time and patience.