Solved

PIX to PIX VPN Problems

Posted on 2008-10-09
Last Modified: 2010-04-12
Hi,

We are trying to establish a site-2-site VPN tunnel between 2 locations. One location has a PIX 501 and the other has a PIX 515. The problem we are facing is that the VPN tunnel establishes successfully; however, the traffic only flows one way (not entirely).

PIX 501 (192.168.61.0 / 255.255.255.0)
Machine A: 192.168.61.100


PIX 515: (198.246.233.0 / 255.255.255.0 ) <--- YES THIS IS A PUBLIC SUBNET
Machine B: 198.246.233.55

We need to have the workstations (Machine A) to be able to connect to (Machine B). The problem is, Machine A cannot reach the subnet of Machine B. Machine B however is able to reach the subnet of Machine A. Here's the weird part:

Machine B pings Machine A, or establishes an RDP connection to Machine A.
User exited the RDP session to Machine A (without logging on, just exit at the logon Window)
Machine A is now able to "see Machine B", and able to RDP back to Machine B.

The same applies to other machines: as long as machines on the PIX 515 initiate the initial connection, machines on the PIX 501 subnet are then able to see the PIX 515 machines. It seems like it has something to do with a NAT issue. Both PIXes have existing VPN tunnels to other locations. The IT departments at both ends are saying that the PIX on their end is working fine, as other existing VPN tunnels are communicating properly.

The PIX 501 has existing VPN tunnels to other PIXes, but the remote subnets are all private IP subnets. The 515 has existing VPN tunnels to other PIXes, and the remote subnets are a combination of both private/public subnets.

The VPN config for the PIXes is as follows:



PIX 501:

access-list nonat permit ip 192.168.61.0 255.255.255.0 198.246.233.0 255.255.255.0
access-list crypto6 permit ip 192.168.61.0 255.255.255.0 198.246.233.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map myset 30 ipsec-isakmp
crypto map myset 30 match address crypto6
crypto map myset 30 set peer A.B.C.D
crypto map myset 30 set transform-set myset
crypto map myset interface outside

isakmp enable outside
isakmp key ******** address A.B.C.D netmask 255.255.255.255
isakmp identity address
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 1
isakmp policy 60 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash sha
isakmp policy 70 group 1
isakmp policy 70 lifetime 86400

-----------------------------------------
PIX 515:

name W.X.Y.Z labatn-pix

access-list nonat permit ip InsideGLOBAL 255.255.255.0 192.168.61.0 255.255.255.0
access-list nonat permit ip TENdotSIXTY_network 255.255.255.0 192.168.61.0 255.255.255.0

access-list acl-labatn permit ip host WHCNET2 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host M1A-app1 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host M2A-app2 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host M3A-app4 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host M4A-app3 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host M5A-app-main 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host TechPC 192.168.61.0 255.255.255.0
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host WHCNET2 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host WHCNET2 eq https
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M1A-app1 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M1A-app1 eq https
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M2A-app2 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M2A-app2 eq https
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M4A-app4 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M4A-app4 eq https
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M3A-app3 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M3A-app3 eq https
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M1A-app-main eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M1A-app-main eq https


crypto map whcmap 972 ipsec-isakmp
crypto map whcmap 972 match address acl-labatn
crypto map whcmap 972 set peer labatn-pix
crypto map whcmap 972 set transform-set sha3set md5set


*********************************************************
crypto ipsec transform-set sha3set esp-3des esp-sha-hmac
crypto ipsec transform-set md53set esp-3des esp-md5-hmac
*********************************************************

isakmp key ******** address labatn-pix netmask 255.255.255.255

isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400



Question by:iesolutions
2 Comments
 
LVL 3

Accepted Solution

by:
TAMSCODAN earned 500 total points
ID: 22682544

Author Comment

by:iesolutions
ID: 22713125
TAMSCODAN:

The URL article in your response basically provides a basic configuration on a site-2-site using 2 PIXes. As mentioned earlier, the VPNs are working, but just this specific tunnel isn't working. The only difference with this tunnel is that one of the remote subnets is actually a PUBLIC routable IP subnet and not internal RFC private IPs.

Any ideas?
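One thing worth checking in the two configs posted above is that the crypto ACLs are not mirror images of each other: the 501 proposes subnet-to-subnet (192.168.61.0/24 to 198.246.233.0/24), while the 515 lists individual hosts, and the return direction on the 515 is tcp www/https only. IPsec proxy identities have to match on both peers, which fits a tunnel that only works when the 515 side initiates. The script below is an added example, not from this thread; it parses access-list lines of the posted form and reports entries with no mirrored counterpart on the other peer. The sample lines are copied from the question, symbolic names from a `name` command are kept as opaque tokens, and Cisco's `www`/`https` keywords are compared verbatim.

```python
"""Mirror check for PIX crypto (match-address) ACLs on two IPsec peers."""
import ipaddress
import re

# Constructed sample input: the crypto ACL lines posted for each PIX.
PIX501_CRYPTO = """
access-list crypto6 permit ip 192.168.61.0 255.255.255.0 198.246.233.0 255.255.255.0
"""
PIX515_CRYPTO = """
access-list acl-labatn permit ip host WHCNET2 192.168.61.0 255.255.255.0
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host WHCNET2 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host WHCNET2 eq https
"""

def _take_addr(toks):
    """Consume one address spec: 'host X', 'any', or 'net mask' (names stay opaque)."""
    if toks[0] == "host":
        return toks[1], toks[2:]
    if toks[0] == "any":
        return "any", toks[1:]
    try:
        return str(ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False)), toks[2:]
    except ValueError:  # symbolic name defined with a 'name' command
        return f"{toks[0]}/{toks[1]}", toks[2:]

def _take_port(toks):
    """Consume an optional 'eq <port>' qualifier; 'any' when absent."""
    if len(toks) >= 2 and toks[0] == "eq":
        return toks[1], toks[2:]
    return "any", toks

def parse_acl(config_text, acl_name):
    """Return {(proto, src, sport, dst, dport)} for every permit line of acl_name."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} permit (\S+) (.+)$")
    entries = set()
    for line in config_text.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        proto, toks = m.group(1), m.group(2).split()
        src, toks = _take_addr(toks)
        sport, toks = _take_port(toks)
        dst, toks = _take_addr(toks)
        dport, toks = _take_port(toks)
        entries.add((proto, src, sport, dst, dport))
    return entries

def mirror_gaps(local, remote):
    """Entries of local whose mirror (src<->dst, sport<->dport) is absent from remote."""
    return sorted(e for e in local if (e[0], e[3], e[4], e[1], e[2]) not in remote)

if __name__ == "__main__":
    a = parse_acl(PIX501_CRYPTO, "crypto6")
    b = parse_acl(PIX515_CRYPTO, "acl-labatn")
    for side, gaps in (("PIX 501", mirror_gaps(a, b)), ("PIX 515", mirror_gaps(b, a))):
        print(f"{side}: {len(gaps)} entries with no mirror on the peer")
        for g in gaps:
            print("   ", g)
```

Running it against the posted lines reports every entry on both sides as unmirrored; a correctly paired tunnel prints zero gaps in each direction.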
