Solved

PIX to PIX VPN Problems

Posted on 2008-10-09
290 Views
Last Modified: 2010-04-12
Hi,

We are trying to establish a site-2-site VPN tunnel between 2 locations. One location has a PIX 501 and the other has a PIX 515. The problem we are facing is that the VPN tunnel establishes successfully; however, the traffic only flows one way (not entirely).

PIX 501 (192.168.61.0 / 255.255.255.0)
Machine A: 192.168.61.100


PIX 515: (198.246.233.0 / 255.255.255.0 ) <--- YES THIS IS A PUBLIC SUBNET
Machine B: 198.246.233.55

We need the workstations (Machine A) to be able to connect to Machine B. The problem is that Machine A cannot reach the subnet of Machine B. Machine B, however, is able to reach the subnet of Machine A. Here's the weird part:

Machine B pings Machine A, or establishes an RDP connection to Machine A.
The user exits the RDP session to Machine A (without logging on, just exiting at the logon window).
Machine A is now able to "see" Machine B, and is able to RDP back to Machine B.

The same applies to other machines: as long as machines on the PIX 515 initiate the initial connection, machines on the PIX 501 subnet are then able to see the PIX 515 machines. It seems like it has something to do with a NAT issue. Both PIXes have existing VPN tunnels to other locations. The IT departments at both ends are saying that the PIX on their end is working fine, as the other existing VPN tunnels are communicating properly.

The PIX 501 has existing VPN tunnels to other PIXes, but the remote subnets are all private IP subnets. The 515 has existing VPN tunnels to other PIXes, and the remote subnets are a combination of both private and public subnets.

The VPN config for the PIXes is as follows:

PIX 501:

access-list nonat permit ip 192.168.61.0 255.255.255.0 198.246.233.0 255.255.255.0
access-list crypto6 permit ip 192.168.61.0 255.255.255.0 198.246.233.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map myset 30 ipsec-isakmp
crypto map myset 30 match address crypto6
crypto map myset 30 set peer A.B.C.D
crypto map myset 30 set transform-set myset
crypto map myset interface outside

isakmp enable outside
isakmp key ******** address A.B.C.D netmask 255.255.255.255
isakmp identity address
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 1
isakmp policy 60 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash sha
isakmp policy 70 group 1
isakmp policy 70 lifetime 86400

-----------------------------------------
PIX 515:

name W.X.Y.Z labatn-pix

access-list nonat permit ip InsideGLOBAL 255.255.255.0 192.168.61.0 255.255.255.0
access-list nonat permit ip TENdotSIXTY_network 255.255.255.0 192.168.61.0 255.255.255.0

access-list acl-labatn permit ip host WHCNET2 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host M1A-app1 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host M2A-app2 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host M3A-app4 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host M4A-app3 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host M5A-app-main 192.168.61.0 255.255.255.0
access-list acl-labatn permit ip host TechPC 192.168.61.0 255.255.255.0
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host WHCNET2 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host WHCNET2 eq https
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M1A-app1 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M1A-app1 eq https
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M2A-app2 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M2A-app2 eq https
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M4A-app4 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M4A-app4 eq https
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M3A-app3 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M3A-app3 eq https
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M1A-app-main eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host M1A-app-main eq https


crypto map whcmap 972 ipsec-isakmp
crypto map whcmap 972 match address acl-labatn
crypto map whcmap 972 set peer labatn-pix
crypto map whcmap 972 set transform-set sha3set md5set


*********************************************************
crypto ipsec transform-set sha3set esp-3des esp-sha-hmac
crypto ipsec transform-set md53set esp-3des esp-md5-hmac
*********************************************************

isakmp key ******** address labatn-pix netmask 255.255.255.255

isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400



Question by: iesolutions
2 Comments

Accepted Solution
by: TAMSCODAN earned 500 total points
ID: 22682544

Author Comment
by: iesolutions
ID: 22713125
TAMSCODAN:

The URL article in your response basically provides a basic configuration for a site-2-site VPN using 2 PIXes. As mentioned earlier, the VPNs are working, but just this specific tunnel isn't working. The only difference with this tunnel is that one of the remote subnets is actually a PUBLIC routable IP subnet and not internal RFC private IPs.

Any ideas?
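A mirror-image check over the two crypto ACLs quoted in the question, written as an added example for this thread (not code from either poster or from Cisco): it parses PIX access-list lines, swaps source and destination of each entry, and reports entries with no exact counterpart on the peer, which is one common reason a tunnel negotiates only when one side initiates. The inputs are a constructed subset of the question's ACLs, with the 515's symbolic host names kept as they appear there.

```python
"""Mirror-check two PIX crypto ACLs. Added example, not code from the thread."""
import re
from typing import NamedTuple

# Constructed input modelled on the crypto ACLs quoted in the question; the
# symbolic host names are kept as they appear in the PIX 515 config.
PIX501_CRYPTO6 = """
access-list crypto6 permit ip 192.168.61.0 255.255.255.0 198.246.233.0 255.255.255.0
"""
PIX515_ACL_LABATN = """
access-list acl-labatn permit ip host WHCNET2 192.168.61.0 255.255.255.0
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host WHCNET2 eq www
access-list acl-labatn permit tcp 192.168.61.0 255.255.255.0 host WHCNET2 eq https
"""

class Ace(NamedTuple):
    proto: str
    src: str    # "host NAME" or "net mask"
    sport: str  # "any" when no "eq" follows the address
    dst: str
    dport: str

    def mirror(self) -> "Ace":
        # The peer must permit the same flow with endpoints (and ports) swapped.
        return Ace(self.proto, self.dst, self.dport, self.src, self.sport)

_ADDR = r"(host \S+|\S+ \S+)(?: eq (\S+))?"
_ACE = re.compile(rf"access-list \S+ permit (\S+) {_ADDR} {_ADDR}$")

def parse_acl(text: str) -> list[Ace]:
    aces = []
    for line in text.strip().splitlines():
        m = _ACE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACE: {line}")
        proto, src, sport, dst, dport = m.groups()
        aces.append(Ace(proto, src, sport or "any", dst, dport or "any"))
    return aces

def unmirrored(local: list[Ace], peer: list[Ace]) -> list[Ace]:
    """ACEs in `local` that have no exact mirror image in `peer`."""
    peer_set = set(peer)
    return [a for a in local if a.mirror() not in peer_set]

def report(local_text: str, peer_text: str) -> list[str]:
    local, peer = parse_acl(local_text), parse_acl(peer_text)
    lines = [f"{len(local)} local / {len(peer)} peer ACEs"]
    for a in unmirrored(local, peer):
        lines.append(f"no mirror on peer for: {a.proto} {a.src} -> {a.dst} eq {a.dport}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(PIX501_CRYPTO6, PIX515_ACL_LABATN)))
    print("\n".join(report(PIX515_ACL_LABATN, PIX501_CRYPTO6)))
```

Run it to get one report per direction; Cisco's guidance is that the crypto ACLs at the two ends be exact mirror images, so every line reported is a candidate for reconciliation.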
