datgigrinch
asked on
ACL issue with Cisco PIX VPN Tunnel
Hi Guys,
I've created an IPSec tunnel between two PIX 515E firewalls. I have opted to use the DMZ port from site A (192.168.7.1) to the outside port of site B (192.168.7.100). I would like for users at both sites to tunnel to the "inside" interface at both sites.
Inside for Site A --> 192.168.1.0/24
Inside for Site B --> 192.168.8.0/24
I've got the tunnels set up. I'm now having an issue when trying to get from the "inside" network at Site B to the Inside Network on Site A.
Here is the error:
Inbound TCP connection denied from 192.168.8.51/1660 to 192.168.1.40/23 flags SYN on interface DMZ
Any suggestions?
Can you post your config? It looks like a NAT issue.
You should have something like
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
And do you have sysopt connection permit-ipsec enabled?
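As an added triage helper (not part of the thread or anyone's posted config): this parses the PIX "Inbound TCP connection denied" messages quoted in this question and reports which rule family each one points at, the nat 0 exemption for tunnel traffic versus a nat/global pair for internet egress. The message format and the two site networks are taken from the question; the regex and the category names are my own assumptions.

```python
import ipaddress
import re

# Shape of the PIX deny message quoted in the thread. The "(HOSTNAME)" part is
# optional because the PIX only adds it when it can resolve the destination.
DENIED_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)(?: \([^)]*\))? flags (?P<flags>\S+) "
    r"on interface (?P<iface>\S+)"
)

# Networks the tunnel is supposed to carry, in both directions (from the question).
SITE_A_INSIDE = ipaddress.ip_network("192.168.1.0/24")
SITE_B_INSIDE = ipaddress.ip_network("192.168.8.0/24")
VPN_PAIRS = [(SITE_A_INSIDE, SITE_B_INSIDE), (SITE_B_INSIDE, SITE_A_INSIDE)]


def parse_denied(line):
    """Return the fields of a deny message as a dict, or None if the line is not one."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def classify(line):
    """Map one deny line to the rule family that should have let the flow through.

    'vpn-pair-denied'  : src/dst are the two tunnelled networks; check the nat 0
                         exemption ACL and sysopt connection permit-ipsec.
    'internet-denied'  : destination is a public address; check the nat/global
                         pair for the egress interface.
    'private-denied'   : destination is private but not a tunnelled network.
    """
    f = parse_denied(line)
    if f is None:
        return None
    src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    if any(src in s and dst in d for s, d in VPN_PAIRS):
        return "vpn-pair-denied"
    if dst.is_private:
        return "private-denied"
    return "internet-denied"


if __name__ == "__main__":
    # Constructed sample input: the two messages quoted in this thread.
    for l in ["Inbound TCP connection denied from 192.168.8.51/1660 to 192.168.1.40/23 flags SYN on interface DMZ",
              "Inbound TCP connection denied from 192.168.8.53/1173 to 65.55.12.249/80 (MSN.COM) flags SYN on interface inside"]:
        print(parse_denied(l)["iface"], "->", classify(l))
```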
That's another way to do it <8-]
ASKER
I have attached my scrubbed config @ both sites.
Thanks for the quick response guys. I need to get this resolved ASAP.
Site-A.txt
Site-B.txt
Like lrmoore said, add this to the Site A Firewall.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
ASKER CERTIFIED SOLUTION
ASKER
Thanks guys, the final hurdle @ this moment is to get internet access working @ site B. I get the following error when trying to access public IPs from site B:
Inbound TCP connection denied from 192.168.8.53/1173 to 65.55.12.249/80 (MSN.COM) flags SYN on interface inside
Please advise on which access rule to modify.
Thanks
Add this:
nat (inside) 1 0 0
ASKER
Sorry but I am still unable to get to the internet from Site B after running this command. Same error:
Inbound TCP connection denied from 192.168.8.53/1173 to 65.55.12.249/80 (MSN.COM) flags SYN on interface inside
OK, so you want to tunnel ALL traffic from site B through the VPN tunnel and out through the Site A Internet connection?
ASKER
Correct
Site A:
static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0