ACL issue with Cisco PIX VPN Tunnel

Hi Guys,

I've created an IPSec tunnel between two PIX 515E firewalls. I have opted to use the DMZ port from site A (192.168.7.1) to the outside port of site B (192.168.7.100).  I would like for users at both sites to tunnel to the "inside" interface at both sites.

Inside for Site A --> 192.168.1.0/24
Inside for Site B --> 192.168.8.0/24


I've got the tunnels set up. I'm now having an issue when trying to get from the "inside" network at Site B to the inside network at Site A.

Here is the error:

Inbound TCP connection denied from 192.168.8.51/1660 to 192.168.1.40/23 flags SYN  on interface DMZ

Any suggestions?
datgigrinch asked:
JFrederick29 commented:
Your crypto map ACL is wrong also.  Do this:

Site A:

conf t
access-list DMZ_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
no access-list DMZ_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 192.168.7.100
no crypto map Voice_map 20 set connection-type originate-only

Site B:

conf t
access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 host 192.168.7.1
no crypto map outside_map 20 set connection-type answer-only
 
JFrederick29 commented:
Do you have NAT setup?

Site A:

static (inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
 
lrmoore commented:
Can you post your config? It looks like a NAT issue.
You should have something like
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

And do you have sysopt connection permit-ipsec enabled?
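An added check, not from either poster, that models how a PIX-style access-list matches a flow and why both fixes above matter together: the crypto map ACLs on the two peers must be mirror images covering the inside networks, and the nat 0 list must exempt the same traffic from translation. The access-list text is the commands quoted in this thread; the function names and pass/fail logic are my own assumptions, and the model leaves out sysopt connection permit-ipsec and the interface ACL itself.

```python
import ipaddress
def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK') and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists take a real subnet mask here, not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit ip SRC DST' into (name, src_net, dst_net)."""
    tokens = line.split()
    name, rest = tokens[1], tokens[2:]
    if rest and rest[0] == "extended":
        rest = rest[1:]
    if rest[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE (only 'permit ip' is modelled): {line}")
    src, rest = _parse_addr(rest[2:])
    dst, _ = _parse_addr(rest)
    return name, src, dst

def acl_matches(acl_lines, src_ip, dst_ip):
    """True if any entry in the list permits src_ip -> dst_ip."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for _, src, dst in map(parse_ace, acl_lines))

def acls_are_mirrored(acl_a, acl_b):
    """Crypto-map ACLs must be mirror images: every (src, dst) on one peer is (dst, src) on the other."""
    a = {(src, dst) for _, src, dst in map(parse_ace, acl_a)}
    b = {(dst, src) for _, src, dst in map(parse_ace, acl_b)}
    return a == b

def check_flow(src_ip, dst_ip, crypto_acl, nat0_acl):
    """A flow only rides the tunnel untranslated if BOTH lists match it."""
    return {"in_crypto_acl": acl_matches(crypto_acl, src_ip, dst_ip),
            "nat_exempt": acl_matches(nat0_acl, src_ip, dst_ip)}

# Access-list text as quoted in the thread (OLD = before the fix, NEW = after).
SITE_A_CRYPTO_OLD = ["access-list DMZ_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 192.168.7.100"]
SITE_A_CRYPTO_NEW = ["access-list DMZ_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0"]
SITE_B_CRYPTO_OLD = ["access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 host 192.168.7.1"]
SITE_B_CRYPTO_NEW = ["access-list outside_20_cryptomap extended permit ip 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0"]
SITE_A_NAT0 = ["access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0"]

if __name__ == "__main__":
    # The return path for the denied SYN in the question: 192.168.1.40 back to 192.168.8.51, leaving Site A.
    print("old:", check_flow("192.168.1.40", "192.168.8.51", SITE_A_CRYPTO_OLD, SITE_A_NAT0))
    print("new:", check_flow("192.168.1.40", "192.168.8.51", SITE_A_CRYPTO_NEW, SITE_A_NAT0))
    print("mirrored:", acls_are_mirrored(SITE_A_CRYPTO_NEW, SITE_B_CRYPTO_NEW))
```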
 
JFrederick29 commented:
That's another way to do it <8-]
 
datgigrinch (author) commented:
I have attached my scrubbed config @ both sites.

Thanks for the quick response guys. I need to get this resolved ASAP.
Site-A.txt
Site-B.txt
 
JFrederick29 commented:
Like lrmoore said, add this to the Site A Firewall.

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
 
datgigrinch (author) commented:
Thanks guys, the final hurdle @ this moment is to get internet access working @ site B. I get the following error when trying to access public IPs from site B

Inbound TCP connection denied from 192.168.8.53/1173 to 65.55.12.249/80 (MSN.COM) flags SYN  on interface inside

Please advise on which access rule to modify

Thanks
 
JFrederick29 commented:
Add this:

nat (inside) 1 0 0
 
datgigrinch (author) commented:
Sorry but I am still unable to get to the internet from Site B after running this command. Same error:

Inbound TCP connection denied from 192.168.8.53/1173 to 65.55.12.249/80 (MSN.COM) flags SYN  on interface inside
 
lrmoore commented:
OK, so you want to tunnel ALL traffic from site B through the VPN tunnel and out through the Site A Internet connection?
 
datgigrinch (author) commented:
Correct