Solved

Pix 506 to 501 site to site vpn won't pass traffic

Posted on 2010-09-10
Last Modified: 2012-05-10
I finally got the tunnel to come up and establish, but I can't get it to pass any traffic.  Thought some more eyes on it might find something wrong.  thanks for the help!

Pix 506e
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname Pix506e
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.1 255.255.255.252
ip address inside 10.1.1.1 255.255.255.252
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route inside 192.168.2.0 255.255.255.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.1.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set pixtopix esp-des esp-md5-hmac
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 set peer 2.2.2.2
crypto map vpnmap 1 set transform-set pixtopix
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:e3f955a62102d75d6ecf7c6940854dd6
: end
-----------------------------------------------------------------------------------

Pix 501
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname PIX501
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.124.1-192.168.124.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set pixtopix esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vpnclient
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 set peer 1.1.1.1
crypto map vpnmap 1 set transform-set pixtopix
crypto map vpnmap 30 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup THE address-pool vpnpool
vpngroup THE dns-server 192.168.1.100
vpngroup THE wins-server 192.168.1.100
vpngroup THE split-tunnel nonat
vpngroup THE idle-time 86400
vpngroup THE password
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:34d6e387062fb3271f9f32ccb692214a
: end
Question by:jplagens
8 Comments
 
LVL 36

Expert Comment

by:ArneLovius
From "access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"

I trust you are trying to pass traffic from a host on the 192.168.2.0 subnet?

If you are testing from the router at the 506 site, or either of the PIXs, you would need to add crypto maps and NAT 0 options for them as well.

0
 
LVL 4

Author Comment

by:jplagens
Yes.  I'm trying to access the server at 192.168.1.100 from a workstation with ip 192.168.2.37
0
 
LVL 4

Author Comment

by:jplagens
I've also discovered that I can ping from the 192.168.1.0 network and the tunnel will establish with a QM_IDLE.  When I clear crypto isakmp sa and ping from the 192.168.2.0 network the tunnel will not come up and establish.  Seems to maybe be a routing issue on the 192.168.2.0 side.

The 506e sits in front of a UC560 router.  Here's the router config:

version 15.0
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service compress-config
service sequence-numbers
!
hostname UC560
!
boot-start-marker
boot-end-marker
!
card type t1 0 3
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone CST -6
clock summer-time CDT recurring
network-clock-participate wic 3
network-clock-select 1 T1 0/3/0
!        
crypto pki trustpoint TP-self-signed-3899896954
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3899896954
 revocation-check none
 rsakeypair TP-self-signed-3899896954
!
!
crypto pki certificate chain TP-self-signed-3899896954
 certificate self-signed 01
        quit
dot11 syslog
ip source-route
ip cef
!
!
ip dhcp relay information trust-all
ip dhcp excluded-address 172.16.2.1 172.16.2.9
ip dhcp excluded-address 172.16.2.241 172.16.2.255
ip dhcp excluded-address 192.168.2.1 192.168.2.9
ip dhcp excluded-address 192.168.2.241 192.168.2.255
!
ip dhcp pool phone
   network 172.16.2.0 255.255.255.0
   default-router 172.16.2.1
   option 150 ip 172.16.2.1
!
ip dhcp pool data
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 66.180.96.12 8.8.8.8
!
!
ip domain name
ip name-server 66.180.96.12
ip name-server 8.8.8.8
no ipv6 cef
!
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
!
!
!
multilink bundle-name authenticated
isdn switch-type primary-ni
!
!
trunk group ALL_FXO
 max-retry 5
 voice-class cause-code 1
 hunt-scheme longest-idle
!
!
trunk group ALL_T1E1
 hunt-scheme longest-idle
 translation-profile outgoing PROFILE_ALL_T1E1
!
!
voice call send-alert
voice rtp send-recv
!        
voice service voip
 allow-connections h323 to h323
 allow-connections h323 to sip
 allow-connections sip to h323
 allow-connections sip to sip
 supplementary-service h450.12
 sip
  no update-callerid
!
voice class codec 1
 codec preference 1 g711ulaw
 codec preference 2 g729r8
!
!
voice class cause-code 1
 no-circuit
!
voice register global
!
!
!
!
voice translation-rule 6
 rule 1 /1860/ /1860/
 rule 2 /1861/ /1861/
 rule 3 /1862/ /1862/
 rule 4 /1863/ /1863/
 rule 5 /1864/ /1864/
 rule 6 /1865/ /1865/
 rule 7 /1866/ /1866/
 rule 8 /1867/ /1867/
 rule 9 /1868/ /1868/
 rule 10 /1869/ /1869/
!
voice translation-rule 7
 rule 1 /1870/ /1870/
 rule 2 /1871/ /1871/
 rule 3 /1872/ /1872/
 rule 4 /1873/ /1873/
 rule 5 /1874/ /1874/
 rule 6 /1875/ /1875/
 rule 7 /1876/ /1876/
 rule 8 /1877/ /1877/
 rule 9 /1878/ /1878/
 rule 10 /1879/ /1879/
!
voice translation-rule 1000
 rule 1 /.*/ //
!
voice translation-rule 1112
 rule 1 /^9/ //
!
voice translation-rule 2001
!
voice translation-rule 2002
 rule 1 /^8/ //
!
voice translation-rule 2222
 rule 1 /^91900......./ //
 rule 2 /^91976......./ //
!
!
voice translation-profile CALLER_ID_TRANSLATION_PROFILE
 translate calling 1111
!
voice translation-profile CallBlocking
 translate called 2222
!
voice translation-profile OUTGOING_TRANSLATION_PROFILE
 translate called 1112
!
voice translation-profile PRI0_Called_6
 translate called 6
!
voice translation-profile PRI0_Called_7
 translate called 7
!
voice translation-profile PROFILE_ALL_T1E1
 translate calling 4
!
voice translation-profile XFER_TO_VM_PROFILE
 translate redirect-called 2002
!
voice translation-profile nondialable
 translate called 1000
!
!
voice-card 0
!
!
!
license udi pid UC560-T1E1-K9 sn FHK1420F1T9
archive
 log config
  logging enable
  logging size 600
  hidekeys
username administrator privilege 15 secret 5
!
!
controller T1 0/3/0
 pri-group timeslots 1-14,24
!
ip tftp source-interface Vlan90
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 !
!
interface Integrated-Service-Engine0/0
 ip unnumbered Vlan90
 ip nat inside
 ip virtual-reassembly
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
 !
!
interface GigabitEthernet0/1/0
 switchport mode trunk
 macro description cisco-switch
 !
!
interface GigabitEthernet0/1/1
 switchport mode trunk
 macro description cisco-switch
 !
!
interface GigabitEthernet0/1/2
 macro description cisco-desktop
 spanning-tree portfast
 !
!
interface GigabitEthernet0/1/3
 description Interface used to communicate with integrated service module
 switchport access vlan 90
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
 !
!
interface Serial0/3/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn supp-service name calling
 isdn sending-complete
 trunk-group ALL_T1E1
 no cdp enable
 !
!
interface Vlan1
 description Management VLAN
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan90
 ip address 10.1.10.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan100
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan200
 description Data Vlan
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.1.10.1 255.255.255.255 Vlan90
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
0
 
LVL 36

Accepted Solution

by:
ArneLovius earned 500 total points
the config for the router doesn't match the config for the PIX as the routing statements don't match

you also appear to have NAT running on the router, and the access lists do not appear to be attached to any interfaces.

I don't see how traffic goes between the two, did you obfuscate the PIX config?
0
 
LVL 4

Author Comment

by:jplagens
I removed NAT from the router as it's not needed anymore.  The router used to be the edge device.  Now it's the Pix 506.

The outside interface of the router is 10.1.1.2.  The default route of the router sends all traffic to the inside interface of the Pix at 10.1.1.1.

I only removed the public IP addresses and the passwords from the Pix configs.  Here is the current router config after the changes:

version 15.0
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service compress-config
service sequence-numbers
!
hostname UC560
!
boot-start-marker
boot-end-marker
!
card type t1 0 3
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone CST -6
clock summer-time CDT recurring
network-clock-participate wic 3
network-clock-select 1 T1 0/3/0
!        
crypto pki trustpoint TP-self-signed-3899896954
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3899896954
 revocation-check none
 rsakeypair TP-self-signed-3899896954
!
!
crypto pki certificate chain TP-self-signed-3899896954
 certificate self-signed 01
        quit
dot11 syslog
ip source-route
ip cef
!
!
ip dhcp relay information trust-all
ip dhcp excluded-address 172.16.2.1 172.16.2.9
ip dhcp excluded-address 172.16.2.241 172.16.2.255
ip dhcp excluded-address 192.168.2.1 192.168.2.9
ip dhcp excluded-address 192.168.2.241 192.168.2.255
!
ip dhcp pool phone
   network 172.16.2.0 255.255.255.0
   default-router 172.16.2.1
   option 150 ip 172.16.2.1
!
ip dhcp pool data
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 66.180.96.12 8.8.8.8
!
!
ip domain name
ip name-server 66.180.96.12
ip name-server 8.8.8.8
no ipv6 cef
!
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
!
!
!
multilink bundle-name authenticated
isdn switch-type primary-ni
!
!
trunk group ALL_FXO
 max-retry 5
 voice-class cause-code 1
 hunt-scheme longest-idle
!
!
trunk group ALL_T1E1
 hunt-scheme longest-idle
 translation-profile outgoing PROFILE_ALL_T1E1
!
voice-card 0
!
!
!
license udi pid UC560-T1E1-K9 sn FHK1420F1T9
archive
 log config
  logging enable
  logging size 600
  hidekeys
username administrator privilege 15 secret 5 $1$Ruo9$bgKB6x/3BnsrHJOSM.sT01
!
!
controller T1 0/3/0
 pri-group timeslots 1-14,24
!
ip tftp source-interface Vlan90
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.252
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 !
!
interface Integrated-Service-Engine0/0
 ip unnumbered Vlan90
 ip nat inside
 ip virtual-reassembly
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
 !
!
interface GigabitEthernet0/1/0
 switchport mode trunk
 macro description cisco-switch
 !
!
interface GigabitEthernet0/1/1
 switchport mode trunk
 macro description cisco-switch
 !
!
interface GigabitEthernet0/1/2
 macro description cisco-desktop
 spanning-tree portfast
 !
!
interface GigabitEthernet0/1/3
 description Interface used to communicate with integrated service module
 switchport access vlan 90
 service-module ip address 10.1.10.1 255.255.255.252
 service-module ip default-gateway 10.1.10.2
 !
!
interface Serial0/3/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn supp-service name calling
 isdn sending-complete
 trunk-group ALL_T1E1
 no cdp enable
 !
!
interface Vlan1
 description Management VLAN
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !        
!        
interface Vlan90
 ip address 10.1.10.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan100
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan200
 description Data Vlan
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.1.10.1 255.255.255.255 Vlan90
!
0
 
LVL 36

Expert Comment

by:ArneLovius
Oops, I hadn't seen that you had an address on a physical interface as well as the VLAN interfaces.

You still have "ip nat inside" on interface Vlan200.

With the traffic being NATed by the router, it won't pass the crypto map ACL...

If you want to keep the NAT rule, you need to add the router 10.1.1.2 address to the crypto map ACL on both ends.
0
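The point made in the two expert comments above (traffic that the router has NATed to 10.1.1.2, or that originates on the router itself, never matches the PIX's crypto ACL 101, so the tunnel is never triggered from the 192.168.2.0 side) can be checked with a small model. This is an added example, not code from the thread or from Cisco; it models only the address rewrite of the router's `ip nat inside source list 1 interface GigabitEthernet0/0 overload` rule and the `permit ip` entries of the PIX crypto ACLs, with the ACL lines taken from the configs posted above.

```python
import ipaddress

# PIX-style "address netmask" pair -> network
def pix_net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

# IOS standard-ACL "address wildcard" pair -> network (wildcard bits are don't-care)
def ios_net(addr, wildcard):
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

# PIX 506e: access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
PIX506_ACL_101 = [(pix_net("192.168.2.0", "255.255.255.0"), pix_net("192.168.1.0", "255.255.255.0"))]
# PIX 501:  access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
PIX501_ACL_101 = [(pix_net("192.168.1.0", "255.255.255.0"), pix_net("192.168.2.0", "255.255.255.0"))]

# UC560 (first config): access-list 1 sources are PAT'ed to the Gi0/0 address 10.1.1.2
ROUTER_NAT_SOURCES = [
    ios_net("172.16.2.0", "0.0.0.255"),
    ios_net("192.168.2.0", "0.0.0.255"),
    ios_net("10.1.10.0", "0.0.0.3"),
    ios_net("192.168.1.0", "0.0.0.255"),
]
ROUTER_OUTSIDE = ipaddress.IPv4Address("10.1.1.2")


def router_forward(src, dst, nat_enabled):
    """Return the (src, dst) pair the PIX inside interface sees after the router forwards it."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if nat_enabled and any(src in net for net in ROUTER_NAT_SOURCES):
        return ROUTER_OUTSIDE, dst          # overload NAT rewrites the source
    return src, dst


def matches_crypto_acl(src, dst, acl):
    """True if the packet is 'interesting traffic' for the crypto map (permit ip src dst)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(src in s_net and dst in d_net for s_net, d_net in acl)


def tunnel_triggered(src, dst, router_nat, acl=PIX506_ACL_101):
    """Does a packet from the 192.168.2.0 side reach the PIX 506e in a form that matches ACL 101?"""
    seen_src, seen_dst = router_forward(src, dst, router_nat)
    return matches_crypto_acl(seen_src, seen_dst, acl)


def acls_are_mirrored(local_acl, remote_acl):
    """Both peers' crypto ACLs must be exact mirror images or Phase 2 proxy IDs will not agree."""
    flipped = {(d, s) for s, d in remote_acl}
    return set(local_acl) == flipped


# The workaround from the comment above: keep NAT but add the router's 10.1.1.2 address to
# the crypto ACL on both ends (entries constructed here, not taken from the posted configs).
PIX506_ACL_WITH_ROUTER = PIX506_ACL_101 + [(pix_net("10.1.1.2", "255.255.255.255"), pix_net("192.168.1.0", "255.255.255.0"))]
PIX501_ACL_WITH_ROUTER = PIX501_ACL_101 + [(pix_net("192.168.1.0", "255.255.255.0"), pix_net("10.1.1.2", "255.255.255.255"))]

if __name__ == "__main__":
    # Workstation 192.168.2.37 -> server 192.168.1.100, as in the thread
    print("no router NAT :", tunnel_triggered("192.168.2.37", "192.168.1.100", router_nat=False))
    print("router NAT on :", tunnel_triggered("192.168.2.37", "192.168.1.100", router_nat=True))
    print("from router   :", tunnel_triggered("10.1.1.2", "192.168.1.100", router_nat=False))
    print("ACLs mirrored :", acls_are_mirrored(PIX506_ACL_101, PIX501_ACL_101))
```

The same check explains the first comment: a ping sourced from the router (10.1.1.2) or from a PIX interface address is outside ACL 101 and the nonat list, so it neither bypasses NAT nor brings the tunnel up.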
 
LVL 4

Author Comment

by:jplagens
Got it!  NAT enabled on the router was the issue.  The tunnel wouldn't establish because when I cleared out the tunnel using "clear crypto isakmp sa" I didn't put the isakmp policy back into the Pix 506e.

When I put the isakmp policy back in the tunnel came up and I can ping across now.

thanks!
0
 
LVL 36

Expert Comment

by:ArneLovius
Excellent, your PIX config was correct, it was the router behind it!

I'd hope that if you had posted both, I'd have answered it in one :-)
0