PIX 506 to 501 site-to-site VPN won't pass traffic
I finally got the tunnel to come up and establish, but I can't get it to pass any traffic. Thought some more eyes on it might find something wrong. Thanks for the help!
Pix 501
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname PIX501
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.124.1-192.168.124.10
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set pixtopix esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vpnclient
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 set peer 1.1.1.1
crypto map vpnmap 1 set transform-set pixtopix
crypto map vpnmap 30 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup THE address-pool vpnpool
vpngroup THE dns-server 192.168.1.100
vpngroup THE wins-server 192.168.1.100
vpngroup THE split-tunnel nonat
vpngroup THE idle-time 86400
vpngroup THE password
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:34d6e387062fb3271f9f32ccb692214a
: end
8/22/2022 - Mon
ArneLovius
from "access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 "
I trust you are trying to pass traffic from a host on the 192.168.2.0 subnet?
If you are testing from the router at the 506 site, or either of the PIXs, you would need to add crypto map and NAT 0 entries for them as well.
jplagens
ASKER
Yes. I'm trying to access the server at 192.168.1.100 from a workstation with ip 192.168.2.37
jplagens
ASKER
I've also discovered that I can ping from the 192.168.1.0 network and the tunnel will establish with a QM_IDLE. When I clear crypto isakmp sa and ping from the 192.168.2.0 network the tunnel will not come up and establish. Seems to maybe be a routing issue on the 192.168.2.0 side.
The 506e sits in front of a UC560 router. Here's the router config:
version 15.0
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service compress-config
service sequence-numbers
!
hostname UC560
!
boot-start-marker
boot-end-marker
!
card type t1 0 3
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone CST -6
clock summer-time CDT recurring
network-clock-participate wic 3
network-clock-select 1 T1 0/3/0
!
crypto pki trustpoint TP-self-signed-3899896954
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3899896954
revocation-check none
rsakeypair TP-self-signed-3899896954
!
!
crypto pki certificate chain TP-self-signed-3899896954
certificate self-signed 01
30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383939 38393639 3534301E 170D3130 30383330 31343536
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38393938
39363935 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B9FC 20F85EBE 6DCE8A8D F7B0F7F4 B61D329F C772955B E592E752 D2379E69
8F192D76 AC3C7DC9 20302578 AAB0DD0E 392204AE D230D5F5 ACACB124 1BF4E0B0
89F21C5B DF4728F7 770CA529 44A3F6DC F73D13D0 B315EEA9 5877A616 EB96B507
7771AED2 CB2AF1F7 EEAEEB33 204DA012 E95900E4 00731A83 0B35B433 C762EFD6
D6A30203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603
551D1104 12301082 0E546865 466F7267 655F5543 35363030 1F060355 1D230418
30168014 A7EB548C 28C34AB8 CD850A1D C55A9E19 8FA7EDFD 301D0603 551D0E04
160414A7 EB548C28 C34AB8CD 850A1DC5 5A9E198F A7EDFD30 0D06092A 864886F7
0D010104 05000381 81008088 A6E7E310 83B2CC36 232869B7 3243BA48 0456941A
0A3C421E 3AE5D7A5 B992A7A0 41B28BE2 8AC73C17 CA70DD7F 73BC8081 6F1E81E2
D14D6ACA 6C9697C2 14349317 44992095 8162745B 5BC06900 C679F89A 35352060
AC06BD26 37C60019 4C383FCC 3420FB3A 56A2F9CA E30CC7B4 916C52C9 EEEEB8FE
03F4AED2 604D3F4C 7AF8
quit
dot11 syslog
ip source-route
ip cef
!
!
ip dhcp relay information trust-all
ip dhcp excluded-address 172.16.2.1 172.16.2.9
ip dhcp excluded-address 172.16.2.241 172.16.2.255
ip dhcp excluded-address 192.168.2.1 192.168.2.9
ip dhcp excluded-address 192.168.2.241 192.168.2.255
!
ip dhcp pool phone
network 172.16.2.0 255.255.255.0
default-router 172.16.2.1
option 150 ip 172.16.2.1
!
ip dhcp pool data
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 66.180.96.12 8.8.8.8
!
!
ip domain name
ip name-server 66.180.96.12
ip name-server 8.8.8.8
no ipv6 cef
!
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
!
!
!
multilink bundle-name authenticated
isdn switch-type primary-ni
!
!
trunk group ALL_FXO
max-retry 5
voice-class cause-code 1
hunt-scheme longest-idle
!
!
trunk group ALL_T1E1
hunt-scheme longest-idle
translation-profile outgoing PROFILE_ALL_T1E1
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
sip
no update-callerid
!
voice class codec 1
codec preference 1 g711ulaw
codec preference 2 g729r8
!
!
voice class cause-code 1
no-circuit
!
voice register global
!
!
!
!
voice translation-rule 6
rule 1 /1860/ /1860/
rule 2 /1861/ /1861/
rule 3 /1862/ /1862/
rule 4 /1863/ /1863/
rule 5 /1864/ /1864/
rule 6 /1865/ /1865/
rule 7 /1866/ /1866/
rule 8 /1867/ /1867/
rule 9 /1868/ /1868/
rule 10 /1869/ /1869/
!
voice translation-rule 7
rule 1 /1870/ /1870/
rule 2 /1871/ /1871/
rule 3 /1872/ /1872/
rule 4 /1873/ /1873/
rule 5 /1874/ /1874/
rule 6 /1875/ /1875/
rule 7 /1876/ /1876/
rule 8 /1877/ /1877/
rule 9 /1878/ /1878/
rule 10 /1879/ /1879/
!
voice translation-rule 1000
rule 1 /.*/ //
!
voice translation-rule 1112
rule 1 /^9/ //
!
voice translation-rule 2001
!
voice translation-rule 2002
rule 1 /^8/ //
!
voice translation-rule 2222
rule 1 /^91900......./ //
rule 2 /^91976......./ //
!
!
voice translation-profile CALLER_ID_TRANSLATION_PROFILE
translate calling 1111
!
voice translation-profile CallBlocking
translate called 2222
!
voice translation-profile OUTGOING_TRANSLATION_PROFILE
translate called 1112
!
voice translation-profile PRI0_Called_6
translate called 6
!
voice translation-profile PRI0_Called_7
translate called 7
!
voice translation-profile PROFILE_ALL_T1E1
translate calling 4
!
voice translation-profile XFER_TO_VM_PROFILE
translate redirect-called 2002
!
voice translation-profile nondialable
translate called 1000
!
!
voice-card 0
!
!
!
license udi pid UC560-T1E1-K9 sn FHK1420F1T9
archive
log config
logging enable
logging size 600
hidekeys
username administrator privilege 15 secret 5
!
!
controller T1 0/3/0
pri-group timeslots 1-14,24
!
ip tftp source-interface Vlan90
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.1.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
!
interface Integrated-Service-Engine0/0
ip unnumbered Vlan90
ip nat inside
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
!
interface GigabitEthernet0/1/0
switchport mode trunk
macro description cisco-switch
!
!
interface GigabitEthernet0/1/1
switchport mode trunk
macro description cisco-switch
!
!
interface GigabitEthernet0/1/2
macro description cisco-desktop
spanning-tree portfast
!
!
interface GigabitEthernet0/1/3
description Interface used to communicate with integrated service module
switchport access vlan 90
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
!
interface Serial0/3/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn supp-service name calling
isdn sending-complete
trunk-group ALL_T1E1
no cdp enable
!
!
interface Vlan1
description Management VLAN
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan90
ip address 10.1.10.2 255.255.255.252
ip nat inside
ip virtual-reassembly
!
!
interface Vlan100
ip address 172.16.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan200
description Data Vlan
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.1.10.1 255.255.255.255 Vlan90
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
I removed NAT from the router as it's not needed anymore. The router used to be the edge device. Now it's the PIX 506.
The outside interface of the router is 10.1.1.2. The default route of the router sends all traffic to the inside interface of the PIX at 10.1.1.1.
I only removed the public IP addresses and the passwords from the PIX configs. Here is the current router config after the changes:
version 15.0
parser config cache interface
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service compress-config
service sequence-numbers
!
hostname UC560
!
boot-start-marker
boot-end-marker
!
card type t1 0 3
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone CST -6
clock summer-time CDT recurring
network-clock-participate wic 3
network-clock-select 1 T1 0/3/0
!
crypto pki trustpoint TP-self-signed-3899896954
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3899896954
revocation-check none
rsakeypair TP-self-signed-3899896954
!
!
crypto pki certificate chain TP-self-signed-3899896954
certificate self-signed 01
30820246 308201AF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383939 38393639 3534301E 170D3130 30383330 31343536
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38393938
39363935 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B9FC 20F85EBE 6DCE8A8D F7B0F7F4 B61D329F C772955B E592E752 D2379E69
8F192D76 AC3C7DC9 20302578 AAB0DD0E 392204AE D230D5F5 ACACB124 1BF4E0B0
89F21C5B DF4728F7 770CA529 44A3F6DC F73D13D0 B315EEA9 5877A616 EB96B507
7771AED2 CB2AF1F7 EEAEEB33 204DA012 E95900E4 00731A83 0B35B433 C762EFD6
D6A30203 010001A3 6E306C30 0F060355 1D130101 FF040530 030101FF 30190603
551D1104 12301082 0E546865 466F7267 655F5543 35363030 1F060355 1D230418
30168014 A7EB548C 28C34AB8 CD850A1D C55A9E19 8FA7EDFD 301D0603 551D0E04
160414A7 EB548C28 C34AB8CD 850A1DC5 5A9E198F A7EDFD30 0D06092A 864886F7
0D010104 05000381 81008088 A6E7E310 83B2CC36 232869B7 3243BA48 0456941A
0A3C421E 3AE5D7A5 B992A7A0 41B28BE2 8AC73C17 CA70DD7F 73BC8081 6F1E81E2
D14D6ACA 6C9697C2 14349317 44992095 8162745B 5BC06900 C679F89A 35352060
AC06BD26 37C60019 4C383FCC 3420FB3A 56A2F9CA E30CC7B4 916C52C9 EEEEB8FE
03F4AED2 604D3F4C 7AF8
quit
dot11 syslog
ip source-route
ip cef
!
!
ip dhcp relay information trust-all
ip dhcp excluded-address 172.16.2.1 172.16.2.9
ip dhcp excluded-address 172.16.2.241 172.16.2.255
ip dhcp excluded-address 192.168.2.1 192.168.2.9
ip dhcp excluded-address 192.168.2.241 192.168.2.255
!
ip dhcp pool phone
network 172.16.2.0 255.255.255.0
default-router 172.16.2.1
option 150 ip 172.16.2.1
!
ip dhcp pool data
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 66.180.96.12 8.8.8.8
!
!
ip domain name
ip name-server 66.180.96.12
ip name-server 8.8.8.8
no ipv6 cef
!
!
stcapp ccm-group 1
stcapp
!
stcapp feature access-code
!
!
!
!
multilink bundle-name authenticated
isdn switch-type primary-ni
!
!
trunk group ALL_FXO
max-retry 5
voice-class cause-code 1
hunt-scheme longest-idle
!
!
trunk group ALL_T1E1
hunt-scheme longest-idle
translation-profile outgoing PROFILE_ALL_T1E1
!
voice-card 0
!
!
!
license udi pid UC560-T1E1-K9 sn FHK1420F1T9
archive
log config
logging enable
logging size 600
hidekeys
username administrator privilege 15 secret 5 $1$Ruo9$bgKB6x/3BnsrHJOSM.sT01
!
!
controller T1 0/3/0
pri-group timeslots 1-14,24
!
ip tftp source-interface Vlan90
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.1.1.2 255.255.255.252
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
!
interface Integrated-Service-Engine0/0
ip unnumbered Vlan90
ip nat inside
ip virtual-reassembly
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
!
interface GigabitEthernet0/1/0
switchport mode trunk
macro description cisco-switch
!
!
interface GigabitEthernet0/1/1
switchport mode trunk
macro description cisco-switch
!
!
interface GigabitEthernet0/1/2
macro description cisco-desktop
spanning-tree portfast
!
!
interface GigabitEthernet0/1/3
description Interface used to communicate with integrated service module
switchport access vlan 90
service-module ip address 10.1.10.1 255.255.255.252
service-module ip default-gateway 10.1.10.2
!
!
interface Serial0/3/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn supp-service name calling
isdn sending-complete
trunk-group ALL_T1E1
no cdp enable
!
!
interface Vlan1
description Management VLAN
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan90
ip address 10.1.10.2 255.255.255.252
ip nat inside
ip virtual-reassembly
!
!
interface Vlan100
ip address 172.16.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan200
description Data Vlan
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http path flash:/gui
ip dns server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 10.1.10.1 255.255.255.255 Vlan90
!
ArneLovius
Oops, I hadn't seen that you had an address on a physical interface as well as the VLAN interfaces.
You still have "ip nat inside" on interface Vlan200.
With the traffic being NATed by the router, it won't pass the crypto map ACL...
If you want to keep the NAT rule, you need to add the router's 10.1.1.2 address to the crypto map ACL on both ends.
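The following script is an added example, not code from the original thread or from either participant. It models the two points raised in this thread: ArneLovius's first comment (traffic sourced from the router or from a PIX itself is not covered by the crypto map ACL) and the diagnosis above (IOS overload NAT on the UC560 rewrites the workstation's source address to 10.1.1.2 before the PIX 506 sees it, so the flow never matches the crypto ACL and no IPsec SA is negotiated). The PIX 501 ACLs and the UC560's access-list 1 are copied from the configs posted above; the PIX 506's crypto ACL is not shown in the thread and is assumed here to be the mirror image of the 501's access-list 101 (hypothetical). IOS NAT is modelled in its simplest form: translation only happens when the packet enters an `ip nat inside` interface, leaves an `ip nat outside` interface, and matches the inside source list, which is why removing `ip nat outside` from GigabitEthernet0/0 is represented as "NAT off".

```python
"""Walk a packet from the 192.168.2.0/24 LAN behind the UC560 to the
192.168.1.0/24 LAN behind the PIX 501 and check at each hop whether the flow
still matches the ACLs that drive the tunnel.  Added example, not code from
the original post.  The PIX 506 crypto ACL below is ASSUMED (mirror of the
501's access-list 101); the other ACL lines are copied from the thread."""
import ipaddress
import re

# PIX 6.3 extended ACE with netmasks: access-list NAME permit ip SRC MASK DST MASK
PIX_ACE = re.compile(
    r"access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# IOS standard ACE with a wildcard mask: access-list N permit NET WILDCARD
# ('host', 'any' and bare-address forms are not needed for access-list 1 here)
IOS_ACE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)$")

PIX501_ACLS = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.124.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
PIX506_ACLS_ASSUMED = """
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
UC560_NAT_LIST = """
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.3
access-list 1 permit 192.168.1.0 0.0.0.255
"""
UC560_OUTSIDE_IP = "10.1.1.2"  # Gi0/0: what overload NAT rewrites sources to


def pix_net(addr, netmask):
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def ios_net(addr, wildcard):
    # Wildcards are inverted netmasks; invert explicitly so that a 0.0.0.0
    # wildcard (one host) is never mistaken for a 0.0.0.0 netmask (/0).
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_pix_acl(text, name):
    """[(action, src_net, dst_net)] for one named PIX extended ACL, in order."""
    out = []
    for line in text.splitlines():
        m = PIX_ACE.match(line.strip())
        if m and m.group(1) == name:
            _, action, s, sm, d, dm = m.groups()
            out.append((action, pix_net(s, sm), pix_net(d, dm)))
    return out


def parse_ios_std_acl(text, number):
    """[(action, net)] for one numbered IOS standard ACL; remark lines skipped."""
    out = []
    for line in text.splitlines():
        m = IOS_ACE.match(line.strip())
        if m and m.group(1) == number:
            _, action, a, w = m.groups()
            out.append((action, ios_net(a, w)))
    return out


def pix_acl_permits(entries, src, dst):
    """First-match semantics with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False


def ios_std_acl_permits(entries, src):
    src = ipaddress.ip_address(src)
    for action, n in entries:
        if src in n:
            return action == "permit"
    return False


def uc560_translate(src, nat_outside_on_gi00):
    """Source the PIX 506 sees after 'ip nat inside source list 1 interface
    GigabitEthernet0/0 overload'.  Vlan200 is 'ip nat inside' in both posted
    configs, so translation hinges on Gi0/0 still being 'ip nat outside'."""
    nat_list = parse_ios_std_acl(UC560_NAT_LIST, "1")
    if nat_outside_on_gi00 and ios_std_acl_permits(nat_list, src):
        return UC560_OUTSIDE_IP
    return src


def mirror(entries):
    """Crypto ACL the far end must carry: same entries with src/dst swapped."""
    return [(a, d, s) for a, s, d in entries]


def tunnel_triggered_from_site_a(src, dst, nat_outside_on_gi00):
    """Does a packet from the UC560 LAN reach the 506 as interesting traffic?"""
    seen_by_506 = uc560_translate(src, nat_outside_on_gi00)
    return pix_acl_permits(parse_pix_acl(PIX506_ACLS_ASSUMED, "101"), seen_by_506, dst)


def return_path_on_501(src, dst):
    """(exempt_from_pat, encrypted) for a reply leaving the PIX 501's inside LAN."""
    nonat = parse_pix_acl(PIX501_ACLS, "nonat")
    crypto = parse_pix_acl(PIX501_ACLS, "101")
    return pix_acl_permits(nonat, src, dst), pix_acl_permits(crypto, src, dst)


if __name__ == "__main__":
    ws, srv = "192.168.2.37", "192.168.1.100"
    print("router NAT on :", tunnel_triggered_from_site_a(ws, srv, True))   # False
    print("router NAT off:", tunnel_triggered_from_site_a(ws, srv, False))  # True
    print("from router   :", tunnel_triggered_from_site_a("10.1.1.2", srv, False))  # False
    print("reply on 501  :", return_path_on_501(srv, ws))  # (True, True)
```

The "from router" case is the check behind the first comment in the thread: a ping sourced from the UC560 (or a PIX) carries 10.1.1.2 as its source, which no crypto map entry covers, so it is no better a test than the NATed workstation traffic. The `mirror()` helper is the check to run against the real 506 configuration once it is in hand: the 506's crypto ACL must equal `mirror(parse_pix_acl(PIX501_ACLS, "101"))` entry for entry, and if a NAT 0 / crypto map entry for 10.1.1.2 is added on one end, the mirrored entry must be added on the other.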
jplagens
ASKER
Got it! NAT enabled on the router was the issue. The tunnel wouldn't establish because when I cleared out the tunnel using "clear crypto isakmp sa" I didn't put the isakmp policy back into the PIX 506e.
When I put the isakmp policy back in, the tunnel came up and I can ping across now.