Solved

site to site vpn

Posted on 2011-03-14
487 Views
Last Modified: 2012-05-11
I'm having some trouble with a site-to-site VPN configuration. The VPN light is lit on the PIX at the remote site and I can access folders on a PC at the main office (e.g. \\mainpc\c$), but I can't do that from a PC at the main office to the remote office. Is there anything I'm doing wrong? Here's the configuration.

Remote Office
name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
ip address outside 65.x.x.x 255.255.255.248
ip address inside 10.241.7.254 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 65.x.x.9 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address 66.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
console timeout 0
dhcpd address 10.241.7.30-10.241.7.59 inside
dhcpd dns 10.240.1.12 205.152.144.23
dhcpd wins 10.240.1.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain jaxul.org
dhcpd auto_config outside
dhcpd enable inside


Main Office
ip address outside 66.x.x.x 255.255.255.240
ip address inside 10.240.1.254 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_180 permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
crypto map outside_map 180 ipsec-isakmp
crypto map outside_map 180 match address outside_cryptomap_180
crypto map outside_map 180 set peer 65.x.x.x
crypto map outside_map 180 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address 65.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Question by:y2kane4eva
10 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35129810
The config seems ok, did you check the routing on the machines?

Also, when trying to connect, is anything showing in the logs of the firewall(s)?
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35129942
Thanks for the quick response. The routing is correct on the machine. There are multiple remote offices connected to the main office and working fine; this problem is only with this remote office. I'll check the logs and post them.
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35130298
This is the log I'm getting from the remote PIX when I try to browse to a folder from the main office to the remote office.

106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106001: Inbound TCP connection denied from 10.240.1.12/1970 to 10.241.7.30/445 flags SYN  on interface outside
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35131750
OK, you might want to check the outside access list on the remote PIX. It looks like a line is missing:
access-list outside extended permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
Assuming the name of the access list is 'outside'.

 
LVL 1

Author Comment

by:y2kane4eva
ID: 35132029
When I type that in I get this message: "Ambiguous command. Please enter more characters." This stuff is really kicking my butt. I'm running out of ideas.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35132061
?
What exactly did you type?
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35132141
This is what I typed in:
access list inside_outbound_nat0_acl extended permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35132361
Try: access-list instead of access list.

Second, it's not the inside_outbound_nat0_acl.

Could you post all the access-list statements and the access-group statements so I (we) can see how it is set up?
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35132992
That worked, even without the access-group line. I used access-list instead of access list. I do have a question though, just for information purposes. The PIX at the other remote sites do not have all 3 lines to work, only 2, and they do not have the access-group command either. Just curious I guess. Thanks for your help.

Other remote configs:
access-list inside_outbound_nat0_acl permit ip 10.241.5.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.5.0 255.255.255.0 Subnet-Peak10 255.255.255.0

New remote config:
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
They only have
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35136189
Well, you can ignore the part about the access-group; that's for ASAs, not PIXes (got mixed up there).

The access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0 exempts traffic from Subnet-Peak10 to 10.241.7.0 from NAT. You don't want traffic to be natted when going through the VPN. However there isn't a similar statement in access-list outside_cryptomap_20. This access list matches the traffic that is being sent through the tunnel. So as a result traffic from Subnet-Peak10 to 10.241.7.0 won't pass through the VPN.
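As an added example (not from the thread), a small Python checker that applies the point Ernie makes above: it parses the name and access-list lines of both PIX configs, resolves the Subnet-Peak10 alias, and reports any crypto-map ACE that is not mirrored (source and destination swapped) on the peer or not exempted from NAT by the nat0 ACL. The two config strings are constructed from the lines quoted in the thread; the ACL names match the thread.

```python
import ipaddress
import re

# Constructed from the name/access-list lines quoted in the thread (sample input only).
REMOTE_CFG = """
name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
"""
MAIN_CFG = """
access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_180 permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
crypto map outside_map 180 match address outside_cryptomap_180
"""

ACE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse(cfg):
    """Return ({acl: [(src, dst)]}, {crypto ACL names}); PIX 'name' aliases resolved."""
    names, acls, crypto = {}, {}, set()
    for line in cfg.strip().splitlines():
        if line.startswith("name "):
            _, addr, alias = line.split()
            names[alias] = addr
        elif m := ACE.match(line):
            acl, s, sm, d, dm = m.groups()
            src = ipaddress.ip_network(f"{names.get(s, s)}/{sm}")
            dst = ipaddress.ip_network(f"{names.get(d, d)}/{dm}")
            acls.setdefault(acl, []).append((src, dst))
        elif line.startswith("crypto map") and " match address " in line:
            crypto.add(line.rsplit(" ", 1)[1])  # ACL that selects tunnel traffic
    return acls, crypto

def check_pair(local_cfg, peer_cfg, nat0="inside_outbound_nat0_acl"):
    """Findings: each local crypto ACE must be mirrored on the peer and NAT-exempt."""
    acls, crypto = parse(local_cfg)
    pacls, pcrypto = parse(peer_cfg)
    local = {e for n in crypto for e in acls.get(n, [])}
    peer = {e for n in pcrypto for e in pacls.get(n, [])}
    findings = []
    for src, dst in local:
        if (dst, src) not in peer:
            findings.append(f"peer crypto ACL has no mirror of {src} -> {dst}")
        if (src, dst) not in acls.get(nat0, []):
            findings.append(f"{nat0} does not exempt {src} -> {dst} from NAT")
    findings += [f"local crypto ACL has no mirror of peer entry {s} -> {d}"
                 for s, d in peer if (d, s) not in local]
    return findings
```

Run `check_pair(REMOTE_CFG, MAIN_CFG)` and `check_pair(MAIN_CFG, REMOTE_CFG)`; an empty list means the crypto and nat0 ACLs on both sides agree, and each string returned names the side and subnet pair that needs a line.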
