  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 497

site to site vpn

I'm having some trouble with a site-to-site VPN configuration. The VPN light is lit on the PIX at the remote site and I can access folders on a PC at the main office (e.g. \\mainpc\c$), but I can't do that from a PC at the main office to the remote office. Is there anything I'm doing wrong? Here's the configuration.

Remote Office
name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
ip address outside 65.x.x.x 255.255.255.248
ip address inside 10.241.7.254 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 65.x.x.9 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address 66.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
console timeout 0
dhcpd address 10.241.7.30-10.241.7.59 inside
dhcpd dns 10.240.1.12 205.152.144.23
dhcpd wins 10.240.1.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain jaxul.org
dhcpd auto_config outside
dhcpd enable inside


Main Office
ip address outside 66.x.x.x 255.255.255.240
ip address inside 10.240.1.254 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_180 permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
crypto map outside_map 180 ipsec-isakmp
crypto map outside_map 180 match address outside_cryptomap_180
crypto map outside_map 180 set peer 65.x.x.x
crypto map outside_map 180 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address 65.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Asked: y2kane4eva
1 Solution
 
Ernie Beek (Expert) commented:
The config seems ok, did you check the routing on the machines?

Also, when trying to connect, is anything showing in the logs of the firewall(s)?
 
y2kane4eva (Author) commented:
Thanks for the quick response. The routing is correct on the machine. There are multiple remote offices connected to the main office and working fine; this problem is only with this remote office. I'll check the logs and post them.
 
y2kane4eva (Author) commented:
This is the log I'm getting from the remote PIX when I try to browse to a folder from the main office to the remote office.

106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106001: Inbound TCP connection denied from 10.240.1.12/1970 to 10.241.7.30/445 flags SYN  on interface outside
 
Ernie Beek (Expert) commented:
Ok, you might want to check the outside access list on the remote PIX. It looks like a line is missing:
access-list outside extended permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
Assuming the name of the access list is 'outside'.

 
y2kane4eva (Author) commented:
When I type that in I get this message: "Ambiguous command. Please enter more characters." This stuff is really kicking my butt. I'm running out of ideas.
 
Ernie Beek (Expert) commented:
?
What exactly did you type?
 
y2kane4eva (Author) commented:
This is what I typed in:
access list inside_outbound_nat0_acl extended permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
 
Ernie Beek (Expert) commented:
try: access-list instead of access list

Second, it's not the inside_outbound_nat0_acl.

Could you post all the access-list statements and the access-group statements so I (we) can see how it is set up?
 
y2kane4eva (Author) commented:
That worked, even without the access-group line. I used access-list instead of access list. I do have a question though, just for information purposes. The PIXes at the other remote sites do not have all 3 lines to work, only 2, and they do not have the access-group command either. Just curious I guess. Thanks for your help.

Other remote configs:
access-list inside_outbound_nat0_acl permit ip 10.241.5.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.5.0 255.255.255.0 Subnet-Peak10 255.255.255.0

New remote config:
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0

They only have
 
Ernie Beek (Expert) commented:
Well, you can ignore the part about the access-group, that's for ASAs, not PIXes (got mixed up there).

The access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0 exempts traffic from Subnet-Peak10 to 10.241.7.0 from NAT. You don't want traffic to be natted when going through the VPN. However there isn't a similar statement in access-list outside_cryptomap_20. This access list matches the traffic that is being sent through the tunnel. So as a result traffic from Subnet-Peak10 to 10.241.7.0 won't pass through the VPN.
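As an added example (not the poster's configuration and not Cisco code), here is a small Python checker for the two configs posted above and the remote PIX's log. It resolves the `name` alias, confirms that the crypto-map ACLs on the two peers are mirror images and that each is NAT-exempt on its own PIX, and then classifies the 106001/106014 denials by whether the peer's crypto ACL says the flow belongs in the tunnel and whether the local nat 0 ACL covers it explicitly or only through the reverse entry (the explicit entry being what the poster added; the checker takes no position on whether it is required, since the other remote sites work without it). The sample configs and log lines are constructed from the thread; the regular expressions handle only the `permit ip` access-list form and the two log formats shown here.

```python
# Added checker for the PIX site-to-site VPN ACLs in this thread; not the poster's config or Cisco code.
import ipaddress
import re

# Constructed sample: the two posted configs cut down to the lines that matter.
REMOTE_CONFIG = """
name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
# The statement the poster added on the remote PIX.
REMOTE_FIX = "access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0\n"

MAIN_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_180 permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 180 match address outside_cryptomap_180
"""

# Constructed log lines in the two syslog formats the remote PIX printed in the thread.
SAMPLE_LOG = """
106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106001: Inbound TCP connection denied from 10.240.1.12/1970 to 10.241.7.30/445 flags SYN  on interface outside
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)$")
# Only the 'permit ip SRC MASK DST MASK' form used in the thread; no ports or other protocols.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")
CRYPTO_RE = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)$")
# Matches 106001 ('from A/port to B/port') and 106014 ('src outside:A dst inside:B').
LOG_RE = re.compile(r"(?:from |src \w+:)(\d+(?:\.\d+){3})(?:/\d+)? (?:to |dst \w+:)(\d+(?:\.\d+){3})")


def parse_config(text):
    """Reduce a PIX config to {'acls': name -> [(src_net, dst_net)],
    'nat0': ACLs bound by 'nat (...) 0', 'crypto': ACLs bound by 'match address'}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    names = {m.group(2): m.group(1) for ln in lines if (m := NAME_RE.match(ln))}
    acls, nat0, crypto = {}, set(), set()
    for line in lines:
        if m := ACL_RE.match(line):
            acl, src, smask, dst, dmask = m.groups()
            # Resolve 'name' aliases, then build networks from the dotted masks.
            src_net = ipaddress.ip_network(f"{names.get(src, src)}/{smask}", strict=False)
            dst_net = ipaddress.ip_network(f"{names.get(dst, dst)}/{dmask}", strict=False)
            acls.setdefault(acl, []).append((src_net, dst_net))
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif m := CRYPTO_RE.match(line):
            crypto.add(m.group(1))
    return {"acls": acls, "nat0": nat0, "crypto": crypto}


def entries(cfg, bound_to):
    """All (src, dst) pairs in the ACLs listed under cfg[bound_to] ('nat0' or 'crypto')."""
    return {e for acl in cfg[bound_to] for e in cfg["acls"].get(acl, [])}


def check_peer_pair(pix, peer):
    """Findings for one PIX given its peer's config: every crypto-map entry here must
    appear as its mirror image in the peer's crypto ACL, and must be NAT-exempt here."""
    findings = []
    pix_nat0, peer_crypto = entries(pix, "nat0"), entries(peer, "crypto")
    for src, dst in sorted(entries(pix, "crypto"), key=str):
        if (dst, src) not in peer_crypto:
            findings.append(f"peer crypto ACL has no mirror of {src} -> {dst}")
        if (src, dst) not in pix_nat0:
            findings.append(f"nat 0 ACL does not exempt {src} -> {dst}")
    return findings


def exemption(flow_src, flow_dst, cfg):
    """How this PIX's nat 0 ACL covers a flow: 'explicit' (an entry in the flow's own
    direction), 'mirror' (only the reverse entry), or 'none'."""
    nat0 = entries(cfg, "nat0")
    if any(flow_src in s and flow_dst in d for s, d in nat0):
        return "explicit"
    if any(flow_dst in s and flow_src in d for s, d in nat0):
        return "mirror"
    return "none"


def explain_denials(log_text, pix, peer):
    """For each denied flow logged on this PIX, report whether the peer's crypto ACL says it
    should have come through the tunnel and how this PIX's nat 0 ACL covers it."""
    peer_crypto, out = entries(peer, "crypto"), []
    for line in log_text.splitlines():
        if not (m := LOG_RE.search(line)):
            continue
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        via_vpn = any(src in s and dst in d for s, d in peer_crypto)
        out.append((str(src), str(dst), via_vpn, exemption(src, dst, pix)))
    return out


if __name__ == "__main__":
    remote, main = parse_config(REMOTE_CONFIG), parse_config(MAIN_CONFIG)
    print("crypto/nat0 findings on remote:", check_peer_pair(remote, main) or "none")
    for row in explain_denials(SAMPLE_LOG, remote, main):
        print("denied %s -> %s  via_vpn=%s  nat0 coverage=%s" % row)
    for row in explain_denials(SAMPLE_LOG, parse_config(REMOTE_CONFIG + REMOTE_FIX), main):
        print("after fix: %s -> %s  via_vpn=%s  nat0 coverage=%s" % row)
```

Run it against a real pair of configs by pasting each `show run` into the two strings; a mismatch in `check_peer_pair` (for example one side typed 10.241.5.0 where the other has 10.241.7.0) shows up as a missing mirror entry before any packets are sent, and the denial classifier tells you whether a logged drop is tunnel traffic at all.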