Solved

Site to site VPN

Posted on 2011-03-14
10
482 Views
Last Modified: 2012-05-11
I'm having some trouble with a site-to-site VPN configuration. The VPN light is lit on the PIX at the remote site and I can access the folders on a PC at the main office (e.g. \\mainpc\c$), but I can't do that from a PC at the main office to the remote office. Is there anything I'm doing wrong? Here's the configuration.

Remote Office
name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
ip address outside 65.x.x.x 255.255.255.248
ip address inside 10.241.7.254 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 65.x.x.9 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address 66.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
console timeout 0
dhcpd address 10.241.7.30-10.241.7.59 inside
dhcpd dns 10.240.1.12 205.152.144.23
dhcpd wins 10.240.1.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain jaxul.org
dhcpd auto_config outside
dhcpd enable inside


Main Office
ip address outside 66.x.x.x 255.255.255.240
ip address inside 10.240.1.254 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_180 permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
crypto map outside_map 180 ipsec-isakmp
crypto map outside_map 180 match address outside_cryptomap_180
crypto map outside_map 180 set peer 65.x.x.x
crypto map outside_map 180 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address 65.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
0
Comment
Question by:y2kane4eva
10 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35129810
The config seems ok, did you check the routing on the machines?

Also, when trying to connect, is anything showing in the logs of the firewall(s)?
0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35129942
Thanks for the quick response. The routing is correct on the machine. There are multiple remote offices connected to the main office and working fine; this problem is only with this remote office. I'll check the logs and post them.
0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35130298
This is the log I'm getting from the remote PIX when I try to browse to a folder from the main office to the remote office.

106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106001: Inbound TCP connection denied from 10.240.1.12/1970 to 10.241.7.30/445 flags SYN  on interface outside
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35131750
Ok, you might want to check the outside access list on the remote PIX. It looks like a line is missing:
access-list outside extended permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
Assuming the name of the access list is 'outside'.

0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35132029
When I type that in I get this message: "Ambiguous command. Please enter more characters." This stuff is really kicking my butt. I'm running out of ideas.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35132061
?
What exactly did you type?
0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35132141
This is what I typed in:
access list inside_outbound_nat0_acl extended permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35132361
try: access-list instead of access list

Second, it's not the inside_outbound_nat0_acl.

Could you post all the access-list statements and the access-group statements so I (we) can see how it is set up?
0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35132992
That worked, even without the access-group line. I used access-list instead of access list. I do have a question though, just for information purposes. The PIXes at the other remote sites do not have all 3 lines to work, only 2, and they do not have the access-group command either. Just curious I guess. Thanks for your help.

Other remote configs:
access-list inside_outbound_nat0_acl permit ip 10.241.5.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.5.0 255.255.255.0 Subnet-Peak10 255.255.255.0

New remote config:
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0

They only have
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35136189
Well, you can ignore the part about the access-group, that's for ASAs, not PIXes (got mixed up there).

The access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0 exempts traffic from Subnet-Peak10 to 10.241.7.0 from NAT. You don't want traffic to be natted when going through the VPN. However there isn't a similar statement in access-list outside_cryptomap_20. This access list matches the traffic that is being sent through the tunnel. So as a result traffic from Subnet-Peak10 to 10.241.7.0 won't pass through the VPN.
0
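As an added illustration (not from this thread or from Cisco), here is a small Python audit of the point made above: it parses PIX access-list lines like the ones posted, resolves `name` aliases, and reports crypto-map ACL entries that are not mirrored on the peer as well as nat 0 entries that have no matching crypto ACL entry. The sample configs are constructed from the addresses in this thread.

```python
import ipaddress
import re

# Constructed sample configs built from the subnets in this thread (not the poster's full config).
REMOTE_CFG = """
name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
"""
MAIN_CFG = """
access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_180 permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
"""

# PIX ACL entry: access-list NAME [extended] permit ip SRC SRCMASK DST DSTMASK (masks are netmasks)
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_acls(cfg):
    """Return {acl_name: [(src_net, dst_net), ...]} with 'name' aliases resolved."""
    aliases, acls = {}, {}
    for line in cfg.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) == 3:
            aliases[parts[2]] = parts[1]  # alias -> address
            continue
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        acl, src, smask, dst, dmask = m.groups()
        src_net = ipaddress.ip_network(f"{aliases.get(src, src)}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{aliases.get(dst, dst)}/{dmask}", strict=False)
        acls.setdefault(acl, []).append((src_net, dst_net))
    return acls


def crypto_mirror_gaps(local_crypto, peer_crypto):
    """Crypto ACL entries on this side whose reverse (dst->src) is missing on the peer."""
    mirrored = {(d, s) for s, d in peer_crypto}
    return [entry for entry in local_crypto if entry not in mirrored]


def nat0_not_in_crypto(nat0, crypto):
    """nat 0 entries exempted from NAT but never matched by the crypto ACL (so never encrypted)."""
    return [entry for entry in nat0 if entry not in set(crypto)]
```

Running the two checks on the sample configs shows the peers' crypto ACLs mirror each other, while the extra Subnet-Peak10 to 10.241.7.0 nat 0 line on the remote PIX is flagged as having no crypto counterpart.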
