site to site vpn

Posted on 2011-03-14
Last Modified: 2012-05-11
I'm having some trouble with a site to site VPN configuration. The VPN light is lit on the PIX at the remote site and I can access folders on a PC at the main office (e.g. \\mainpc\c$), but I can't do that from a PC at the main office to the remote office. Is there anything I'm doing wrong? Here's the configuration.

Remote Office
name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
ip address outside 65.x.x.x 255.255.255.248
ip address inside 10.241.7.254 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 65.x.x.9 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address 66.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
console timeout 0
dhcpd address 10.241.7.30-10.241.7.59 inside
dhcpd dns 10.240.1.12 205.152.144.23
dhcpd wins 10.240.1.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain jaxul.org
dhcpd auto_config outside
dhcpd enable inside


Main Office
ip address outside 66.x.x.x 255.255.255.240
ip address inside 10.240.1.254 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_180 permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
crypto map outside_map 180 ipsec-isakmp
crypto map outside_map 180 match address outside_cryptomap_180
crypto map outside_map 180 set peer 65.x.x.x
crypto map outside_map 180 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address 65.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Question by: y2kane4eva

Expert Comment by: Ernie Beek
The config seems ok, did you check the routing on the machines?

Also, when trying to connect, is anything showing in the logs of the firewall(s)?
Author Comment by: y2kane4eva
Thanks for the quick response. The routing is correct on the machine. There are multiple remote offices connected to the main office and working fine; this problem is only with this remote office. I'll check the logs and post them.
Author Comment by: y2kane4eva
This is the log I'm getting from the remote PIX when I try to browse to a folder from the main office to the remote office.

106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106001: Inbound TCP connection denied from 10.240.1.12/1970 to 10.241.7.30/445 flags SYN  on interface outside
Expert Comment by: Ernie Beek
Ok, you might want to check the outside access list on the remote PIX. It looks like a line is missing:
access-list outside extended permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
Assuming the name of the access list is 'outside'.

Author Comment by: y2kane4eva
When I type that in I get this message: "Ambiguous command. Please enter more characters." This stuff is really kicking my butt. I'm running out of ideas.
Expert Comment by: Ernie Beek
?
What exactly did you type?
Author Comment by: y2kane4eva
This is what I typed in:
access list inside_outbound_nat0_acl extended permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
Accepted Solution by: Ernie Beek (earned 500 total points)
Try: access-list instead of access list

Second, it's not the inside_outbound_nat0_acl.

Could you post all the access-list statements and the access-group statements so I (we) can see how it is set up?
Author Comment by: y2kane4eva
That worked, even without the access-group line. I used access-list instead of access list. I do have a question though, just for information purposes. The PIXes at the other remote sites do not have all 3 lines to work, only 2, and they do not have the access-group command either. Just curious I guess. Thanks for your help.

Other remote configs:
access-list inside_outbound_nat0_acl permit ip 10.241.5.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.5.0 255.255.255.0 Subnet-Peak10 255.255.255.0

New remote config:
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0

They only have

Expert Comment by: Ernie Beek
Well, you can ignore the part about the access-group, that's for ASAs not PIXes (got mixed up there).

The line access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0 exempts traffic from Subnet-Peak10 to 10.241.7.0 from NAT. You don't want traffic to be NATted when going through the VPN. However, there isn't a similar statement in access-list outside_cryptomap_20. This access list matches the traffic that is being sent through the tunnel. So as a result, traffic from Subnet-Peak10 to 10.241.7.0 won't pass through the VPN.
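As an added example (not code from the thread or from Cisco), here is a small Python checker that parses the PIX `name` and `access-list` lines posted above and verifies the two relationships this last comment relies on: every crypto-map ACL flow has a covering nat 0 exemption on the same box, and the remote crypto ACL mirrors the main office's. The sample configs are constructed from the thread's own lines; the ACL names are the thread's, the function names are mine.

```python
"""Audit a PIX 6.x site-to-site VPN config pair: each crypto-map ACL flow needs a
matching nat 0 exemption on the same box, and the peer's crypto ACL must mirror it."""
import ipaddress
import re

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]}, resolving 'name' aliases."""
    names, acls = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)          # alias -> address
        elif m := ACL_RE.match(line):
            acl, src, smask, dst, dmask = m.groups()
            flow = (ipaddress.ip_network(f"{names.get(src, src)}/{smask}"),
                    ipaddress.ip_network(f"{names.get(dst, dst)}/{dmask}"))
            acls.setdefault(acl, []).append(flow)
    return acls

def missing_nat_exempt(acls, crypto_acl, nat0_acl):
    """Crypto flows with no covering nat 0 entry: 'nat (inside) 1' would PAT them first."""
    exempt = acls.get(nat0_acl, [])
    return [(s, d) for s, d in acls.get(crypto_acl, [])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

def unmirrored(local_acls, local_crypto, peer_acls, peer_crypto):
    """Local crypto flows whose reverse (dst->src) is absent from the peer's crypto ACL."""
    peer_flows = set(peer_acls.get(peer_crypto, []))
    return [(s, d) for s, d in local_acls.get(local_crypto, []) if (d, s) not in peer_flows]

# Constructed samples built from the lines posted in the thread.
REMOTE = """name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
"""
MAIN = """access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_180 permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
"""
# Constructed failure case: the nat 0 line was forgotten on the remote box.
REMOTE_NO_NAT0 = "\n".join(l for l in REMOTE.splitlines() if "nat0" not in l)

if __name__ == "__main__":
    r, m = parse_acls(REMOTE), parse_acls(MAIN)
    print("remote nat0 gaps:", missing_nat_exempt(r, "outside_cryptomap_20", "inside_outbound_nat0_acl"))
    print("unmirrored flows:", unmirrored(r, "outside_cryptomap_20", m, "outside_cryptomap_180"))
    print("broken remote:", missing_nat_exempt(parse_acls(REMOTE_NO_NAT0), "outside_cryptomap_20", "inside_outbound_nat0_acl"))
```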