Solved

site to site vpn

Posted on 2011-03-14
10
Medium Priority
490 Views
Last Modified: 2012-05-11
I'm having some trouble with a site to site VPN configuration. The VPN light is lit on the PIX at the remote site and I can access the folders on a PC at the main office (e.g. \\mainpc\c$), but I can't do that from a PC at the main office to the remote office. Is there anything I'm doing wrong? Here's the configuration.

       
Remote Office
name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
ip address outside 65.x.x.x 255.255.255.248
ip address inside 10.241.7.254 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 65.x.x.9 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 66.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address 66.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
console timeout 0
dhcpd address 10.241.7.30-10.241.7.59 inside
dhcpd dns 10.240.1.12 205.152.144.23
dhcpd wins 10.240.1.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain jaxul.org
dhcpd auto_config outside
dhcpd enable inside


Main Office
ip address outside 66.x.x.x 255.255.255.240
ip address inside 10.240.1.254 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_180 permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
crypto map outside_map 180 ipsec-isakmp
crypto map outside_map 180 match address outside_cryptomap_180
crypto map outside_map 180 set peer 65.x.x.x
crypto map outside_map 180 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxxxxxxxxx address 65.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
0
Comment
Question by:y2kane4eva
10 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35129810
The config seems ok, did you check the routing on the machines?

Also, when trying to connect, is anything showing in the logs of the firewall(s)?
0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35129942
Thanks for the quick response. The routing is correct on the machine. There are multiple remote offices connected to the main office and working fine; this problem is only with this remote office. I'll check the logs and post them.
0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35130298
This is the log I'm getting from the remote PIX when I try to browse to a folder from the main office to the remote office.

106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106014: Deny inbound icmp src outside:10.240.1.12 dst inside:10.241.7.30 (type 8, code 0)
106001: Inbound TCP connection denied from 10.240.1.12/1971 to 10.241.7.30/139 flags SYN  on interface outside
106001: Inbound TCP connection denied from 10.240.1.12/1970 to 10.241.7.30/445 flags SYN  on interface outside
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35131750
Ok, you might want to check the outside access list on the remote PIX. It looks like a line is missing:
access-list outside extended permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
Assuming the name of the access list is 'outside'.

0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35132029
When I type that in I get this message: "Ambiguous command. Please enter more characters." This stuff is really kicking my butt. I'm running out of ideas.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35132061
What exactly did you type?
0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35132141
This is what I typed in:
access list inside_outbound_nat0_acl extended permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35132361
Try: access-list instead of access list.

Second, it's not the inside_outbound_nat0_acl.

Could you post all the access-list statements and the access-group statements so I (we) can see how it is set up?
0
 
LVL 1

Author Comment

by:y2kane4eva
ID: 35132992
That worked, even without the access-group line. I used access-list instead of access list. I do have a question though, just for information purposes. The PIXes at the other remote sites do not have all 3 lines to work, only 2, and they do not have the access-group command either. Just curious I guess. Thanks for your help.

other remote configs.
access-list inside_outbound_nat0_acl permit ip 10.241.5.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.5.0 255.255.255.0 Subnet-Peak10 255.255.255.0

new remote config
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0

They only have
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35136189
Well, you can ignore the part about the access-group, that's for ASAs, not PIXes (got mixed up there).

The access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0 exempts traffic from Subnet-Peak10 to 10.241.7.0 from NAT. You don't want traffic to be natted when going through the VPN. However there isn't a similar statement in access-list outside_cryptomap_20. This access list matches the traffic that is being sent through the tunnel. So as a result traffic from Subnet-Peak10 to 10.241.7.0 won't pass through the VPN.
0
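The rule Ernie describes can be checked mechanically. The following is an added example, not code from the thread: it parses the ACL lines posted above (with the `name` alias resolved), verifies that every flow in the crypto map ACL is also NAT-exempt, flags NAT-exempt flows with no crypto counterpart (the "new remote config" case), and confirms the two peers' crypto ACLs are mirror images. The sample configs are constructed from the thread's lines; the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed samples, copied from the ACL lines in this thread (not a full PIX config).
REMOTE_CFG = """
name 10.240.1.0 Subnet-Peak10
access-list inside_outbound_nat0_acl permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.241.7.0 255.255.255.0 Subnet-Peak10 255.255.255.0
"""
MAIN_CFG = """
access-list inside_outbound_nat0_acl permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
access-list outside_cryptomap_180 permit ip 10.240.1.0 255.255.255.0 10.241.7.0 255.255.255.0
"""
# The "new remote config" from the thread: an extra NAT-exempt line with no crypto counterpart.
NEW_REMOTE_CFG = REMOTE_CFG + (
    "access-list inside_outbound_nat0_acl permit ip Subnet-Peak10 255.255.255.0 10.241.7.0 255.255.255.0\n"
)

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acls(cfg):
    """Return {acl_name: {(src_net, dst_net)}} with 'name' aliases resolved to networks."""
    names, acls = {}, {}
    for line in map(str.strip, cfg.splitlines()):
        m = NAME_RE.match(line)
        if m:                       # name <ip> <alias>
            names[m.group(2)] = m.group(1)
            continue
        m = ACL_RE.match(line)
        if m:                       # access-list <acl> permit ip <src> <mask> <dst> <mask>
            acl, s, sm, d, dm = m.groups()
            src = ip_network(f"{names.get(s, s)}/{sm}")
            dst = ip_network(f"{names.get(d, d)}/{dm}")
            acls.setdefault(acl, set()).add((src, dst))
    return acls


def check_tunnel(local, crypto, nat0, peer, peer_crypto):
    """Return a list of findings for one side of the tunnel (empty list means consistent)."""
    findings = []
    crypto_flows, nat0_flows = local.get(crypto, set()), local.get(nat0, set())
    for src, dst in crypto_flows:          # tunneled traffic must bypass NAT
        if (src, dst) not in nat0_flows:
            findings.append(f"{src}->{dst} in {crypto} is not NAT-exempt in {nat0}")
    for src, dst in nat0_flows - crypto_flows:   # NAT-exempt but never sent into the tunnel
        findings.append(f"{src}->{dst} in {nat0} has no matching line in {crypto}")
    mirror = {(d, s) for s, d in crypto_flows}
    if mirror != peer.get(peer_crypto, set()):   # peers' crypto ACLs must be mirror images
        findings.append(f"{crypto} is not the mirror of peer ACL {peer_crypto}")
    return findings
```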
