Velocity Reviews - Computer Hardware Reviews
PIX lan-to-lan IPSEC comes up...no traffic passes tunnel

Arjan
11-02-2005
I am looking for some help on this problem.

I managed to set up a LAN-to-LAN IPSEC tunnel between a PIX 515 (IOS 6.3)
on one end and a back-to-back ISA2004 on the other end.

I can initiate a tunnel at both ends however the following happens:

When I initiate a tunnel from the ISA site the tunnel comes up and all
wanted traffic flows through the tunnel (RDP, HTTP, ICMP, etc.).
At that same moment I can also create the same traffic from the PIX
site.

When I initiate a tunnel from the PIX site the tunnel comes up but NO
traffic is passed through the tunnel.
Creating traffic on the ISA site causes the creation of another
tunnel.

My guess is ACL lists not being what they should be. Can anyone tell
me what I am missing in my PIX config?
Traffic to LAN 10.1.0.0 /16 should go through the tunnel

This is my current config (some lines deleted):

PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
...
...
names
name 192.168.10.1 AAADC01
name 192.168.10.2 AAAFS01
name 192.168.100.1 AAADZ01
name zzz.zzz.zzz.17 remote_AAT
name 192.168.50.0 BBBDMZ
name 192.168.1.0 BBBFWLAN
name 10.1.0.0 BBBLAN
access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 BBBDMZ 255.255.255.0
access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 BBBLAN 255.255.0.0
access-list inside_access_in permit udp host AAADC01 any eq domain
access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 host AAADZ01
access-list inside_access_in permit tcp 192.168.10.0 255.255.255.0 host remote_AAT eq 15948
access-list outside_cryptomap_dyn_10 permit ip any 192.168.10.240 255.255.255.240
access-list DMZ_access_in permit udp host AAADZ01 any eq domain
access-list DMZ_access_in permit tcp host AAADZ01 any eq www
access-list DMZ_access_in permit tcp host AAADZ01 any eq https
access-list DMZ_access_in permit tcp host AAADZ01 any eq ftp
access-list DMZ_access_in permit tcp host AAADZ01 any eq ftp-data
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBLAN 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBDMZ 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.10.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBFWLAN 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBLAN 255.255.0.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBDMZ 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBFWLAN 255.255.255.0
pager lines 24
logging on
logging standby
icmp permit any outside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside yyy.yyy.yyy.194 255.255.255.240
ip address inside 192.168.10.254 255.255.255.0
ip address DMZ 192.168.100.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool AAAVPNPOOL 192.168.10.241-192.168.10.250 mask 255.255.255.0
pdm location 192.168.10.11 255.255.255.255 inside
pdm location AAADC01 255.255.255.255 inside
pdm location AAAFS01 255.255.255.255 inside
pdm location 192.168.10.0 255.255.255.240 outside
pdm location 192.168.10.241 255.255.255.255 inside
pdm location AAADZ01 255.255.255.255 DMZ
pdm location 192.168.10.61 255.255.255.255 inside
pdm location remote_AAT 255.255.255.255 outside
pdm location BBBDMZ 255.255.255.0 outside
pdm location BBBFWLAN 255.255.255.0 outside
pdm location BBBLAN 255.255.0.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 10 AAADZ01 255.255.255.255 0 0
static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 195.86.239.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host AAADC01 AAAVPN timeout 5
aaa-server LOCAL protocol local
http server enable
http 192.168.10.11 255.255.255.255 inside
http AAADC01 255.255.255.255 inside
http 192.168.10.241 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer xxx.xxx.xxx.172
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 100000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ** address xxx.xxx.xxx.172 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 28800
vpngroup AAAVPN address-pool AAAVPNPOOL
vpngroup AAAVPN dns-server AAADC01 AAAFS01
vpngroup AAAVPN wins-server AAADC01 AAAFS01
vpngroup AAAVPN default-domain PIX.local
vpngroup AAAVPN idle-time 1800
vpngroup AAAVPN password ********
telnet AAADC01 255.255.255.255 inside
telnet timeout 5
ssh 192.168.10.61 255.255.255.255 inside
ssh timeout 5
console timeout 0
terminal width 80

: end
[OK]
===============================
remove no.spam. to send me an e-mail
===============================
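A standard check when a lan-to-lan tunnel negotiates but carries no traffic is to compare the crypto map's interesting-traffic ACL against the NAT 0 exemption ACL and against what the peer has configured: on PIX 6.3 each permit line in the crypto ACL becomes one phase-2 selector (proxy ID) pair that the PIX proposes when it initiates, and the far end must present the mirror image. The script below is an added example, not part of the post and not Cisco tooling; it parses the `name`, `access-list`, `nat (inside) 0` and `crypto map ... match address` lines from a constructed excerpt of the posted configuration, resolves the aliases, lists the selectors the PIX would propose, shows the mirrored selectors the ISA side would need, and flags any crypto ACL line with no covering NAT exemption. The helper names (`parse_names`, `check`, and so on) are mine.

```python
"""Cross-check a PIX 6.3 crypto ACL against its NAT 0 exemption ACL.

Added example: parses the interesting-traffic ACL referenced by a crypto map,
resolves 'name' aliases, and reports the phase-2 selectors the PIX proposes,
the mirror the peer must configure, and crypto lines lacking NAT exemption.
"""
import ipaddress
import re

# Constructed excerpt of the configuration posted in the thread: only the
# name, access-list, nat 0 and crypto map lines that matter for this check.
PIX_CONFIG = """\
name 192.168.10.1 AAADC01
name 192.168.100.1 AAADZ01
name 192.168.50.0 BBBDMZ
name 192.168.1.0 BBBFWLAN
name 10.1.0.0 BBBLAN
access-list inside_access_in permit udp host AAADC01 any eq domain
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBLAN 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBDMZ 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.10.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBFWLAN 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBLAN 255.255.0.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBDMZ 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBFWLAN 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""


def parse_names(cfg):
    """Map 'name <ip> <alias>' lines to {alias: ip}."""
    names = {}
    for line in cfg.splitlines():
        m = re.match(r"name\s+(\S+)\s+(\S+)$", line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def _network(tokens, pos, names):
    """Consume one address spec ('any', 'host X', or 'X MASK') at tokens[pos].
    Returns (IPv4Network, index of the next unconsumed token)."""
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok == "host":
        addr = names.get(tokens[pos + 1], tokens[pos + 1])
        return ipaddress.ip_network(addr + "/32"), pos + 2
    addr = names.get(tok, tok)
    return ipaddress.ip_network(f"{addr}/{tokens[pos + 1]}"), pos + 2


def parse_access_lists(cfg, names):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]}.
    Port qualifiers such as 'eq domain' are ignored (irrelevant to selectors)."""
    acls = {}
    for line in cfg.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        acl, action, proto = tokens[1], tokens[2], tokens[3]
        src, pos = _network(tokens, 4, names)
        dst, _ = _network(tokens, pos, names)
        acls.setdefault(acl, []).append((action, proto, src, dst))
    return acls


def crypto_acl_names(cfg):
    """{(map_name, seq): acl} from 'crypto map <map> <seq> match address <acl>'."""
    out = {}
    for line in cfg.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)", line.strip())
        if m:
            out[(m.group(1), int(m.group(2)))] = m.group(3)
    return out


def nat0_acl_name(cfg, iface="inside"):
    """ACL bound by 'nat (<iface>) 0 access-list <acl>', or None."""
    m = re.search(rf"nat \({iface}\) 0 access-list (\S+)", cfg)
    return m.group(1) if m else None


def proxy_ids(entries):
    """Phase-2 selectors the PIX proposes: one (src, dst) pair per permit line."""
    return [(str(s), str(d)) for a, _, s, d in entries if a == "permit"]


def peer_mirror(entries):
    """Selectors the far end must configure: the same pairs with src/dst swapped."""
    return [(d, s) for s, d in proxy_ids(entries)]


def uncovered_by_nat0(crypto_entries, nat0_entries):
    """Crypto ACL lines whose traffic no NAT 0 permit line fully covers."""
    missing = []
    for a, _, src, dst in crypto_entries:
        if a != "permit":
            continue
        covered = any(src.subnet_of(ns) and dst.subnet_of(nd)
                      for na, _, ns, nd in nat0_entries if na == "permit")
        if not covered:
            missing.append((str(src), str(dst)))
    return missing


def check(cfg=PIX_CONFIG):
    """Per crypto map entry: proposed selectors, required peer mirror, NAT gaps."""
    names = parse_names(cfg)
    acls = parse_access_lists(cfg, names)
    nat0 = acls.get(nat0_acl_name(cfg), [])
    report = {}
    for (cmap, seq), acl in crypto_acl_names(cfg).items():
        entries = acls.get(acl, [])
        report[f"{cmap} {seq}"] = {
            "proxy_ids": proxy_ids(entries),
            "peer_must_mirror": peer_mirror(entries),
            "not_nat_exempt": uncovered_by_nat0(entries, nat0),
        }
    return report


if __name__ == "__main__":
    for entry, result in check().items():
        print(entry)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

On the posted excerpt the script reports no crypto line lacking a NAT 0 exemption, so that particular mismatch is not the gap; what remains to compare is the three mirrored selector pairs it prints against the ISA side's network definitions, and `show crypto ipsec sa` on the PIX after a PIX-initiated tunnel comes up, to see which local/remote identities the SA was actually built with.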