Velocity Reviews - Computer Hardware Reviews
PIX lan-to-lan IPSEC comes traffic passes tunnel

I am looking for some help on this problem.

I managed to setup a LAN-to-LAN IPSEC tunnel between PIX 515 (IOS 6.3)
on one end and a back-to-back ISA2004 on the other end.

I can initiate a tunnel at both ends however the following happens:

When I initiate a tunnel from the ISA site the tunnel comes up and all
wanted traffic flows through the tunnel (RDP, HTTP, ICMP etc).
At that same moment I can also create the same traffic from the PIX

When I initiate a tunnel from the PIX site the tunnel comes up but NO
traffic is passed through the tunnel.
Creating traffic on the ISA site causes the creation of another

My guess is ACL lists not being what they should be. Can anyone tell
me what I am missing in the config of my PIX config?
Traffic to LAN /16 should go through the tunnel

This is my current config (some lines deleted):

PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
name AAADC01
name AAAFS01
name AAADZ01
name zzz.zzz.zzz.17 remote_AAT
access-list inside_access_in permit ip
access-list inside_access_in permit ip
access-list inside_access_in permit udp host AAADC01 any eq domain
access-list inside_access_in permit ip host
access-list inside_access_in permit tcp host remote_AAT eq 15948
access-list outside_cryptomap_dyn_10 permit ip any
access-list DMZ_access_in permit udp host AAADZ01 any eq domain
access-list DMZ_access_in permit tcp host AAADZ01 any eq www
access-list DMZ_access_in permit tcp host AAADZ01 any eq https
access-list DMZ_access_in permit tcp host AAADZ01 any eq ftp
access-list DMZ_access_in permit tcp host AAADZ01 any eq ftp-data
access-list inside_outbound_nat0_acl permit ip BBBLAN
access-list inside_outbound_nat0_acl permit ip BBBDMZ
access-list inside_outbound_nat0_acl permit ip any
access-list inside_outbound_nat0_acl permit ip BBBFWLAN
access-list outside_cryptomap_20 permit ip
access-list outside_cryptomap_20 permit ip
access-list outside_cryptomap_20 permit ip
pager lines 24
logging on
logging standby
icmp permit any outside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside yyy.yyy.yyy.194
ip address inside
ip address DMZ
ip audit info action alarm
ip audit attack action alarm
ip local pool AAAVPNPOOL mask
pdm location inside
pdm location AAADC01 inside
pdm location AAAFS01 inside
pdm location outside
pdm location inside
pdm location AAADZ01 DMZ
pdm location inside
pdm location remote_AAT outside
pdm location BBBDMZ outside
pdm location BBBFWLAN outside
pdm location BBBLAN outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0 0
nat (DMZ) 10 AAADZ01 0 0
static (inside,DMZ) netmask 0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host AAADC01 AAAVPN timeout 5
aaa-server LOCAL protocol local
http server enable
http inside
http AAADC01 inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 100000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ** address netmask no-xauth
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 28800
vpngroup AAAVPN address-pool AAAVPNPOOL
vpngroup AAAVPN dns-server AAADC01 AAAFS01
vpngroup AAAVPN wins-server AAADC01 AAAFS01
vpngroup AAAVPN default-domain PIX.local
vpngroup AAAVPN idle-time 1800
vpngroup AAAVPN password ********
telnet AAADC01 inside
telnet timeout 5
ssh inside
ssh timeout 5
console timeout 0
terminal width 80

: end

remove no.spam. to send me an e-mail
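As an added example (not part of the poster's config or of any reply in the thread), a small Python check for one routine cause of a PIX 6.3 LAN-to-LAN tunnel that comes up but carries no traffic: a crypto-map ACL entry with no covering `nat 0` exemption, so the traffic is translated by `global (outside) 10 interface` before the crypto map is evaluated and no longer matches the crypto ACL. The addresses in the embedded sample are constructed, since the post's were stripped; the `name` aliases and ACL names follow the post's naming.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed PIX 6.3 sample (the poster's real addresses were removed from the
# post). The nat 0 ACL deliberately lacks the DMZ-to-remote entry so the check
# has something to report.
SAMPLE_CONFIG = """
name 10.2.0.0 BBBLAN
name 10.1.0.0 AAALAN
name 172.16.5.0 AAADMZ
access-list outside_cryptomap_20 permit ip AAALAN 255.255.0.0 BBBLAN 255.255.0.0
access-list outside_cryptomap_20 permit ip AAADMZ 255.255.255.0 BBBLAN 255.255.0.0
access-list inside_outbound_nat0_acl permit ip AAALAN 255.255.0.0 BBBLAN 255.255.0.0
"""

Net = ipaddress.IPv4Network
Flow = Tuple[Net, Net]  # (source network, destination network)

def _addr(t: List[str], i: int, names: Dict[str, str]) -> Tuple[Net, int]:
    """Consume one PIX address spec at t[i]: 'any', 'host X' or 'X MASK' (X may be a name)."""
    if t[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return Net(names.get(t[i + 1], t[i + 1])), i + 2
    return Net((names.get(t[i], t[i]), t[i + 1]), strict=False), i + 2

def parse_pix(config: str) -> Dict[str, List[Flow]]:
    """Resolve 'name' aliases and collect every 'permit ip' ACE, keyed by ACL name.
    Port-based ACEs (tcp/udp ... eq) are not tunnel selectors here and are skipped."""
    names: Dict[str, str] = {}
    acls: Dict[str, List[Flow]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) == 3 and t[0] == "name":
            names[t[2]] = t[1]  # alias -> address
        elif len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4, names)
            dst, _ = _addr(t, i, names)
            acls.setdefault(t[1], []).append((src, dst))
    return acls

def missing_nat_exemption(acls: Dict[str, List[Flow]], crypto: str, nat0: str) -> List[Flow]:
    """Tunnel-selected flows that no nat 0 entry covers (subnet containment, so an
    'any' source or destination in the nat 0 ACL counts as covering)."""
    exempt = acls.get(nat0, [])
    return [(s, d) for s, d in acls.get(crypto, [])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

if __name__ == "__main__":
    found = missing_nat_exemption(parse_pix(SAMPLE_CONFIG),
                                  "outside_cryptomap_20", "inside_outbound_nat0_acl")
    for s, d in found:
        print(f"crypto ACL flow {s} -> {d} has no nat 0 exemption")
```

Feed it the output of `show access-list` and `show name` from both peers and run it in each direction (crypto ACL against nat 0, and nat 0 against crypto ACL) to spot stray exemptions as well as missing ones.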
