Changed inside IP subnet on PIX 501, can't VPN to PIX 515

Discussion in 'Cisco' started by Scott Townsend, Mar 3, 2008.

  1. So I have a PIX 501 that I configured to use the 10.14.0.0/16 subnet.
    Outside interface is DHCP, Comcast Internet.
    All is well, connects, traffic passes and we are good.

    I have a 1600 series router with Firewall IOS, that I configured to use the
    10.11.0.0/16 subnet.
    Outside interface is DHCP/PPPoE, AT&T DSL Internet.
    All is well, connects, traffic passes and we are good.

    Both are connected via preshared-keys, DefaultRAGroup.
    All of the ACLs include both the 10.11.0.0/16 subnet and the 10.14.0.0/16 subnet.

    So I want to replace the router with the PIX.
    I disconnect the router,
    reconfigure the PIX with 10.11.0.0/16 addresses,
    reboot everything so the MAC addresses are flushed,
    and it won't connect.

    I've turned on all the debugging on the 501 PIX and it's like it's not seeing
    any interesting traffic to initiate the VPN link.

    Doing the show cry map, I see the ACL with the source/dest subnets and they
    are correct, though the hitcnt is 0.

    Seems like if there was an issue on the PIX 515 side not liking the new
    client on the old subnet, at least I would see the connection attempt on the
    PIX 501 side.


    Suggestions?

    Scott<-
     
    Scott Townsend, Mar 3, 2008
    #1

  2. Darren Green (Guest)

    Scott Townsend wrote:
    > So I have a PIX 501 that I configured to use the 10.14.0.0/16 subnet.
    > Outside Interface is DHCP, ComCast Internet
    > All is well, connects, traffic passes and we are good.
    >
    > I have a 1600 series router with Firewall IOS, that I configured to use the
    > 10.11.0.0/16 subnet
    > Outside interface is DHCP/PPPoE, AT&T DSL Internet
    > All is well, connects, traffic passes and we are good.
    >
    > Both are connected via preshared-keys, DefaultRAGroup.
    > All of the ACLs include both 10.11.0.0/16 subnet and 10.14.0.0/16 subnet
    >
    > So I want to Replace the Router with the PIX.
    > I Disconnect the Router,
    > Reconfigure PIX with 10.11.0.0/16 addresses.
    > Reboot everything so the MAC addresses are flushed
    > and it won't connect.
    >
    > I've turned on all the debugging on the 501 PIX and it's like it's not seeing
    > any interesting traffic to initiate the VPN link.
    >
    > Doing the show cry map, I see the ACL with the source/dest subnets and they
    > are correct, though the hitcnt is 0.
    >
    > Seems like if there was an Issue on the PIX 515 side not liking the new
    > client on the old subnet at least I would see the connection attempt on the
    > PIX 501 side..
    >
    >
    > Suggestions?
    >
    > Scott<-
    >
    >

    If I understand you correctly, the 1600 router is being swapped out for
    a PIX 501. The PIX 501 should create a VPN connection to a PIX 515. You
    are not seeing any hits on the PIX 501.

    Other than posting a config, my initial guess would be to check your No
    NAT. You should be seeing hits on your crypto ACLs; if not, this would
    tend to suggest that the address you are coming from is incorrect.

    Remember NAT happens before encryption. You need to ensure you exempt
    your network from NAT first. You will then have a matching crypto ACL for
    encrypting the traffic after NO-NAT/NAT; do not use the same ACL for both.

    Post your config anyway.

    Regards

    Darren
     
    Darren Green, Mar 3, 2008
    #2

  3. What looks like happened, and I'm not sure how, was my nat (inside) 0 was
    wiped out. )-;

    nat (inside) 0 access-list inside_nat0_outbound

    nat (inside) 1 10.11.0.0 255.255.0.0 0 0


    I reconfigured the unit back with the 10.44.0.0/16 addressing config and it
    worked again. So I went through the 2 configs line by line. The
    10.11.0.0/16 one was missing the nat (inside) 0 statement.

    Thanks!

    So my next trick is to get the 1600 as a backup. Having issues with just
    the NAT, but that will be another post....

    Scott<-

    "Darren Green" <> wrote in message
    news:47cc6ad2$...
    > Scott Townsend wrote:
    >> So I have a PIX 501 that I configured to use the 10.14.0.0/16 subnet.
    >> Outside Interface is DHCP, ComCast Internet
    >> All is well, connects, traffic passes and we are good.
    >>
    >> I have a 1600 series router with Firewall IOS, that I configured to use
    >> the 10.11.0.0/16 subnet
    >> Outside interface is DHCP/PPPoE, AT&T DSL Internet
    >> All is well, connects, traffic passes and we are good.
    >>
    >> Both are connected via preshared-keys, DefaultRAGroup.
    >> All of the ACLs include both 10.11.0.0/16 subnet and 10.14.0.0/16 subnet
    >>
    >> So I want to Replace the Router with the PIX.
    >> I Disconnect the Router,
    >> Reconfigure PIX with 10.11.0.0/16 addresses.
    >> Reboot everything so the MAC addresses are flushed
    >> and it won't connect.
    >>
    >> I've turned on all the debugging on the 501 PIX and it's like it's not
    >> seeing any interesting traffic to initiate the VPN link.
    >>
    >> Doing the show cry map, I see the ACL with the source/dest subnets and
    >> they are correct, though the hitcnt is 0.
    >>
    >> Seems like if there was an Issue on the PIX 515 side not liking the new
    >> client on the old subnet at least I would see the connection attempt on
    >> the PIX 501 side..
    >>
    >>
    >> Suggestions?
    >>
    >> Scott<-

    > If I understand you correctly, the 1600 router is being swapped out for a
    > PIX 501. The PIX 501 should create a VPN connection to a PIX 515. You are
    > not seeing any hits on the PIX 501.
    >
    > Other than posting a config, my initial guess would be to check your No NAT.
    > You should be seeing hits on your crypto ACLs; if not, this would tend to
    > suggest that the address you are coming from is incorrect.
    >
    > Remember NAT happens before encryption. You need to ensure you exempt your
    > network from NAT first. You will then have a matching crypto ACL for
    > encrypting the traffic after NO-NAT/NAT; do not use the same ACL for
    > both.
    >
    > Post your config anyway.
    >
    > Regards
    >
    > Darren
     
    Scott Townsend, Mar 4, 2008
    #3
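As an added illustration (not part of the thread or of Cisco's code), here is a small Python model of the order of operations Darren describes and of the missing nat (inside) 0 line Scott found: NAT exemption is evaluated first, untranslated traffic is PAT'd to the outside address, and the crypto map ACL only sees the translated packet. The outside address 203.0.113.10 and the ACL name outside_cryptomap are constructed stand-ins; inside_nat0_outbound and the two /16s come from the posts.

```python
# Toy model of PIX 6.x inside->outside processing for the VPN case in this
# thread: nat 0 exemption, then nat 1 PAT, then crypto map match. With the
# exemption line missing, the translated source can never match a crypto ACL
# written for 10.11.0.0/16, so its hitcnt stays 0 and no tunnel is initiated.
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_501 = ipaddress.ip_network("10.11.0.0/16")    # PIX 501 inside (from the thread)
LAN_515 = ipaddress.ip_network("10.14.0.0/16")    # PIX 515 inside (from the thread)
OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")  # constructed stand-in for the DHCP address

@dataclass
class Acl:  # one 'permit ip <src> <dst>' line with a PIX-style hit counter
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hitcnt: int = 0

    def matches(self, src, dst) -> bool:
        hit = src in self.src and dst in self.dst
        if hit:
            self.hitcnt += 1
        return hit

@dataclass
class Pix:
    crypto_acl: Acl                  # crypto map ... match address <acl>
    nat0_acl: Optional[Acl] = None   # None models the wiped "nat (inside) 0" line

    def forward(self, src: str, dst: str):  # -> (post-NAT source, crypto ACL matched?)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. NAT exemption: nat (inside) 0 access-list inside_nat0_outbound
        if self.nat0_acl is not None and self.nat0_acl.matches(s, d):
            post_nat_src = s
        else:
            # 2. nat (inside) 1 10.11.0.0 255.255.0.0 0 0 -> PAT to the outside address
            post_nat_src = OUTSIDE_IP
        # 3. The crypto map match is evaluated on the already-translated packet
        return post_nat_src, self.crypto_acl.matches(post_nat_src, d)

def simulate(with_nat0: bool):  # one 10.11.x -> 10.14.x packet; returns (post-NAT src, hitcnt)
    crypto = Acl("outside_cryptomap", LAN_501, LAN_515)   # constructed ACL name
    nat0 = Acl("inside_nat0_outbound", LAN_501, LAN_515) if with_nat0 else None
    pix = Pix(crypto, nat0)
    post_nat_src, _ = pix.forward("10.11.1.20", "10.14.5.7")
    return str(post_nat_src), pix.crypto_acl.hitcnt

if __name__ == "__main__":
    print("nat 0 missing:", simulate(False))   # ('203.0.113.10', 0)
    print("nat 0 present:", simulate(True))    # ('10.11.1.20', 1)
```

The same comparison is the practical check on a real box: if show access-list shows the nat 0 exemption ACL with hitcnt 0 while the nat 1 translation count climbs, the crypto ACL is never going to be consulted for that traffic.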
