Cisco PIX 501-515 Site-to-Site VPN Issue

Discussion in 'Cisco' started by pogopoole@gmail.com, Jul 5, 2007.

  1. Guest

    I'm deferring to the experts in this group to help me solve a
    nightmare of a PIX configuration issue.

    I have a PIX 501 located in Connecticut and a PIX 515 located in New
    York and am trying to put together a site-to-site VPN. The remote
    access on the 515 works like a charm, but I've been unable to make any
    headway with the site-to-site. The only way that I've been able to
    initiate the connection, in fact, is to launch the packet tracer on
    the 515 to 'send' a packet from an IP on the 515's network to an IP on
    the 501's. Everything comes back okay, but if I try to ping or
    connect to any machine on either of the networks from the other one,
    it doesn't go through, and no useful debugging information seems to be
    returned. If anyone has any insight into what might be going on, your
    advice would be tremendously appreciated. I've copied the
    configurations below and have removed only the clearly-irrelevant
    parts.

    PIX 501:
    Internal IP Range: 10.0.2.0/255.255.255.0
    External IP: x.x.123.29

    PIX 515:
    Internal IP Range: 10.0.0.0/255.255.255.0
    Remote Access: 10.0.1.0/255.255.255.0
    External IP: x.x.23.17


    CISCO PIX 501 IN CONNECTICUT

    PIX Version 6.3(5)
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any any object-group TCP
    access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
    ip address outside x.x.123.29 255.255.255.252
    ip address inside 10.0.2.1 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.123.30 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group2
    crypto map outside_map 20 set peer x.x.23.17
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key * address x.x.23.17 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    dhcpd address 10.0.2.200-10.0.2.231 inside
    dhcpd enable inside


    CISCO PIX 515 IN NEW YORK

    PIX Version 7.2(1)
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list outside_access_in extended permit icmp any any
    access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    access-list outside_cryptomap extended permit ip any 10.0.1.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
    ip local pool VPN 10.0.1.1-10.0.1.254 mask 255.255.0.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    icmp permit any outside
    icmp permit any inside
    global (outside) 101 interface
    nat (inside) 0 access-list outside_cryptomap
    nat (inside) 101 0.0.0.0 0.0.0.0 dns
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.23.30 1
    no eou allow clientless
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server value 10.0.0.2 10.0.0.3
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 5
    vpn-idle-timeout none
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain value mydomain.net
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout none
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools value VPN
    client-firewall none
    client-access-rule none
    sysopt connection tcpmss 0
    service resetinbound interface outside
    service resetinbound interface inside
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer x.x.123.29
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 3600
    crypto isakmp nat-traversal 20
    crypto isakmp ipsec-over-tcp port 10000
    crypto isakmp disconnect-notify
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN
    authorization-dn-attributes use-entire-name
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    tunnel-group x.x.123.29 type ipsec-l2l
    tunnel-group x.x.123.29 ipsec-attributes
    pre-shared-key *
    no tunnel-group-map enable ou
    no tunnel-group-map enable ike-id
    no tunnel-group-map enable peer-ip
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    dhcpd address 10.0.0.100-10.0.0.149 inside
    dhcpd enable inside
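The two configs above have to agree on a handful of parameters before a site-to-site tunnel can come up: the peer addresses, the crypto ACLs (mirror images of each other), PFS, at least one common ISAKMP policy, and a NAT exemption (nat 0) that covers the crypto ACL so the tunnel traffic is not translated away. The checker below is an added example, not code from the thread or from Cisco; it parses the PIX 6.3 and PIX 7.x forms of those lines and reports every disagreement. PIX501 and PIX515 are constructed sample input reduced from the two posted configs; the 515's `ip address outside` line is not in the post, so its address is taken from the poster's stated External IP and the mask is an assumption.

```python
# Added example, not code from the thread: check that two PIX configs agree on every parameter a site-to-site tunnel depends on.
import ipaddress
import re
# Constructed sample input: the lines from the two configs in the post that the tunnel depends on.
PIX501 = """
access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
ip address outside x.x.123.29 255.255.255.252
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer x.x.23.17
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""
# The post shows no 'ip address outside' for the 515: the address is its stated External IP, the mask is assumed.
PIX515 = """
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip any 10.0.1.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
ip address outside x.x.23.17 255.255.255.252
nat (inside) 0 access-list outside_cryptomap
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer x.x.123.29
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
OUTSIDE_RE = re.compile(r"ip address outside (\S+) \S+$")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)$")
CMAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set pfs|set peer)(?: (\S+))?$")
POLICY_RE = re.compile(r"(?:crypto )?isakmp policy (\d+)(?: (\S+) (\S+))?$")
ATTR_RE = re.compile(r"(authentication|encryption|hash|group|lifetime) (\S+)$")

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    cfg = {"acls": {}, "nat0": None, "outside_ip": None, "cmaps": {}, "isakmp": {}}
    block = None  # the 7.x 'crypto isakmp policy N' block currently being filled
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if (m := ATTR_RE.match(line)) and block is not None:
            block[m.group(1)] = m.group(2)
            continue
        block = None  # any other line ends a 7.x policy block
        # 'any' in an ACE is just the all-zero network; rewrite it so one pattern covers both forms
        acl_line = (line + " ").replace(" any ", " 0.0.0.0 0.0.0.0 ").strip()
        if m := POLICY_RE.match(line):
            pol = cfg["isakmp"].setdefault(m.group(1), {})
            if m.group(2):
                pol[m.group(2)] = m.group(3)  # 6.3 form: one attribute per line
            else:
                block = pol  # 7.x form: attributes follow on their own lines
        elif m := ACL_RE.match(acl_line):
            cfg["acls"].setdefault(m.group(1), []).append((_net(*m.group(2, 3)), _net(*m.group(4, 5))))
        elif m := OUTSIDE_RE.match(line):
            cfg["outside_ip"] = m.group(1)
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
        elif m := CMAP_RE.match(line):
            entry = cfg["cmaps"].setdefault((m.group(1), int(m.group(2))), {})
            # a bare 'set pfs' means group2, the PIX default
            entry[m.group(3)] = m.group(4) or ("group2" if m.group(3) == "set pfs" else None)
    return cfg

def check_pair(a_name, a, b_name, b):
    """Return the parameters the two sides disagree on; an empty list means they agree."""
    findings, entries = [], {}
    for me, mine, other_name, other in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        entry = next((e for _, e in sorted(mine["cmaps"].items()) if "set peer" in e), {})
        entries[me] = entry  # the static-peer crypto map entry is the site-to-site one
        if entry.get("set peer") != other["outside_ip"]:
            findings.append(f"{me}: peer {entry.get('set peer')} is not {other_name}'s outside address")
        nat0 = mine["acls"].get(mine["nat0"], [])  # traffic the tunnel carries must bypass NAT
        for src, dst in mine["acls"].get(entry.get("match address"), []):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat0):
                findings.append(f"{me}: {src} -> {dst} is in the crypto ACL but not NAT-exempt (nat 0)")
    ea, eb = entries[a_name], entries[b_name]
    a_acl = set(a["acls"].get(ea.get("match address"), []))
    b_acl = {(d, s) for s, d in b["acls"].get(eb.get("match address"), [])}
    if not a_acl or a_acl != b_acl:
        findings.append("crypto ACLs are missing or not mirror images of each other")
    if ea.get("set pfs") != eb.get("set pfs"):
        findings.append(f"PFS differs: {a_name} {ea.get('set pfs')} vs {b_name} {eb.get('set pfs')}")
    keys = ("authentication", "encryption", "hash", "group")  # lifetime is negotiated, so not compared
    phase1 = [{tuple(p.get(k) for k in keys) for p in side["isakmp"].values()} for side in (a, b)]
    if not phase1[0] & phase1[1]:
        findings.append("no ISAKMP policy agrees on authentication, encryption, hash and group")
    return findings

if __name__ == "__main__":
    print("\n".join(check_pair("PIX501", parse(PIX501), "PIX515", parse(PIX515))) or "both sides agree")
```

Run against the posted lines the checker reports no mismatch, which is useful on its own: the peers, crypto ACLs, PFS group (the 515's bare `set pfs` defaults to group2, matching the 501's explicit `group2`), ISAKMP policies and NAT exemptions all line up, so the static configuration text is not where the tunnel is failing. Changing one side (for example `set pfs group5` on the 501, or deleting its `nat (inside) 0` line) makes the corresponding finding appear, which is the kind of mismatch that otherwise shows up only as an unhelpful proposal rejection in `debug crypto isakmp` output.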