PIX 501 VPN/Default Gateway

Discussion in 'Cisco' started by GlasWolf, Jul 5, 2005.

  1. GlasWolf

    GlasWolf Guest

    I'm tearing my hair out here! I've been trying to get a PIX501 IPSec
    VPN at a remote site up and running for the last few days, and I thought
    I was just about there. However, I seem to have run into a problem. We
    have a lot of locations on our network, and I've been specifying them as
    separate subnets on the PIX (all accessed via the same endpoint, the ISA
    server at our central site). This works, but I noticed the VPN
    connections seemed to be dropping for no reason. What I think is
    happening is that the machines are using up one of the IPSec tunnels for
    each remote subnet they talk to - it doesn't take long before it reaches
    the limit (10) and the PIX starts dropping things.

    I think all I need to get round this is a way to specify a default
    gateway for all VPN-bound traffic (which will be everything the PIX
    receives) at our central site. That way if the PIX doesn't have an
    explicit entry for a subnet, it can forward it through the VPN to our
    central router which can take care of it.

    Is this possible, or am I in trouble? Thanks in advance.

    Colin
    GlasWolf, Jul 5, 2005
    #1
    1. Advertising

  2. In article <>,
    GlasWolf <> wrote:
    >PIX501 IPSec VPN


    :This works, but I noticed the VPN
    :connections seemed to be dropping for no reason. What I think is
    :happening is that the machines are using up one of the IPSec tunnels for
    :each remote subnet they talk to - it doesn't take long before it reaches
    :the limit (10) and the PIX starts dropping things.

    No, the limit of 10 is on the number of peers, not on the number
    of Security Associations. There is one security association per
    'permit' crypto map ACL entry.


    :I think all I need to get round this is a way to specify a default
    :gateway for all VPN-bound traffic (which will be everything the PIX
    :receives) at our central site. That way if the PIX doesn't have an
    :explicit entry for a subnet, it can forward it through the VPN to our
    :central router which can take care of it.

    :Is this possible, or am I in trouble? Thanks in advance.

    The PIX will only forward traffic if the traffic matches a crypto map
    ACL entry. The destination in a crypto map ACL entry can be 'any';
    if so then you have to be quite careful on the other end.

    Note that if a crypto map ACL entry -is- 'any' then unless you take
    care, you will not be able to contact your outside router itself from
    your inside LAN -- because 'any' includes the IP address of your
    outside local equipment.
    --
    "Mathematics? I speak it like a native." -- Spike Milligan
    Walter Roberson, Jul 5, 2005
    #2
    1. Advertising

  3. GlasWolf

    GlasWolf Guest

    Many thanks for your reply, Walter.

    > No, the limit of 10 is on the number of peers, not on the number
    > of Security Associations. There is one security association per
    > 'permit' crypto map ACL entry.


    OK, I'll discount this. The 10-tunnel limit is stated on a few reseller
    sites (http://www.b-f.co.uk/computer/info_2.htm), but is absent from the
    actual Cisco 501 page.

    > The PIX will only forward traffic if the traffic matches a crypto map
    > ACL entry. The destination in a crypto map ACL entry can be 'any';
    > if so then you have to be quite careful on the other end.
    >
    > Note that if a crypto map ACL entry -is- 'any' then unless you take
    > care, you will not be able to contact your outside router itself from
    > your inside LAN -- because 'any' includes the IP address of your
    > outside local equipment.


    Can you clarify this please? Maybe if I give you a bit more information
    you'll be able to put it into context.

    The remote site is a single private subnet of 5 machines on a switch
    (DHCP from the PIX). That is going via the PIX and an ADSL line to our
    central site, where it connects to the public address of our dual-homed
    ISA server. This has static routes to all our other site subnets. Our
    WAN provider has added a route for the PIX's subnet (pointing to the ISA
    server), so everything else on our network can route traffic
    accordingly.

    So even though the crypto map entries aren't the limitation (and
    therefore the source of the connection dropping problem), it would still
    be very useful to use an "any" crypto map rule for the sake of a
    simpler, standardised config, plus future-proofing against addressing
    changes.

    Meanwhile (with my one-crypto-map-per-site config), the PIX still drops
    frequently drops tunnels, sometimes for a ping or two and sometimes
    until it's rebooted. The short dropouts tend to be for all connected
    sites (which is understandable), the longer ones are independant.

    Thanks again.

    Colin
    GlasWolf, Jul 5, 2005
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Andre
    Replies:
    7
    Views:
    718
    Andre
    Feb 20, 2005
  2. Christian Winter

    PIX 501 dhcpd and default gateway

    Christian Winter, Sep 1, 2005, in forum: Cisco
    Replies:
    6
    Views:
    11,662
    Walter Roberson
    Sep 3, 2005
  3. Jim Willsher
    Replies:
    1
    Views:
    4,597
    Jim Willsher
    May 5, 2006
  4. Replies:
    2
    Views:
    5,528
    Walter Roberson
    Jan 22, 2007
  5. adp kumar
    Replies:
    1
    Views:
    605
    Bartosz Gagat
    Oct 19, 2008
Loading...

Share This Page