PIX 515 to PIX 515e not passing traffic

Discussion in 'Cisco' started by Scott Townsend, May 10, 2006.

  1. I have a PIX 515e 7.0(4) - (H) and a PIX 515 7.1(2) - (S), and they are
    connected via IPSec with pre-shared keys.

    I was passing traffic just fine, went to lunch, and it was no longer working.
    I'm sure I must have changed something...


    The VPN comes up, as I can see the L2L in the sessions. I can see outgoing
    traffic, though nothing coming back. The new PIX (S) can get out to the
    Internet too...

    On the new PIX (S), I see messages on the console saying that it is denying
    traffic, though I thought I had all the ACLs set up...
    What did I miss?

    Thanks!


    Old PIX (H)
    Inside: 10.1.0.0/16 (NETWORK-H)
    Outside: 192.168.1.0/24

    access-list inside_nat extended permit ip NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
    access-list outside-H_cryptomap_40 extended permit ip NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
    access-list outside-H_cryptomap_40 extended permit icmp NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
    global (outside-H) 1 192.168.1.100-192.168.1.200 netmask 255.255.255.0
    nat (inside-H) 0 access-list inside_nat
    nat (inside-H) 1 10.0.0.0 255.0.0.0

    crypto ipsec transform-set vpnclient_set2 esp-3des esp-md5-hmac
    crypto ipsec transform-set vpnclient_set esp-des esp-md5-hmac
    crypto ipsec transform-set vpn-des-set esp-des esp-md5-hmac
    crypto ipsec transform-set olivet-set esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto dynamic-map dynmap 10 set transform-set vpnclient_set vpnclient_set2
    crypto dynamic-map olivet 1 set transform-set olivet-set
    crypto map my_cry_map 999 ipsec-isakmp dynamic dynmap
    crypto map vpn-des-dyn-map 21 ipsec-isakmp dynamic vpn-des
    crypto map olivet-dyn-map 40 match address outside-H_cryptomap_40
    crypto map olivet-dyn-map 40 set peer 192.168.3.2
    crypto map olivet-dyn-map 40 set transform-set ESP-3DES-SHA
    crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
    crypto map olivet-dyn-map interface outside-H

    isakmp enable outside-H
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400
    isakmp policy 22 authentication pre-share
    isakmp policy 22 encryption des
    isakmp policy 22 hash md5
    isakmp policy 22 group 2
    isakmp policy 22 lifetime 86400
    isakmp policy 23 authentication pre-share
    isakmp policy 23 encryption 3des
    isakmp policy 23 hash md5
    isakmp policy 23 group 2
    isakmp policy 23 lifetime 86400
    isakmp policy 24 authentication pre-share
    isakmp policy 24 encryption des
    isakmp policy 24 hash sha
    isakmp policy 24 group 2
    isakmp policy 24 lifetime 86400
    isakmp policy 26 authentication pre-share
    isakmp policy 26 encryption 3des
    isakmp policy 26 hash sha
    isakmp policy 26 group 2
    isakmp policy 26 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    isakmp nat-traversal 20


    tunnel-group DefaultL2LGroup ipsec-attributes
    trust-point enmvpnca
    tunnel-group 192.168.3.2 type ipsec-l2l
    tunnel-group 192.168.3.2 ipsec-attributes
    pre-shared-key *



    New PIX (S)
    Inside: 10.2.0.0/16 (NETWORK-S)
    Outside: 192.168.3.0/24


    access-list inside_nat extended permit ip NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0

    access-list inside_nat extended permit ip NETWORK-H 255.255.0.0 NETWORK-S 255.255.0.0
    access-list outside-S_cryptomap_40 extended permit ip NETWORK-S 255.255.0.0 NETWORK-H 255.255.0.0
    access-list outside-S_cryptomap_40 extended permit icmp NETWORK-S 255.255.0.0 NETWORK-H 255.255.0.0

    global (outside-H) 1 192.168.3.100-192.168.3.200 netmask 255.255.255.0
    nat (inside-S) 0 access-list inside_nat
    nat (inside-S) 1 10.0.0.0 255.0.0.0

    crypto ipsec transform-set vpnclient_set esp-des esp-md5-hmac
    crypto ipsec transform-set vpnclient_set2 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set vpnclient_set vpnclient_set2
    crypto dynamic-map outside-S_dyn_map 1 set transform-set vpnclient_set vpnclient_set2 ESP-3DES-SHA
    crypto map outside-S_map 40 match address outside-S_cryptomap_40
    crypto map outside-S_map 40 set peer 192.168.1.2
    crypto map outside-S_map 40 set transform-set ESP-3DES-SHA
    crypto map outside-S_map 65535 ipsec-isakmp dynamic outside-S_dyn_map
    crypto map outside-S_map interface outside-S

    isakmp enable outside-S
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400
    isakmp policy 22 authentication pre-share
    isakmp policy 22 encryption des
    isakmp policy 22 hash md5
    isakmp policy 22 group 2
    isakmp policy 22 lifetime 86400
    isakmp policy 23 authentication pre-share
    isakmp policy 23 encryption 3des
    isakmp policy 23 hash md5
    isakmp policy 23 group 2
    isakmp policy 23 lifetime 86400
    isakmp policy 24 authentication pre-share
    isakmp policy 24 encryption des
    isakmp policy 24 hash sha
    isakmp policy 24 group 2
    isakmp policy 24 lifetime 86400
    isakmp policy 26 authentication pre-share
    isakmp policy 26 encryption 3des
    isakmp policy 26 hash sha
    isakmp policy 26 group 2
    isakmp policy 26 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    isakmp nat-traversal 20


    tunnel-group DefaultL2LGroup ipsec-attributes
    trust-point enmvpnca
    tunnel-group 192.168.1.2 type ipsec-l2l
    tunnel-group 192.168.1.2 ipsec-attributes
    pre-shared-key *
    Scott Townsend, May 10, 2006
    #1

  2. * Scott Townsend wrote:
    > What did I Miss?


    7.1(small) has a bug: It stops forwarding after some hours.
    Lutz Donnerhacke, May 10, 2006
    #2

  3. Hmmm... I've rebooted it. It never came back. Maybe I'll try again.

    Should I just revert to 7.0(4)?

    Thanks!

    Scott<-
    "Lutz Donnerhacke" <> wrote in message
    news:-jena.de...
    >* Scott Townsend wrote:
    >> What did I Miss?

    >
    > 7.1(small) has a bug: It stops forwarding after some hours.
    Scott Townsend, May 10, 2006
    #3
  4. OK, after another reboot (warm boot) I'm still getting the following on the (S)
    PIX console:

    May 10 2006 09:45:10 moonrazor : %PIX-3-106014: Deny inbound icmp src outside-S:10.1.0.133 dst inside-S:10.2.3.0 (type 8, co)
    May 10 2006 09:45:13 moonrazor : %PIX-3-106014: Deny inbound icmp src inside-S:10.2.3.0 dst outside-SF:10.1.1.15 (type 8, code 0)
    May 10 2006 09:45:16 moonrazor : %PIX-3-106014: Deny inbound icmp src outside-S:10.1.0.133 dst inside-S:10.2.3.0 (type 8, co)
    May 10 2006 09:45:19 moonrazor : %PIX-3-106014: Deny inbound icmp src inside-S:10.2.3.0 dst outside-SF:10.1.1.15 (type 8, code 0)
    May 10 2006 09:45:21 moonrazor : %PIX-3-106014: Deny inbound icmp src outside-S:10.1.0.133 dst inside-S:10.2.3.0 (type 8, co)

    I have 2 pings set up going over the link.

    On the (H) PIX I do not get anything relevant to the pings.

    Thanks,
    Scott<=
    "Lutz Donnerhacke" <> wrote in message
    news:-jena.de...
    >* Scott Townsend wrote:
    >> What did I Miss?

    >
    > 7.1(small) has a bug: It stops forwarding after some hours.
    Scott Townsend, May 10, 2006
    #4
  5. Can you paste
    sh cry ipsec sa output from both the pix here?

    Vikas
    sampark, May 24, 2006
    #5
  6. Turns out that I had a vpn-filter set. I think somewhere in the ASDM I set
    it. I did the following and am now able to pass traffic.

    group-policy DfltGrpPolicy attributes
    vpn-filter none

    The goofy thing was I was connected and the VPN was up! Aggravating!

    thanks!
    Scott<-

    "sampark" <> wrote in message
    news:...
    > Can you paste
    > sh cry ipsec sa output from both the pix here?
    >
    > Vikas
    >
    Scott Townsend, May 24, 2006
    #6
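    The deny messages in post #4 and the vpn-filter finding in post #6 suggest a quick triage check: if a %PIX-3-106014 deny names a flow that falls inside the crypto map's interesting-traffic ACL (NETWORK-S <-> NETWORK-H), the tunnel is not the problem and a group-policy vpn-filter is the first thing to look at. The script below is an added example, not anything from the thread; the log lines are constructed in the shape of the ones quoted above, and the network ranges are taken from the posted configs.

```python
import ipaddress
import re

# Constructed sample lines modelled on the %PIX-3-106014 messages in the thread
# (two ICMP echo requests inside the tunnel ranges, one from an unrelated host).
SAMPLE_LOG = """\
May 10 2006 09:45:10 moonrazor : %PIX-3-106014: Deny inbound icmp src outside-S:10.1.0.133 dst inside-S:10.2.3.0 (type 8, code 0)
May 10 2006 09:45:13 moonrazor : %PIX-3-106014: Deny inbound icmp src inside-S:10.2.3.0 dst outside-S:10.1.1.15 (type 8, code 0)
May 10 2006 09:45:20 moonrazor : %PIX-3-106014: Deny inbound icmp src outside-S:192.168.3.77 dst inside-S:10.2.3.0 (type 8, code 0)
"""

# Interesting traffic of outside-S_cryptomap_40 on the (S) PIX, in both directions:
# NETWORK-S is 10.2.0.0/16 and NETWORK-H is 10.1.0.0/16 per the posted configs.
CRYPTO_ACL = [
    (ipaddress.ip_network("10.2.0.0/16"), ipaddress.ip_network("10.1.0.0/16")),
    (ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")),
]

LINE_RE = re.compile(
    r"%PIX-3-106014: Deny inbound (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<src>[\d.]+) "
    r"dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)"
)


def parse_106014(line):
    """Return the fields of one 106014 deny message as a dict, or None if not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["src"] = ipaddress.ip_address(fields["src"])
    fields["dst"] = ipaddress.ip_address(fields["dst"])
    return fields


def in_crypto_acl(src, dst):
    """True when the src/dst pair would be selected for the L2L tunnel."""
    return any(src in s_net and dst in d_net for s_net, d_net in CRYPTO_ACL)


def diagnose(log_text):
    """Tag each deny: tunnel traffic being dropped (check vpn-filter / group-policy)
    versus traffic outside the crypto ACL, where an interface-ACL deny is expected."""
    results = []
    for line in log_text.splitlines():
        f = parse_106014(line)
        if f is None:
            continue
        if in_crypto_acl(f["src"], f["dst"]):
            verdict = "tunnel-traffic-denied: check group-policy vpn-filter"
        else:
            verdict = "outside-crypto-acl: interface ACL deny is expected"
        results.append((str(f["src"]), str(f["dst"]), verdict))
    return results


if __name__ == "__main__":
    for row in diagnose(SAMPLE_LOG):
        print(row)
```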
  7. great
    Vikas, May 25, 2006
    #7