PIX lan-to-lan IPSEC comes up...no traffic passes tunnel

Discussion in 'Cisco' started by Arjan, Nov 2, 2005.

  1. Arjan

    Arjan Guest

    I am looking for some help on this problem.

    I managed to setup a LAN-to-LAN IPSEC tunnel between PIX 515 (IOS 6.3)
    on one end and a back-to-back ISA2004 on the other end.

    I can initiate a tunnel at both ends however the following happens:

    When I initiate a tunnel from the ISA site the tunnel comes up and all
    wanted traffic flows through the tunnel (RDP, HTTP, ICMP etc.).
    At that same moment I can also create the same traffic from the PIX
    site.

    When I initiate a tunnel from the PIX site the tunnel comes up but NO
    traffic is passed through the tunnel.
    Creating traffic on the ISA site causes the creation of another
    tunnel.

    My guess is the ACL lists not being what they should be. Can anyone tell
    me what I am missing in the config of my PIX config?
    Traffic to LAN 10.1.0.0/16 should go through the tunnel.

    This is my current config (some lines deleted):

    PIX Version 6.3(4)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    ...
    ...
    names
    name 192.168.10.1 AAADC01
    name 192.168.10.2 AAAFS01
    name 192.168.100.1 AAADZ01
    name zzz.zzz.zzz.17 remote_AAT
    name 192.168.50.0 BBBDMZ
    name 192.168.1.0 BBBFWLAN
    name 10.1.0.0 BBBLAN
    access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 BBBDMZ 255.255.255.0
    access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 BBBLAN 255.255.0.0
    access-list inside_access_in permit udp host AAADC01 any eq domain
    access-list inside_access_in permit ip 192.168.10.0 255.255.255.0 host AAADZ01
    access-list inside_access_in permit tcp 192.168.10.0 255.255.255.0 host remote_AAT eq 15948
    access-list outside_cryptomap_dyn_10 permit ip any 192.168.10.240 255.255.255.240
    access-list DMZ_access_in permit udp host AAADZ01 any eq domain
    access-list DMZ_access_in permit tcp host AAADZ01 any eq www
    access-list DMZ_access_in permit tcp host AAADZ01 any eq https
    access-list DMZ_access_in permit tcp host AAADZ01 any eq ftp
    access-list DMZ_access_in permit tcp host AAADZ01 any eq ftp-data
    access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBLAN 255.255.0.0
    access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBDMZ 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any 192.168.10.240 255.255.255.240
    access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBFWLAN 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBLAN 255.255.0.0
    access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBDMZ 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBFWLAN 255.255.255.0
    pager lines 24
    logging on
    logging standby
    icmp permit any outside
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside yyy.yyy.yyy.194 255.255.255.240
    ip address inside 192.168.10.254 255.255.255.0
    ip address DMZ 192.168.100.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool AAAVPNPOOL 192.168.10.241-192.168.10.250 mask 255.255.255.0
    pdm location 192.168.10.11 255.255.255.255 inside
    pdm location AAADC01 255.255.255.255 inside
    pdm location AAAFS01 255.255.255.255 inside
    pdm location 192.168.10.0 255.255.255.240 outside
    pdm location 192.168.10.241 255.255.255.255 inside
    pdm location AAADZ01 255.255.255.255 DMZ
    pdm location 192.168.10.61 255.255.255.255 inside
    pdm location remote_AAT 255.255.255.255 outside
    pdm location BBBDMZ 255.255.255.0 outside
    pdm location BBBFWLAN 255.255.255.0 outside
    pdm location BBBLAN 255.255.0.0 outside
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    nat (DMZ) 10 AAADZ01 255.255.255.255 0 0
    static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 0 0
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 195.86.239.193 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host AAADC01 AAAVPN timeout 5
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.10.11 255.255.255.255 inside
    http AAADC01 255.255.255.255 inside
    http 192.168.10.241 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group2
    crypto map outside_map 20 set peer xxx.xxx.xxx.172
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 100000
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ** address xxx.xxx.xxx.172 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash sha
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 28800
    vpngroup AAAVPN address-pool AAAVPNPOOL
    vpngroup AAAVPN dns-server AAADC01 AAAFS01
    vpngroup AAAVPN wins-server AAADC01 AAAFS01
    vpngroup AAAVPN default-domain PIX.local
    vpngroup AAAVPN idle-time 1800
    vpngroup AAAVPN password ********
    telnet AAADC01 255.255.255.255 inside
    telnet timeout 5
    ssh 192.168.10.61 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    terminal width 80

    : end
    [OK]



    ===============================
    remove no.spam. to send me an e-mail
    ===============================
    Arjan, Nov 2, 2005
    #1
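The first thing to check on a PIX whose LAN-to-LAN tunnel negotiates but carries no traffic is that every entry of the crypto map's interesting-traffic ACL (here outside_cryptomap_20) is mirrored by a nat 0 exemption entry (here inside_outbound_nat0_acl): a packet that matches the crypto ACL but not the NAT exemption is PAT'ed out the outside interface and never enters the tunnel. The script below is an added example, not part of the post or of any Cisco tool; it parses the relevant lines of a PIX 6.3 style config, resolves the "name" aliases, and reports crypto ACL entries that have no covering nat 0 entry. The embedded config is a constructed excerpt of the config posted above, and the second, deliberately broken variant (nat 0 entry for BBBLAN removed) is constructed to show what a finding looks like.

```python
import ipaddress
import re

# Constructed excerpt of the PIX config posted above (names, ACLs, crypto map, nat 0).
PIX_CONFIG = """\
name 10.1.0.0 BBBLAN
name 192.168.50.0 BBBDMZ
name 192.168.1.0 BBBFWLAN
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBLAN 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBDMZ 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.10.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 BBBFWLAN 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBLAN 255.255.0.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBDMZ 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 BBBFWLAN 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

# Constructed broken variant: the nat 0 entry for BBBLAN deleted, so traffic to
# 10.1.0.0/16 matches the crypto ACL but is still translated by nat (inside) 10.
BROKEN_CONFIG = "\n".join(
    line for line in PIX_CONFIG.splitlines()
    if not (line.startswith("access-list inside_outbound_nat0_acl") and "BBBLAN" in line)
)


def parse_names(config):
    """Map 'name <ip> <alias>' lines to {alias: ip}."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"name (\S+) (\S+)$", line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def _operand(tokens, i, names):
    """Parse one ACL address operand at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        host = names.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(host + "/32"), i + 2
    addr = names.get(tok, tok)
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config, names):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} (ports ignored)."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        acl, action, proto = t[1], t[2], t[3]
        src, i = _operand(t, 4, names)
        dst, _ = _operand(t, i, names)
        acls.setdefault(acl, []).append((action, proto, src, dst))
    return acls


def crypto_acl_name(config):
    m = re.search(r"crypto map \S+ \d+ match address (\S+)", config)
    return m.group(1) if m else None


def nat0_acl_name(config):
    m = re.search(r"nat \(\S+\) 0 access-list (\S+)", config)
    return m.group(1) if m else None


def find_unexempted(config):
    """Crypto ACL permit entries (src, dst) with no covering nat 0 exemption entry."""
    names = parse_names(config)
    acls = parse_acls(config, names)
    crypto = acls.get(crypto_acl_name(config), [])
    nat0 = acls.get(nat0_acl_name(config), [])
    missing = []
    for action, _proto, src, dst in crypto:
        if action != "permit":
            continue
        covered = any(src.subnet_of(ns) and dst.subnet_of(nd) for _, _, ns, nd in nat0)
        if not covered:
            missing.append((str(src), str(dst)))
    return missing


if __name__ == "__main__":
    for label, cfg in (("posted config", PIX_CONFIG), ("broken variant", BROKEN_CONFIG)):
        gaps = find_unexempted(cfg)
        print(f"{label}: {'OK' if not gaps else 'crypto entries without nat 0 exemption: ' + str(gaps)}")
```

On the posted excerpt the check passes, which is consistent with the symptom: an ISA-initiated tunnel carries traffic from the PIX side too. The script looks only at the PIX; the other half of the check is that the ISA side's network definitions for this peer describe exactly the mirror image of outside_cryptomap_20 (the three remote networks against 192.168.10.0/24), because selectors proposed by the initiator that the responder does not match are the usual reason a tunnel negotiates in one direction but not the other.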