PIX to PIX: new subnet cannot ping to other side

Discussion in 'Cisco' started by RLM, Jun 29, 2006.

  1. RLM

    RLM Guest

    Hi Guys,

    http://www.xs4all.nl/~dbolderm/Tekening1.jpg

    I have 2 PIXes in place. One end is a 192.168.1.x and 192.168.2.x
    network, the other end is a 192.168.3.x network.

    Ping/Access to/from both sides is ok.

    Now I've installed an ISA2004 on the 192.168.1.x network. This server
    has a NIC with a 192.168.4.0 network. From this network I am unable to
    ping the 192.168.3.0 network. I think the problem is in the PIX setup,
    but I am pretty sure I created the correct access lists, allowed ICMP,
    etc.

    Logging on the pix shows ICMP request, but no replies.

    The ISA2004 server allows traffic, and the log file doesn't show any
    denied connections, so traffic is flowing freely.

    I am baffled about this, and not sure what to do next.

    Is there anyone with suggestions how to troubleshoot this issue? I
    inserted a link with a pic to make things a bit more clear.

    I will be forever grateful :))

    --
    RLM, Jun 29, 2006
    #1

  2. RLM

    AM Guest

    RLM wrote:
    > Hi Guys,
    >
    > http://www.xs4all.nl/~dbolderm/Tekening1.jpg
    >
    > I have 2 PIXes in place. One end is a 192.168.1.x and 192.168.2.x
    > network, the other end is a 192.168.3.x network.
    >
    > Ping/Access to/from both sides is ok.
    >
    > Now I've installed an ISA2004 on the 192.168.1.x network. This server
    > has a NIC with a 192.168.4.0 network. From this network I am unable to
    > ping the 192.168.3.0 network. I think the problem is in the PIX setup,
    > but I am pretty sure I created the correct access lists, allowed ICMP,
    > etc.
    >
    > Logging on the pix shows ICMP request, but no replies.


    Even if you lost all the links in your picture, I can tell you that you need to specify on both interfaces which ICMP
    traffic is permitted. So don't treat ICMP like UDP or TCP, thinking to specify rules only on one side.

    HTH

    Alex.
    AM, Jun 29, 2006
    #2

  3. RLM

    RLM Guest

    On 2006-06-29, AM <> wrote:
    > RLM wrote:
    >> Hi Guys,
    >>
    >> http://www.xs4all.nl/~dbolderm/Tekening1.jpg
    >>
    >> I have 2 PIXes in place. One end is a 192.168.1.x and 192.168.2.x
    >> network, the other end is a 192.168.3.x network.
    >>
    >> Ping/Access to/from both sides is ok.
    >>
    >> Now I've installed an ISA2004 on the 192.168.1.x network. This server
    >> has a NIC with a 192.168.4.0 network. From this network I am unable to
    >> ping the 192.168.3.0 network. I think the problem is in the PIX setup,
    >> but I am pretty sure I created the correct access lists, allowed ICMP,
    >> etc.
    >>
    >> Logging on the pix shows ICMP request, but no replies.

    >
    > Even if you lost all the links in your picture, I can tell you that you need to specify on both interfaces which ICMP
    > traffic is permitted. So don't treat ICMP like UDP or TCP, thinking to specify rules only on one side.
    >

    Hi Alex,

    I have enabled ICMP on both interfaces:

    icmp permit any outside
    icmp permit any inside

    I don't see any denied errors when I debug the PIX.

    Thanks for the suggestion though. Any other things I could check?


    -
    RLM, Jun 30, 2006
    #3
  4. RLM

    AM Guest

    RLM wrote:
    > On 2006-06-29, AM <> wrote:
    >
    > Hi Alex,
    >
    > I have enabled ICMP on both interfaces:
    >
    > icmp permit any outside
    > icmp permit any inside
    >
    > I don't see any denied errors when I debug the PIX.
    >
    > Thanks for the suggestion though. Any other things I could check?


    Please update the picture with the correct links. It's quite hard to understand your network only by seeing its elements
    without knowing how they are connected.
    Moreover, I suggest having a look at the syslog server to see if you can find interesting messages like "no route to
    host" or something like that.

    Alex
    AM, Jun 30, 2006
    #4
  5. RLM

    RLM Guest


    >> I have enabled ICMP on both interfaces:
    >>
    >> icmp permit any outside
    >> icmp permit any inside
    >>
    >> I don't see any denied errors when I debug the PIX.
    >>
    >> Thanks for the suggestion though. Any other things I could check?

    >
    > Please update the picture with the correct links. It's quite hard to understand your network only by seeing its elements
    > without knowing how they are connected.
    > Moreover, I suggest having a look at the syslog server to see if you can find interesting messages like "no route to
    > host" or something like that.


    http://www.xs4all.nl/~dbolderm/Tekening1.jpg

    I've updated the diagram. Pinging from 192.168.3.2 to 192.168.4.1
    doesn't work. It seems the ping stops directly at the 501 pix. In the
    debug I can see a request for ping, but on the 506 it never arrives.

    Thanks,
    Dick
    --
    RLM, Jun 30, 2006
    #5
  6. RLM

    RC Guest

    I noticed the public IPs on your DSL connections, yet no mention of VPNs.
    Since private addresses aren't routed over the internet your ISP must be
    doing something to the traffic, VPN, or addresses, NAT, either way they
    might have their own rules in place that are preventing the traffic. Or
    maybe you are doing the VPN with the PIX, in which case you should post the
    config, it might just be a matter of adding a permit for the 192.168.4.x
    traffic for the VPN tunnel.


    --
    RC
    rcohen _ "at" _ cominc _ "dot" _ net remove all _ and spaces

    The only thing I guaranty about my free advice is that it's mine and it's
    free.
    "RLM" <> wrote in message
    news:4all.nl...
    >
    >>> I have enabled ICMP on both interfaces:
    >>>
    >>> icmp permit any outside
    >>> icmp permit any inside
    >>>
    >>> I don't see any denied errors when I debug the PIX.
    >>>
    >>> Thanks for the suggestion though. Any other things I could check?

    >>
    >> Please update the picture with the correct links. It's quite hard to
    >> understand your network only by seeing its elements
    >> without knowing how they are connected.
    >> Moreover, I suggest having a look at the syslog server to see if you can
    >> find interesting messages like "no route to
    >> host" or something like that.

    >
    > http://www.xs4all.nl/~dbolderm/Tekening1.jpg
    >
    > I've updated the diagram. Pinging from 192.168.3.2 to 192.168.4.1
    > doesn't work. It seems the ping stops directly at the 501 pix. In the
    > debug I can see a request for ping, but on the 506 it never arrives.
    >
    > Thanks,
    > Dick
    > --




    RC, Jul 1, 2006
    #6
  7. RLM

    RLM Guest

    > I noticed the public IPs on your DSL connections, yet no mention of VPNs.
    > Since private addresses aren't routed over the internet your ISP must be
    > doing something to the traffic, VPN, or addresses, NAT, either way they
    > might have their own rules in place that are preventing the traffic. Or
    > maybe you are doing the VPN with the PIX, in which case you should post the
    > config, it might just be a matter of adding a permit for the 192.168.4.x
    > traffic for the VPN tunnel.



    Hi RC,

    The PIX is setting up the VPN, so here are the 2 configs of both devices:
    (I deleted some irrelevant info, such as pdm location, etc)

    Thanks !

    501 config

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixbest-nl
    domain-name ourdomain.nl
    no names
    name 192.168.3.0 re
    name 192.168.1.0 Nederland
    name 192.168.2.0 Plant
    name 192.168.1.17 mitu1
    name 192.168.1.25 exchmitnl
    name 212.238.249.0 DemonNET
    name 192.168.2.16 mituplant1
    name 192.168.1.106 AdminPC
    name 192.168.3.251 switch
    name 192.168.3.2 mitubest1
    name 192.168.3.240 IT_Laptop1
    name 192.168.4.25 mail
    name 192.168.4.0 DMZ
    object-group service test udp
    port-object range 4500 4500
    object-group network IT_Laptops
    network-object 192.168.3.240 255.255.255.255
    object-group service IT tcp
    port-object eq www
    port-object eq ssh
    port-object eq https
    port-object eq ftp
    port-object eq nntp
    access-list inside_access_in permit tcp 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list inside_access_in permit udp 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list inside_access_in permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list inside_access_in permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_access_in permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_access_in permit tcp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_access_in permit tcp 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_access_in permit udp 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_access_in permit udp 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_access_in permit tcp host 192.168.3.2 host 192.168.1.25 eq smtp
    access-list inside_access_in permit tcp object-group IT_Laptops any object-group IT
    access-list inside_access_in permit icmp any any
    access-list inside_access_in deny ip any any
    access-list outside_access_in remark
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list outside_access_in permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list outside_access_in permit udp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list outside_access_in permit udp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list outside_access_in permit udp 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list outside_access_in permit tcp 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list outside_access_in permit tcp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list outside_access_in permit tcp 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list outside_access_in deny ip any any
    access-list inside_nat0_outbound permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list inside_nat0_outbound permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
    access-list outside_cryptomap_30 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list outside_cryptomap_30 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 10.250.1.1 255.255.255.240
    ip address inside 192.168.3.254 255.255.255.0
    ip audit name inside_attack attack action alarm
    ip audit name outside_info info action alarm
    ip audit name outside_attack attack action alarm reset
    ip audit name inside_info info action alarm
    ip audit interface outside outside_info
    ip audit interface outside outside_attack
    ip audit interface inside inside_info
    ip audit interface inside inside_attack
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 212.238.249.2 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    floodguard enable
    crypto ipsec transform-set pix_501-VPN esp-aes-192 esp-md5-hmac
    crypto map outside_map 30 ipsec-isakmp
    crypto map outside_map 30 match address outside_cryptomap_30
    crypto map outside_map 30 set pfs group2
    crypto map outside_map 30 set peer 82.161.13.162
    crypto map outside_map 30 set transform-set pix_501-VPN
    crypto map outside_map 30 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    management-access outside
    console timeout 0
    vpdn enable outside
    terminal width 80
    : end


    506 config

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 10full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname PIX-NL
    domain-name ourdomain.nl
    names
    name 10.49.43.2 MITDEVT
    name 10.49.40.1 Server1
    name 62.225.102.178 RemoteAdmin
    name 10.49.40.0 ness
    name 192.168.1.25 ProxyServer
    name 192.168.1.17 Mitu1
    name 62.225.102.180 RemotePDM
    name 82.161.13.160 DemonNET
    name 192.168.1.16 MITNL
    name 192.168.1.0 Nederland
    name 192.168.10.0 Belgie
    name 192.168.10.5 Server
    name 192.168.100.1 mi-Server
    name 192.168.100.0 Japan
    name 192.168.2.0 Plant
    name 192.168.3.0 re_bst
    name 10.250.2.0 pool
    name 192.168.1.18 sqlmitnl
    name 192.168.3.2 mitubst1
    name 192.168.2.16 mituplant1
    name 10.49.43.0 AS400_Subnet
    name 10.250.1.1 GateWay
    name 192.168.1.15 samserver
    name 192.168.5.0 testpool
    name 192.168.1.240 IT_Laptop1
    name 192.168.1.241 IT_Laptop2
    name 192.168.4.0 DMZ
    name 192.168.4.25 mail
    object-group service IT tcp
    port-object eq ssh
    port-object eq nntp
    port-object eq ftp
    port-object eq www
    port-object eq https
    object-group service Proxy_TCP tcp
    description General TCP services for proxy server
    port-object eq www
    port-object eq pop3
    port-object eq ftp
    port-object eq https
    port-object eq smtp
    port-object eq nntp
    port-object range 8801 8801
    object-group service Proxy_UDP udp
    description General UDP services for proxy server
    port-object eq domain
    port-object eq ntp
    object-group service Streaming tcp
    description Streaming Protocols
    port-object range 1755 1755
    port-object range 554 554
    object-group service Streaming_UDP udp
    port-object range 1755 1755
    port-object range 5005 5005
    port-object range 2460 2460
    port-object range 5004 5004
    object-group service ADP tcp
    description FInancial Program
    port-object range 5758 5758
    port-object range 5756 5756
    object-group network Networks_Vdaal
    description Networks Sales and Plant
    network-object Nederland 255.255.255.0
    network-object Plant 255.255.255.0
    object-group network IT_Laptops
    network-object IT_Laptop1 255.255.255.255
    network-object IT_Laptop2 255.255.255.255
    access-list compiled
    access-list inside_outbound_nat0_acl permit ip Nederland 255.255.255.0 ness 255.255.248.0
    access-list inside_outbound_nat0_acl permit ip Nederland 255.255.255.0 Belgie 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip Nederland 255.255.255.0 Japan 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any pool 255.255.255.128
    access-list inside_outbound_nat0_acl permit ip Plant 255.255.255.0 Japan 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip Plant 255.255.255.0 Belgie 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip Nederland 255.255.255.0 re_bst 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip Plant 255.255.255.0 re_bst 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip DMZ 255.255.255.0 re_bst 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip Plant 255.255.255.0 AS400_Subnet 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip Plant 255.255.255.0 ness 255.255.248.0
    access-list outside_cryptomap_20 permit ip Nederland 255.255.255.0 ness 255.255.248.0
    access-list outside_cryptomap_20 permit ip Nederland 255.255.255.0 Japan 255.255.255.0
    access-list outside_cryptomap_20 permit ip Plant 255.255.255.0 ness 255.255.248.0
    access-list outside_cryptomap_20 permit ip Plant 255.255.255.0 Japan 255.255.255.0
    access-list outside_inbound_nat0_acl permit ip ness 255.255.248.0 Nederland 255.255.255.0
    access-list outside_inbound_nat0_acl permit ip ness 255.255.248.0 Plant 255.255.255.0
    access-list outside_inbound_nat0_acl permit ip Belgie 255.255.255.0 Nederland 255.255.255.0
    access-list outside_inbound_nat0_acl permit ip Belgie 255.255.255.0 Plant 255.255.255.0
    access-list outside_access_in deny tcp host RemoteAdmin interface outside eq telnet
    access-list outside_access_in permit ip any interface outside
    access-list outside_access_in permit tcp any host 82.161.13.162 eq smtp
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit ip host mitubst1 object-group Networks_Vdaal
    access-list outside_access_in permit ip host mitubst1 DMZ 255.255.255.0
    access-list outside_access_in permit ip ness 255.255.248.0 Plant 255.255.255.0
    access-list outside_access_in permit tcp host mitubst1 object-group Networks_Vdaal
    access-list outside_access_in permit udp host mitubst1 object-group Networks_Vdaal
    access-list outside_access_in deny ip any any
    access-list inside_access_in permit tcp DMZ 255.255.255.0 re_bst 255.255.255.0
    access-list inside_access_in permit udp DMZ 255.255.255.0 re_bst 255.255.255.0
    access-list inside_access_in permit icmp DMZ 255.255.255.0 re_bst 255.255.255.0
    access-list inside_access_in permit ip DMZ 255.255.255.0 re_bst 255.255.255.0
    access-list inside_access_in permit ip object-group Networks_Vdaal ness 255.255.248.0
    access-list inside_access_in permit ip Nederland 255.255.255.0 Belgie 255.255.255.0
    access-list inside_access_in permit ip object-group Networks_Vdaal re_bst 255.255.255.0
    access-list inside_access_in permit tcp object-group Networks_Vdaal re_bst 255.255.255.0
    access-list inside_access_in permit udp object-group Networks_Vdaal re_bst 255.255.255.0
    access-list inside_access_in permit tcp Nederland 255.255.255.0 Japan 255.255.255.0 eq www
    access-list inside_access_in permit tcp Nederland 255.255.255.0 Japan 255.255.255.0 object-group Streaming
    access-list inside_access_in permit udp Nederland 255.255.255.0 Japan 255.255.255.0 object-group Streaming_UDP
    access-list inside_access_in permit tcp Plant 255.255.255.0 Japan 255.255.255.0 eq www
    access-list inside_access_in permit tcp host ProxyServer any object-group Proxy_TCP
    access-list inside_access_in permit udp host ProxyServer any object-group Proxy_UDP
    access-list inside_access_in permit tcp object-group IT_Laptops any object-group IT
    access-list inside_access_in permit udp host Mitu1 any eq ntp
    access-list inside_access_in permit udp host Mitu1 any eq domain
    access-list inside_access_in permit icmp any any
    access-list inside_access_in permit tcp Nederland 255.255.255.0 any object-group ADP
    access-list inside_access_in permit tcp any any eq telnet
    access-list inside_access_in deny ip any any
    access-list outside_cryptomap_30 permit ip Nederland 255.255.255.0 Belgie 255.255.255.0
    access-list outside_cryptomap_30 permit ip Plant 255.255.255.0 Belgie 255.255.255.0
    access-list outside_cryptomap_40 permit ip Nederland 255.255.255.0 re_bst 255.255.255.0
    access-list outside_cryptomap_40 permit ip Plant 255.255.255.0 re_bst 255.255.255.0
    access-list outside_cryptomap_40 permit ip DMZ 255.255.255.0 re_bst 255.255.255.0
    access-list outside_cryptomap_10 permit ip Nederland 255.255.255.0 AS400_Subnet 255.255.255.0
    access-list outside_cryptomap_10 permit ip Plant 255.255.255.0 AS400_Subnet 255.255.255.0
    pager lines 24
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 82.161.13.162 255.255.255.240
    ip address inside 10.250.1.254 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name outside_attack attack action alarm drop reset
    ip audit name inside_attack attack action alarm
    ip audit name inside_info info action alarm
    ip audit name outside_info info action alarm
    ip audit interface outside outside_info
    ip audit interface outside outside_attack
    ip audit interface inside inside_info
    ip audit interface inside inside_attack
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool HomeOffice 10.250.2.11-10.250.2.99
    arp timeout 14400
    global (outside) 1 interface
    nat (outside) 0 access-list outside_inbound_nat0_acl outside
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface telnet 10.250.3.1 telnet netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp ProxyServer smtp netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 82.161.13.161 1
    route inside Nederland 255.255.255.0 GateWay 1
    route inside Plant 255.255.255.0 GateWay 1
    route inside DMZ 255.255.255.0 GateWay 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set pix_506-VPN esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map pix_506Map 10 ipsec-isakmp
    crypto map pix_506Map 10 match address outside_cryptomap_10
    crypto map pix_506Map 10 set pfs group2
    crypto map pix_506Map 10 set peer 80.146.171.220
    crypto map pix_506Map 10 set transform-set pix_506-VPN
    crypto map pix_506Map 10 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto map pix_506Map 20 ipsec-isakmp
    crypto map pix_506Map 20 match address outside_cryptomap_20
    crypto map pix_506Map 20 set pfs group2
    crypto map pix_506Map 20 set peer 62.225.102.177
    crypto map pix_506Map 20 set transform-set pix_506-VPN
    crypto map pix_506Map 20 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto map pix_506Map 30 ipsec-isakmp
    crypto map pix_506Map 30 match address outside_cryptomap_30
    crypto map pix_506Map 30 set pfs group2
    crypto map pix_506Map 30 set peer 217.136.233.232
    crypto map pix_506Map 30 set transform-set pix_506-VPN
    crypto map pix_506Map 30 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto map pix_506Map 40 ipsec-isakmp
    crypto map pix_506Map 40 match address outside_cryptomap_40
    crypto map pix_506Map 40 set pfs group2
    crypto map pix_506Map 40 set peer 212.238.249.2
    crypto map pix_506Map 40 set transform-set pix_506-VPN
    crypto map pix_506Map 40 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto map pix_506Map 50 ipsec-isakmp dynamic dynmap
    crypto map pix_506Map client authentication LOCAL
    crypto map pix_506Map interface outside
    management-access inside
    console timeout 0
    terminal width 80
    :end
    RLM, Jul 3, 2006
    #7
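
RC's suggestion in post #6 (a missing permit for 192.168.4.x on the VPN tunnel) can be checked against the two posted configs: the `match address` ACLs of two IPsec peers are expected to mirror each other, so the sketch below compares them. It is an added example, not code from the thread; the function names are made up here, and the config excerpts are copied from post #7 with wrapped lines rejoined. It assumes crypto ACL entries of the form `permit ip <net> <mask> <net> <mask>`, which is the only form the posted crypto ACLs use.

```python
import ipaddress
import re

# Crypto-related lines copied from the two configs posted in this thread
# (wrapped lines rejoined). The 501 runs with "no names", so it shows raw IPs.
PIX_501 = """\
access-list outside_cryptomap_30 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 82.161.13.162
"""
PIX_506 = """\
names
name 192.168.1.0 Nederland
name 192.168.2.0 Plant
name 192.168.3.0 re_bst
name 192.168.4.0 DMZ
access-list outside_cryptomap_40 permit ip Nederland 255.255.255.0 re_bst 255.255.255.0
access-list outside_cryptomap_40 permit ip Plant 255.255.255.0 re_bst 255.255.255.0
access-list outside_cryptomap_40 permit ip DMZ 255.255.255.0 re_bst 255.255.255.0
crypto map pix_506Map 40 match address outside_cryptomap_40
crypto map pix_506Map 40 set peer 212.238.249.2
"""


def _net(addr, mask, names):
    """Resolve a 'name' alias if one is defined, then build a network object."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}")


def protected_pairs(config, peer):
    """Return {(local_net, remote_net)} protected by the crypto map entry for `peer`."""
    names = {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)$", config, re.M)}
    # Group "match address" and "set peer" by (map name, sequence number).
    entries = {}
    for m in re.finditer(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$",
                         config, re.M):
        entries.setdefault((m[1], m[2]), {})[m[3]] = m[4]
    pairs = set()
    for entry in entries.values():
        if entry.get("set peer") != peer or "match address" not in entry:
            continue
        acl = re.escape(entry["match address"])
        pattern = rf"^access-list {acl} permit ip (\S+) (\S+) (\S+) (\S+)$"
        for src, smask, dst, dmask in re.findall(pattern, config, re.M):
            pairs.add((_net(src, smask, names), _net(dst, dmask, names)))
    return pairs


def mirror_gaps(cfg_a, peer_of_a, cfg_b, peer_of_b):
    """Return (missing_on_a, missing_on_b): pairs one side protects that the
    other side's crypto ACL does not list in the reverse direction."""
    a = protected_pairs(cfg_a, peer_of_a)
    b = protected_pairs(cfg_b, peer_of_b)
    missing_on_a = sorted({(dst, src) for src, dst in b} - a)
    missing_on_b = sorted({(dst, src) for src, dst in a} - b)
    return missing_on_a, missing_on_b


if __name__ == "__main__":
    on_501, on_506 = mirror_gaps(PIX_501, "82.161.13.162", PIX_506, "212.238.249.2")
    for local, remote in on_501:
        print(f"501 crypto ACL lacks: permit ip {local} -> {remote}")
    for local, remote in on_506:
        print(f"506 crypto ACL lacks: permit ip {local} -> {remote}")
```

Against the posted excerpts it reports one unmirrored entry: the 506's `outside_cryptomap_40` protects 192.168.4.0/24 to 192.168.3.0/24, while the 501's `outside_cryptomap_30` has no 192.168.3.0/24 to 192.168.4.0/24 line.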