VPN pix 506 to 501 ...

Discussion in 'Cisco' started by Fwed, Sep 2, 2005.

  1. Fwed

    Fwed Guest

    Hi,

    I have a vpn between 2 pix, one 506 and one 501.

    My problem is that the VPN goes down, but we see that the VPN is still up ...

    If I do a "sh crypto isakmp sa", we can see that 1 tunnel was created,
    but I can't ping the other side. If I do a "ping inside 192.168.x.x",
    the connection goes up ...

    The configuration seems good.

    Does someone have an idea how to resolve the problem?

    Thanks a lot,

    Fwed

    -------crypto 506 conf-------------
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 30 ipsec-isakmp
    crypto map outside_map 30 match address outside_cryptomap_30
    crypto map outside_map 30 set pfs group5
    crypto map outside_map 30 set peer 2xx.xxx.xxx.xxx
    crypto map outside_map 30 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 2xx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption aes-256
    isakmp policy 30 hash sha
    isakmp policy 30 group 5
    isakmp policy 30 lifetime 86400
    -------crypto 506 conf-------------

    -------crypto 501 conf-------------
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group5
    crypto map outside_map 20 set peer 1xx.xxx.xxx.xxx
    crypto map outside_map 20 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 1xx.xxx.xxx.xxx netmask 255.255.255.255
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash sha
    isakmp policy 20 group 5
    isakmp policy 20 lifetime 86400
    -------crypto 501 conf-------------
     
    Fwed, Sep 2, 2005
    #1

  2. Nick Ersdown

    Nick Ersdown Guest

    Do all users lose visibility of the other side or just some users? If just
    some, then what user licence do you have on the 501? i.e. 10 users? Could
    it be that you have more users on the PIX 501 side than the licence allows?

    If not, then could you post all of your configs - including NAT,
    Access-Lists etc

    Regards,

    Nick Ersdown
    www.ar53.com
     
    Nick Ersdown, Sep 2, 2005
    #2

  3. Fwed

    Fwed Guest

    Nick Ersdown wrote:
    I have 5 users behind the PIX 501, so it's OK :)
    The configuration has changed and is not very clean now (I quickly
    configured the VPN for the Cisco client and changed "isakmp policy 20 group 5" to
    "isakmp policy 20 group 2" on the 501).
    1.1.1.1 & 2.2.2.2 & 1.1.1.2 are, in fact, public addresses.

    ------------Pix 501------------
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ************ encrypted
    passwd ************* encrypted
    hostname PIX-VPN
    domain-name ********.fr
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.2.0 lan01
    name 192.168.0.0 lan02
    access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.5.0 255.255.255.0 172.16.1.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
    access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
    access-list fwoutside permit icmp any any
    access-list fwoutside deny ip any any log
    access-list fwinside permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
    access-list fwinside permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
    access-list fwinside permit udp any any eq bootpc
    access-list fwinside permit udp 192.168.5.0 255.255.255.0 any eq domain
    access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq www
    access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq ftp
    access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq ftp-data
    access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq https
    access-list fwinside permit icmp any any
    access-list fwinside permit tcp 192.168.5.0 255.255.255.0 any eq ssh
    access-list fwinside deny ip any any log
    pager lines 24
    logging on
    logging monitor debugging
    logging buffered debugging
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.5.254 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name IDS-INFO info action alarm
    ip audit name IDS-ATTACK attack action alarm drop reset
    ip audit interface outside IDS-INFO
    ip audit interface outside IDS-ATTACK
    ip audit interface inside IDS-INFO
    ip audit interface inside IDS-ATTACK
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool test 172.16.1.1-172.16.1.254
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group fwoutside in interface outside
    access-group fwinside in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map dynmap 30 set transform-set ESP-AES-256-SHA
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group5
    crypto map outside_map 20 set peer 1.1.1.1
    crypto map outside_map 20 set transform-set ESP-AES-256-SHA
    crypto map outside_map 60 ipsec-isakmp dynamic dynmap
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup address-pool idle-time 1800
    vpngroup nomade address-pool test
    vpngroup nomade idle-time 1800
    vpngroup nomade password ********
    telnet timeout 5
    ssh 192.168.5.0 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname **********
    vpdn group pppoe_group ppp authentication pap
    vpdn username fti/rchzgxt password *********
    dhcpd address 192.168.5.15-192.168.5.14 inside
    dhcpd dns 194.2.0.20
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username admin password *********** encrypted privilege 15
    terminal width 80




    --------pix506-------------
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ********** encrypted
    passwd ************ encrypted
    hostname PIX-VPN
    domain-name **********.fr
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.5.0 lan
    access-list outside_cryptomap_30 permit ip 192.168.0.0 255.255.255.0 lan 255.255.255.0
    access-list outside_cryptomap_30 permit ip 192.168.2.0 255.255.255.0 lan 255.255.255.0
    access-list fwoutside permit icmp any any
    access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 lan 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 lan 255.255.255.0
    access-list fwinside permit ip any any
    pager lines 24
    logging console debugging
    logging monitor debugging
    icmp permit any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside 1.1.1.1 255.255.255.0
    ip address inside 192.168.2.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0 0 0
    access-group fwoutside in interface outside
    access-group fwinside in interface inside
    route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
    route inside 192.168.0.0 255.255.255.0 192.168.2.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 192.168.2.0 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 30 ipsec-isakmp
    crypto map outside_map 30 match address outside_cryptomap_30
    crypto map outside_map 30 set pfs group5
    crypto map outside_map 30 set peer 2.2.2.2
    crypto map outside_map 30 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption aes-256
    isakmp policy 30 hash sha
    isakmp policy 30 group 5
    isakmp policy 30 lifetime 86400
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh 192.168.2.0 255.255.255.0 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    username admin password ********* encrypted privilege 15
    terminal width 80
     
    Fwed, Sep 2, 2005
    #3
  5. Walter Roberson

    Walter Roberson Guest

    :The configuration has changed and is not very clean now

    I do not see the problem at the moment, and it puzzles me that
    a ping to -inside- would do anything. I'd want to see some of the log
    entries and debug crypto isakmp 2 debug crypto ipsec 2 results.

    In the meantime, I happen to notice a couple of small problems with
    your configurations:

    :------------Pix 501------------
    :PIX Version 6.3(5)

    :access-list fwoutside permit icmp any any

    You should not permit -all- icmp, because people *will* attack
    you with unsolicited icmp network-redirects, in an attempt to
    get connections to (e.g.) banks to be redirected to their site
    that has been made up to look just like the bank's...

    You do not need this "for debugging" as it is not going to affect
    any traffic in the tunnel: you have sysopt connection permit-ipsec
    which tells the PIX to ignore the interface ACLs for tunnel traffic.

    :access-list fwoutside deny ip any any log

    Deny is the default, and a log statement would be generated
    anyhow, unless you had turned that off with 'logging message'... which
    you didn't.

    :access-list fwinside deny ip any any log

    Again, deny is the default and a log statement would be generated
    anyhow.


    :logging on
    :logging monitor debugging
    :logging buffered debugging

    When you are trying to debug a PIX, I recommend that you use
    logging trap debugging and also use logging host IP to send
    a copy of the log messages to a syslog daemon for recording to a file.

    :ip address outside pppoe setroute
    :ip address inside 192.168.5.254 255.255.255.0

    :management-access inside

    Ah, that's probably why pinging to the -inside- brought up a tunnel.


    :--------pix506-------------
    :PIX Version 6.3(3)

    Upgrade to 6.3(4) or 6.3(5) is recommended, for a security fix.

    :access-list fwoutside permit icmp any any

    See above about icmp any.


    :crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    :crypto map outside_map 30 ipsec-isakmp
    :crypto map outside_map 30 match address outside_cryptomap_30
    :crypto map outside_map 30 set pfs group5
    :crypto map outside_map 30 set peer 2.2.2.2
    :crypto map outside_map 30 set transform-set ESP-AES-256-SHA
    :crypto map outside_map interface outside

    You have not defined a dynamic map here: you are expecting to talk
    to 2.2.2.2. But look above....

    [501 configuration] ip address outside pppoe setroute

    Your 501 does not -have- a fixed outside IP according to that.
    Perhaps your provider has assigned a constant address of 2.2.2.2,
    but you've told the PIX the address is variable. [Unfortunately
    I don't see any other way to tell the PIX you need to communicate
    via PPPoE.]

    What I suggest you try is removing the crypto map outside_map 30
    on the 506 and putting in a dynamic map (be sure to adjust
    the isakmp key address selector to match the possible range of IPs.)
    Then bring the tunnel up by traffic from the 501 to the 506.


    I would also suggest removing the management access on the 501.
    If you want the traffic between the 501 and the 506 themselves
    to go through a tunnel (e.g., pings) then you should add an
    entry to the tunnel ACL that specifies the -outside- IPs for both
    ends. That's going to be a bit tricky on the 506 side, though,
    with the 501 having a dynamic IP... That is the situation that the
    management access is for, but I think that -for now- it is just
    confusing the issue.
     
    Walter Roberson, Sep 2, 2005
    #5
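As an added illustration of the checks Walter walks through (a static "set peer" aimed at a side whose outside address is PPPoE, crypto ACLs that must be mirror images, agreeing PFS groups, and one isakmp policy both peers can accept), here is a small Python checker written for this page; it is not a Cisco tool or anything the posters ran. It works over constructed excerpts of the two posted configs and reports the static-peer-versus-pppoe problem on the 506, plus the group 2 / group 5 difference between the posted isakmp policies.

```python
# Cross-check two PIX 6.3 site-to-site crypto configs for the mismatches discussed in
# this thread. Hypothetical helper written for this page, not Cisco tooling.
# Constructed excerpts of the two configs posted above, trimmed to the lines the
# checker reads; 'name' aliases are resolved back to the networks they stand for.
PIX501 = """\
name 192.168.2.0 lan01
name 192.168.0.0 lan02
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 lan02 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.5.0 255.255.255.0 lan01 255.255.255.0
ip address outside pppoe setroute
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group5
crypto map outside_map 20 set peer 1.1.1.1
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""
PIX506 = """\
name 192.168.5.0 lan
access-list outside_cryptomap_30 permit ip 192.168.0.0 255.255.255.0 lan 255.255.255.0
access-list outside_cryptomap_30 permit ip 192.168.2.0 255.255.255.0 lan 255.255.255.0
ip address outside 1.1.1.1 255.255.255.0
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set pfs group5
crypto map outside_map 30 set peer 2.2.2.2
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
"""
IKE_ATTRS = ("encryption", "hash", "group")  # phase 1 attributes both peers must agree on

def parse(cfg):
    names, acls, maps, policies, outside = {}, {}, {}, {}, None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2] == "permit":
            # store ((src_net, src_mask), (dst_net, dst_mask)) with names resolved
            src = (names.get(t[4], t[4]), t[5])
            dst = (names.get(t[6], t[6]), t[7])
            acls.setdefault(t[1], set()).add((src, dst))
        elif t[:3] == ["ip", "address", "outside"]:
            outside = t[3]  # a fixed IP, or 'pppoe' for a dynamic address
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            m = maps.setdefault(t[3], {"dynamic": False})
            if t[4] == "ipsec-isakmp":
                m["dynamic"] = "dynamic" in t[5:]
            elif t[4] == "match":
                m["acl"] = t[6]
            elif t[4] == "set":  # peer, pfs, transform-set
                m[t[5]] = t[6]
        elif t[:2] == ["isakmp", "policy"]:
            policies.setdefault(t[2], {})[t[3]] = t[4]
    return {"acls": acls, "maps": maps, "policies": policies, "outside": outside}

def check(local, remote):
    """Findings for local's static crypto map entries that should terminate on remote."""
    findings = []
    remote_static = [m for m in remote["maps"].values() if not m["dynamic"]]
    # What the remote crypto ACL protects, with src/dst swapped, is what ours must say.
    mirrored = {(d, s) for m in remote_static
                for (s, d) in remote["acls"].get(m.get("acl"), ())}
    for seq, m in local["maps"].items():
        if m["dynamic"]:
            continue
        if remote["outside"] == "pppoe":
            findings.append(f"map {seq}: static peer {m.get('peer')} but the remote outside "
                            "address is pppoe (dynamic); a dynamic crypto map is needed")
        elif m.get("peer") != remote["outside"]:
            findings.append(f"map {seq}: peer {m.get('peer')} is not the remote outside address")
        if local["acls"].get(m.get("acl"), set()) != mirrored:
            findings.append(f"map {seq}: ACL {m.get('acl')} does not mirror the remote crypto ACL")
        if any(m.get("pfs") != r.get("pfs") for r in remote_static):
            findings.append(f"map {seq}: PFS group {m.get('pfs')} differs from the remote side")
    # Phase 1 only completes if some policy on each side agrees on every attribute.
    if not any(all(lp.get(k) == rp.get(k) for k in IKE_ATTRS)
               for lp in local["policies"].values() for rp in remote["policies"].values()):
        findings.append("isakmp: no policy pair agrees on encryption/hash/group")
    return findings
```

Run `check(parse(PIX506), parse(PIX501))` to see the 506 side's view and swap the arguments for the 501 side's view; a real run would paste the full `write terminal` output of each box in place of the excerpts.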
  6. Fwed

    Fwed Guest

    Thank you very much for your answer.

    I will try fixing the outside IP on the 501 as you said, so as not to have a
    variable one.

    After that, if it does not resolve the problem, I will change the crypto map to a
    dynamic map.

    Thanks a lot !
     
    Fwed, Sep 5, 2005
    #6
