PIX VPN mesh with acess to multiple subnets at one of the sites?

Discussion in 'Cisco' started by Tim Levy, Jun 16, 2006.

  1. Tim Levy

    Tim Levy Guest

    I wonder whether any of the experts in this group can help me.

    I have three sites (a 'central' one, and two remotes), each with a single
    subnet, and that are interconnected with a PIX-PIX IPsec VPN mesh. The
    whole thing has worked flawlessly since originally set up a few months ago,
    in that it provides intervisibility between IP hosts at each of the three

    I now have to move some of the servers at the central site to their own
    subnet on their own VLAN (named 'Databases' at I need to
    be able to provide connectivity to hosts on the Databases subnet/VLAN from
    the two remote sites. However, I just have not been able to make this work.

    With the central and remote configurations that are appended, if I do 'debug
    packet Databases' and then ping a host on the Databases VLAN at Central from
    the remote site, I can see the echo packet being sent to the host on the
    Databases subnet/VLAN, and I can see the echo reply being sent back from
    that host to the central PIX.

    I can also see the hitcount increment on the
    access-list Databases_acl permit icmp any any echo-reply
    rule (that is generated from the object group named 'ICMP-allowed') on the
    central PIX.

    However, I do not see the encapsulated packets count increment on the PIX at
    the central site end of the IPsec SA with the remote site that originated
    the ping. And, needless to say, the host from which I sent the ping does
    not see any response.

    Can anybody point me at what I've got wrong in the appended configs. Note
    that other required access to the Databases subnet/VLAN from the
    subnet at the central site, and from two other subnets, and, (that are each connected via a router) all works fine. The
    problem is only with the VPN-connected sites that have the and subnets on their inside interfaces. I realise that, in what
    follows, some of the ACLs show signs of my increasing desperation to get the
    required setup working:

    ** Central site:
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet1 vlan99 physical
    interface ethernet1 vlan1 logical
    interface ethernet1 vlan3 logical
    interface ethernet1 vlan4 logical
    nameif ethernet0 outside security0
    nameif ethernet1 i-physical security99
    nameif vlan1 inside security100
    nameif vlan3 Databases security90
    nameif vlan4 DMZ1 security50
    enable password *** encrypted
    passwd *** encrypted
    hostname PIX515-1
    domain-name ***.co.uk
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol http 8888
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    name x.x.x.x PIX_RemoteA
    name Net_RemoteA
    name x.x.x.x PIX_RemoteB
    name Net_RemoteB
    object-group icmp-type ICMP-allowed
    description ICMP types allowed in from outside
    icmp-object echo
    icmp-object echo-reply
    icmp-object time-exceeded
    object-group service DellERA tcp
    description The bunch of protocols used to access a Dell remote console
    port-object eq www
    port-object eq https
    port-object range 5800 5809
    port-object range 5900 5909
    object-group service sitescope tcp
    description Sitesope port
    port-object eq 8888
    object-group network xxx
    description External IPs of xxx systems
    network-object x.x.x.x
    network-object host x.x.x.x
    network-object host x.x.x.x
    object-group network MLabsInbound
    description External IPs of MessageLabs systems permitted to deliver SMTP
    Tim Levy, Jun 16, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.