VPN lan to lan - works but does not

Discussion in 'Cisco' started by Robert, Jan 18, 2006.

  1. Robert

    Robert Guest

    I have 2 PIXes (501) and 1 PIX is VPN server. There is VPN site-to-site.

    I am trying to connect from home.
    Connection is OK but I can not use remote admin (like before). Before I
    had VPN server only (no site-to-site). I was doing the same things as in the
    www.cisco.com tutorial and it does not work.


    this is my config

    Office
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list 100 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0
    access-list 110 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
    ip local pool test 192.168.7.1-192.168.7.5
    nat (inside) 0 access-list 100
    ip address outside 60.60.192.18 255.255.255.240
    ip address inside 192.168.1.1 255.255.255.0
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 30 set transform-set myset
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 110
    crypto map newmap 10 set peer 50.50.66.239
    crypto map newmap 10 set transform-set myset
    crypto map newmap 20 ipsec-isakmp dynamic dynmap
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ********* address 50.50.66.239 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup Mygroup address-pool test
    vpngroup Mygroup dns-server 192.168.1.2
    vpngroup Mygroup wins-server 192.168.1.2
    vpngroup Mygroup default-domain company.com.com
    vpngroup Mygroup idle-time 1800
    vpngroup Mygroup password [email protected]

    Office2

    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list 100 permit ip 50.50.67.112 255.255.255.240 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list 100
    ip address outside 50.50.66.239 255.255.255.0
    ip address inside 192.168.1.1 255.255.255.0
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address 100
    crypto map newmap 10 set peer 60.60.192.18
    crypto map newmap 10 set transform-set myset
    crypto map newmap interface outside
    isakmp enable outside
    isakmp key ********* address 60.60.192.18 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
     
    Robert, Jan 18, 2006
    #1

  2. ACL number doesn't match
    ACLs are wrong - do it like this:
    Allow the inside LAN to the other inside LAN.
    e.g.
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.240


    OOPS

    Here is the next problem - you use the same LAN IP range on both sides.
    Get this right, by using e.g. 192.168.2.0 /24 on the other site and so on
    so your ACL will be
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240

    and reverse these ACLs in the remote PIXes

    Also add "isakmp nat-t" for your VPN clients
    And the "management-access inside" for the remote admin via the tunnels
    plus e.g. ssh 192.168.1.0 255.255.255.0 inside on the remote PIX
     
    Martin Bilgrav, Jan 20, 2006
    #2
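The two faults the reply points at (overlapping inside LANs, and a crypto ACL whose source is not the PIX's own LAN) can be caught by reading the crypto-map ACLs of both peers before the tunnel is ever brought up. The checker below is an added example, not code from the thread or from Cisco; it assumes the constructed config excerpts shown and a corrected pair in which Office2 is renumbered to 192.168.2.0/24 as the reply suggests (the VPN-client, nat-t and management-access points are not covered).

```python
import ipaddress
import re
# Constructed excerpts of the two PIX configs posted in the thread (only the lines the checks read).
OFFICE = """
ip address inside 192.168.1.1 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 50.50.67.112 255.255.255.240
crypto map newmap 10 match address 110
"""
OFFICE2 = """
ip address inside 192.168.1.1 255.255.255.0
access-list 100 permit ip 50.50.67.112 255.255.255.240 192.168.1.0 255.255.255.0
crypto map newmap 10 match address 100
"""
# Constructed corrected pair per the reply: Office2 renumbered to 192.168.2.0/24, ACLs mirrored.
OFFICE_FIXED = OFFICE.replace("50.50.67.112 255.255.255.240", "192.168.2.0 255.255.255.0")
OFFICE2_FIXED = """
ip address inside 192.168.2.1 255.255.255.0
access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map newmap 10 match address 100
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)
INSIDE_RE = re.compile(r"^ip address inside (\S+) (\S+)$", re.M)

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)  # PIX uses dotted masks

def crypto_acl(cfg):
    """(src, dst) network pairs of every ACL bound to a static crypto map entry."""
    bound = set(MATCH_RE.findall(cfg))
    return [(net(s, sm), net(d, dm)) for acl, s, sm, d, dm in ACL_RE.findall(cfg) if acl in bound]

def inside_lan(cfg):
    return net(*INSIDE_RE.search(cfg).groups())

def audit(cfg_a, cfg_b):
    """List the mismatches that stop a site-to-site tunnel from carrying LAN-to-LAN traffic."""
    problems = []
    lan_a, lan_b = inside_lan(cfg_a), inside_lan(cfg_b)
    if lan_a.overlaps(lan_b):
        problems.append(f"inside LANs overlap: {lan_a} and {lan_b}")
    for name, mine, peer in (("A", cfg_a, cfg_b), ("B", cfg_b, cfg_a)):
        local = inside_lan(mine)
        mirror = {(d, s) for s, d in crypto_acl(peer)}  # the peer's ACL seen from this side
        for src, dst in crypto_acl(mine):
            if not src.subnet_of(local):
                problems.append(f"{name}: crypto ACL source {src} is not its inside LAN {local}")
            if (src, dst) not in mirror:
                problems.append(f"{name}: peer ACL does not mirror {src} -> {dst}")
    return problems
```

Running `audit(OFFICE, OFFICE2)` reports the overlapping LANs and Office2's ACL source, while the corrected pair reports nothing.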

  3. Robert

    Robert Guest

    Robert, Jan 23, 2006
    #3
