[VPN] Pix to Cisco 831 Router

Discussion in 'Cisco' started by Mirek, Apr 4, 2004.

  1. Mirek

    Hello.

    I need help. My network diagram looks like this one below.
    |
    10.0.1.2 FTP/ WEB/DB Server -----|
    |
    | inside 10.0.1.1 /
    16
    |
    --------------
    | PIX | -- dmz
    172.16.1.1 /16 ---------------------
    --------------
    |
    |
    |
    |
    DNS Server
    |
    172.16.1.2
    | outside 20.20.20.3
    / 28
    |
    |
    My perm. router
    20.20.20.2

    And pix config:
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet1 dmz security90
    access-list ipsec permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
    access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
    ip address outside 20.20.20.3 255.255.255.240
    ip address inside 10.0.1.1 255.255.0.0
    ip address dmz 172.16.1.1 255.255.0.0
    global (outside) 1 20.20.20.1
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.0.1.0 255.255.0.0 0 0
    nat (dmz) 1 172.16.0.0 255.255.0.0 0 0
    static (inside,outside) 20.20.20.5 10.0.1.2 netmask 255.255.255.255 0 0
    static (dmz, outside) 20.20.20.6 172.16.1.2 netmask 255.255.255.255 0 0
    conduit permit ip 20.20.20.5 host any
    conduit permit ip 20.20.20.6 host any
    conduit permit icmp any any
    route outside 0.0.0.0 0.0.0.0 20.20.20.2 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set lanche esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map forg 21 ipsec-isakmp
    crypto map forg 21 match address ipsec
    crypto map forg 21 set peer 30.30.30.1
    crypto map forg 21 set transform-set lanche
    crypto map forg interface outside
    isakmp enable outside
    isakmp key fin2000 address 30.30.30.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 21 authentication pre-share
    isakmp policy 21 encryption des
    isakmp policy 21 hash md5
    isakmp policy 21 group 1

    So. I have two problems, questions.
    First question: Is this configuration good, because my branch router from the
    other side doesn't respond. How to set up more than one
    VPN tunnel to another Cisco router?

    Second, main question: I did static address translation, but with ip
    address outside 20.20.20.3 255.255.255.240
    hosts from protected networks inside are invisible to each other. For
    example: I can't ping or telnet to 20.20.20.5 from
    20.20.20.6 using IP or hostnames. Where did I make a mistake? Please help. With
    ip address outside 20.20.20.3 255.255.255.255 everything goes
    fine. But isn't that a bad netmask for me? I can't ping (no response) the outside
    interface from any host in inside and dmz? Is it correct?

    Please help.
    Best regards
    Mirek
     
    Mirek, Apr 4, 2004
    #1

  2. I do wish people would learn how to post ascii diagrams to usenet.
     
    Bob { Goddard }, Apr 4, 2004
    #2

  3. Mirek

    Upsss. My fault. Diagram once again.


    |
    | -- inside 10.0.1.1 /16 WEB Server 10.0.1.2
    |
    -------------
    | PIX | -- dmz 172.16.1.1 /16 --DNS Server 172.16.1.2
    -------------
    |
    |
    | outside 20.20.20.3 /28
    |
    |
    My perm. router
    20.20.20.2

    Sorry for ...
    Mirek
     
    Mirek, Apr 4, 2004
    #3
  4. Still doesn't make much sense. Hint - keep line lengths to
    under 78 chars and use a mono-spaced font.
     
    Bob { Goddard }, Apr 4, 2004
    #4
    :I need help. My network diagram looks like this one below.

    :And pix config:

    : access-list ipsec permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0
    : access-list nonat permit ip 10.0.0.0 255.255.0.0 10.2.2.0 255.255.255.0

    : conduit permit ip 20.20.20.5 host any
    : conduit permit ip 20.20.20.6 host any
    : conduit permit icmp any any

    :So. I have two problems, questions.
    :First question: Is this configuration good,

    Do you have a Cisco support contract? If so, then go to the software
    download area for PIX and download one of the tools that convert
    'conduit' into equivalent access-lists.

    Once you have completely eliminated conduits from your configuration,
    re-test, and if it still doesn't work, post the new, conduit-less
    configuration.

    You cannot use conduits and access-lists together without encountering
    problems. Conduits haven't been necessary since PIX 5.0(1), and were
    declared deprecated in PIX 5.2, but you are trying to use them with
    a PIX 6.2 or later configuration (the access-list form of nat 0 wasn't
    supported in PIX 5.) Cisco outright says that using the two together
    gives broken results.

    And if you need more convincing: PIX 7.0 will not support conduits at all.


    Personally, I refuse to even -try- to debug any configuration that has
    conduits in it. I don't see any point in spending a lot of time trying
    to track down something that might well be due to software that is known
    to be broken and will not be fixed. If you convert your configuration
    to eliminate the conduits, then I will at least read your question
    (no point even finding out what you want to know as long as the conduits
    are there.)
     
    Walter Roberson, Apr 4, 2004
    #5
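The conversion Walter describes follows a fixed rule: a conduit names the global (destination) address first and the foreign (source) address second, whereas an access-list applied inbound on the outside interface names source first, then destination. The script below is an added example, not code from this thread or from Cisco's conversion tool; it rewrites conduit statements into that access-list form and appends the access-group line. The sample lines are constructed; note that they use the canonical `host 20.20.20.5` spelling, since the `20.20.20.5 host any` order as posted in the thread is not a valid address spec and the parser rejects it rather than guessing.

```python
"""Rewrite PIX 'conduit' statements as the equivalent 'access-list' /
'access-group' form (added example; acl name 'acl_out' is an assumption).

conduit permit PROTO GLOBAL [op PORT] FOREIGN [op PORT]
    -> access-list NAME permit PROTO FOREIGN [op PORT] GLOBAL [op PORT]
       access-group NAME in interface outside
"""
import re

_DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i].

    Accepts 'any', 'host X', or 'X MASK'; a /32 mask is rewritten as 'host X'.
    Returns (acl_text, next_index) or raises ValueError on malformed input.
    """
    if i >= len(tokens):
        raise ValueError("address spec missing")
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t == "host":
        if i + 1 >= len(tokens) or not _DOTTED.match(tokens[i + 1]):
            raise ValueError("'host' must be followed by an IP address")
        return f"host {tokens[i + 1]}", i + 2
    if i + 1 >= len(tokens) or not (_DOTTED.match(t) and _DOTTED.match(tokens[i + 1])):
        raise ValueError(f"expected 'any', 'host IP' or 'IP MASK' at {t!r}")
    ip, mask = t, tokens[i + 1]
    if mask == "255.255.255.255":
        return f"host {ip}", i + 2
    return f"{ip} {mask}", i + 2


def _take_port(tokens, i):
    """Consume an optional port operator (eq/lt/gt/neq PORT or range A B)."""
    if i < len(tokens) and tokens[i] in ("eq", "lt", "gt", "neq"):
        return f" {tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f" range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "", i


def conduit_to_acl(line, acl_name="acl_out"):
    """Translate a single conduit statement into an access-list entry."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "conduit":
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tokens[1], tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    global_addr, i = _take_addr(tokens, 3)      # destination in ACL terms
    global_port, i = _take_port(tokens, i)
    foreign_addr, i = _take_addr(tokens, i)     # source in ACL terms
    foreign_port, i = _take_port(tokens, i)
    if i != len(tokens):
        raise ValueError(f"unparsed trailing tokens: {tokens[i:]}")
    # Source and destination swap places relative to the conduit order.
    return (f"access-list {acl_name} {action} {proto} "
            f"{foreign_addr}{foreign_port} {global_addr}{global_port}")


def convert_config(lines, acl_name="acl_out", interface="outside"):
    """Rewrite every conduit line in a config; append the access-group line
    that binds the new list inbound on the outside interface."""
    out, converted = [], False
    for raw in lines:
        s = raw.strip()
        if s.startswith("conduit "):
            out.append(conduit_to_acl(s, acl_name))
            converted = True
        elif s:
            out.append(s)
    if converted:
        out.append(f"access-group {acl_name} in interface {interface}")
    return out


if __name__ == "__main__":
    # Constructed sample: the thread's three conduits in canonical syntax,
    # plus one unrelated line to show it passes through untouched.
    sample = [
        "conduit permit ip host 20.20.20.5 any",
        "conduit permit ip host 20.20.20.6 any",
        "conduit permit icmp any any",
        "route outside 0.0.0.0 0.0.0.0 20.20.20.2 1",
    ]
    print("\n".join(convert_config(sample)))
```

The converted list makes the exposure explicit: `permit ip any host 20.20.20.5` admits every protocol to the web server, and `permit icmp any any` admits all ICMP from anywhere; once the rules are in access-list form they can be tightened to the specific ports and ICMP types the servers actually need, which the conduit form tended to obscure.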
