Posted by Remco Bressers on August 16, 2005, 11:40 am
Hi,
This problem is giving me some headaches. I hope someone can help me out here.
I've got the following setup:
Internet -- router --- PIX1 ---DSLrouter1-- VPN --DSLrouter2--- PIX2 ----- LAN2
|
LAN1
router : 10.194.124.1/27
LAN 1: 10.194.124.0/27
PIX 1 on the inside : 10.194.124.26/27
PIX 1 on the outside : 217.21.245.132/29
PIX 2 on the inside : 10.194.124.193/27
PIX 2 on the outside : 217.21.241.110/24
LAN 2 : 10.194.124.192/27
The router is the gateway to the outside world, so LAN2 uses PIX2 as the default
gateway and PIX2 uses the router as a gateway (10.194.124.1).
LAN1 uses the router as a gateway. On 'router' there's a static route
10.194.124.192/27 > 10.194.124.26 (PIX1).
What I see is that I can get traffic from LAN2 to LAN1 and to the router, but
not from LAN2 through the router. The router uses NAT on its external
interface. LAN1 works perfectly. Did I overlook something over here?
The configurations:
*** PIX1 ***
names
name 10.194.124.192 LAN2
access-list nonat permit ip any any
access-list nonat permit ip any LAN2 255.255.255.224
access-list outside_cryptomap_20 permit ip any LAN2 255.255.255.224
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any source-quench
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
ip address outside 217.21.245.132 255.255.255.248
ip address inside 10.194.124.26 255.255.255.224
nat (inside) 0 access-list nonat
access-group allow_ping in interface outside
route outside 0.0.0.0 0.0.0.0 217.21.245.134 1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.21.241.110
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.21.241.110 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
*** PIX2 ***
access-list nonat permit ip any any
access-list nonat permit ip 10.194.124.192 255.255.255.224 any
access-list outside_cryptomap_20 permit ip 10.194.124.192 255.255.255.224 any
access-list allow_ping permit icmp any any echo-reply
access-list allow_pint permit icmp any any source-quench
access-list allow_pint permit icmp any any unreachable
access-list allow_pint permit icmp any any time-exceeded
ip address outside 217.21.241.110 255.255.255.0
ip address inside 10.194.124.193 255.255.255.224
nat (inside) 0 access-list nonat
access-group allow_ping in interface outside
route outside 0.0.0.0 0.0.0.0 10.194.124.1 1
route outside 217.21.245.128 255.255.255.248 217.21.241.254 1
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 217.21.245.132
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 217.21.245.132 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Thanks in advance,
Remco
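A small consistency checker for a pair of PIX 6.x configs like the two above, added here as an example and not part of the thread or of any Cisco tooling: it parses the access-list, access-group, nat 0, crypto map match, ip address and route lines, then flags access-lists that are applied but never defined (or defined but never applied) and static routes whose next hop does not sit on the interface's subnet. The embedded sample lines are trimmed copies of the two posted configs (PIX1's LAN2 name expanded); anything it reports is a point to review, not a diagnosis of the thread's problem.

```python
import ipaddress

# Constructed sample: trimmed copies of both configs as posted (PIX1's LAN2 name expanded).
PIX1 = """access-list nonat permit ip any any
access-list outside_cryptomap_20 permit ip any 10.194.124.192 255.255.255.224
access-list allow_ping permit icmp any any echo-reply
ip address outside 217.21.245.132 255.255.255.248
nat (inside) 0 access-list nonat
access-group allow_ping in interface outside
route outside 0.0.0.0 0.0.0.0 217.21.245.134 1
crypto map outside_map 20 match address outside_cryptomap_20"""
PIX2 = """access-list nonat permit ip any any
access-list outside_cryptomap_20 permit ip 10.194.124.192 255.255.255.224 any
access-list allow_ping permit icmp any any echo-reply
access-list allow_pint permit icmp any any unreachable
ip address outside 217.21.241.110 255.255.255.0
nat (inside) 0 access-list nonat
access-group allow_ping in interface outside
route outside 0.0.0.0 0.0.0.0 10.194.124.1 1
crypto map outside_map 20 match address outside_cryptomap_20"""

def parse_pix(text):
    """Collect ACL names, the lines that apply them, interface addresses and routes."""
    c = {"acls": set(), "refs": [], "ifaces": {}, "routes": []}
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "access-list":
            c["acls"].add(w[1])
        elif w[0] == "access-group" or "access-list" in w or "match" in w:
            # access-group <name> ..., nat (if) 0 access-list <name>, crypto map ... match address <name>
            c["refs"].append((" ".join(w), w[1] if w[0] == "access-group" else w[-1]))
        elif w[:2] == ["ip", "address"]:          # ip address <if> <addr> <mask>
            c["ifaces"][w[2]] = ipaddress.ip_interface(f"{w[3]}/{w[4]}")
        elif w[0] == "route":                     # route <if> <net> <mask> <gw> <metric>
            c["routes"].append((w[1], f"{w[2]}/{w[3]}", w[4]))
    return c

def check_pix(tag, cfg):
    """Findings for one parsed config; an empty list means the checks passed."""
    out = []
    for line, name in cfg["refs"]:
        if name not in cfg["acls"]:
            out.append(f"{tag}: '{line}' applies undefined access-list {name}")
    for name in sorted(cfg["acls"] - {n for _, n in cfg["refs"]}):
        out.append(f"{tag}: access-list {name} is defined but never applied (typo?)")
    for iface, dest, gw in cfg["routes"]:
        if ipaddress.ip_address(gw) not in cfg["ifaces"][iface].network:
            out.append(f"{tag}: route {dest} via {gw}: next hop is not on the {iface} subnet")
    return out

for tag, text in (("PIX1", PIX1), ("PIX2", PIX2)):
    print("\n".join(check_pix(tag, parse_pix(text))) or f"{tag}: no findings")
```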
Posted by www.BradReese.Com on August 16, 2005, 7:14 pm
Hi Remco,
You may wish to investigate Cisco's Online PIX Firewall TAC Case
Collection / Knowledge Base:
http://129.41.16.73/security/home
Hope this helps.
Brad Reese
Free Cisco Security Upgrades:
http://www.bradreese.com/cisco-security-advisories.htm
BradReese.Com Cisco Repair Service Experts
http://www.bradreese.com/cisco-big-iron-repair.htm
1293 Hendersonville Road, Suite 17
Asheville, North Carolina USA 28803
U.S./Canada Toll Free: 877-549-2680
International: 828-277-7272
United Kingdom: 44-20-70784294
Posted by Remco Bressers on August 17, 2005, 9:37 am
> You may wish to investigate Cisco's Online PIX Firewall TAC Case
> Collection / Knowledge Base:
> http://129.41.16.73/security/home
Thanks Brad. This can be of some help here. I also opened a TAC case at Cisco
and I'll put the solution over here.
Remco
Posted by AM on August 18, 2005, 7:14 am
Remco Bressers wrote:
> Hi,
>
> This problem is giving me some headaches. I hope someone can help me out
> here.
>
> I've got the following setup :
>
>
> Internet -- router --- PIX1 ---DSLrouter1-- VPN --DSLrouter2--- PIX2 ----- LAN2
> |
> LAN1
>
>
Could you post router's config?
Are you doing NAT also for LAN2?
Alex.