site-to-site VPN with pppoe connection

Unanswered Question
Feb 5th, 2007

We have 2 pixes (a 515 and a 506e) doing a vpn between the 2. The tunnel is up but the 506e side cannot connect to anything. I do see the tunnel between the two is up.

config of the 515 pix:

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 101 permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 172.16.10.0 255.255.255.0 11.1.1.0 255.255.255.0
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 172.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 11.1.1.1-11.1.1.254
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-cache src_dst 128KB
http server enable
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server platt_dc
vpngroup vpn3000 default-domain company.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vpngroup idle-time 1800
ssh Cisco 255.255.255.255 outside
ssh timeout 5
terminal width 80

Config on pix 506e:

PIX Version 6.2(2)
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 101 permit tcp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.51 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
telnet x.x.x.x 255.255.255.255 outside
telnet 172.16.10.0 255.255.255.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoegroup request dialout pppoe
vpdn group pppoegroup localname [email protected]
vpdn group pppoegroup ppp authentication pap
vpdn username [email protected] password ********
dhcpd address 192.168.0.50-192.168.0.100 inside
dhcpd dns 198.235.216.134 172.16.10.2
dhcpd lease 504000
dhcpd ping_timeout 750
dhcpd domain company.com
dhcpd enable inside
vpnclient vpngroup vpn3000 password ********
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient enable
terminal width 80

acomiskey Mon, 02/05/2007 - 06:48

You are missing nat (inside) 0 access-list 101 command in 506.

slashman26 Mon, 02/05/2007 - 06:53

Which means I have to turn off the vpnclient in order to do that, correct?

slashman26 Mon, 02/05/2007 - 07:43

Ok cool thanks...

I got the VPN up and working (removed the access-list 101 from the 506) and they can do stuff across the vpn, but they have lost their local internet access (i.e. web pages can't be displayed). As you can see, I have their ISP's DNS set up in their DHCP settings, so not sure what is up or what needs to be done to gain that back.

thanks for the help so far!
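Added example, not code from the thread or from Cisco: a small static checker for the NAT side of a PIX 6.x site-to-site setup, covering acomiskey's point (the inside-to-remote traffic needs a `nat (inside) 0 access-list` exemption) and the follow-up symptom (internet access must still fall through to the `nat 1` / `global 1` PAT pair, so the exemption must not be any-to-any). It parses only the `access-list`, `nat` and `global` lines. The `PIX_515` and `PIX_506E_POSTED` strings are excerpts of the two configs above; `PIX_506E_EXEMPTED` is a constructed, hypothetical 506e fragment illustrating the suggested exemption, not a verified fix for this poster's Easy VPN client setup.

```python
"""Static check of PIX 6.x NAT handling for site-to-site tunnel traffic.

Added example (not from the thread). It reads only access-list, nat and
global lines and reports whether each subnet pair in the interesting-traffic
ACL is exempted from NAT, whether it is matched as 'ip' rather than a single
protocol, and whether other traffic still has a nat/global pair for PAT.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    acl: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class NatRule:
    iface: str
    nat_id: int
    acl: Optional[str] = None                    # nat (inside) 0 access-list NAME
    net: Optional[ipaddress.IPv4Network] = None  # nat (inside) 1 ADDR MASK ...


def _take_net(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec ('any' or 'ADDR MASK') from the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text: str) -> Tuple[List[AclEntry], List[NatRule], Set[int]]:
    """Extract permit ACL entries, nat rules and the ids that have a global."""
    acls, nats, global_ids = [], [], set()
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2] == "permit":
            src, rest = _take_net(t[4:])
            dst, _ = _take_net(rest)          # trailing icmp type etc. is ignored
            acls.append(AclEntry(t[1], t[3], src, dst))
        elif len(t) >= 5 and t[0] == "nat":
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                nats.append(NatRule(iface, nat_id, acl=t[4]))
            else:
                net = ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False)
                nats.append(NatRule(iface, nat_id, net=net))
        elif len(t) >= 3 and t[0] == "global":
            global_ids.add(int(t[2]))
    return acls, nats, global_ids


def check_tunnel_nat(text: str, interesting_acl: str, inside: str = "inside") -> List[str]:
    """Return problem descriptions; an empty list means the NAT side looks right."""
    acls, nats, global_ids = parse_config(text)
    problems: List[str] = []
    exempt_names = {n.acl for n in nats if n.iface == inside and n.nat_id == 0 and n.acl}
    exempt = [e for e in acls if e.acl in exempt_names]
    tunnel = [e for e in acls if e.acl == interesting_acl]
    if not tunnel:
        return [f"ACL {interesting_acl} has no permit entries"]
    for i, e in enumerate(tunnel, 1):
        tag = f"{interesting_acl} entry {i} ({e.src} -> {e.dst})"
        if e.proto != "ip":
            problems.append(f"{tag}: matches only {e.proto}, so ICMP and other "
                            "protocols are not treated as tunnel traffic")
        covered = any(x.proto == "ip" and e.src.subnet_of(x.src) and e.dst.subnet_of(x.dst)
                      for x in exempt)
        if not covered:
            problems.append(f"{tag}: no nat ({inside}) 0 access-list exemption covers it, "
                            "so it is translated by the PAT rule instead")
    for x in exempt:   # an any->any exemption would pull internet traffic out of PAT
        if x.proto == "ip" and x.src == ANY and x.dst == ANY:
            problems.append(f"nat ({inside}) 0 exemption via ACL {x.acl} is any -> any; "
                            "internet-bound traffic would bypass PAT too")
    pat_ids = {n.nat_id for n in nats if n.iface == inside and n.nat_id != 0}
    if not any(pid in global_ids for pid in pat_ids):
        problems.append(f"no nat ({inside}) N / global N pair for internet-bound traffic")
    return problems


# Excerpts of the two configs posted in the thread (only lines this check reads).
PIX_515 = """
access-list 101 permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 172.16.10.0 255.255.255.0 11.1.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
PIX_506E_POSTED = """
access-list 100 permit icmp any any echo-reply
access-list 101 permit tcp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
# Constructed, hypothetical 506e excerpt (not from the thread): the reply's
# suggested nat 0 exemption, with the ACL entry widened to 'ip'.
PIX_506E_EXEMPTED = """
access-list 101 permit ip 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""

if __name__ == "__main__":
    for name, cfg in [("515", PIX_515), ("506e as posted", PIX_506E_POSTED),
                      ("506e with nat 0", PIX_506E_EXEMPTED)]:
        print(name, check_tunnel_nat(cfg, "101") or ["ok"])
```

Run against the posted 506e excerpt it reports two problems on the single ACL 101 entry (it matches only tcp, and nothing exempts it from NAT), while the 515 excerpt and the hypothetical exempted 506e excerpt come back clean. The checker is deliberately narrow: it says nothing about the Easy VPN client, split tunnelling or routing, which are separate reasons the follow-up symptom could occur.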
