02-05-2007 06:44 AM - edited 02-21-2020 02:51 PM
We have 2 PIXes (a 515 and a 506e) doing a VPN between the 2. The tunnel is up but the 506e side cannot connect to anything. I do see the tunnel between the two is up.
Config of the 515 PIX:
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 101 permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 172.16.10.0 255.255.255.0 11.1.1.0 255.255.255.0
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 172.16.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 11.1.1.1-11.1.1.254
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-cache src_dst 128KB
http server enable
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server platt_dc
vpngroup vpn3000 default-domain company.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vpngroup idle-time 1800
ssh Cisco 255.255.255.255 outside
ssh timeout 5
terminal width 80
Config on PIX 506e:
PIX Version 6.2(2)
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 101 permit tcp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
logging on
logging console debugging
logging monitor debugging
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.51 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
telnet x.x.x.x 255.255.255.255 outside
telnet 172.16.10.0 255.255.255.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoegroup request dialout pppoe
vpdn group pppoegroup localname username@domain.com
vpdn group pppoegroup ppp authentication pap
vpdn username users@domain.com password ********
dhcpd address 192.168.0.50-192.168.0.100 inside
dhcpd dns 198.235.216.134 172.16.10.2
dhcpd lease 504000
dhcpd ping_timeout 750
dhcpd domain company.com
dhcpd enable inside
vpnclient vpngroup vpn3000 password ********
vpnclient server x.x.x.x
vpnclient mode network-extension-mode
vpnclient enable
terminal width 80
02-05-2007 06:48 AM
You are missing the nat (inside) 0 access-list 101 command in the 506.
02-05-2007 06:53 AM
Which means I have to turn off the vpnclient in order to do that, correct?
02-05-2007 07:28 AM
Oh, Easy VPN, sorry about that. Try this link.
02-05-2007 07:43 AM
OK, cool, thanks...
I got the VPN up and working (removed access-list 101 from the 506) and they can do stuff across the VPN, but they have lost their local internet access (i.e. web pages can't be displayed). If you see, I have their ISP DNS set up in their DHCP settings, so I am not sure what is up or what needs to be done to get that back.
Thanks for the help so far!
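The symptom in the last post (hosts behind the 506e reach 172.16.10.0/24 over the tunnel but lose local internet) is what an Easy VPN remote in network-extension mode does when the server pushes no split-tunnel policy: the remote sends all traffic into the tunnel, and the 515 has no NAT path to carry 192.168.0.0/24 back out. The fragment below is an added example, not part of the thread or of either poster's configuration. It shows the split-tunnel configuration on the 515 (the Easy VPN server) that limits the tunnel to the hub's 172.16.10.0/24, so the 506e keeps NATing everything else out its own PPPoE interface with the global (outside) 1 / nat (inside) 1 pair it already has. The access-list name split-tunnel-acl is an assumption; the networks are the ones in the posted configs.

```cisco
! 515 (Easy VPN server). Define what the remote must send through the tunnel:
! source is the hub-side protected network, destination is the 506e inside network.
! (split-tunnel-acl is an assumed name; any unused ACL name works.)
access-list split-tunnel-acl permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! Push the list to the vpn3000 group. Only traffic to 172.16.10.0/24 is tunnelled;
! all other traffic from 192.168.0.0/24 is PATed locally by the 506e.
vpngroup vpn3000 split-tunnel split-tunnel-acl
!
! Already present on the 515 and still required: exempt hub-to-remote traffic from
! NAT (access-list 101 lines) so replies return through the tunnel, not via global PAT.
nat (inside) 0 access-list 101
```

After the 506e reconnects, show vpnclient on the 506e should list the pushed split-tunnel network, and show crypto ipsec sa on either box should show the proxy identities as 192.168.0.0/24 and 172.16.10.0/24 rather than 0.0.0.0/0. The 506e needs no nat 0 access-list of its own in client (Easy VPN remote) mode, which is why removing access-list 101 there did no harm; the tunnel policy comes from the server.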