Router to Firewall VPN Connection

Unanswered Question
Feb 28th, 2007

I have a 3825 router that terminates client VPN connections and a remote PIX that terminates client VPN connections and tunnels to 2 other PIXs. I want to build a site-to-site tunnel. I have configured the 3825 as follows:

crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ****x address**** no-xauth
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group admins
 key ***
 dns 10.65.1.200
 wins 10.65.1.200
 domain ***
 pool ippool-admin
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
 set peer ****
 set transform-set myset
 match address 199
interface Serial0/1/0
 ip access-group 101 in
 ip nat outside
 crypto map clientmap
access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255

The PIX config:

access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.62.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set HQset esp-3des esp-md5-hmac
crypto dynamic-map vpnclientmap 10 set transform-set HQset
crypto map HQmap 3 ipsec-isakmp
crypto map HQmap 3 match address 130
crypto map HQmap 3 set peer ***
crypto map HQmap 3 set transform-set HQset
crypto map HQmap 4 ipsec-isakmp
crypto map HQmap 4 match address 140
crypto map HQmap 4 set peer ***
crypto map HQmap 4 set transform-set HQset
crypto map HQmap 6 ipsec-isakmp
crypto map HQmap 6 match address 160
crypto map HQmap 6 set peer ***
crypto map HQmap 6 set transform-set HQset
crypto map HQmap 20 ipsec-isakmp dynamic vpnclientmap
crypto map HQmap interface outside
isakmp enable outside
isakmp key ******** address *** netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address *** netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address *** netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

All VPN clients work correctly, as do the tunnels to the two branch offices (PIX-to-PIX), but I cannot route traffic between the site with the router and the central PIX. Any help would be appreciated to guide me in the right direction.

thanks

buzzyng99 Wed, 02/28/2007 - 01:22

Well, on the router, ACL 199 is local LAN - remote LAN.

On the PIX, ACL 160 is the opposite of that, since it is local LAN - remote LAN.
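The mirror-image check the reply describes, written out as an added example (not code from the thread): it parses the router's ACL 199 (IOS wildcard masks) and the PIX's ACL 160 (subnet masks), both copied from the question, normalises each line to a (source, destination) network pair, and reports any flow that has no reversed counterpart on the other peer. For the two ACLs in this thread it reports a clean mirror.

```python
import ipaddress
import re

# Constructed from the two crypto ACLs quoted in the question.
ROUTER_ACL_199 = """
access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
PIX_ACL_160 = """
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
"""

# 'access-list N permit ip SRC MASK DST MASK' (shape shared by IOS and PIX 6.x)
ACL_RE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def _to_network(addr, mask, wildcard):
    """Build a network from an address and either an IOS wildcard or a PIX subnet mask."""
    if wildcard:
        # IOS wildcard 0.0.0.255 is the bitwise inverse of netmask 255.255.255.0
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text, wildcard):
    """Return the set of (src_net, dst_net) flows a crypto ACL selects for encryption."""
    flows = set()
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            flows.add((_to_network(src, smask, wildcard), _to_network(dst, dmask, wildcard)))
    return flows


def mirror_mismatches(local_flows, remote_flows):
    """(flows missing on the remote side, flows the remote side has that the local side lacks)."""
    # Each local (src, dst) must appear reversed as (dst, src) on the peer,
    # otherwise the proxy identities differ and the IPsec SA will not negotiate.
    expected_remote = {(dst, src) for src, dst in local_flows}
    return expected_remote - remote_flows, remote_flows - expected_remote


if __name__ == "__main__":
    router = parse_crypto_acl(ROUTER_ACL_199, wildcard=True)
    pix = parse_crypto_acl(PIX_ACL_160, wildcard=False)
    missing, extra = mirror_mismatches(router, pix)
    print("mirrored" if not (missing or extra) else f"missing on PIX: {missing}, extra on PIX: {extra}")
```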

buzzyng99 Wed, 02/28/2007 - 02:36

From the router LAN side (10.65.1.x):

When I traceroute from a client it goes to the router (.1) and then dies.

Here is the output from the router:

#sh crypto map
Crypto Map "clientmap" 10 ipsec-isakmp
        Dynamic map template tag: dynmap
Crypto Map "clientmap" 20 ipsec-isakmp
        Peer = ****
        Extended IP access list 199
            access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
            access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255
        Current peer: ***
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ myset, }
        Interfaces using crypto map clientmap:
                Serial0/1/0

#sh crypto session
Crypto session current status
Interface: Serial0/1/0
Session status: DOWN
Peer: *** port 500
  IPSEC FLOW: permit ip 10.65.1.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.65.2.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

It appears that it never brings up the tunnel for traffic destined for the remote LAN 192.168.0.x.
