02-28-2007 12:18 AM - edited 03-11-2019 02:39 AM
I have a 3825 router that terminates client VPN connections and a remote PIX that terminates client VPN connections and tunnels to 2 other PIXs. I want to build a site-to-site tunnel. I have configured the 3825 as follows:
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ****x address**** no-xauth
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group admins
key ***
dns 10.65.1.200
wins 10.65.1.200
domain ***
pool ippool-admin
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
set peer ****
set transform-set myset
match address 199
interface Serial0/1/0
ip access-group 101 in
ip nat outside
crypto map clientmap
access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255
The PIX config:
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.62.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set HQset esp-3des esp-md5-hmac
crypto dynamic-map vpnclientmap 10 set transform-set HQset
crypto map HQmap 3 ipsec-isakmp
crypto map HQmap 3 match address 130
crypto map HQmap 3 set peer ***
crypto map HQmap 3 set transform-set HQset
crypto map HQmap 4 ipsec-isakmp
crypto map HQmap 4 match address 140
crypto map HQmap 4 set peer ***
crypto map HQmap 4 set transform-set HQset
crypto map HQmap 6 ipsec-isakmp
crypto map HQmap 6 match address 160
crypto map HQmap 6 set peer ***
crypto map HQmap 6 set transform-set HQset
crypto map HQmap 20 ipsec-isakmp dynamic vpnclientmap
crypto map HQmap interface outside
isakmp enable outside
isakmp key ******** address *** netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address *** netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address *** netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
All VPN clients work correctly, as do the tunnels to the two branch offices (PIX-to-PIX), but I cannot route traffic between the site with the router and the central PIX. Any help would be appreciated to guide me in the right direction.
Thanks
02-28-2007 12:35 AM
Hi,
Do you have mirrored access-lists on the remote sites?
If you find this post useful
please don't forget to rate this
#########################################
#Iwan Hoogendoorn
#########################################
02-28-2007 01:22 AM
Well, on the router, ACL 199 is local LAN - remote LAN.
On the PIX, ACL 160 is the opposite of that since it is local LAN - remote LAN.
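The check Iwan is asking about (are the crypto ACLs exact mirrors?) is easy to get wrong by eye because the router writes its ACE with IOS wildcard masks while the PIX writes the same ACE with subnet masks. The script below is an added example, not from the original post or from Cisco: it parses both ACL styles into (source, destination) network pairs and reports any ACE on one side that has no reversed counterpart on the other. The ACL text embedded in it is copied from the thread's two configs; the wildcard/subnet-mask distinction is driven by a flag rather than guessed from the mask value.

```python
import ipaddress
import re

# Sample input copied from the thread: the router's crypto ACL 199 (IOS
# wildcard masks) and the PIX's crypto ACL 160 (PIX subnet masks).
ROUTER_ACL = """
access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

PIX_ACL = """
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
"""

# Only the "permit ip <net> <mask> <net> <mask>" form is handled; 'any' and
# 'host' keywords are not present in the thread's ACLs and are skipped.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)


def _to_network(addr, mask, wildcard):
    """Turn 'addr mask' into an IPv4Network.

    IOS ACLs carry wildcard masks (0.0.0.255), PIX 6.x ACLs carry subnet
    masks (255.255.255.0). A wildcard is inverted into a subnet mask first.
    Non-contiguous wildcards cannot be expressed as a prefix and raise.
    """
    if wildcard:
        mask_int = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(mask_int))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text, wildcard):
    """Return the set of (src_network, dst_network) pairs in an ACL dump."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src = _to_network(m["src"], m["smask"], wildcard)
        dst = _to_network(m["dst"], m["dmask"], wildcard)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Each local (src, dst) must exist remotely as (dst, src) and vice versa.

    Returns (missing_on_remote, missing_on_local); both empty means the
    proxy identities line up exactly.
    """
    expected_remote = {(d, s) for s, d in local_pairs}
    expected_local = {(d, s) for s, d in remote_pairs}
    return expected_remote - remote_pairs, expected_local - local_pairs


def check_mirror(router_acl_text, pix_acl_text):
    """Compare an IOS crypto ACL against a PIX crypto ACL."""
    router = parse_acl(router_acl_text, wildcard=True)
    pix = parse_acl(pix_acl_text, wildcard=False)
    return mirror_mismatches(router, pix)


if __name__ == "__main__":
    missing_remote, missing_local = check_mirror(ROUTER_ACL, PIX_ACL)
    if not missing_remote and not missing_local:
        print("ACL 199 and ACL 160 are exact mirrors")
    for s, d in missing_remote:
        print(f"PIX side lacks: permit ip {s} {d}")
    for s, d in missing_local:
        print(f"router side lacks: permit ip {s} {d}")
```

For the two ACLs quoted in the thread the check comes back clean, which matches what the poster says. Note what the script does not tell you: it only tests that the proxy identities are symmetric. On IOS, inside-to-outside NAT is applied before the crypto map is consulted, so a NAT rule that translates 10.65.x sources on the router would keep the packet from ever matching ACL 199 even though the ACLs mirror perfectly.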
02-28-2007 01:45 AM
Have you done a traceroute ... and is the traffic going through the tunnel?
If you find this post useful
please don't forget to rate this
#########################################
#Iwan Hoogendoorn
#########################################
02-28-2007 02:36 AM
From the router LAN side (10.65.1.x):
when I traceroute from a client it goes to the router (.1) and then dies.
Here is the output from the router:
#sh crypto map
Crypto Map "clientmap" 10 ipsec-isakmp
Dynamic map template tag: dynmap
Crypto Map "clientmap" 20 ipsec-isakmp
Peer = ****
Extended IP access list 199
access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255
Current peer: ***
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
myset,
}
Interfaces using crypto map clientmap:
Serial0/1/0
#sh crypto session
Crypto session current status
Interface: Serial0/1/0
Session status: DOWN
Peer: *** port 500
IPSEC FLOW: permit ip 10.65.1.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.65.2.0/255.255.255.0 192.168.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
It appears that it never brings up the tunnel for traffic destined for the remote LAN 192.168.0.x.
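The `show crypto session` output above is the thing to watch when a site-to-site map never negotiates: "Session status: DOWN" together with "Active SAs: 0, origin: crypto map" on each IPSEC FLOW means the crypto-map entry is installed but no phase 2 SA has ever been built for it. The parser below is an added example (not from the thread or from Cisco) that turns that output into structured records and lists every flow without an active SA, so the same check can be run across many peers from a collected show-command dump. The sample text embeds the thread's output with the masked peer replaced by the documentation address 203.0.113.1, plus one constructed healthy session so the filter has something to keep.

```python
import re

# Constructed sample: the thread's 'show crypto session' output with the
# masked peer replaced by 203.0.113.1, followed by an invented UP-ACTIVE
# session (peer 198.51.100.7, local 192.0.2.1) for contrast.
SHOW_CRYPTO_SESSION = """\
Crypto session current status

Interface: Serial0/1/0
Session status: DOWN
Peer: 203.0.113.1 port 500
  IPSEC FLOW: permit ip 10.65.1.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.65.2.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: Serial0/1/0
Session status: UP-ACTIVE
Peer: 198.51.100.7 port 500
  IKE SA: local 192.0.2.1/500 remote 198.51.100.7/500 Active
  IPSEC FLOW: permit ip 10.65.1.0/255.255.255.0 172.16.5.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""

IFACE_RE = re.compile(r"^Interface:\s+(\S+)")
STATUS_RE = re.compile(r"^Session status:\s+(\S+)")
PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+port\s+(\d+)")
FLOW_RE = re.compile(r"^IPSEC FLOW:\s+permit\s+ip\s+(\S+)\s+(\S+)")
SAS_RE = re.compile(r"^Active SAs:\s+(\d+),\s+origin:\s+(.+)$")


def parse_sessions(text):
    """Split 'show crypto session' output into one dict per session.

    Each session has interface, status, peer and a list of flows; each flow
    records src, dst, the active SA count and the origin (crypto map /
    dynamic crypto map). Leading whitespace is stripped so indentation
    differences between IOS releases do not matter.
    """
    sessions = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            cur = {"interface": m.group(1), "status": None, "peer": None, "flows": []}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # header text before the first 'Interface:' line
        m = STATUS_RE.match(line)
        if m:
            cur["status"] = m.group(1)
            continue
        m = PEER_RE.match(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = FLOW_RE.match(line)
        if m:
            cur["flows"].append({"src": m.group(1), "dst": m.group(2),
                                 "active_sas": None, "origin": None})
            continue
        m = SAS_RE.match(line)
        if m and cur["flows"]:
            # 'Active SAs' always follows the flow it belongs to
            cur["flows"][-1]["active_sas"] = int(m.group(1))
            cur["flows"][-1]["origin"] = m.group(2)
    return sessions


def flows_without_sa(text):
    """Return (peer, status, src, dst) for each flow with no active IPsec SA."""
    out = []
    for s in parse_sessions(text):
        for f in s["flows"]:
            if f["active_sas"] == 0:
                out.append((s["peer"], s["status"], f["src"], f["dst"]))
    return out


if __name__ == "__main__":
    for peer, status, src, dst in flows_without_sa(SHOW_CRYPTO_SESSION):
        print(f"{peer} [{status}]: no SA for {src} -> {dst}")
```

A flow that shows up here with status DOWN and origin "crypto map" has never been triggered: either no packet matching the crypto ACL reached the interface (NAT or routing sent it elsewhere, or the traceroute was sourced from a subnet outside the ACL), or phase 1 with that peer failed before a phase 2 could be proposed. Checking `show crypto isakmp sa` for the same peer separates those two cases.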