Router to Firewall VPN Connection

buzzyng99
Level 1

I have a 3825 router that terminates client VPN connections and a remote PIX that terminates client VPN connections and tunnels to 2 other PIXs. I want to build a site-to-site tunnel. I have configured the 3825 as follows:

crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ****x address**** no-xauth
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group admins
 key ***
 dns 10.65.1.200
 wins 10.65.1.200
 domain ***
 pool ippool-admin
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
 set peer ****
 set transform-set myset
 match address 199
interface Serial0/1/0
 ip access-group 101 in
 ip nat outside
 crypto map clientmap
access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255

The PIX config:

access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.62.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set HQset esp-3des esp-md5-hmac
crypto dynamic-map vpnclientmap 10 set transform-set HQset
crypto map HQmap 3 ipsec-isakmp
crypto map HQmap 3 match address 130
crypto map HQmap 3 set peer ***
crypto map HQmap 3 set transform-set HQset
crypto map HQmap 4 ipsec-isakmp
crypto map HQmap 4 match address 140
crypto map HQmap 4 set peer ***
crypto map HQmap 4 set transform-set HQset
crypto map HQmap 6 ipsec-isakmp
crypto map HQmap 6 match address 160
crypto map HQmap 6 set peer ***
crypto map HQmap 6 set transform-set HQset
crypto map HQmap 20 ipsec-isakmp dynamic vpnclientmap
crypto map HQmap interface outside
isakmp enable outside
isakmp key ******** address *** netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address *** netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address *** netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

All VPN clients work correctly, and so do the tunnels to the two branch offices (PIX-to-PIX), but I cannot route traffic between the router site and the central PIX. Any help would be appreciated to guide me in the right direction.

thanks

4 Replies

Hi,

Do you have mirrored access-lists on the remote sites?

If you find this post useful

please don't forget to rate this

#########################################

#Iwan Hoogendoorn

#########################################
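The question about mirrored access-lists can be checked mechanically rather than by eye. The following Python script is an added example, not part of this thread and not a Cisco tool: it parses the router's IOS-style ACL (wildcard masks) and the PIX's netmask-style ACL, normalises both to CIDR pairs, and reports any flow whose (dst, src) mirror is missing on the other peer. It also checks that the PIX's `nat (inside) 0` exemption list (ACL 100) covers every flow in the crypto ACL, since traffic translated before it reaches the crypto map never matches the crypto ACL. The sample ACL text is constructed from the lines posted above.

```python
"""Mirror check for IPsec crypto ACLs (added example, not from the thread).

The router side uses IOS wildcard masks (0.0.0.255); the PIX side uses
subnet masks (255.255.255.0). Both are normalised to CIDR pairs so the
two policies can be compared as mirror images.
"""
import ipaddress
import re

# Constructed sample input: the ACL lines posted in the thread.
ROUTER_ACL_199 = """
access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
PIX_ACL_160 = """
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
"""
PIX_ACL_100 = """
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.62.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
"""

# Only 'permit ip <src> <mask> <dst> <mask>' entries are parsed; other lines are skipped.
ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)


def _network(addr, mask, wildcard):
    """Build an IPv4Network from an address plus a wildcard or subnet mask."""
    if wildcard:
        # IOS wildcard bits: 0 = must match, 1 = don't care. Invert to get a netmask.
        inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_crypto_acl(text, wildcard):
    """Return the set of (src, dst) CIDR string pairs the ACL permits.

    wildcard=True for IOS syntax, False for PIX/ASA netmask syntax.
    """
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src = _network(m["src"], m["smask"], wildcard)
            dst = _network(m["dst"], m["dmask"], wildcard)
            pairs.add((str(src), str(dst)))
    return pairs


def mirror_report(local, remote):
    """Flows present on one peer whose (dst, src) mirror is missing on the other."""
    remote_mirrored = {(d, s) for (s, d) in remote}
    return {
        "missing_on_remote": sorted(local - remote_mirrored),
        "missing_on_local": sorted(remote_mirrored - local),
    }


def acls_are_mirrored(ios_text, pix_text):
    """True when the IOS and PIX crypto ACLs are exact mirror images."""
    report = mirror_report(parse_crypto_acl(ios_text, True),
                           parse_crypto_acl(pix_text, False))
    return not report["missing_on_remote"] and not report["missing_on_local"]


def nat_exempt_gaps(crypto_pairs, nat0_pairs):
    """Crypto-ACL flows not covered by any nat 0 (NAT-exempt) entry.

    Traffic that is translated before it reaches the crypto map will not match
    the crypto ACL, so every protected flow must sit inside an exempt entry.
    """
    gaps = []
    for s, d in crypto_pairs:
        sn, dn = ipaddress.ip_network(s), ipaddress.ip_network(d)
        covered = any(
            sn.subnet_of(ipaddress.ip_network(ns)) and dn.subnet_of(ipaddress.ip_network(nd))
            for ns, nd in nat0_pairs
        )
        if not covered:
            gaps.append((s, d))
    return sorted(gaps)


if __name__ == "__main__":
    ios = parse_crypto_acl(ROUTER_ACL_199, wildcard=True)
    pix = parse_crypto_acl(PIX_ACL_160, wildcard=False)
    print("mirror report:", mirror_report(ios, pix))
    print("nat 0 gaps:", nat_exempt_gaps(pix, parse_crypto_acl(PIX_ACL_100, wildcard=False)))
```

Run against the posted ACLs, both reports come back empty: ACL 199 and ACL 160 are mirrors, and ACL 100 covers both protected flows, so the policy definitions themselves are not the reason the tunnel stays down.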

well, on the router, ACL 199 is local lan - remote lan

on the PIX, ACL 160 is the opposite of that since it is local lan - remote lan

Have you done a traceroute ... and is the traffic going through the tunnel?

If you find this post useful

please don't forget to rate this

#########################################

#Iwan Hoogendoorn

#########################################

from the router lan side (10.65.1.x)

when I traceroute from a client it goes to the router (.1) and then dies.

here is the output from the router:

#sh crypto map

Crypto Map "clientmap" 10 ipsec-isakmp
        Dynamic map template tag: dynmap

Crypto Map "clientmap" 20 ipsec-isakmp
        Peer = ****
        Extended IP access list 199
            access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
            access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255
        Current peer: ***
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset,
        }
        Interfaces using crypto map clientmap:
                Serial0/1/0

#sh crypto session

Crypto session current status

Interface: Serial0/1/0
Session status: DOWN
Peer: *** port 500
  IPSEC FLOW: permit ip 10.65.1.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.65.2.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

It appears that it never brings up the tunnel for traffic destined to the remote LAN 192.168.0.x
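The condition described above (a DOWN session whose crypto-map flows show zero active SAs) is easy to watch for across many routers if the `show crypto session` output is parsed rather than read. The following Python snippet is an added example, not from this thread and not a Cisco tool: it splits the output into one record per `Interface:` block and lists every IPSEC FLOW with no active SA. The sample text is transcribed from the post above; the peer address was masked there, so the documentation placeholder 203.0.113.1 stands in for it.

```python
"""List IPsec flows with no active SA in 'show crypto session' output
(added example, not from the thread and not Cisco code)."""
import re

# Constructed sample, transcribed from the output posted in the thread; the
# peer address was masked there, so 203.0.113.1 is a documentation placeholder.
SHOW_CRYPTO_SESSION = """
Crypto session current status

Interface: Serial0/1/0
Session status: DOWN
Peer: 203.0.113.1 port 500
  IPSEC FLOW: permit ip 10.65.1.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.65.2.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""

FLOW_RE = re.compile(r"IPSEC FLOW:\s+(?P<flow>permit\s+\S+\s+\S+\s+\S+)")
SAS_RE = re.compile(r"Active SAs:\s+(?P<n>\d+)")


def parse_crypto_sessions(text):
    """Split the output into one record per 'Interface:' block.

    Each record carries interface, session status, peer and a list of
    {flow, active_sas} entries in the order the router printed them.
    """
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(),
                   "status": None, "peer": None, "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue  # header text before the first session block
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur["peer"] = line.split(":", 1)[1].split()[0]
        elif (m := FLOW_RE.search(line)):
            cur["flows"].append({"flow": m["flow"], "active_sas": None})
        elif (m := SAS_RE.search(line)) and cur["flows"]:
            # The 'Active SAs' line belongs to the flow printed just before it.
            cur["flows"][-1]["active_sas"] = int(m["n"])
    return sessions


def flows_without_sa(text):
    """Return (peer, status, flow) for every flow that has zero active SAs.

    Flows listed with origin 'crypto map' and 0 SAs mean the crypto map is
    applied and the ACL is in place, but no tunnel has been negotiated with
    that peer for those networks.
    """
    return [
        (s["peer"], s["status"], f["flow"])
        for s in parse_crypto_sessions(text)
        for f in s["flows"]
        if not f["active_sas"]
    ]


if __name__ == "__main__":
    for peer, status, flow in flows_without_sa(SHOW_CRYPTO_SESSION):
        print(f"no SA: peer={peer} status={status} flow='{flow}'")
```

On the posted output this reports both flows to 192.168.0.0/24 with zero SAs under a DOWN session, which matches the symptom described: the policy is attached, but the tunnel is never negotiated.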
