Site-to-site VPN issues

Unanswered Question
Mar 19th, 2007

Hi, I'm having issues establishing a site-to-site vpn between us and a 3rd party's efility firewall (we're using a Pix 515 running 6.3). Their LAN range is 192.168.2.x but their IT people tell me they're NATting traffic to 217.155.130.97. The tunnel appears to be up but they cannot ping anything at our site. I want them to access 128.31.x.x, 128.51.x.x and 128.60.x.x on our LAN.

Just to complicate matters, I believe this site was set up with some port forwarding rules in the past to allow them access to specific servers on our site.

I've checked the logs and can see traffic from them (on 217.155.130.97) going to 128.51.0.9 which I believe is the port forwarding, but can't see anything else (they have a continuous ping to 128.31.1.78 on our network).

Unfortunately I don't know enough to determine if the port forwarding rules are affecting the site VPN; any help would be greatly appreciated.

acomiskey Mon, 03/19/2007 - 07:50

What do you mean by "appears to be up"? What is working and what's not? Explain what you mean by the port forwarding, I do not see any reference to 128.51.0.9 in your config.

Rex Biesty Mon, 03/19/2007 - 08:51

Thanks for the reply.

The 'appears to be up' comment refers to feedback from the remote site saying that the tunnel appears to be in place at their end. Don't know how to check it on the Cisco, but if you could point me in the right direction I'd appreciate it.

The 128.51.0.9 is a typo, sorry, should read 128.51.0.11.

They currently use the following URLs to access selected servers on our site (where 194.70.179.234 is one of our public IP addresses)

http://194.70.179.234:8060/Garp/frameset

http://194.70.179.234:8360/Garp/frameset

http://194.70.179.234/cgi-bin/imagox/admin/Login.cgi

Sorry I'm a bit vague on this; their existing access was set up before I became involved with the firewall.

Rex Biesty Mon, 03/19/2007 - 09:24

Result of show crypto isakmp sa is

Total : 12
Embryonic : 1
dst src state pending created
81.144.184.37 194.70.27.46 MM_KEY_EXCH 0 0
194.70.27.46 81.144.184.34 QM_IDLE 0 2
194.70.27.46 81.144.184.34 QM_IDLE 0 1
194.70.27.46 81.144.184.34 QM_IDLE 0 2
194.70.27.46 81.144.184.34 QM_IDLE 0 2
194.70.27.46 81.144.184.34 QM_IDLE 0 1
194.70.27.46 81.144.184.34 QM_IDLE 0 1
194.70.27.46 81.144.184.34 QM_IDLE 0 1
194.70.27.46 81.144.184.34 QM_IDLE 0 1
194.70.27.46 host217-155-130-97 QM_IDLE 0 0
194.70.27.46 host217-155-130-97 QM_IDLE 0 0
194.70.27.46 Metalogic_Warwick_Public QM_IDLE 0 0

Result of show crypto ipsec sa is quite large, what am I looking for on it?

acomiskey Mon, 03/19/2007 - 09:53

Do you want

http://

or

http://?

You currently have a static for 194.70.179.234 to 128.51.0.11, but you also have a nat 0 for traffic from 128.51.0.11 to Metalogic_Support_Host.

Rex Biesty Mon, 03/19/2007 - 10:00

I'm trying to set up a site-to-site so access would be to private IP addresses on our networks (i.e. all addresses on 128.31.0.0, 128.51.0.0 and 128.60.0.0). I've already done this successfully for another of their sites (Metalogic_Warwick_Public). I think the rules you mention are possibly related to their old setup.

Rex Biesty Mon, 03/19/2007 - 10:22

I appreciate your help and have no problem with you asking as many questions as are needed (it is a complicated setup, I know, and one I've only had limited involvement with until now).

At the moment http://194.70.179.234/cgi-bin/imagox/admin/Login.cgi works. I don't know if http://128.51.0.11/cgi-bin/imagox/admin/Login.cgi works yet as I'm awaiting feedback. However, if they try to ping another device on our network (e.g. 128.31.1.78) they get no reply, and it's this that we're trying to get working.

Rex Biesty Tue, 03/20/2007 - 02:57

Their pings should show as coming from 217.155.130.97 as their IT folk say their internal traffic is being NATted to that address. I've checked the logs for traffic from 192.168.2.x also (in case their IT dept are telling me untruths), but nothing there.

Rex Biesty Thu, 03/22/2007 - 04:23

Hi, was wondering if you've got any further forward with this, thanks.

acomiskey Thu, 03/22/2007 - 05:43

Is it possible to get some logs going while you try to pass traffic over the tunnel? Any chance of getting the config from the remote peer as well? Their nat exemption traffic should be a mirror image of yours etc.
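The "mirror image" check acomiskey asks for can be done mechanically once both sides' NAT-exemption (nat 0) or crypto access-lists are in hand. The script below is an added example, not code from the thread or from Cisco: it parses PIX 6.3 style `access-list NAME permit ip SRC DST` lines and reports every entry that has no reversed (dst, src) partner on the other peer. Both ACLs in it are constructed samples (the thread never shows either config); the remote one deliberately uses the 192.168.2.x LAN on one line instead of the 217.155.130.97 NAT address, which is exactly the kind of asymmetry that would leave the tunnel up while pings to 128.31.1.78 go unanswered.

```python
# Added example: check that two peers' PIX 6.3 ACLs mirror each other.
# Sample ACLs are constructed; neither peer's real config appears in the thread.
import ipaddress
import re

# PIX 6.3 ACE: each endpoint is "host A.B.C.D", "NET MASK" (subnet mask,
# not a wildcard) or "any". Only permit-ip lines matter for proxy identities.
_ACE = re.compile(r"^\s*access-list\s+\S+\s+permit\s+ip\s+(.+?)\s*$")

def _parse_endpoints(rest):
    """Turn 'host 1.2.3.4 10.0.0.0 255.0.0.0' into (src, dst) ip_network objects."""
    tokens, nets = rest.split(), []
    while tokens:
        tok = tokens.pop(0)
        if tok == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif tok == "host":
            nets.append(ipaddress.ip_network(tokens.pop(0) + "/32"))
        else:  # network followed by its subnet mask
            nets.append(ipaddress.ip_network(f"{tok}/{tokens.pop(0)}"))
    if len(nets) != 2:
        raise ValueError(f"expected src and dst, got: {rest!r}")
    return nets[0], nets[1]

def parse_acl(config_text):
    """Return the set of (src, dst) pairs for every permit-ip ACE in the text."""
    return {_parse_endpoints(m.group(1))
            for m in map(_ACE.match, config_text.splitlines()) if m}

def mirror_mismatches(local_acl, remote_acl):
    """(local entries the remote does not mirror, remote entries the local does not)."""
    local, remote = parse_acl(local_acl), parse_acl(remote_acl)
    flip = lambda pairs: {(d, s) for s, d in pairs}
    return sorted(local - flip(remote)), sorted(remote - flip(local))

# Constructed sample: our side exempts the three LANs towards their NAT address.
LOCAL_ACL = """\
access-list nonat permit ip 128.31.0.0 255.255.0.0 host 217.155.130.97
access-list nonat permit ip 128.51.0.0 255.255.0.0 host 217.155.130.97
access-list nonat permit ip 128.60.0.0 255.255.0.0 host 217.155.130.97
"""
# Constructed sample: their third line uses the raw LAN instead of the NAT address.
REMOTE_ACL = """\
access-list vpn permit ip host 217.155.130.97 128.31.0.0 255.255.0.0
access-list vpn permit ip host 217.155.130.97 128.51.0.0 255.255.0.0
access-list vpn permit ip 192.168.2.0 255.255.255.0 128.60.0.0 255.255.0.0
"""

if __name__ == "__main__":
    for side, missing in zip(("remote lacks", "local lacks"), mirror_mismatches(LOCAL_ACL, REMOTE_ACL)):
        for src, dst in missing:
            print(f"{side} mirror of: {src} -> {dst}")
```

Feed it the real `access-list` lines from `show running-config` on both peers; an empty result on both sides means the proxy identities match and the problem lies elsewhere (routing, the old static for 194.70.179.234, or the remote's NAT order).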
