
getting to the bottom of traffic issues with a cisco pix 501e

joemill11
Level 1

I have a customer with two PIXs, one at each location. I can't ping all the way across locations, and users can't access anything once logged into the VPN client. Total downtime issues.

Don't know if it's a route/ACL/NAT/VPN issue or what; I really need someone's help on this.

11 Replies

acomiskey
Level 10

First thing to check is....

isakmp nat-traversal

Next thing to do is post a config.

Here are the results of the show isakmp nat-traversal command on both sides of the tunnel:

1. (side A)

isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

2. (side B)

isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

I changed the IP addresses for identity reasons.

What does this command tell me?

So is this a LAN-to-LAN tunnel, remote access VPN, or both? Post a config, clean out IPs/passwords etc.

This is a basic scenario:

router--pix---switch--devices

on both ends.

Both a tunnel and allows VPN clients to connect.

joemill11
Level 1

Here is the config for side A:

joemill11
Level 1

Here is the config for side B:

joemill11
Level 1

The ISP uses the same block for both locations (first 3 octets).

I changed the IPs so they're not posted in public.

Also changed the group names to test (so wherever you see "test" I changed there also).

The internal subnets on both sides are the following:

sideA 172.17.0.0

sideB 172.16.0.0

I didn't make it that way, wouldn't have if you paid me a million, well maybe for a million (but seriously) I inherited it that way.

If you see any insecurities also let me know please.

Site A-

You don't want your vpn pool to be included in your inside subnet. So use your 192pool.

vpngroup testGroup address-pool 192Pool

Nat exemption should be...

access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0

You don't need these...

no route outside 172.16.0.0 255.255.0.0 1.11.1.81 1
no access-list inside->outside
no access-list outside-->inside
no access-list vpn-inbound
no access-list x
no access-list y

Split tunnel acl should be...

access-list split-tunnel permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0

Site B-

Nat exemption...

access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0

Not needed...

no route outside 172.17.0.0 255.255.0.0 1.11.1.89 1
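An added example, not from this thread or from any Cisco tooling, that checks the two points in the reply above with Python's ipaddress module: that the VPN client pool does not overlap the inside subnet, and that the nat0 (NAT-exemption) ACL exempts inside-to-remote-LAN and inside-to-pool traffic. The ACL lines are the site A nat0 entries from the reply; the 172.17.200.0/24 pool used in the demo is a constructed stand-in for the original overlapping pool, which is not on the page.

```python
import ipaddress

# Constructed sample: the two nat0 lines from the reply above (site A).
SITE_A_NAT0 = [
    "access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0",
    "access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0",
]


def parse_acl(lines):
    """Parse PIX 'access-list NAME permit ip SRC SMASK DST DMASK' lines into
    (name, src_network, dst_network); other ACL forms are skipped."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            continue
        src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False)
        dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}", strict=False)
        entries.append((parts[1], src, dst))
    return entries


def pool_overlaps_inside(pool, inside):
    """True if the VPN client pool overlaps the inside subnet: the mistake the
    reply tells the poster to fix by switching to the 192 pool."""
    return ipaddress.ip_network(pool).overlaps(ipaddress.ip_network(inside))


def missing_nat0(entries, acl_name, inside, destinations):
    """Return destinations the nat0 ACL does not exempt for inside-sourced traffic.
    Traffic to any of them is NATed before the tunnel, so the far side never
    sees the real 172.x source and replies do not come back."""
    inside_net = ipaddress.ip_network(inside)
    covered = [dst for name, src, dst in entries
               if name == acl_name and inside_net.subnet_of(src)]
    return [d for d in destinations
            if not any(ipaddress.ip_network(d).subnet_of(c) for c in covered)]


if __name__ == "__main__":
    # 172.17.200.0/24 is a constructed stand-in for the original overlapping pool.
    print(pool_overlaps_inside("172.17.200.0/24", "172.17.0.0/16"))   # True
    print(pool_overlaps_inside("192.168.1.0/24", "172.17.0.0/16"))    # False
    acl = parse_acl(SITE_A_NAT0)
    print(missing_nat0(acl, "inside_outbound_nat0_acl", "172.17.0.0/16",
                       ["172.16.0.0/16", "192.168.1.0/24"]))         # []
```

Dropping the second nat0 line makes the pool show up as unexempted, which is the symptom of VPN clients that connect but reach nothing.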

The guy who is working on this said the reason he has the 192 in there is so you don't get to route to anything? Does that sound good.

Could you explain that again?
