04-24-2008 08:56 AM - edited 03-11-2019 05:36 AM
I have a customer with two PIXes, one at each location. I can't ping all the way across locations, and users can't access anything once logged into the VPN client. Total downtime issues.
Don't know if it's a route/ACL/NAT/VPN issue or what; I really need someone's help on this.
04-24-2008 09:00 AM
First thing to check is....
isakmp nat-traversal
Next thing to do is post a config.
04-24-2008 10:48 AM
Here are the results of the show isakmp nat-traversal command on both sides of the tunnel.
1. (side A)
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
2. (side B)
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
I changed the IP addresses for identity reasons.
What does this command tell me?
04-24-2008 10:50 AM
So is this a LAN-to-LAN tunnel, remote access VPN, or both? Post a config; clean out IPs/passwords etc.
04-24-2008 11:06 AM
This is a basic scenario:
router--pix---switch--devices
on both ends.
Both a tunnel and allows VPN clients to connect.
04-24-2008 10:59 AM
04-24-2008 11:03 AM
04-24-2008 11:06 AM
The ISP uses the same block for both locations (first 3 octets).
I changed the IPs so they're not posted in public.
I also changed the group names to "test" (so wherever you see "test" I changed that as well).
The internal subnets on both sides are the following:
sideA 172.17.0.0
sideB 172.16.0.0
I didn't make it that way, wouldn't have if you paid me a million, well maybe for a million (but seriously) I inherited it that way.
If you see any insecurities, also let me know please.
04-24-2008 11:25 AM
Site A-
You don't want your vpn pool to be included in your inside subnet. So use your 192pool.
vpngroup testGroup address-pool 192Pool
Nat exemption should be...
access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0
You don't need these...
no route outside 172.16.0.0 255.255.0.0 1.11.1.81 1
no access-list inside->outside
no access-list outside-->inside
no access-list vpn-inbound
no access-list x
no access-list y
Split tunnel acl should be...
access-list split-tunnel permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0
04-24-2008 11:30 AM
Site B-
Nat exemption...
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
Not needed...
no route outside 172.17.0.0 255.255.0.0 1.11.1.89 1
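The two replies above boil down to three checks: the client pool must not overlap the inside subnet, the nat0 exemption ACL must cover inside-to-remote-site and inside-to-pool traffic, and the split-tunnel ACL must cover the pool. The script below is an added example (not code from either poster) that runs those checks over small constructed config fragments built from the lines suggested in the replies. It assumes the PIX 6.x `ip local pool NAME START-END` syntax for defining the pool; the fragments, the `insidePool` name and the address ranges are constructed for illustration.

```python
import ipaddress
import re

# Constructed fragment (not a full PIX config): Site A the way the reply
# recommends it, with the pool outside the inside /16 and nat0 plus
# split-tunnel ACLs covering both the Site B subnet and the pool.
SITE_A_GOOD = """
ip local pool 192Pool 192.168.1.10-192.168.1.50
vpngroup testGroup address-pool 192Pool
vpngroup testGroup split-tunnel split-tunnel
access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list split-tunnel permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0
"""

# Constructed fragment showing the mistake the reply warns about: a client pool
# carved out of the inside network (hypothetical pool name) and no nat0 entry for it.
SITE_A_BAD = """
ip local pool insidePool 172.17.50.10-172.17.50.50
vpngroup testGroup address-pool insidePool
access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
"""

# Constructed fragment for Site B, which only terminates the LAN-to-LAN tunnel here.
SITE_B_GOOD = """
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
"""

ACL_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
POOL_RE = re.compile(r"ip local pool\s+(\S+)\s+(\S+)-(\S+)")
VPNGROUP_RE = re.compile(r"vpngroup\s+\S+\s+(address-pool|split-tunnel)\s+(\S+)")


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for the 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            # ipaddress accepts dotted netmasks, so 172.17.0.0/255.255.0.0 parses directly
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return acls


def parse_vpn_pool(config):
    """Return (networks spanned by the vpngroup's pool, split-tunnel ACL name or None)."""
    pools, group = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        m = VPNGROUP_RE.match(line)
        if m:
            group[m.group(1)] = m.group(2)
    name = group.get("address-pool")
    if name not in pools:
        return [], group.get("split-tunnel")
    start, end = pools[name]
    return list(ipaddress.summarize_address_range(start, end)), group.get("split-tunnel")


def acl_covers(entries, src, dst):
    """True if some ACL entry's source and destination networks contain src and dst."""
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in entries)


def check_site(config, inside, remote_site, nat0_name="inside_outbound_nat0_acl"):
    """Return a list of findings; an empty list means all checks pass."""
    inside = ipaddress.ip_network(inside)
    remote_site = ipaddress.ip_network(remote_site)
    acls = parse_acls(config)
    pool_nets, split_acl = parse_vpn_pool(config)
    findings = []
    if any(net.overlaps(inside) for net in pool_nets):
        findings.append(f"vpn pool overlaps inside subnet {inside}")
    nat0 = acls.get(nat0_name, [])
    if not acl_covers(nat0, inside, remote_site):
        findings.append(f"nat0 ACL does not exempt {inside} -> {remote_site}")
    if not all(acl_covers(nat0, inside, net) for net in pool_nets):
        findings.append(f"nat0 ACL does not exempt {inside} -> vpn pool")
    if split_acl and not all(acl_covers(acls.get(split_acl, []), inside, net)
                             for net in pool_nets):
        findings.append(f"split-tunnel ACL {split_acl} does not cover {inside} -> vpn pool")
    return findings


if __name__ == "__main__":
    print("site A good:", check_site(SITE_A_GOOD, "172.17.0.0/16", "172.16.0.0/16") or "ok")
    print("site A bad: ", check_site(SITE_A_BAD, "172.17.0.0/16", "172.16.0.0/16"))
    print("site B good:", check_site(SITE_B_GOOD, "172.16.0.0/16", "172.17.0.0/16") or "ok")
```

The pool is expanded with `summarize_address_range` so a range that does not sit on a subnet boundary is still compared correctly against the ACL entries; the overlap check is what catches the "192 inside the inside subnet" situation, and the nat0 check is what catches the missing exemption that leaves VPN client traffic being translated on its way back.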
04-24-2008 12:15 PM
The guy who is working on this said the reason he has the 192 in there is so you don't get to route to anything? Does that sound right?
04-24-2008 12:17 PM
Could you explain that again?