cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
492
Views
2
Helpful
8
Replies

site to site vpn not working - PIX firewall

secureIT
Level 4
Level 4

Hi,

My site to site vpn is not working..

Im not able to ping to remote network but remote people are able to ping to my network. vpn comes up when remote users initiate the session.

network set up is as given below.

my local network is Patted to 1.1.1.5

VPN traffic is between 1.1.1.5 & remote segment.

Can some one help me on this...

regards

Rajesh P

8 Replies 8

Marwan ALshawi
VIP Alumni
VIP Alumni

u missing the nat exmption

nat 0

also the access-list 12

shoud be sourced from ur LAN to the remote LAN

not from the pix ip address itself

for nat exampltion

make ACL from ur lan to the remote lan

lets say

access-list 100 permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

nat 9inside0 0 access-list 100

also use the same form of this ACL instead of the ACL 12 u have

ii the above example 10.1.1.0/24 ur local lan

and 20.1.1.0/24 the remote lan

good luck

please Rate if helpful

Hi team,

Its Pix firewall and not router..

more over 1.1.1.5 is the PAT ip...

pls find the below....

nat (intf5) 2 access-list 95 0 0

global (outside) 2 1.1.1.5

client wants to include natted traffic to pass thru the vpn tunnel.

Hence we can not use

ACL ID permit ip local_net remote_net

Pls help...

Client wants to hide the below networks...

access-list 95 permit ip 192.168.27.0 255.255.255.0 2.6.4.0255.255.255.0

access-list 95 permit ip 192.168.29.0 255.255.255.0 2.6.4.0255.255.255.0

access-list 95 permit ip 192.168.28.0 255.255.255.0 2.6.4.0255.255.255.0

access-list 95 permit ip 192.168.27.0 255.255.255.0 2.7.4.0 255.255.255.0

access-list 95 permit ip 192.168.29.0 255.255.255.0 2.7.4.0 255.255.255.0

access-list 95 permit ip 192.168.28.0 255.255.255.0 2.7.4.0 255.255.255.0

access-list 95 permit ip 192.168.27.0 255.255.255.0 192.168.13.0 255.255.255.0

access-list 95 permit ip 192.168.29.0 255.255.255.0 192.168.13.0 255.255.255.0

access-list 95 permit ip 192.168.28.0 255.255.255.0 192.168.13.0 255.255.255.0

Hence they are doing the below..

access-list 12 permit ip host 1.1.1.5 2.6.4.0 255.255.255.0

access-list 12 permit ip host 1.1.1.5 2.7.4.0 255.255.255.0

access-list 12 permit ip host 1.1.1.5 192.168.13.0 255.255.255.0

Where,

nat (intf5) 2 access-list 95 0 0

global (outside) 2 1.1.1.5

Pls help..

the above config make the ip address 1.1.1.5 apear as the source and any traffic included in ACL 95 going from inside to outside!!!

yes... source as 1.1.1.5 ..

But why cant i ping to remote IPs or why the VPN does not come up.. Any idia ??

As its doing PAT, remote will be able to ping to only my PAT ip.. where as from my side i should be able to ping to remote network (like 2.6.4.0 etc..) which is not happening..

Remote will not able to ping to my network.. Its hided by PAT.

I want to know why my vpn phase 1 itself does not come up...

Where do you suspect the problem ?

Any good suggestions are appreciated..

regards

Rajesh P

hi

see the attached file

i have made chanes to ur config read and do it then should work

good luck

Please, Rate if helpful

Hi,

Thanks for the configuration attached !!

I have resolved this issue by my own..

I have re-configured the VPN with different ID and now VPN is working fine..

I will explain this to All....

There was a configuration in the firewall, used for another VPN...(crytomap id is 20)

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 set peer 7.7.7.7

crypto map outside_map 20 set transform-set ESP-3DES-MD5

Our fault VPN config is as below....

crypto map igsl 20 ipsec-isakmp

crypto map igsl 20 match address 12

crypto map igsl 20 set peer 5.5.5.5

crypto map igsl 20 set transform-set my_company

----x----

So, what i did is, i changed the config as below...

crypto map igsl 14 ipsec-isakmp

crypto map igsl 14 match address 12

crypto map igsl 14 set peer 5.5.5.5

crypto map igsl 14 set transform-set iGATE-OC

---xx--x--

We are not supposed to use nat zero here, as the client does not want this side network to expose to other side network.. Only this side can access the remote side network..vice versa should not happen..

Now everything is working fine...

The issue has been resolved by myself

Thanks to all who have participated in this session....

regards

Rajesh P

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: