Monitoring remote Pix over IPSEC site to site VPN

Answered Question
Oct 26th, 2009

I have a few Pix 501s that connect over site to site VPNs. We use Orion NPM and I cannot add them for monitoring. I have been able to add remote routers that connect via site to site VPNs. I am assuming the security rules/NAT of the Pix are preventing this. The configuration of the remote Pix is attached.

acomiskey Mon, 10/26/2009 - 09:28

You must add the outside interface address of the pix 501 to your interesting traffic.

access-list VPNHQ permit ip host host 172.16.30.19

Then on the orion side you will need the mirror image of that, e.g.

access-list VPNHQ permit ip host 172.16.30.19 host

and a nonat

access-list permit ip host 172.16.30.19 host

mark.blanchfield Mon, 10/26/2009 - 09:56

Thanks for your assistance. On the Orion side, I have a 2800 router that is terminating all of the remote site to site VPNs. This includes both Pixs and 1800 routers. On the 2800, I don't have any NONAT ACLs. Just the one that specifies interesting traffic. At one point, we were doing split tunneling. Now we are not. I guess this means that NONAT ACL is not doing anything on the remote end? I tried adding the line to just the VPNHQ acl but still no luck. Thanks again for your response.

acomiskey Mon, 10/26/2009 - 10:04

If you are not natting on the 2800 side then you don't need the nonat. Your previous post didn't specify what was on the other end so I just threw that in there.

You need the interesting traffic acl on the 501 end and the mirror image on the 2800 end.

Post your 501 config and 2800 config if you need to.

This may help you too.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml

Correct Answer
acomiskey Mon, 10/26/2009 - 11:02

On the 2800 you need...

access-list 131 permit ip host 172.16.30.19 host 24.172.234.126

mark.blanchfield Mon, 10/26/2009 - 11:07

It's on ACL 123 that pertains to the remote Pix. I ran a debug on the 2800 while trying to add the device. I am seeing the SNMP traffic. It may not be getting back into the remote Pix or leaving the 2800 back to the Pix but I am seeing it at the 2800.

acomiskey Mon, 10/26/2009 - 11:10

Oops, I saw that 24.x.x.x and went straight to acl 131.

Do a show crypto ipsec sa on the router and the pix and see if the sa is coming up.

mark.blanchfield Mon, 10/26/2009 - 11:14

SA is up on both sides. Seems like NAT/ACL is the issue. I can ping the outside interface of the remote Pix but when I do a trace, it seems that traffic is not going over the tunnel. We have multiple links out of our network and if I ping the outside interface, it goes out one link and if I ping any remote LAN address (10.46.0.0), it goes over the tunnel. That may have changed when we added the new lines to the ACL.

mark.blanchfield Mon, 10/26/2009 - 11:39

Looks like traffic from HQ (172.16.0.0) is being NAT'd and going out another interface if the destination is the outside interface on the remote Pix (24.172.234.126). This would explain why it is not working as the NAT'd IP is not in the ACL. I would actually prefer to monitor the inside interface of the remote Pix anyway and that traffic would definitely be protected by the tunnel. Just not sure if it is possible and/or how to do it.
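The two points the thread turns on, that the crypto ACLs on the 2800 and the PIX must be exact mirror images and that a source address rewritten by NAT before encryption no longer matches the crypto ACL, can be checked mechanically. The following is an added example, not code from the thread or from Cisco; the ACL bodies are constructed around the addresses quoted in the posts (172.16.30.19, 24.172.234.126, 172.16.0.0/16, 10.46.0.0/16) and the ACL names are assumed.

```python
import ipaddress
import re

# Constructed crypto ACLs for the two VPN endpoints described in the thread:
# the HQ 2800 (IOS syntax, wildcard masks) and the remote PIX 501 (PIX 6.x
# syntax, ordinary subnet masks). Addresses come from the posts; the rest is assumed.
HQ_2800_ACL = """
access-list 123 permit ip 172.16.0.0 0.0.255.255 10.46.0.0 0.0.255.255
access-list 123 permit ip host 172.16.30.19 host 24.172.234.126
"""
PIX_501_ACL = """
access-list VPNHQ permit ip 10.46.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list VPNHQ permit ip host 24.172.234.126 host 172.16.30.19
"""

_ACE = re.compile(
    r"access-list\s+\S+\s+permit\s+ip\s+(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)"
)


def _to_network(token: str, wildcard: bool) -> ipaddress.IPv4Network:
    """Turn 'host A' or 'A MASK' into a network. IOS ACLs carry wildcard masks,
    PIX 6.x ACLs carry subnet masks, so the caller says which form to expect."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    addr, mask = parts
    if wildcard:  # invert the wildcard to get a conventional netmask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_crypto_acl(text: str, wildcard: bool) -> set:
    """Return the set of (src_net, dst_net) pairs the ACL marks as interesting."""
    return {
        (_to_network(m.group(1), wildcard), _to_network(m.group(2), wildcard))
        for m in _ACE.finditer(text)
    }


def is_mirror_image(local: set, remote: set) -> bool:
    """True when every entry on one side is exactly reversed on the other."""
    return {(dst, src) for src, dst in remote} == local


def is_protected(acl: set, src: str, dst: str) -> bool:
    """Would a packet with these (post-NAT) addresses be steered into the tunnel?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)
```

Running `is_protected` with the NAT-translated source instead of 172.16.30.19 returns False, which is exactly the symptom in the thread: the packet leaves the other link in the clear instead of entering the tunnel.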

acomiskey Mon, 10/26/2009 - 11:47

That's not possible in pix 6. You need pix 7 (not available on 501) or an ASA. Otherwise the outside interface is your only option.

mark.blanchfield Mon, 10/26/2009 - 11:49

OK. Does it appear to be a routing issue then if traffic destined for 24.172.234.126 is not going out via the tunnel but going out a different link? Thanks again for your help.

acomiskey Mon, 10/26/2009 - 12:07

It looks like it should be taking the time warner interface as that is your default route and you have a specific route to that address as well. Have you tried tearing the tunnel down and building it back up?

mark.blanchfield Mon, 10/26/2009 - 12:11

Have not tried tearing the tunnel down. We also have a 7606 router that the SNMP server is behind. From that router, if I do a trace to the outside address of the Pix, it goes out the other link instead of the TW link. But SNMP debugs in the 2800 show that the SNMP packets are getting to the 2800. I try to add the device while running the debug and they show up at the router.

mark.blanchfield Mon, 10/26/2009 - 12:19

I got it. Had to add a static route to the 7606. In addition to the ACL that you had me add, that did it. Thanks! How do I rate a post as the fix? You got it working and I want to give you the credit you earned.

acomiskey Mon, 10/26/2009 - 16:50

Good deal. Just click rate this post and click the box for this resolved by issue.

mark.blanchfield Mon, 10/26/2009 - 12:37

When I added the static route to the 7606, it came up via SNMP but I could no longer SSH to the outside interface of the Pix.

acomiskey Mon, 10/26/2009 - 16:51

You may want to do policy routing to send only the snmp traffic from your snmp box to the outside interface. All other source addresses could take the other path.
