VPN3K to PIX501

Jan 17th, 2003

I have configured a vpn 3000 concentrator to pix 501. Initially I have configured both ends to allow an octet of my IP address pool in both locations to pass through the tunnel. Unfortunately, recently I need to allow the entire subnet access through the IPSEC tunnel from both ends. Before I attempted any modifications this worked without any trouble.


On the PIX to allow this I added more statements to my existing access-list to allow these additional subnets from that location.

On the VPN3K end I am a bit confused. I open the LAN-LAN IPSEC connection properties and add the new local address and mask and also for the remote end address and mask.

Unfortunately, when I add this to the VPN3k I am unable to establish the IPSEC tunnel. When I read the log I see the initiator attempting to start the tunnel between, but it is rejected. Phase 1 completes successfully, but phase 2 does not seem to be initiating properly.

If I reset those two address pools back to my original entry the tunnel establishes successfully. This almost seems like a bug in the VPN software. I am not sure. My VPN code is vpn3000-3.5.2.Rel-k9.bin.

gfullage Fri, 01/17/2003 - 22:35
User Badges:
  • Cisco Employee,

If you have more than one line in your crypto ACL on the PIX, then you can't just add in the Local and remote networks into the L2L screen on the 3000 anymore, since you can only have one set of IP addresses in here.


Let's say you have the following on the PIX:


> access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

> access-list crypto permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0


On the 3000 go to Config - Policy Mgmt - Traffic Mgmt - Network Lists and create a list. Call it anything you like, and add the following to the large box on this screen:


10.2.2.0/0.0.0.255

10.3.3.0/0.0.0.255


Save this list. Now go to the L2L screen and modify the L2L tunnel for the PIX. In the Local Networks section, select your newly added Network List from the drop down box, leave the IP Address/Wildcard Mask boxes blank. In the Remote Network section, put 10.1.1.0 and 0.0.0.255 as you had previously. Save this.


That's all you should need to do. Always remember, your crypto ACLs on both sides of a VPN tunnel HAVE TO BE THE EXACT OPPOSITE OF EACH OTHER. If you have two lines in your PIX crypto ACL, then you need two networks in your VPN3000 L2L setup, and to accomplish that you have to use a Network List with 2 networks in it.


jsalminen Mon, 01/20/2003 - 10:16

I see what you're saying, but there are several networks on both ends. Actually it is one network with a /21 mask on it. Could I specify an access-list mask with 255.255.248.0? If that is possible on the VPN end of the tunnel can I use 172.16.0.0 0.0.7.255?


Subnet IDs:

VPN LAN: 172.16.0.0 255.255.248.0

PIX LAN: 172.16.15.0 255.255.248.0


I want to allow all hosts for now. Later I will filter out unwanted hosts.

gfullage Tue, 01/21/2003 - 20:17
User Badges:
  • Cisco Employee,

You can certainly have something like:


> access-list crypto permit ip 172.16.16.0 255.255.248.0 172.16.0.0 255.255.248.0


as long as you then have the opposite on the 3000 (specify 172.16.0.0/21 as the Local Network and 172.16.16.0/21 as the Remote Network).


Note that I've said 172.16.16.0, not 172.16.15.0 as you have written.
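An added check for the two points gfullage makes above (the crypto ACL on the PIX and the Local/Remote networks on the 3000 must mirror each other, and a network address such as 172.16.15.0 must actually sit on the /21 boundary). This is example code written for this thread, not anything from Cisco or from the posters; the sample ACL and network-list entries are constructed from the values quoted in the thread.

```python
import ipaddress
import re

# Constructed sample configs, taken from the values quoted in the thread.
PIX_ACL = """
access-list crypto permit ip 172.16.16.0 255.255.248.0 172.16.0.0 255.255.248.0
"""
# VPN 3000 side: Local Networks (network-list entries, wildcard masks) and Remote Network.
VPN3K_LOCAL = ["172.16.0.0/0.0.7.255"]
VPN3K_REMOTE = ["172.16.16.0/0.0.7.255"]

ACL_RE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def net_from_mask(addr, mask):
    """Network from a dotted netmask; strict=True rejects an address not on the boundary."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)

def on_boundary(addr, mask):
    """True if addr is the network address for mask (172.16.15.0/255.255.248.0 is not)."""
    try:
        net_from_mask(addr, mask)
        return True
    except ValueError:
        return False

def net_from_wildcard(entry):
    """VPN3000 entry 'addr/wildcard' -> network; the wildcard is the inverted netmask."""
    addr, wild = entry.split("/")
    mask = ipaddress.ip_address((2**32 - 1) ^ int(ipaddress.ip_address(wild)))
    return net_from_mask(addr, mask)

def pix_pairs(acl_text):
    """(PIX-side network, remote network) for every permit line in the crypto ACL."""
    pairs = set()
    for m in ACL_RE.finditer(acl_text):
        src, smask, dst, dmask = m.groups()
        pairs.add((net_from_mask(src, smask), net_from_mask(dst, dmask)))
    return pairs

def vpn3k_pairs(local, remote):
    """Every Local x Remote combination, re-oriented as (PIX-side, 3000-side)."""
    return {(net_from_wildcard(r), net_from_wildcard(l)) for l in local for r in remote}

def mismatches(acl_text, local, remote):
    """Pairs present on one side only; both sets empty means the ACLs mirror each other."""
    pix, vpn = pix_pairs(acl_text), vpn3k_pairs(local, remote)
    return {"only_on_pix": pix - vpn, "only_on_vpn3k": vpn - pix}
```

A pair listed under only_on_pix is traffic the PIX will try to send through the tunnel that the 3000 has no matching policy for, which is where a phase 2 proposal gets rejected.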

jsalminen Wed, 01/22/2003 - 09:55

Ok I have done this and it works, somewhat. I can ping or tracert, but I cannot open http, ftp, termserv, etc. ports through the tunnel. I checked the VPN L2L rules and there aren't any changes to the allowed protocols and such.
