VPN3K to PIX501

jsalminen
Level 1

I have configured a VPN 3000 concentrator to a PIX 501. Initially I configured both ends to allow an octet of my IP address pool in both locations to pass through the tunnel. Unfortunately, I recently needed to allow the entire subnet access through the IPsec tunnel from both ends. Before I attempted any modifications this worked without any trouble.

On the PIX to allow this I added more statements to my existing access-list to allow these additional subnets from that location.

On the VPN3K end I am a bit confused. I open the LAN-LAN IPSEC connection properties and add the new local address and mask and also for the remote end address and mask.

Unfortunately, when I add this to the VPN3K I am unable to establish the IPsec tunnel. When I read the log I see the initiator attempting to start the tunnel, but it is rejected. Phase 1 completes successfully, but Phase 2 does not seem to be initiating properly.

If I reset those two address pools back to my original entry the tunnel establishes successfully. This almost seems like a bug in the VPN software. I am not sure. My VPN code is vpn3000-3.5.2.Rel-k9.bin.

4 Replies

gfullage
Cisco Employee

If you have more than one line in your crypto ACL on the PIX, then you can't just add the local and remote networks into the L2L screen on the 3000 anymore, since you can only have one set of IP addresses in there.

Let's say you have the following on the PIX:

> access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

> access-list crypto permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

On the 3000 go to Config - Policy Mgmt - Traffic Mgmt - Network Lists and create a list. Call it anything you like, and add the following to the large box on this screen:

10.2.2.0/0.0.0.255

10.3.3.0/0.0.0.255

Save this list. Now go to the L2L screen and modify the L2L tunnel for the PIX. In the Local Networks section, select your newly added Network List from the drop-down box and leave the IP Address/Wildcard Mask boxes blank. In the Remote Network section, put 10.1.1.0 and 0.0.0.255 as you had previously. Save this.

That's all you should need to do. Always remember, your crypto ACLs on both sides of a VPN tunnel HAVE TO BE THE EXACT OPPOSITE OF EACH OTHER. If you have two lines in your PIX crypto ACL, then you need two networks in your VPN3000 L2L setup, and to accomplish that you have to use a Network List with 2 networks in it.

I see what you're saying, but there are several networks on both ends. Actually it is one network with a /21 mask on it. Could I specify an access-list mask with 255.255.248.0? If that is possible on the VPN end of the tunnel can I use 172.16.0.0 0.0.7.255?

subnet ID

VPN LAN 172.16.0.0 255.255.248.0

PIX LAN 172.16.15.0 255.255.248.0

I want to allow all hosts for now. Later I will filter out unwanted hosts.

You can certainly have something like:

> access-list crypto permit ip 172.16.16.0 255.255.248.0 172.16.0.0 255.255.248.0

as long as you then have the opposite on the 3000 (specify 172.16.0.0/21 as the Local Network and 172.16.16.0/21 as the Remote Network).

Note that I've said 172.16.16.0, not 172.16.15.0 as you have written.
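The two replies above boil down to three checks a practitioner can automate: converting PIX subnet masks to the wildcard masks the VPN 3000 Network List expects, verifying that an address such as 172.16.15.0 really is the network ID for a /21 (it is not; it falls inside 172.16.8.0/21, which is why 172.16.16.0 is the right entry), and confirming that the concentrator's (local, remote) proxy identities are the exact mirror of the PIX crypto ACL's (source, destination) pairs. The Python below is an added example, not code from the thread or from Cisco. The ACL lines and Network List entries are the constructed samples from the replies above, and it assumes the concentrator pairs every Local entry with every Remote entry when a Network List is used, which is what the 10.2.2.0/10.3.3.0 walkthrough relies on.

```python
import ipaddress
from typing import Iterable

# Constructed sample: the two-line PIX crypto ACL from the reply above.
PIX_ACL = [
    "access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
    "access-list crypto permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0",
]
# Constructed sample: the matching VPN 3000 L2L definition (Network List as Local,
# a single network as Remote).
VPN_LOCAL_LIST = ["10.2.2.0/0.0.0.255", "10.3.3.0/0.0.0.255"]
VPN_REMOTE_LIST = ["10.1.1.0/0.0.0.255"]


def wildcard_from_netmask(netmask: str) -> str:
    """PIX ACLs take subnet masks (255.255.248.0); the VPN 3000 Network List and
    L2L screens take wildcard masks (0.0.7.255). They are bitwise inverses."""
    m = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def canonical_network(addr: str, netmask: str) -> tuple[str, bool]:
    """Return (network address of the block containing addr, whether addr already
    was that network address). 172.16.15.0 with a /21 mask is a host inside
    172.16.8.0/21, not a network ID, so it must not be used in a crypto ACL."""
    net = ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    return str(net.network_address), str(net.network_address) == addr


def vpn3k_net(entry: str) -> ipaddress.IPv4Network:
    """Parse one Network List entry written as 'address/wildcard'."""
    addr, wildcard = entry.split("/")
    return ipaddress.IPv4Network(f"{addr}/{wildcard_from_netmask(wildcard)}")


def pix_pairs(acl_lines: Iterable[str]) -> set[tuple[str, str]]:
    """(source, destination) networks from 'access-list NAME permit ip SRC MASK DST MASK'.
    IPv4Network is strict here on purpose: an address with host bits set under its
    mask (the 172.16.15.0/21 mistake) raises ValueError instead of passing silently."""
    pairs = set()
    for line in acl_lines:
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue  # only plain permit-ip entries define proxy identities here
        src = ipaddress.IPv4Network(f"{tok[4]}/{tok[5]}")
        dst = ipaddress.IPv4Network(f"{tok[6]}/{tok[7]}")
        pairs.add((str(src), str(dst)))
    return pairs


def l2l_pairs(local_entries: Iterable[str], remote_entries: Iterable[str]) -> set[tuple[str, str]]:
    """(local, remote) proxy identities the concentrator proposes. Assumption (see
    lead-in): every Local entry is paired with every Remote entry."""
    return {(str(vpn3k_net(l)), str(vpn3k_net(r)))
            for l in local_entries for r in remote_entries}


def mirror_mismatches(acl_lines, vpn_local, vpn_remote) -> dict[str, set[tuple[str, str]]]:
    """The concentrator's (local, remote) set must equal the PIX's (dst, src) set.
    Anything left over on either side is a Phase 2 proxy-identity mismatch, which
    is exactly the symptom of Phase 1 succeeding while Phase 2 is rejected."""
    expected = {(dst, src) for src, dst in pix_pairs(acl_lines)}
    actual = l2l_pairs(vpn_local, vpn_remote)
    return {"missing_on_vpn3000": expected - actual, "extra_on_vpn3000": actual - expected}


if __name__ == "__main__":
    print(wildcard_from_netmask("255.255.248.0"))
    print(canonical_network("172.16.15.0", "255.255.248.0"))
    print(mirror_mismatches(PIX_ACL, VPN_LOCAL_LIST, VPN_REMOTE_LIST))
    # The original single-network L2L entry leaves the second ACL line unmatched:
    print(mirror_mismatches(PIX_ACL, ["10.2.2.0/0.0.0.255"], VPN_REMOTE_LIST))
```

Run it after every change to either end: an empty `missing_on_vpn3000` and `extra_on_vpn3000` means the proxy identities mirror each other; a non-empty set names the exact network pair one side proposes and the other will refuse. For the /21 case in this thread, feed it the single-line ACL `permit ip 172.16.16.0 255.255.248.0 172.16.0.0 255.255.248.0` with `172.16.0.0/0.0.7.255` as Local and `172.16.16.0/0.0.7.255` as Remote and it reports no mismatch.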

OK, I have done this and it works, somewhat. I can ping or tracert, but I cannot open http, ftp, termserv, etc. ports through the tunnel. I checked the VPN L2L rules and there aren't any changes to the allowed protocols and such.
