Vpn concentrator <-> Pix Remote Access tunnel

Unanswered Question
Nov 26th, 2003
Hi


I have a problem getting management traffic from my LAN to reach my remote office PIX over VPN.

In the main office I have a VPN 3005. The remote offices use PIX 501s. They don't have static public IPs, and because of that I cannot set up LAN2LAN tunnels in the 3005.


It looks like this in the concentrator:

Base Group, Tunneling protocol IPSEC. Tunnel type: remoteaccess. A preshared key.


And in the PIXs:

Cisco PIX Firewall Version 6.3(1)

ip address outside dhcp setroute
ip address inside 172.23.7.97 255.255.255.248
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 101 permit ip 172.23.7.96 255.255.255.248 <Ip networks on main office>
access-list 101 permit ip 172.23.7.96 255.255.255.248 <Ip networks on main office>
access-list 101 permit ip 172.23.7.96 255.255.255.248 <Ip networks on main office>
sysopt connection permit-ipsec
crypto ipsec transform-set konc3005 esp-3des esp-md5-hmac
crypto map 3005 10 ipsec-isakmp
crypto map 3005 10 match address 101
crypto map 3005 10 set peer <vpn-concentrator public ip>
crypto map 3005 10 set transform-set konc3005
crypto map 3005 interface outside
isakmp enable outside
isakmp key ******** address <vpn-concentrator public ip> netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
telnet <Ip networks on main office>
management-access inside


All normal LAN2LAN traffic works fine; the users in the remote office can use network resources in the main office. But I want to be able to manage the PIX configurations from the main office. Right now I can't even ping the PIX inside interface from the concentrator GUI or from any host on the main office LAN.


One thing that I have noticed is that the remote office LAN IP doesn't show up in the concentrator routing table (when the tunnel is up, of course). Maybe it should? But still, the normal LAN2LAN traffic initiated from the remote office LAN PCs to the main office servers works great...


I need to be able to telnet to the PIX from the main office. Of course the concentrator cannot initiate a tunnel because the PIX has a dynamic IP, but if I were able to communicate with the PIX and the remote office PCs from the main office while the tunnel is already up, it would be great.


I have been told that this should be possible, but I can't find any information about what I am doing wrong. So please help me solve this problem, you gurus!


Thanks for your help!


Regards


Jimmy Larsson

gfullage (Cisco Employee) Sun, 11/30/2003 - 17:05

Can you ping the inside interface of the PIX from the main office when the tunnel is up?


If not, then you probably have a routing problem and you need to add a route on your main office network for each of the remote site subnets. This is usually as simple as adding a static route on your router inside the 3000, pointing the next hop to the 3000 private interface address, then distribute those static routes into whatever routing protocol you're running.


If you can ping, then routing and connectivity are OK, and you probably have your "telnet" command in the PIX wrong. What interface have you specified in the "telnet" command? You don't show that in your config. I can't remember whether you have to put "inside" or "outside"; I did this about 6 months ago and remember having to play around with it some to get it working properly.
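As an added illustration of the two checks in the reply above (it is not part of either post): the static route on the main office router pointing the remote subnet at the 3000's private interface, its redistribution into the routing protocol, and a PIX 6.3 telnet line that names an interface. The remote subnet 172.23.7.96/29 and the inside address 172.23.7.97 come from the posted PIX config; the 3005 private interface address 10.1.1.2, the main office network 10.1.0.0/16 and EIGRP AS 100 are assumptions for the example.

```cisco
! --- Main office router (IOS), on the private side of the VPN 3005 ---
! Assumed: 3005 private interface is 10.1.1.2 and the router runs EIGRP AS 100.
! The remote office 172.23.7.96/29 (from the posted PIX config) is only
! reachable through the concentrator, so point it there. Repeat for each
! remote site subnet.
ip route 172.23.7.96 255.255.255.248 10.1.1.2
!
router eigrp 100
 redistribute static
!
! --- Remote office PIX 501, 6.3(1) ---
! Assumed: main office hosts live in 10.1.0.0/16.
! The tunnel terminates on "outside", so management-access inside is what
! lets the inside address 172.23.7.97 be reached through the tunnel. The
! telnet line takes source network, mask and the interface on which that
! source is allowed to connect; it needs the interface name, which the
! posted config omits.
management-access inside
telnet 10.1.0.0 255.255.0.0 inside
!
! Check from a main office host once the tunnel is up (the concentrator
! cannot start the tunnel toward a dynamic-IP PIX, so have a remote PC send
! some traffic first):
!   ping 172.23.7.97
!   telnet 172.23.7.97
```

The posted crypto ACL 101 already lists the main office networks as destinations, so replies from 172.23.7.97 to 10.1.0.0/16 count as interesting traffic and go back into the tunnel; what the PIX side cannot supply is the return route inside the main office, which is why the static route on the router matters even though the remote subnet never appears in the 3005's routing table.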
