PIX having problems with subnet masks

I have built a PIX to Juniper IPsec VPN. The problem is that when the tunnel is brought up by the PIX (interesting packets from its side), everything is fine, but when it is brought up by the Juniper, the PIX checks everything and then Phase 2 says that the association must be deleted. One or two packets do pass. I had to encrypt packets for a subnetted B class:

from 172.23.29.0/24 to 192.168.165.0/24

Every other aspect was fine, since, when I changed from the subnetted B class to the full B class, everything was OK. I know that Checkpoint has subnet mask exchange as a separate option when establishing the tunnel. Is there a possibility to do that on the PIX?

When I try to establish the connection between two hosts, everything is just fine.

SW versions are the latest ones on PIX side (6.3) and Juniper is the last supported one.

Also, in the first part of this problem, I could not even initiate tunnel creation when there was a subnetted A class (10.7.2.0/24) as the destination in the ACL defining interesting traffic.

Thanks,

Vladan

2 Replies

gfullage
Cisco Employee

The PIX doesn't care what subnet mask you have defined in the crypto ACL, as long as the exact opposite is defined on the Juniper side. I have built thousands of VPNs on PIXes with all sorts of network classes and subnet masks; it never matters as long as the opposite is configured on the other end.

The only thing I can think of is that you had a full B-class mask defined on the Juniper side, so when you changed it to that on the PIX side everything started working. This has nothing to do with the mask per se, just that both ends are now agreeing on the specific traffic that they're going to encrypt.
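The reply above comes down to one check: every PIX crypto ACL entry (source, destination) must have an exact mirror (remote, local) in the Juniper proxy IDs, mask length included. The script below is an added example, not code from the thread or from Cisco or Juniper; it parses PIX 6.x-style `access-list ... permit ip net mask net mask` lines and a constructed list of Juniper (local, remote) CIDR pairs, then reports entries that exist on one side without an exact mirror on the other. The ACL name `vpn-juniper` and the second, mismatched entry (a /16 on the Juniper where the PIX has a /24) are constructed for illustration.

```python
import ipaddress
import re

# Constructed PIX crypto ACL, in the 'network netmask' form PIX 6.x uses.
# The subnets are the ones from the thread; the ACL name is an assumption.
PIX_CRYPTO_ACL = """
access-list vpn-juniper permit ip 172.23.29.0 255.255.255.0 192.168.165.0 255.255.255.0
access-list vpn-juniper permit ip 172.23.29.0 255.255.255.0 10.7.2.0 255.255.255.0
"""

# Constructed Juniper-side proxy IDs as (local, remote) CIDR pairs, where
# 'local' is the network behind the Juniper. The second pair deliberately
# carries a /16 where the PIX has a /24: a mask mismatch of the kind the
# reply describes, which breaks Phase 2 even though the networks overlap.
JUNIPER_PROXY_IDS = [
    ("192.168.165.0/24", "172.23.29.0/24"),
    ("10.7.0.0/16", "172.23.29.0/24"),
]

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_pix_acl(text):
    """Return (src_network, dst_network) selectors from PIX crypto ACL lines.

    Lines that are not 'permit ip <net> <mask> <net> <mask>' entries are skipped.
    """
    selectors = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        _name, src, smask, dst, dmask = m.groups()
        # ip_network accepts 'network/dotted-netmask'; strict=True rejects
        # entries whose host bits are set, which would be an ACL typo.
        selectors.append((
            ipaddress.ip_network(f"{src}/{smask}", strict=True),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=True),
        ))
    return selectors


def parse_juniper_proxy_ids(pairs):
    """Return (local_network, remote_network) pairs as ip_network objects."""
    return [(ipaddress.ip_network(local), ipaddress.ip_network(remote))
            for local, remote in pairs]


def find_mismatches(pix_selectors, juniper_selectors):
    """Compare the two traffic selector sets for exact mirroring.

    A PIX (src, dst) entry mirrors a Juniper (local, remote) entry when
    src == remote and dst == local, with identical prefix lengths. Containment
    (one side a supernet of the other) does not count; that is the whole point.
    Returns (missing_on_juniper, missing_on_pix) as lists of 'src -> dst'
    strings, always written from the PIX's point of view.
    """
    juniper_mirrored = {(remote, local) for local, remote in juniper_selectors}
    pix_set = set(pix_selectors)
    fmt = lambda pair: f"{pair[0]} -> {pair[1]}"
    missing_on_juniper = sorted(map(fmt, pix_set - juniper_mirrored))
    missing_on_pix = sorted(map(fmt, juniper_mirrored - pix_set))
    return missing_on_juniper, missing_on_pix


def check_example():
    """Run the mirror check over the constructed configurations above."""
    pix = parse_pix_acl(PIX_CRYPTO_ACL)
    juniper = parse_juniper_proxy_ids(JUNIPER_PROXY_IDS)
    return find_mismatches(pix, juniper)


if __name__ == "__main__":
    on_juniper, on_pix = check_example()
    for entry in on_juniper:
        print(f"no exact mirror on Juniper for PIX entry: {entry}")
    for entry in on_pix:
        print(f"no exact mirror on PIX for Juniper entry: {entry}")
```

The first pair (172.23.29.0/24 to 192.168.165.0/24) passes because both ends agree on the same two /24s. The second is flagged on both sides: the PIX proposes 10.7.2.0/24 while the Juniper holds 10.7.0.0/16, so neither side finds an exact mirror. Equality rather than overlap is the test because the Phase 2 selectors each peer proposes must match what the other expects; overlapping but unequal masks are exactly the case where one direction of initiation can work and the other fails.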

I thought it should be like that, but field work tells me different. The access lists on both machines were exactly opposite, subnet masks included. The moment I changed to the full B class on both sides, everything was OK. When two PIXes are involved, everything is clear; we have around 20 working VPNs, but here there are some interoperability issues, I guess.