L2L between PIX and VPN 3030

Sep 1st, 2006

I'm having some trouble setting up my 3030 concentrator to establish a tunnel with a PIX. The remote side, which I do not control, has an ACL that only allows telnet traffic on the VPN tunnel. When this ACL is active, the tunnel does not work. Phase 1 completes but it bombs out on phase 2. We tested by changing the ACL to allow any ip traffic and everything worked fine.


What do I need to do on the concentrator side to match this ACL? I have tried creating rules and adding them to a filter and applying it to the L2L for that tunnel, but that did not work.


Appreciate any help!


Thanks.

grant.maynard Mon, 09/04/2006 - 11:40

The VPN ACLs at each end must be mirrors of each other. Therefore, if the PIX end says "allow tcp from 10.1.x.x to 10.2.x.x, destination port 23", then the L2L setup on the VPN3030 must say "allow tcp from 10.2.x.x to 10.1.x.x, source port 23".


Alternatively, make the VPN open for all traffic, but use a filter on the VPN3030 or ACL on PIX to filter the traffic. That way, if you decide to add to the VPN (e.g. allow smtp) then you only need to amend the ACL/filter and not the VPN config itself. This is what I would do.

kevin.m.newman Tue, 09/05/2006 - 06:07

I appreciate the reply. What is the correct way to mirror the ACL though?


I have tried creating a rule that applies to TCP for destination port 23, adding that to a filter, and applying the filter to the L2L config, but that did not work.


I would love to do it the other way you suggested, in fact that's how we do all of our other tunnels, but I do not have control of the PIX side and that is how they require it.

mustafa_nbk Tue, 09/05/2006 - 20:55

Hi,

First of all, you have to inform the PIX-side administrator to use full IP traffic as the VPN interesting traffic. Also, at your concentrator side, you have configured the LAN-to-LAN tunnel with the source and destination networks.

Now in Policy Management->Traffic Management-> Rules-> Add


Rule 1 :-

Name :- OutboundXX
Direction :- Outbound
Action :- Forward
Protocol :- TCP
Source Address :- PIX Net
Destination Address :- Concentrator Net
TCP/UDP Source Port :- range 0-65535
TCP/UDP Destination Port :- 23

Rule 2 :-

Name :- InboundXX
Direction :- Inbound
Action :- Forward
Protocol :- TCP
Source Address :- Concentrator Net
Destination Address :- PIX Net
TCP/UDP Source Port :- 23
TCP/UDP Destination Port :- range 0-65535

---------------

Now create a filter named FilterL2L, and add the two previously created rules to this filter.

---

Now in the LAN-to-LAN configuration, specify the filter which you created in the filter drop-down field.


I hope it will solve your problem.


Thanks,

Mustafa
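The mirror relation grant.maynard describes, and the pair of rules in mustafa_nbk's post, as an added Python example that is not from the forum thread: it parses a PIX-style extended ACE, derives the mirrored selector the other end must carry, and checks whether a proposed rule set really mirrors the ACL (the /16 networks, the `access-list` line and the `Selector` type are constructed assumptions for the example).

```python
"""Mirror check for LAN-to-LAN IPsec traffic selectors (constructed example).

Phase 2 only completes when each end's interesting-traffic definition is
the mirror image of the peer's: source and destination networks swap, and
so do the source and destination ports. A filter that simply repeats
"destination port 23" on the concentrator side is not a mirror.
"""
from dataclasses import dataclass
from ipaddress import ip_network
import re

ANY_PORT = (0, 65535)  # the concentrator's "range 0-65535"


@dataclass(frozen=True)
class Selector:
    proto: str
    src: str        # CIDR network
    sport: tuple    # (low, high) port range
    dst: str
    dport: tuple

    def mirror(self):
        # The peer sees our source as its destination and our destination
        # port as its source port, so both pairs swap together.
        return Selector(self.proto, self.dst, self.dport, self.src, self.sport)


# Constructed PIX-style syntax: access-list NAME permit PROTO SRC MASK DST MASK [eq PORT]
ACE = re.compile(r"access-list \S+ (permit|deny) (\w+) (\S+) (\S+) (\S+) (\S+)(?: eq (\d+))?$")


def parse_pix_ace(line):
    """Turn one permit ACE into a Selector; deny lines and junk yield None."""
    m = ACE.match(line.strip())
    if not m or m.group(1) != "permit":
        return None
    proto, s_ip, s_mask, d_ip, d_mask, port = m.group(2, 3, 4, 5, 6, 7)
    src = str(ip_network(f"{s_ip}/{s_mask}", strict=False))
    dst = str(ip_network(f"{d_ip}/{d_mask}", strict=False))
    dport = (int(port), int(port)) if port else ANY_PORT
    return Selector(proto, src, ANY_PORT, dst, dport)


def is_mirrored(pix_acl_lines, peer_rules):
    """True only when every PIX permit ACE has its exact mirror on the peer."""
    wanted = {s.mirror() for s in map(parse_pix_ace, pix_acl_lines) if s}
    return wanted == set(peer_rules)
```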
