Cisco Support Community
Community Member

Getting to the bottom of traffic issues with a Cisco PIX 501e

I have a customer with two PIXs, one at each location. I can't ping all the way across locations, and users can't access anything once logged into the VPN client. Total downtime issues.

Don't know if it's a route/ACL/NAT/VPN issue or what; I really need someone's help on this.

11 REPLIES
Green

Re: getting to the bottom of traffic issues with a cisco pix 501

First thing to check is....

isakmp nat-traversal

Next thing to do is post a config.

Community Member

Re: getting to the bottom of traffic issues with a cisco pix 501

Here are the results of the show isakmp nat-traversal command on both sides of the tunnel:

1. (side A)

isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

2. (side B)

isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

I changed the IP addresses for identity reasons.

What does this command tell me???

Green

Re: getting to the bottom of traffic issues with a cisco pix 501

So is this a LAN-to-LAN tunnel, remote access VPN, or both? Post a config; clean out IPs/passwords, etc.

Community Member

Re: getting to the bottom of traffic issues with a cisco pix 501

This is a basic scenario:

router--pix---switch--devices

on both ends.

Both a tunnel, and it allows VPN clients to connect.

Community Member

Re: getting to the bottom of traffic issues with a cisco pix 501

Here is the config for side A:

Community Member

Re: getting to the bottom of traffic issues with a cisco pix 501

Here is the config for side B:

Community Member

Re: getting to the bottom of traffic issues with a cisco pix 501

The ISP uses the same block for both locations (first 3 octets).

I changed the IPs so they're not posted in public.

Also changed the group names to test (so wherever you see "test" I changed there also).

The internal subnets on both sides are the following:

side A 172.17.0.0

side B 172.16.0.0

I didn't make it that way, wouldn't have if you paid me a million, well maybe for a million (but seriously) I inherited it that way.

If you see any insecurities also let me know please.

Green

Re: getting to the bottom of traffic issues with a cisco pix 501

Site A-

You don't want your vpn pool to be included in your inside subnet. So use your 192pool.

vpngroup testGroup address-pool 192Pool

Nat exemption should be...

access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0

access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0

You don't need these...

no route outside 172.16.0.0 255.255.0.0 1.11.1.81 1

no access-list inside->outside

no access-list outside-->inside

no access-list vpn-inbound

no access-list x

no access-list y

Split tunnel acl should be...

access-list split-tunnel permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0
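The three points in the Site A advice above (the VPN pool must not sit inside the inside subnet, the nat0 exemption must cover inside-to-remote-LAN and inside-to-pool, and split-tunnel must cover inside-to-pool) can be checked mechanically before a config is pushed. The following is an added example, not code from the thread or from Cisco; the config fragment is constructed to match the advice, and the "ip local pool 192Pool" line and its 192.168.1.1-192.168.1.254 range are assumptions.

```python
import ipaddress
import re

# Constructed PIX 6.x-style fragment modelled on the Site A advice above;
# the "ip local pool" line and the 192Pool range are assumptions.
SITE_A_FIXED = """
ip local pool 192Pool 192.168.1.1-192.168.1.254
vpngroup testGroup address-pool 192Pool
access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list split-tunnel permit ip 172.17.0.0 255.255.0.0 192.168.1.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")

def parse(config):
    """Collect permit-ip ACL entries (as src/dst network pairs) and local pools."""
    acls, pools = {}, {}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts the PIX "address netmask" form as "address/mask".
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := POOL_RE.match(line):
            name, first, last = m.groups()
            # A start-end pool range becomes the list of CIDR blocks covering it.
            pools[name] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return acls, pools

def covered(entries, src, dst):
    """True if a single ACL entry's src and dst networks contain both src and dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def audit(config, inside, remote_lan):
    """Return the problems the thread calls out, as a list of strings (empty = clean)."""
    inside, remote_lan = ipaddress.ip_network(inside), ipaddress.ip_network(remote_lan)
    acls, pools = parse(config)
    nat0 = acls.get("inside_outbound_nat0_acl", [])
    split = acls.get("split-tunnel", [])
    findings = []
    if not covered(nat0, inside, remote_lan):
        findings.append(f"nat0 missing {inside} -> {remote_lan}")
    for name, blocks in pools.items():
        if any(b.overlaps(inside) for b in blocks):
            findings.append(f"pool {name} overlaps inside subnet {inside}")
        if not all(covered(nat0, inside, b) for b in blocks):
            findings.append(f"nat0 missing {inside} -> pool {name}")
        if not all(covered(split, inside, b) for b in blocks):
            findings.append(f"split-tunnel missing {inside} -> pool {name}")
    return findings
```

Running audit() with the pool moved into 172.17.0.0/16 reproduces the original problem: the pool overlaps the inside subnet and neither nat0 nor split-tunnel covers it.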

Green

Re: getting to the bottom of traffic issues with a cisco pix 501

Site B-

Nat exemption...

access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0

Not needed...

no route outside 172.17.0.0 255.255.0.0 1.11.1.89 1

Community Member

Re: getting to the bottom of traffic issues with a cisco pix 501

The guy who is working on this said the reason he has the 192 in there is so you don't get to route to anything? Does that sound good?

Green

Re: getting to the bottom of traffic issues with a cisco pix 501

Could you explain that again?
