Cisco Support Community
Router to Firewall VPN Connection

I have a 3825 router that terminates client vpn connections and a remote PIX that terminates client vpn connections and tunnels to 2 other PIXs. I want to build a site-site tunnel. I have configured the 3825 as follows:

crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ****x address**** no-xauth
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group admins
 key ***
 dns 10.65.1.200
 wins 10.65.1.200
 domain ***
 pool ippool-admin
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 20 ipsec-isakmp
 set peer ****
 set transform-set myset
 match address 199
!
interface Serial0/1/0
 ip access-group 101 in
 ip nat outside
 crypto map clientmap
!
access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255

The PIX config:

access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.62.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 100 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set HQset esp-3des esp-md5-hmac
crypto dynamic-map vpnclientmap 10 set transform-set HQset
crypto map HQmap 3 ipsec-isakmp
crypto map HQmap 3 match address 130
crypto map HQmap 3 set peer ***
crypto map HQmap 3 set transform-set HQset
crypto map HQmap 4 ipsec-isakmp
crypto map HQmap 4 match address 140
crypto map HQmap 4 set peer ***
crypto map HQmap 4 set transform-set HQset
crypto map HQmap 6 ipsec-isakmp
crypto map HQmap 6 match address 160
crypto map HQmap 6 set peer ***
crypto map HQmap 6 set transform-set HQset
crypto map HQmap 20 ipsec-isakmp dynamic vpnclientmap
crypto map HQmap interface outside
isakmp enable outside
isakmp key ******** address *** netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address *** netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address *** netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

All VPN clients work correctly, and so do the tunnels to the two branch offices (PIX-PIX), but I cannot route traffic between the site with the router and the central PIX. Any help would be appreciated to guide me in the right direction.

thanks

4 REPLIES

Re: Router to Firewall VPN Connection

Hi,

Do you have mirrored access-lists on the remote sites?

If you find this post useful, please don't forget to rate this.

#########################################
#Iwan Hoogendoorn
#########################################


Re: Router to Firewall VPN Connection

Well, on the router, ACL 199 is local LAN -> remote LAN.

On the PIX, ACL 160 is the opposite of that, since it is local LAN -> remote LAN.
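The mirroring question above can be checked mechanically rather than by eye. The following is an added example (not code from the thread or from Cisco): it parses the two crypto ACLs posted here, normalises the IOS wildcard masks and PIX subnet masks to the same form, and reports which flows are mirrored on the peer and which are missing. Only plain "permit ip A mask B mask" entries are handled.

```python
import ipaddress

# Constructed sample input: the crypto ACLs posted in this thread.
# IOS ACLs use wildcard masks, PIX ACLs use subnet masks, so both are
# normalised to ip_network objects before being compared.
IOS_ACL_199 = """
access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
PIX_ACL_160 = """
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.1.0 255.255.255.0
access-list 160 permit ip 192.168.0.0 255.255.255.0 10.65.2.0 255.255.255.0
"""


def _net(addr, mask, wildcard):
    """Build a network from an address plus a wildcard (IOS) or subnet (PIX) mask."""
    if wildcard:
        # In a wildcard mask the 0 bits are significant; invert it to get a netmask.
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text, wildcard):
    """Return the set of (src_net, dst_net) pairs from 'permit ip' entries."""
    flows = set()
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 8 or f[2:4] != ["permit", "ip"]:
            continue  # skip anything that is not a plain 'permit ip A mask B mask'
        flows.add((_net(f[4], f[5], wildcard), _net(f[6], f[7], wildcard)))
    return flows


def mirror_check(local_flows, remote_flows):
    """Every local (src, dst) flow must appear on the peer as (dst, src)."""
    mirrored = {(dst, src) for src, dst in remote_flows}
    return {
        "matched": local_flows & mirrored,
        "missing_on_remote": local_flows - mirrored,   # peer will reject the proxy IDs
        "extra_on_remote": mirrored - local_flows,     # peer expects flows we never send
    }


if __name__ == "__main__":
    result = mirror_check(parse_acl(IOS_ACL_199, True), parse_acl(PIX_ACL_160, False))
    for name, flows in result.items():
        print(name, sorted(f"{s} -> {d}" for s, d in flows))
```

For ACL 199 against ACL 160 both flows come back as matched, so the proxy identities on this pair are not the cause of the tunnel staying down.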

Re: Router to Firewall VPN Connection

Have you done a traceroute ... and is the traffic going through the tunnel?

If you find this post useful, please don't forget to rate this.

#########################################
#Iwan Hoogendoorn
#########################################


Re: Router to Firewall VPN Connection

From the router LAN side (10.65.1.x), when I traceroute from a client it goes to the router (.1) and then dies.

Here is the output from the router:

#sh crypto map
Crypto Map "clientmap" 10 ipsec-isakmp
        Dynamic map template tag: dynmap

Crypto Map "clientmap" 20 ipsec-isakmp
        Peer = ****
        Extended IP access list 199
            access-list 199 permit ip 10.65.2.0 0.0.0.255 192.168.0.0 0.0.0.255
            access-list 199 permit ip 10.65.1.0 0.0.0.255 192.168.0.0 0.0.0.255
        Current peer: ***
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset,
        }
        Interfaces using crypto map clientmap:
                Serial0/1/0

#sh crypto session
Crypto session current status

Interface: Serial0/1/0
Session status: DOWN
Peer: *** port 500
  IPSEC FLOW: permit ip 10.65.1.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.65.2.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

It appears that it never brings up the tunnel for traffic destined to the remote LAN 192.168.0.x.
