I've been trying to simulate this for almost a week now. We would like to create a tunnel from the 506E through our VPN concentrator. The concentrator shows phase 2 completed, but all I get is an ICMP reply from the 3005's LAN IP when pinged from a host connected to the PIX; I can't do it the other way. If I initiate the ping, that's the only time I get TX on my concentrator.
Below is my config for the PIX; what am I missing? I also upgraded my concentrator to software ver 3.6.7 Rel k9.
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip 192.168.xxx.xxx 255.255.255.0 10.11.xxx.xxx 255.255.0.0
access-list 100 permit ip 192.168.xxx.xxx 255.255.255.0 10.11.xxx.xxx 255.255.0.0
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 206.220.xxx.xxx 255.255.255.0
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.x.x 255.255.255.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 206.220.xxx.xx 1
no sysopt route dnat
sysopt connection permit-ipsec
crypto ipsec transform-set europe esp-3des esp-md5-hmac
crypto map vpn_euro 10 ipsec-isakmp
crypto map vpn_euro 10 match address 101
crypto map vpn_euro 10 set peer 66.13.xxx.xxx
crypto map vpn_euro 10 set transform-set europe
crypto map vpn_euro interface outside
isakmp enable outside
isakmp key ******** address 66.13.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Do I need to create any static route on my concentrator? Currently, I only have a default route to my 3005's public IP.
Thanks for any advice.
1. Is your VPN3000 configured for a LAN-to-LAN tunnel to the PIX, or is it configured to accept dynamic connections through the base group?
2. The default route on the VPN3000 should point to the next hop from the public interface, not the interface itself.
3. I would also check the local and remote network lists on the VPN3000 for this tunnel, and for any other tunnels if configured, to make sure that I do not have any overlapping subnets.
1. Yes, it is configured for LAN-to-LAN.
2. The default route is set to 0.0.0.0 --> 66.13.xxx.xxx (default gateway).
3. Under the IPsec, LAN-to-LAN menu on the concentrator, I defined the IP address/wildcard mask for both local and remote networks. No other tunnels are created yet; the concentrator is currently accepting remote access.
If possible, can you post the IP address/wildcard mask from the VPN3000 for the LAN-to-LAN tunnel, and what is the range of IP addresses that you are assigning to the clients?
And when you tried to ping from a host behind the VPN3000 to a host behind the PIX, what were your source and destination IP addresses?
Does the host behind the VPN3000 know where to send the packets for a host behind the PIX? And if you have an internal router, what is its default gateway, and does it have a route for 192.168.xxx.xxx pointing to the VPN3000?
I have a DHCP pool for my remote access clients starting at 10.11.1.x - 10.11.1.xx 255.255.0.0.
Wildcard mask addresses for my LAN-to-LAN:
Local Network --> 10.11.0.0/0.0.255.255
Remote Network --> 192.168.1.0/0.255.255.255
I don't have a router, but I have a PIX 515E that is connected in parallel to my concentrator (this was how our consultant set up the appliance). I didn't have problems with clients connecting via remote access. Anyway, this is how it looks:
pix 515e - 10.11.xxx.x --->66.13.xxx.xxx
concentrator - 10.11.xxx.y --->66.13.xxx.xxy
default gateway ---> 66.13.xxx.xxz
On the concentrator, the default tunnel gateway points to the PIX 515E local address, and the default gateway --> 66.13.xxx.xxz.
I don't have a router on my PIX 506E network either; it's directly connected to the DSL modem.
Does my PIX 515E have something to do with this? Do I need to add a route for 192.168.xxx.xxx on my PIX 515E? But the tunnel should be between the 3005 & 506E, right?
I can ping the 3005's inside address from a host on the PIX 506E, but that's just it; I can't ping any other IPs on the 10.11.xxx.xx network, and can't ping back.
Thanks for any advice.
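A LAN-to-LAN tunnel only carries traffic that both ends describe the same way: the PIX crypto ACL (and its NAT-exemption ACL) must match the VPN3000's local/remote network list, with source and destination swapped. The following is an added example, not code from the thread, that converts the VPN3000's IP/wildcard-mask notation into networks, parses a PIX 6.x access-list entry, and reports where the two ends disagree or overlap. The PIX line and the 192.168.1.0 / 10.11.0.0 values are constructed stand-ins for the xxx placeholders in the posts; the wildcard masks are the ones posted above.

```python
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Net:
    """Convert a VPN3000-style 'IP address / wildcard mask' pair into a network.

    A wildcard mask is the bitwise inverse of a subnet mask (0 bits must match),
    so 10.11.0.0 / 0.0.255.255 is 10.11.0.0/16. Raises ValueError when the
    wildcard is not contiguous (e.g. 0.255.0.255), which no prefix can express.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    # strict=False normalises an address with host bits set to the network the
    # mask actually matches, e.g. 192.168.1.0 / 0.255.255.255 -> 192.0.0.0/8.
    return IPv4Net((addr, str(netmask)), strict=False)


def parse_pix_acl(line: str) -> Tuple[IPv4Net, IPv4Net]:
    """Return (source, destination) from a PIX 6.x 'access-list N permit ip ...' line.

    Accepts the 'A.B.C.D MASK', 'host A.B.C.D' and 'any' address forms.
    """
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"not a 'permit ip' entry: {line}")
    rest, nets = tokens[4:], []
    while rest:
        if rest[0] == "any":
            nets.append(IPv4Net("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(IPv4Net(rest[1] + "/32"))
            rest = rest[2:]
        else:
            nets.append(IPv4Net((rest[0], rest[1]), strict=False))
            rest = rest[2:]
    if len(nets) != 2:
        raise ValueError(f"expected a source and a destination: {line}")
    return nets[0], nets[1]


def check_lan_to_lan(pix_acl_line: str,
                     conc_local: Tuple[str, str],
                     conc_remote: Tuple[str, str]) -> List[str]:
    """List mismatches between the PIX crypto ACL and the VPN3000 network list.

    The PIX source must equal the concentrator's *remote* network and the PIX
    destination its *local* network; an empty list means the ends mirror.
    """
    pix_src, pix_dst = parse_pix_acl(pix_acl_line)
    local = wildcard_to_network(*conc_local)
    remote = wildcard_to_network(*conc_remote)
    findings = []
    if remote != pix_src:
        findings.append(f"concentrator remote {remote} != PIX ACL source {pix_src}")
    if local != pix_dst:
        findings.append(f"concentrator local {local} != PIX ACL destination {pix_dst}")
    if local.overlaps(remote):
        findings.append(f"local {local} overlaps remote {remote}")
    return findings


# Constructed sample values (the posts mask the real addresses with xxx).
PIX_ACL = "access-list 101 permit ip 192.168.1.0 255.255.255.0 10.11.0.0 255.255.0.0"
CONC_LOCAL = ("10.11.0.0", "0.0.255.255")           # as posted
CONC_REMOTE_AS_POSTED = ("192.168.1.0", "0.255.255.255")
CONC_REMOTE_MIRRORED = ("192.168.1.0", "0.0.0.255")  # wildcard for a /24

if __name__ == "__main__":
    for remote in (CONC_REMOTE_AS_POSTED, CONC_REMOTE_MIRRORED):
        print(remote, "->", check_lan_to_lan(PIX_ACL, CONC_LOCAL, remote) or "OK")
```

Run it and the posted remote wildcard 0.255.255.255 is reported as 192.0.0.0/8 rather than the /24 the PIX ACL names; the 0.0.0.255 variant produces no findings. The same check applies to the NAT-exemption ACL (`nat (inside) 0 access-list`), which must also cover exactly the tunnelled traffic.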
I stand corrected. Thank you, but it still doesn't work. One thing I realized though: when I changed the default gateway of host A to the 3005's IP, I was able to ping host B, but I can't access the internet if I do that; besides, everything should go through my 515. How would I be able to pass traffic from the concentrator to the 515? Do I need to enable RIP on both so that the 506 networks would be able to traverse the network? Any other ideas?
I've spent a lot of time with a similar issue, the difference being that I can access the internet and end tunnel nodes. You could have the option Split Tunneling Policy (located under Configuration>Groups>YOURGROUP) configured for 'Tunnel Everything' without the 'Allow the networks in the list to bypass the tunnel' option enabled. Using that option, all your data packets will be transmitted down the tunnel. I would recommend setting that to 'Only tunnel networks in list'. To do that you'll have to create a Network List under Configuration>Policy Management>Network Lists that includes your local networks.
I use a "router on a stick" setup. I dusted off some old Cisco router that I found in a closet one day, and set up the router to send all 0.0.0.0 traffic to the PIX and all remote VPN site traffic to the concentrator. I then set up all of my workstations to use the Cisco router as the default gateway. No problems with throughput so far, since it is using ICMP redirects and not processing every single packet that's going off site.
A server of some sort would work just as well as my Cisco router, as long as it keeps the routes after a reboot and can send ICMP redirects.
Anyways, my 2 cents.
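The thread's second problem is routing rather than IPsec: with the PIX 515E and the concentrator in parallel on the same LAN, a host's default gateway decides which box sees traffic for the 506E network, and the 515E knows only its default route. The following is an added model, not code from the thread, that performs longest-prefix lookups across the three devices and shows the path a packet takes from each candidate gateway, plus the ICMP-redirect behaviour the "router on a stick" post relies on. All addresses are constructed (the posts mask theirs), and the model covers forwarding decisions only, not NAT or the return path.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# (destination prefix, next hop): the next hop is an address on the LAN, an
# upstream address, or a label for something not modelled here.
Route = Tuple[ipaddress.IPv4Network, str]

# Constructed topology: the 515E, the 3005 and the router share 10.11.0.0/16.
PIX515, VPN3005, ROUTER, ISP = "10.11.0.1", "10.11.0.2", "10.11.0.3", "203.0.113.1"
HOST_LAN = ipaddress.IPv4Network("10.11.0.0/16")
REMOTE_LAN = ipaddress.IPv4Network("192.168.1.0/24")   # the 506E side
DEFAULT = ipaddress.IPv4Network("0.0.0.0/0")

TABLES: Dict[str, List[Route]] = {
    PIX515:  [(DEFAULT, ISP)],                          # only a default route
    VPN3005: [(REMOTE_LAN, "tunnel-to-506e"),           # LAN-to-LAN tunnel
              (DEFAULT, PIX515)],                        # everything else to the 515
    ROUTER:  [(REMOTE_LAN, VPN3005),                    # VPN site -> concentrator
              (DEFAULT, PIX515)],                        # internet -> PIX
}


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, nexthop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def trace(first_hop: str, dst: str, tables: Dict[str, List[Route]] = TABLES,
          max_hops: int = 8) -> List[str]:
    """Follow dst from the host's gateway through each device's table until the
    packet reaches something not modelled (the ISP or the tunnel) or is dropped."""
    path, hop = [first_hop], first_hop
    while hop in tables and len(path) <= max_hops:
        hop = lookup(tables[hop], dst)
        if hop is None:
            path.append("no-route")
            break
        path.append(hop)
    return path


def icmp_redirect(router: str, dst: str,
                  tables: Dict[str, List[Route]] = TABLES) -> Optional[str]:
    """Next hop the router would advertise in an ICMP redirect for dst.

    A router sends a redirect when the next hop is on the same LAN as the host
    that sent the packet; afterwards the host sends directly to that next hop,
    which is why the router stays out of the data path.
    """
    nxt = lookup(tables[router], dst)
    if nxt is None or nxt == router:
        return None
    try:
        on_lan = ipaddress.IPv4Address(nxt) in HOST_LAN
    except ValueError:          # a label such as "tunnel-to-506e", not an address
        return None
    return nxt if on_lan else None


if __name__ == "__main__":
    remote_host, internet_host = "192.168.1.10", "198.51.100.7"
    print("gateway 515E, VPN site :", trace(PIX515, remote_host))
    print("gateway router, VPN site:", trace(ROUTER, remote_host))
    print("gateway router, internet:", trace(ROUTER, internet_host))
    print("redirect for VPN site   :", icmp_redirect(ROUTER, remote_host))
```

With the 515E as gateway, the trace for 192.168.1.10 ends at the ISP: the 515E has no route for the remote LAN, so the packet never reaches the concentrator. With the router as gateway the same packet is handed to the concentrator and the tunnel, internet traffic goes to the 515E, and the redirect lookup returns the concentrator's LAN address, so later packets bypass the router.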