We have a PIX 515 (yes this is an older, not an "E" version), running 7.0(2) code. There are a handful of PIX 501 running Point-to-point VPN (static public IP addresses), and another handful of PIX 501 that have dynamic public IP addresses that use dynamic VPN on the 515. All tunnels work, and the remote sites can get to all resources. The issue is that none of our core tools, including ping, remote desktop administration, etc. can get to the dynamic remotes sites. Most of these sites are "always on", and I can see the remote PC connections to core resources in the 515 and in the 501 when I SSH into them. Is there an issue with my configuration, or is there another problem with this? Attached is the configuration of the PIX 515.
Re: PIX Dynamic IP VPN, remote desktop administration
There are two things that can make it so that you can't reach the other sites of the tunnel:
Have you specifically configured your central PIX to disable NAT for the remote site destinations, e.g.
access-list nonat permit ip
nat (inside) 0 access-list nonat
If there is an inbound access list on the PIX 515 and it doesn't allow traffic to the remote sites (bear in mind, traffic that is a new TCP/UDP connection), and the sysopt connection permit-ipsec command is not given, then it will not be possible for you to go to the remote sites.
So, there are two things you have to check:
1) nat 0 rules (e.g. disable NAT for traffic that matches the specified access list)
2) sysopt connection permit-ipsec command, it has to be given.
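As an added illustration of the two checks in the reply above (not code from the original thread), this small Python audit reads a PIX 7.0-style configuration offline and reports whether sysopt connection permit-ipsec is present and whether the nat 0 access list exempts each remote subnet. The configuration text, ACL names and subnets are constructed placeholders, and it assumes the nat 0 rule is on the inside interface.

```python
# Added example (not from the original thread): offline audit of a PIX 7.0-style
# config for the two checks named in the reply above. All values are constructed.
import ipaddress
import re

# Constructed sample: the nonat ACL exempts only one of the two remote subnets,
# and the sysopt line is absent, so both findings fire.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
"""

# Subnets behind the remote PIX 501s (constructed placeholder values).
REMOTE_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]

# 'access-list <name> [extended] permit ip <src> <dst>', where src/dst is
# either 'any' or '<network> <mask>'. Only the destination is captured.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?:any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$"
)

def nat0_acl_name(config):
    """Return the ACL name referenced by 'nat (inside) 0 access-list X', or None."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None

def acl_destinations(config, acl_name):
    """Collect destination networks from the 'permit ip' lines of the named ACL."""
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            dst = m.group(2)
            if dst == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            else:
                net, mask = dst.split()
                nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets

def audit(config, remote_subnets):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    if not re.search(r"^sysopt connection permit-ipsec\s*$", config, re.M):
        findings.append("missing: sysopt connection permit-ipsec")
    acl = nat0_acl_name(config)
    if acl is None:
        findings.append("missing: nat (inside) 0 access-list <name>")
        return findings
    covered = acl_destinations(config, acl)
    for subnet in remote_subnets:
        net = ipaddress.ip_network(subnet)
        if not any(net.subnet_of(c) for c in covered):
            findings.append(f"nat 0 ACL '{acl}' does not exempt {subnet}")
    return findings
```

Running audit(SAMPLE_CONFIG, REMOTE_SUBNETS) on the constructed sample reports the missing sysopt line and the unexempted 192.168.20.0/24; adding both lines to the config makes the audit return an empty list.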