01-08-2003 11:22 AM - edited 03-09-2019 01:36 AM
Ok, I have two networks set up to see each other via VPN. The VPN is supplied by a 515e and a 501e. The 515e network is 192.168.50.0, the 501e network is 192.168.51.0.
The 515e's external ip is x.x.71.7, the 501 is x.x.71.8
Problem: I can telnet from the 192.168.51.0 network behind the 501 into the outside interface of the 515e, but cannot from the 50.0 network behind the 515e into the outside interface of the 501e.
Here are my setups:
515e -
ip address outside x.x.71.7
ip address inside 192.168.50.1
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0 (hitcnt=1184)
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host x.x.71.8 (hitcnt=62)
501e -
ip address outside x.x.71.8
ip address inside 192.168.51.1
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.71.8 192.168.50.0 255.255.255.0
Why does this work one way, but not back? I would have thought that if it worked enough for me to telnet from the 501 side to the 515, then the same setup would work from the 515 to the 501, but it doesn't seem to.
Thanks for your help in advance.
Dave
01-08-2003 11:30 AM
Hi,
Please have a look at the 'telnet' commands on both the PIXs. Are the IP addresses specified which are allowed to telnet?
Kind Regards,
Tom
01-08-2003 01:04 PM
Yes, they are:
515e
telnet x.x.71.8 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
501e
telnet x.x.71.7 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 inside
01-08-2003 01:28 PM
I don't see any hits on the nonat access-list of the 501. Is it applied ?
01-08-2003 01:45 PM
Yes, I just can't telnet to it from this location (hence the problem), so I just pulled that info from my last text dump of the "sho run" when I was at that location.
But the hits are similar to those of the 515e: one of the statements has a high number, the other is below 100.
I would like to say that it's the access-list inside_nat0_outbound permit ip host x.x.71.8 192.168.50.0 255.255.255.0
statement that is below 100 on the 501e.
Sorry, I wasn't very thorough in the description of the problem.
01-08-2003 02:50 PM
Hi,
is it possible to post the two configs? !!Please replace public addresses and passwords!!
Thanks,
Tom
01-08-2003 03:02 PM
What? You want me to make it easy for you? :) Ha, ok, here they are (excluding intro, fixups, and names).
(Please note on the 515e I am just starting to set up for multiple VPNs, haven't got that section finished yet.)
515e:
PIX Version 6.2(2)
object-group network Bluff_Inside
network-object 192.168.50.0 255.255.255.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 any
access-list acl_inbound permit tcp any any
access-list acl_inbound permit tcp any host x.x.71.7 eq 3389
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host x.x.71.8
access-list inside_nat0_out2Sav permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_out2Bft permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.50.0 255.255.255.255 inside
pdm location 192.168.50.201 255.255.255.255 inside
pdm location x.x.71.8 255.255.255.255 outside
pdm location 192.168.51.0 255.255.255.0 outside
pdm group Bluff_Inside inside
pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.71.7 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer x.x.71.8
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
crypto map vpn2 20 ipsec-isakmp
crypto map vpn2 20 match address inside_nat0_out2Sav
crypto map vpn2 20 set pfs group2
crypto map vpn3 30 ipsec-isakmp
crypto map vpn3 30 match address inside_nat0_out2Bft
crypto map vpn3 30 set pfs group2
crypto map vpn3 30 set transform-set myset
isakmp enable outside
isakmp key ******** address x.x.71.8 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet x.x.71.8 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.50.201 255.255.255.255 inside
telnet 192.168.51.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround1
vpdn group pppoex ppp authentication pap
vpdn username yearround1 password *********
terminal width 80
501e:
PIX Version 6.2(2)
access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.71.8 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0
access-list acl_inbound permit ip any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.51.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.50.0 255.255.255.0 outside
pdm location 192.168.51.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.51.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.51.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer x.x.71.7
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address x.x.71.7 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet x.x.71.7 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 inside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround2
vpdn group pppoex ppp authentication pap
vpdn username yearround2 password *********
terminal width 80
Cryptochecksum:523aa7cc13d7e2959e2752a5c6a92fdd
: end
Thanks guys, I really appreciate your time, especially if you are still reading this, ha.
Dave
01-08-2003 03:02 PM
Hi Dave,
If I understand you correctly, your telnet command should have:
515e
telnet 192.168.51.0 255.255.255.0 outside --- from the Pix 501
501
telnet 192.168.50.0 255.255.255.0 outside --- from the pix 515
And also other necessary IP addresses that you want to allow telnet access to the PIX.
Regards,
Arul
01-08-2003 03:05 PM
Hi Dave,
Just got your config. Will look into it and let you know.
Regards,
Arul
01-08-2003 03:18 PM
Hi Dave,
Look at my comments regarding Telnet in the previous posting.
Couple of questions for you:
1. In your config on the Pix 501, why do you have the two statements in your access-list:
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0
2. And also use a different access-list for match address and NAT 0, because you will run into problems when you configure multiple VPN tunnels.
For Ex:
crypto map VPNMAP 10 match address 100
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map VPNMAP 20 match address 101
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 150 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list 150
Regards,
Arul
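As an added illustration (not code from the thread), here is a small Python check over the 501e lines for the two points Arul raises above: the same access-list serving both `match address` and `nat (inside) 0`, and the remote LAN being listed on the wrong interface in the `telnet` command. The sample configs are constructed from the posted 501e lines, 203.0.113.7 is a documentation address standing in for the masked x.x.71.7, and `lint_pix` plus the ACL names in the corrected sample are my own.

```python
import ipaddress

# Constructed sample modelled on the 501e config in the thread; 203.0.113.7 stands in for x.x.71.7.
PIX_501E_AS_POSTED = """
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 host 203.0.113.7
nat (inside) 0 access-list inside_nat0_outbound
crypto map vpn1 10 match address inside_nat0_outbound
telnet 203.0.113.7 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 inside
telnet 192.168.50.0 255.255.255.0 inside
"""
# Same device with a dedicated crypto ACL, a separate nonat ACL, and the remote LAN on 'outside'.
PIX_501E_FIXED = """
access-list vpn_to_50 permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map vpn1 10 match address vpn_to_50
telnet 192.168.50.0 255.255.255.0 outside
telnet 192.168.51.0 255.255.255.0 inside
"""

def _addr(tokens):  # consume 'host A' or 'A MASK'; return (network, remaining tokens)
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def lint_pix(config):  # hypothetical helper: returns a list of findings for the two issues
    acls, telnet_outside, nat0, crypto = {}, [], None, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["telnet"] and t[3] == "outside":
            telnet_outside.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[:3] == ["nat", "(inside)", "0"]:
            nat0 = t[-1]                       # ACL that bypasses NAT
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto[f"{t[2]} {t[3]}"] = t[-1]   # ACL that selects tunnel traffic
    findings = []
    for entry, acl in crypto.items():
        if acl == nat0:
            findings.append(f"crypto map {entry} and nat (inside) 0 share access-list {acl}")
        for _src, dst in acls.get(acl, []):
            # Remote LANs (not the /32 peer itself) must be allowed to telnet on 'outside'.
            if dst.prefixlen < 32 and not any(dst.subnet_of(n) for n in telnet_outside):
                findings.append(f"no 'telnet ... outside' entry covers remote VPN subnet {dst}")
    return findings
```

Running `lint_pix` on the as-posted sample reports both problems; on the corrected sample it reports none.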
01-09-2003 06:00 AM
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
(I was under the assumption that this was needed for the VPN traffic between the two networks, and since the hit counter was continually increasing, I figured that was what it was doing.)
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0
(This is now gone; it was just an attempt to see if the hit counter would go up when I tried to telnet to the other PIX.)
Thanks for the added advice on multiple vpns, I do have a question though.
The access-lists 100 and 101 in your example: are those applied to NAT in any way, or are they there just for the match address, with the permit statements used in the 150 list?
Thanks,
Dave
01-09-2003 04:59 PM
Hi Dave,
The access-lists 100 and 101 refer to the match address for the respective IPsec peers only.
And the access-list 150 is used to bypass NAT (NAT 0).
Regards,
Arul