01-28-2004 10:12 AM - edited 02-21-2020 01:01 PM
Hi all,
I am new to the PIX, and my VPN experience has been between routers or concentrators so far, so please bear with me.
Currently I am running an IPSec/GRE tunnel from a remote router, through a hub PIX, and terminating both the GRE and IPSec tunnels on an "inside" router.
Due to some network design changes, I need to instead terminate IPSec at the PIX outside interface - and just pass the GRE tunnel through the PIX inside interface to the inside router.
I have no problem bringing up the IPSec tunnel between the remote router and the PIX outside interface - and passing traffic through it. But when I add the tunnel (GRE) interfaces to the routers - along with the routes - I can no longer get any traffic to pass.
One of the things I don't understand here is what the PIX ACL should look like. I am being told two different answers:
One version is to simply leave the IPSec-only ACL "access-list nonat permit ip [local network] [remote network]" in place. {Ok, but how does this permit the GRE packets destined for the inside router to pass across the inside interface?}
The second answer I have been told is to change that to "permit gre host [tunnel src] host [tunnel dest]".
Are either of these correct for the PIX?
My thinking was that the GRE traffic would enter the IPSec tunnel on the remote router, come across the Internet, the IPSec encapsulation would be removed on the PIX, and then the remaining GRE packet would need to be permitted to access the higher security inside interface.
What is the proper solution here please?
I am also confused as to where the next hop is for tunnel destination traffic (going to host 10.2.0.2) from the remote router. I need to make that traffic not flow across the GRE tunnel to prevent recursive problems - or the Internet. I am assuming that I need to "push" it into the IPSec tunnel, but not into the GRE tunnel - is that correct? If so, exactly how does one accomplish that?
I am attaching the partial configs as they sit now. The PIX is v6.3(1), the routers are running 12.2 inside and 12.3 outside. This is still on the bench so the hardware/IOS can change if needed.
Sorry to be so long-winded, but I have reached the point of thrashing on this.
Thank you in advance for any guidance here!
Nick
01-28-2004 02:16 PM
Check your PIX config and verify that you have a 'nat (inside) 0 access-list nonat' present.
I quickly reviewed the PIX config and didn't see it. I think you might be missing it.
01-29-2004 05:10 AM
Thank you, you're right - I had missed that. I corrected it, but apparently that isn't the only problem with my configs because packets still aren't flowing - although they sure have a better chance now!
Nick
02-05-2004 02:36 AM
Nick,
If you're still having problems, have a look at this; it describes a solution that matches your requirement.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
Andy
02-05-2004 06:38 AM
Thank you Andy, I had been using that example - and was just missing a couple lines of config in my interpretation of it. I did finally resolve it last Friday with TAC's assistance. Thank you for the reply.
Nick
03-08-2004 07:04 AM
Hello,
I have just found your conversation. We are currently trying to resolve the same problem. Could you please provide us with the solution of the problem? Thank you very much in advance.
mishak
04-13-2004 07:32 AM
What was the resolution for this issue, as I am experiencing the same issue?
04-14-2004 04:36 AM
Hi, sorry for not posting this sooner. I am listing the configs below which should explain my end solution. I am also attaching a rather sorry sketch of my lab layout. I am not including the configs for my "simulated Internet" - it just emulates the ISP side of things.
One of the tunnel addresses was cut off in the scan - they are both 172.16.x.x.
Regards,
Nick
PIX - terminates IPSec tunnel:
tunnelpix# sh run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname tunnelpix
access-list outside_access_in permit udp host 9.0.0.2 host 242.236.137.103 eq isakmp
access-list outside_access_in permit esp host 9.0.0.2 host 242.236.137.103
pager lines 24
ip address outside 242.236.137.104 255.255.255.248
ip address inside 10.255.240.1 255.255.255.252
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 242.236.137.103 10.255.240.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 242.236.137.105 1
route inside 10.2.0.0 255.255.240.0 10.255.240.2 1
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
: end
tunnelpix#
Inside Router - terminates GRE:
1605#
IOS (tm) 1600 Software (C1600-OSY56I-M), Version 12.1(22), RELEASE SOFTWARE (fc4)
ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: 1600 Software (C1600-RBOOT-R), Version 12.0(3)T, RELEASE SOFTWARE (fc1)
System image file is "flash:c1600-osy56i-mz.121-22.bin"
1605#sh run
!
version 12.1
!
hostname 1605
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key xxx address 9.0.0.2
!
!
crypto ipsec transform-set transet_1 esp-des esp-md5-hmac
!
crypto map map_1 10 ipsec-isakmp
set peer 9.0.0.2
set transform-set transet_1
match address 105
!
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.252
tunnel source Ethernet1
tunnel destination 9.0.0.2
crypto map map_1
!
interface Ethernet0
ip address 10.2.0.1 255.255.240.0
!
interface Ethernet1
ip address 10.255.240.2 255.255.255.252
no ip route-cache
no ip mroute-cache
crypto map map_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.255.240.1
ip route 10.2.32.0 255.255.240.0 Tunnel0
!
access-list 105 permit gre host 10.255.240.2 host 9.0.0.2
!
end
Remote site router - terminates both GRE and IPSec:
remote#sh ver
IOS (tm) C1700 Software (C1700-ADVSECURITYK9-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
System image file is "flash:c1700-advsecurityk9-mz.123-5a.bin"
remote#sh run
!
version 12.3
!
hostname remote
!
ip cef
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key xxxxx address 242.x.x.103
!
!
crypto ipsec transform-set transet_1 esp-des esp-md5-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map map_1 10 ipsec-isakmp
set peer 242.236.137.103
set transform-set transet_1
match address 105
!
!
!
!
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.252
tunnel source Serial0.1
tunnel destination 10.255.240.2
!
interface FastEthernet0
ip address 10.2.32.1 255.255.240.0
speed auto
half-duplex
!
interface Serial0
no ip address
encapsulation frame-relay
!
interface Serial0.1 point-to-point
description To Remote LAN via Internet
ip address 9.0.0.2 255.255.255.252
frame-relay interface-dlci 20 CISCO
crypto map map_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.0.0.1
ip route 10.2.0.0 255.255.240.0 Tunnel0
!
access-list 105 permit gre host 9.0.0.2 host 10.255.240.2
!
!
end
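The two router configs above lend themselves to a mechanical sanity check; the following Python checker is an added example (it is not from this thread, Nick, or Cisco) that parses IOS-style text and flags the recursive-routing trap Nick asked about and crypto ACLs that do not mirror the peer's GRE endpoints. The embedded sample configs are constructed, trimmed from Nick's posted ones, and the function names are mine.

```python
# Added example (not from the thread): consistency checks for GRE-over-IPSec
# router configs like the two above. It parses IOS text (constructed samples
# below, trimmed from Nick's configs) and flags the recursive-routing trap
# (tunnel destination reached via Tunnel0) and non-mirrored crypto ACLs.
import ipaddress, re
def parse_ios(text):
    """Extract interfaces, static routes and 'permit gre' crypto ACL entries."""
    cfg, cur = {"if": {}, "routes": [], "acl": []}, {}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = cfg["if"].setdefault(m[1], {})
        elif m := re.match(r"ip address (\S+) ", line):
            cur["ip"] = m[1]
        elif m := re.match(r"tunnel (source|destination) (\S+)", line):
            cur[m[1]] = m[2]
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
        elif m := re.match(r"access-list \d+ permit gre host (\S+) host (\S+)", line):
            cfg["acl"].append((m[1], m[2]))
    return cfg
def check_tunnel(cfg, tun="Tunnel0"):
    """Return the problems found for one GRE tunnel interface (empty if none)."""
    t, probs = cfg["if"][tun], []
    src_ip, dst = cfg["if"][t["source"]]["ip"], t["destination"]
    # Longest-prefix match: a peer routed into its own tunnel means GRE in GRE.
    hits = [r for r in cfg["routes"] if ipaddress.ip_address(dst) in r[0]]
    if hits and max(hits, key=lambda r: r[0].prefixlen)[1] == tun:
        probs.append(f"recursive: tunnel destination {dst} routed via {tun}")
    if (src_ip, dst) not in cfg["acl"]:  # crypto ACL must name the GRE endpoints
        probs.append(f"missing 'permit gre host {src_ip} host {dst}' in crypto ACL")
    return probs
def mirrored(a, b):  # peer crypto ACLs must be mirror images or the SAs never match
    return {(d, s) for s, d in a["acl"]} == set(b["acl"])

INSIDE = """interface Tunnel0
 tunnel source Ethernet1
 tunnel destination 9.0.0.2
interface Ethernet1
 ip address 10.255.240.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.255.240.1
access-list 105 permit gre host 10.255.240.2 host 9.0.0.2"""
REMOTE = """interface Tunnel0
 tunnel source Serial0.1
 tunnel destination 10.255.240.2
interface Serial0.1 point-to-point
 ip address 9.0.0.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 9.0.0.1
ip route 10.2.0.0 255.255.240.0 Tunnel0
access-list 105 permit gre host 9.0.0.2 host 10.255.240.2"""
BAD_REMOTE = REMOTE + "\nip route 10.0.0.0 255.0.0.0 Tunnel0"  # swallows the peer
```

Calling check_tunnel(parse_ios(BAD_REMOTE)) reports the recursive route while the two real configs pass, and mirrored(parse_ios(INSIDE), parse_ios(REMOTE)) confirms the crypto ACLs are mirror images.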
04-14-2004 06:41 PM
Hi Nick, thanks for the info as it will help with what I wanted to do.
Bob