12-31-2002 05:04 AM - edited 02-21-2020 12:15 PM
OK, I am so close to having this VPN running, yet I have one problem...
It seems to be only one way.
I can see from my MainOffice over to the Construction office, ping them, see their shares, but from there I cannot see back to the MainOffice.
I have temporarily opened up basically everything to see if I can get it working; it still doesn't, though. The configs are below.
MainOffice PIX (515e):
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 any
access-list acl_inbound permit tcp any any
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit udp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit icmp 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.50.0 255.255.255.255 inside
pdm location 192.168.50.201 255.255.255.255 inside
pdm location ConstOffice 255.255.255.255 outside
pdm location 192.168.51.0 255.255.255.0 outside
pdm group Bluff_Inside inside
pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.50.201 255.255.255.255 inside
telnet 192.168.51.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround1
vpdn group pppoex ppp authentication pap
vpdn username yearround1 password *********
terminal width 80
Cryptochecksum:ebfb752cd90a613290d5922bd67f49ea
: end
ConstOffice PIX (501e):
names
access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any
access-list acl_outbound permit tcp any any
access-list acl_outbound permit icmp any any
access-list acl_outbound permit udp any any
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit icmp 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_inbound permit ip any any
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.51.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.50.0 255.255.255.0 outside
pdm location 192.168.51.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.51.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.51.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer MainOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address MainOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet MainOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 inside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround2
vpdn group pppoex ppp authentication pap
vpdn username yearround2 password *********
terminal width 80
Cryptochecksum:c5d1bfe1bd3ab8e57b109c4ee7998bbf
: end
12-31-2002 05:37 AM
Hi,
try adding this command to the two configs:
sysopt connection permit-ipsec
This command bypasses the access-list for authorized VPN traffic.
Kind Regards and Best Wishes!!
Tom
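A worked follow-up to Tom's fix, added here as an editorial example rather than anything the posters or Cisco supplied: once `sysopt connection permit-ipsec` is in place, traffic that has been decrypted from the IPsec tunnel is no longer matched against the interface access lists, so the "opened up basically everything" rules the question added to both `acl_inbound` lists (and to `acl_outbound` on the 501) are not needed for the VPN and can come back out. The fragment is PIX 6.x CLI for the two boxes in the thread; the subnets and access-list names are the ones from the posted configs. The 3DES/group 2 proposals at the end are an assumption that both units carry a 3DES license, which the thread does not say. Lines beginning with `:` are comments.

```cisco
: ==== MainOffice PIX 515E: paste in configuration mode ====
: The fix from the accepted answer. Decrypted traffic arriving through the
: IPsec tunnel from ConstOffice is no longer checked against acl_inbound.
: Plaintext traffic hitting the outside interface from the Internet still is.
sysopt connection permit-ipsec

: The troubleshooting rules are no longer needed for the tunnel, so drop them.
: The existing "permit icmp any any echo-reply" line stays: PIX 6.x does not
: track ICMP in its connection table, so replies to pings from inside hosts
: have to be let in explicitly.
no access-list acl_inbound permit tcp any any
no access-list acl_inbound permit udp any any
: acl_inbound now holds only: permit icmp any any echo-reply
: acl_outbound on this side already has only the one permit ip line.

: ==== ConstOffice PIX 501: same idea ====
sysopt connection permit-ipsec
: Add the narrow rule first so the access list is never left empty while
: it is still bound to the outside interface.
access-list acl_inbound permit icmp any any echo-reply
no access-list acl_inbound permit ip any any
no access-list acl_inbound permit icmp any any
no access-list acl_inbound permit udp any any
: The inside-interface list only needs the site subnet; the protocol any/any
: lines were troubleshooting additions as well.
no access-list acl_outbound permit tcp any any
no access-list acl_outbound permit icmp any any
no access-list acl_outbound permit udp any any
: acl_outbound now holds only: permit ip 192.168.51.0 255.255.255.0 any

: ==== Both peers, identically (ASSUMPTION: both boxes have a 3DES license) ====
: Single DES is the weak setting in the posted configs. Phase 1 policy and the
: transform set must match on both ends, and the crypto ACL referenced by
: "match address" must stay a mirror image of the peer's, so change these on
: both sides together or not at all.
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
```

The important property of `sysopt connection permit-ipsec` is its scope: it exempts only traffic that arrived inside an established IPsec SA, so the interface access lists keep doing their job for everything else that reaches the outside address. That is why the inbound lists can shrink back to the echo-reply entry instead of staying wide open to reach the remote site.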
12-31-2002 08:07 AM
That did the trick, thanks a load! :)
Dave