VPN again...

dsingleterry
Level 1

Ok, I am so close to having this VPN running, yet I have one problem...

It seems to be only one way.

I can see from my MainOffice over to the Construction office, ping them, see their shares, but from there I cannot see back to the MainOffice.

I have temporarily opened up basically everything to see if I can get it working, it still doesn't though; the configs are below.

MainOffice PIX (515e):

access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 any
access-list acl_inbound permit tcp any any
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit udp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit icmp 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.50.0 255.255.255.255 inside
pdm location 192.168.50.201 255.255.255.255 inside
pdm location ConstOffice 255.255.255.255 outside
pdm location 192.168.51.0 255.255.255.0 outside
pdm group Bluff_Inside inside
pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.50.201 255.255.255.255 inside
telnet 192.168.51.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround1
vpdn group pppoex ppp authentication pap
vpdn username yearround1 password *********
terminal width 80
Cryptochecksum:ebfb752cd90a613290d5922bd67f49ea
: end

ConstOffice PIX (501e):

names
access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any
access-list acl_outbound permit tcp any any
access-list acl_outbound permit icmp any any
access-list acl_outbound permit udp any any
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit icmp 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_inbound permit ip any any
access-list acl_inbound permit icmp any any
access-list acl_inbound permit udp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.51.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.50.0 255.255.255.0 outside
pdm location 192.168.51.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.51.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.51.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer MainOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address MainOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet MainOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 inside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround2
vpdn group pppoex ppp authentication pap
vpdn username yearround2 password *********
terminal width 80
Cryptochecksum:c5d1bfe1bd3ab8e57b109c4ee7998bbf
: end


2 Replies

tvanginneken (Accepted Solution)
Level 4

Hi,

try adding this command to the two configs:

sysopt connection permit-ipsec

This command bypasses the access-list for authorized vpn traffic.

Kind Regards and Best Wishes!!

Tom

That did the trick, thanks a load! :)

Dave
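Added example, not from the original thread or from Cisco: a small Python audit script that parses the relevant lines of the two configs posted above and reports on the point Tom's answer turns on. Without sysopt connection permit-ipsec, traffic decrypted from the tunnel is still evaluated by the access-group bound to the outside interface, so the script checks what that ACL would admit from the remote LAN (with the ICMP type qualifier taken into account) and, as a second routine health check, whether the two crypto ACLs are mirror images of each other. The parser handles only the PIX 6.x permit syntax that appears in these configs; deny entries and ACE ordering are not modelled, and the mirror-image rule is the general IPsec requirement, not something the thread states.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    proto: str
    src: str        # network in CIDR form, 0.0.0.0/0 for 'any'
    dst: str
    extra: tuple    # trailing qualifiers such as ('echo-reply',) or ('eq', '80')


@dataclass
class PixConfig:
    acls: dict = field(default_factory=dict)           # acl name -> [Ace]
    access_groups: dict = field(default_factory=dict)  # interface -> acl name bound with access-group
    crypto_acls: list = field(default_factory=list)    # ACLs named by 'crypto map ... match address'
    permit_ipsec: bool = False                         # 'sysopt connection permit-ipsec' present


def _parse_addr(tokens, i):
    """Consume one PIX address spec (any | host A | A MASK) at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Extract permit ACEs, access-groups, crypto-map match ACLs and the sysopt flag from a PIX 6.x config."""
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[2] == "permit":
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            cfg.acls.setdefault(t[1], []).append(Ace(t[3], str(src), str(dst), tuple(t[i:])))
        elif t[:1] == ["access-group"] and "interface" in t:
            cfg.access_groups[t[t.index("interface") + 1]] = t[1]
        elif t[:2] == ["crypto", "map"] and "address" in t:
            cfg.crypto_acls.append(t[t.index("address") + 1])
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            cfg.permit_ipsec = True
    return cfg


def acl_permits(aces, proto, src, dst, qualifier=None):
    """True if some ACE admits `proto` from network `src` to network `dst`.

    A qualified ACE (ICMP type or port list) matches only when `qualifier` is among its
    qualifiers, so 'permit icmp any any echo-reply' does not admit echo requests.
    """
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto) or (ace.extra and qualifier not in ace.extra):
            continue
        if src.subnet_of(ipaddress.ip_network(ace.src)) and dst.subnet_of(ipaddress.ip_network(ace.dst)):
            return True
    return False


def crypto_mirror_gaps(local, remote):
    """Local crypto ACEs whose mirror image (src/dst swapped) is missing from the peer's crypto ACL."""
    local_aces = [a for n in local.crypto_acls for a in local.acls.get(n, [])]
    remote_keys = {(a.proto, a.src, a.dst) for n in remote.crypto_acls for a in remote.acls.get(n, [])}
    return [a for a in local_aces if (a.proto, a.dst, a.src) not in remote_keys]


def audit(cfg, local_lan, remote_lan):
    """Findings for tunnel traffic arriving from remote_lan and destined to local_lan."""
    if cfg.permit_ipsec:
        return ["sysopt connection permit-ipsec present: decrypted VPN traffic bypasses the outside ACL"]
    findings = ["no sysopt connection permit-ipsec: decrypted VPN traffic is filtered by the outside ACL"]
    outside_acl = cfg.acls.get(cfg.access_groups.get("outside"), [])
    for proto, qual in (("tcp", None), ("udp", None), ("icmp", "echo")):
        verdict = "permits" if acl_permits(outside_acl, proto, remote_lan, local_lan, qual) else "BLOCKS"
        findings.append(f"outside ACL {verdict} {proto}{'/' + qual if qual else ''} from {remote_lan} to {local_lan}")
    return findings


# The lines that matter, copied from the two configs posted in the thread (everything else omitted).
MAIN_OFFICE = """\
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 any
access-list acl_inbound permit tcp any any
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit udp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit icmp 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
crypto map vpn1 10 match address inside_nat0_outbound
"""
CONST_OFFICE = """\
access-list acl_outbound permit ip 192.168.51.0 255.255.255.0 any
access-list inside_nat0_outbound permit ip 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit icmp 192.168.51.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list acl_inbound permit ip any any
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
crypto map vpn1 10 match address inside_nat0_outbound
"""

if __name__ == "__main__":
    main, const = parse_pix(MAIN_OFFICE), parse_pix(CONST_OFFICE)
    print("MainOffice:", *audit(main, "192.168.50.0/24", "192.168.51.0/24"), sep="\n  ")
    print("ConstOffice:", *audit(const, "192.168.51.0/24", "192.168.50.0/24"), sep="\n  ")
    for a in crypto_mirror_gaps(main, const):
        print(f"MainOffice crypto ACE not mirrored on ConstOffice: {a.proto} {a.src} -> {a.dst}")
    # Tom's fix applied to the MainOffice text: the outside ACL no longer applies to tunnel traffic.
    fixed = parse_pix(MAIN_OFFICE + "sysopt connection permit-ipsec\n")
    print("MainOffice after fix:", *audit(fixed, "192.168.50.0/24", "192.168.51.0/24"), sep="\n  ")
```

Run as posted, the script shows that MainOffice's acl_inbound admits TCP and UDP from the ConstOffice LAN but only ICMP echo-reply, so echo requests from ConstOffice would be dropped at the outside interface until the sysopt command takes the tunnel traffic out of that ACL's path; it also lists the one inside_nat0_outbound entry on MainOffice (192.168.51.0 to 192.168.50.0) that has no mirror on ConstOffice, which is worth tidying since the same ACL doubles as the crypto match address.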
