I've got a problem with a configuration in a firewall PIX 515 for implementing two VPN tunnels with two routers Cisco 2610.
The problem is: I configure the firewall and one router and the tunnel is right; but when I configure the second tunnel, only the first tunnel works; and if I change the order of the sequence in the crypto map entries, the first tunnel (previously the second) works right and the second doesn't start to work well.
What is happening?
I send you my configurations:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list pingok permit icmp any any
access-list nonat permit ip 10.66.10.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list nonat permit ip 126.96.36.199 255.255.255.0 10.64.16.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside publicIP 255.255.255.128
ip address inside 10.66.10.1 255.255.255.0
ip address dmz 188.8.131.52 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 publicIPforPAT netmask 255.255.255.128
global (dmz) 1 184.108.40.206 netmask 255.255.255.0
It looks to me that you're having a problem with your access-list on your PIX. You should use one access-list for each crypto map peer. Right now you have both peers trying to use the same crypto map.
Create 2 different access-lists and apply one each to the crypto map peers and see what happens.
In your case I would have one access-list for "remoteA" and one for "remoteB". Then one called "nonat" that is basically the addition of both "remoteA" and "remoteB" to be applied to the "nat 0" command.
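Added example (not from the original post or the poster's configuration) of what that answer looks like in PIX 6.x syntax. The PIX walks crypto map entries in sequence-number order and the first entry whose ACL matches the traffic wins, so if both entries share one ACL (or their ACLs overlap), only the lower-numbered peer ever gets an SA, which is exactly the "whichever entry is first works" symptom described above. The peer addresses 203.0.113.10/203.0.113.20, the second remote subnet 10.65.16.0/24, the crypto map and transform-set names, and the key are all assumed placeholders; the inside subnet 10.66.10.0/24 and first remote subnet 10.64.16.0/24 are taken from the posted config. Lines starting with "!" are annotations, not commands.

```cisco
! One crypto ACL per peer, each matching only that peer's remote subnet
! (remoteB subnet 10.65.16.0/24 is assumed for illustration)
access-list remoteA permit ip 10.66.10.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list remoteB permit ip 10.66.10.0 255.255.255.0 10.65.16.0 255.255.255.0
! NAT exemption: the union of remoteA and remoteB, applied with nat 0
access-list nonat permit ip 10.66.10.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list nonat permit ip 10.66.10.0 255.255.255.0 10.65.16.0 255.255.255.0
nat (inside) 0 access-list nonat
! Let decrypted traffic bypass the outside interface ACL
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
! Entry 10: peer A, matched by remoteA only (peer address assumed)
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address remoteA
crypto map vpnmap 10 set peer 203.0.113.10
crypto map vpnmap 10 set transform-set vpnset
! Entry 20: peer B, matched by remoteB only (peer address assumed)
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address remoteB
crypto map vpnmap 20 set peer 203.0.113.20
crypto map vpnmap 20 set transform-set vpnset
crypto map vpnmap interface outside
! ISAKMP: one pre-shared key per peer, host-specific netmask (keys are placeholders)
isakmp enable outside
isakmp key keyForPeerA address 203.0.113.10 netmask 255.255.255.255
isakmp key keyForPeerB address 203.0.113.20 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

After applying it, clear the old SAs (clear crypto isakmp sa and clear crypto ipsec sa), send traffic to both remote subnets, and check that show crypto isakmp sa lists both peers and that show crypto ipsec sa shows separate SAs with the 10.64.16.0/24 and 10.65.16.0/24 proxy identities. The same rule applies on the 2610 routers: each router's crypto ACL must mirror its own entry on the PIX (remote and local swapped), not the union.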