02-03-2003 03:20 AM - edited 02-21-2020 12:19 PM
I've got a problem with a configuration in a PIX 515 firewall for implementing two VPN tunnels with two Cisco 2610 routers.
The problem is: I configure the firewall and one router and the tunnel is right; then I configure the second tunnel and only the first tunnel works; but if I change the order of the sequence in the crypto map entries, the first tunnel (previously the second) works right and the second doesn't start to work well.
What is happening?
I send you my configurations:
PIX
------------------
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
hostname pixfirewall
domain-name xxx.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list pingok permit icmp any any
access-list nonat permit ip 10.66.10.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list nonat permit ip 195.53.224.0 255.255.255.0 10.64.16.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside publicIP 255.255.255.128
ip address inside 10.66.10.1 255.255.255.0
ip address dmz 195.53.224.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm history enable
arp timeout 14400
global (outside) 1 publicIPforPAT netmask 255.255.255.128
global (dmz) 1 195.53.224.201 netmask 255.255.255.0
nat (dmz) 0 access-list nonat
nat (dmz) 1 195.53.224.0 255.255.255.0 0 0
access-group pingok in interface outside
access-group pingok in interface inside
access-group pingok in interface dmz
route outside 0.0.0.0 0.0.0.0 publicIPgateway
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set grupoidea esp-3des esp-md5-hmac
crypto map cripto 1 ipsec-isakmp
crypto map cripto 1 match address nonat
crypto map cripto 1 set peer 213.172.58.34
crypto map cripto 1 set transform-set grupoidea
crypto map cripto 2 ipsec-isakmp
crypto map cripto 2 match address nonat
crypto map cripto 2 set peer 213.172.58.42
crypto map cripto 2 set transform-set grupoidea
crypto map cripto interface outside
isakmp enable outside
isakmp key ******** address publicIPremoteA netmask 255.255.255.255
isakmp key ******** address publicIPremoteB netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
telnet 10.64.0.9 255.255.255.255 inside
telnet 10.66.10.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
ROUTER
-------------------------------------------------
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname resulta
logging rate-limit console 10 except errors
ip subnet-zero
no ip finger
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
no mgcp timer receive-rtcp
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
lifetime 1000
crypto isakmp key xxxxxxxxx address publicIP_PIX
crypto ipsec transform-set grupoidea esp-3des esp-md5-hmac
crypto map vpnidea 11 ipsec-isakmp
set peer publicIP_PIX
set transform-set grupoidea
match address 120
call rsvp-sync
!
interface Ethernet0/0
ip address 10.64.32.1 255.255.255.0
ip nat inside
half-duplex
interface Ethernet1/0
ip address publicIPremoteAorB 255.255.255.128
ip nat outside
half-duplex
crypto map vpnidea
ip nat pool rangopat publicIPforPAT publicIPforPAT netmask 255.255.255.128
ip nat inside source route-map nonat pool rangopat overload
ip classless
ip route 0.0.0.0 0.0.0.0 publicIPgateway
ip http server
access-list 120 permit ip 10.64.32.0 0.0.0.255 10.66.10.0 0.0.0.255
access-list 120 permit ip 10.64.32.0 0.0.0.255 10.66.10.0 0.0.0.255
access-list 130 deny ip 10.64.32.0 0.0.0.255 10.66.10.0 0.0.0.255
access-list 130 permit ip 10.64.32.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130
dial-peer cor custom
line con 0
transport input none
line aux 0
line vty 0 4
login
end
02-03-2003 11:09 AM
It looks to me that you're having a problem with your access-list on your PIX. You should use one access-list for each crypto map peer. Right now you have both peers trying to use the same crypto map.
Create 2 different access-lists and apply one each to the crypto map peers and see what happens.
In your case I would have one access-list for "remoteA" and one for "remoteB". Then one called "nonat" that is basically the addition of both "remoteA" and "remoteB" to be applied to the "nat 0" command.
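The split the reply describes, written out as an added PIX 6.1 fragment (not the poster's configuration): crypto map entries are evaluated in sequence order and the first entry whose access-list matches the packet wins, so with both entries matching `nonat` entry 1 claims the traffic for both sites, and each peer needs its own access-list while `nonat` stays the union of both for `nat 0`. Remote A's LAN 10.64.16.0/24 is taken from the original `nonat` entries; remote B's LAN 10.64.32.0/24 is an assumption taken from the posted router config.

```text
: Added example fragment, not the poster's config.
: Remote A LAN 10.64.16.0/24 comes from the posted nonat ACL;
: remote B LAN 10.64.32.0/24 is assumed from the posted router config.
: One ACL per peer, so each crypto map entry only matches its own site.
access-list remoteA permit ip 10.66.10.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list remoteA permit ip 195.53.224.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list remoteB permit ip 10.66.10.0 255.255.255.0 10.64.32.0 255.255.255.0
access-list remoteB permit ip 195.53.224.0 255.255.255.0 10.64.32.0 255.255.255.0
: nonat = remoteA + remoteB, used only to exempt tunnel traffic from NAT
access-list nonat permit ip 10.66.10.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list nonat permit ip 195.53.224.0 255.255.255.0 10.64.16.0 255.255.255.0
access-list nonat permit ip 10.66.10.0 255.255.255.0 10.64.32.0 255.255.255.0
access-list nonat permit ip 195.53.224.0 255.255.255.0 10.64.32.0 255.255.255.0
nat (dmz) 0 access-list nonat
: Each entry now matches a different ACL; peers and transform-set as posted
crypto map cripto 1 ipsec-isakmp
crypto map cripto 1 match address remoteA
crypto map cripto 1 set peer 213.172.58.34
crypto map cripto 1 set transform-set grupoidea
crypto map cripto 2 ipsec-isakmp
crypto map cripto 2 match address remoteB
crypto map cripto 2 set peer 213.172.58.42
crypto map cripto 2 set transform-set grupoidea
crypto map cripto interface outside
```

The mirror image applies on each router: its `match address` ACL should list only that site's LAN against the PIX networks, so both ends agree on which traffic belongs to which tunnel.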
02-04-2003 12:59 AM
OK, thank you.
You are right!
Yesterday I tried this solution because I viewed a similar configuration and I viewed this difference.
Thank you very much.