Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
330
Views
0
Helpful
7
Replies

vpn with multiple hops away from PIX

cfajardo1_2
Level 1
Level 1

‎04-16-2006 09:40 PM - edited ‎02-21-2020 02:22 PM

scenario

net A--3routers--PIX A---vpn---PIX B--net B

The 3 routers are configured statically.

VPN are terminated at both PIXes.

Is it possible to reach network A from network B through VPN?

What additional config do i need on the PIX A?

Thanks a lot.

Labels:
0 Helpful
7 Replies 7

Fernando_Meza
Level 7
Level 7

‎04-16-2006 10:07 PM

Assuming netA is located behind an inside interface .. it is possible but you need to make sure routing between netA is reachable from the respective interface .. also you need to identify what source IP address comes as when you try pinging the PIX from netA .. the routers is between might be performing NAT in which case your access list for the interersting traffic ( IPsec ) needs to be checked accordingly

0 Helpful

cfajardo1_2
Level 1
Level 1
In response to Fernando_Meza

‎04-17-2006 01:34 PM

i could reach net A from the PIX. The 3 routers doesnt do natting. they have been configured statically to reach each other.

i have the ff access list and crypto on the PIX A

Iam not including the IKE config as am sure they are working.

NOTE that vpn is working find bidirectionally between the two inside networks of the PIXs.

access-list 100 permit ip net A net B

access-list 110 permit ip net A net B

nat (inside) 0 access-list 100

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 110

crypto map mymap 10 set peer remoteIP

crypto map mymap 10 set transform-set myset

0 Helpful

Patrick Laidlaw
Level 4
Level 4
In response to cfajardo1_2

‎04-17-2006 04:59 PM

Hello,

That configuration looks appropriate but it might help if you posted a scrubbed configuration. There might be something else that your missing.

Patrick

0 Helpful

cfajardo1_2
Level 1
Level 1
In response to Patrick Laidlaw

‎04-17-2006 09:59 PM

Ok..I am attaching the rough config.

Preview file
2 KB
0 Helpful

Fernando_Meza
Level 7
Level 7
In response to cfajardo1_2

‎04-17-2006 10:32 PM

Assuming the same interesting traffic is also configured on PIX B .. then it seem OK However, when you initiate a ping from NetA towards network B are you able to see any packets actually hitting the firewall PIXA ... could it be a routing issue you are experiencing here !!

0 Helpful

cfajardo1_2
Level 1
Level 1
In response to Fernando_Meza

‎04-18-2006 03:47 AM

yes i could see the acl being hit..note that VPN between net_B and network_X is working fine..I could even ping rtr_B from net_B

0 Helpful

cfajardo1_2
Level 1
Level 1
In response to Fernando_Meza

‎04-21-2006 01:35 AM

i rebooted the firewall and it works...thanks a lot

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents