I have configured a vpn 3000 concentrator to pix 501. Initially I have configured both ends to allow an octet of my IP address pool in both locations to pass through the tunnel. Unfortunately, recently I need to allow the entire subnet access through the IPSEC tunnel from both ends. Before I attempted any modifications this worked without any trouble.
On the PIX to allow this I added more statements to my existing access-list to allow these additional subnets from that location.
On the VPN3K end I am a bit confused. I open the LAN-LAN IPSEC connection properties and add the new local address and mask and also for the remote end address and mask.
Unfortunately, when I add this to the VPN3k I am unable to establish the IPSEC tunnel. When I read the log I see the initiator attempting to start the tunnel between, but it is rejected. Phase 1 completes successfully, but phase 2 does not seem to be initiating properly.
If I reset those two address pools back to my original entry the tunnel establishes successfully. This almost seems like a bug in the VPN software. I am not sure. My VPN code is vpn3000-3.5.2.Rel-k9.bin.
If you have more than one line in your crypto ACL on the PIX, then you can't just add in the Local and remote networks into the L2L screen on the 3000 anymore, since you can only have one set of IP addresses in here.
Let's say you have the following on the PIX:
> access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
> access-list crypto permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
On the 3000 go to Config - Policy Mgmt - Traffic Mgmt - Network Lists and create a list. Call it anything you like, and add the following to the large box on this screen:
Save this list. Now go to the L2L screen and modify the L2L tunnel for the PIX. In the Local Networks section, select your newly added Network List from the drop down box, leave the IP Address/Wildcard Mask boxes blank. In the Remote Network section, put 10.1.1.0 and 0.0.0.255 as you had previously. Save this.
That's all you should need to do. Always remember, your crypto ACLs on both sides of a VPN tunnel HAVE TO BE THE EXACT OPPOSITE OF EACH OTHER. If you have two lines in your PIX crypto ACL, then you need two networks in your VPN3000 L2L setup, and to accomplish that you have to use a Network List with 2 networks in it.
I see what you're saying, but there are several networks on both ends. Actually it is one network with a /21 mask on it. Could I specify an access-list mask with 255.255.248.0? If that is possible on the VPN end of the tunnel can I use 172.16.0.0 0.0.7.255?
VPN LAN 172.16.0.0 255.255.248.0
PIX LAN 172.16.15.0 255.255.248.0
I want to allow all hosts for now. Later I will filter out unwanted hosts.
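As an added example (not from any of the posts above), here is the mirror rule from the reply and the subnet-to-wildcard conversion from the /21 question checked in Python. The PIX ACL lines are the two quoted in the reply; the VPN3000 network-list strings and the helper names are constructed for this illustration.

```python
# Added example (not from the thread): check that a PIX crypto ACL and a VPN3000
# L2L definition are exact mirrors of each other, and convert subnet masks to the
# wildcard form the VPN3000 L2L screen expects. Sample data below is constructed
# from the networks mentioned in the thread.
import ipaddress


def wildcard_mask(subnet_mask: str) -> str:
    """255.255.248.0 -> 0.0.7.255 (bitwise inverse of a dotted subnet mask)."""
    return ".".join(str(255 - int(o)) for o in subnet_mask.split("."))


def to_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from an address plus either a subnet mask or a wildcard mask.
    strict=True rejects an address with host bits set (not the network's base)."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)


def parse_pix_crypto_acl(lines):
    """Return (local, remote) pairs from 'access-list NAME permit ip SRC SMASK DST DMASK'."""
    pairs = set()
    for line in lines:
        parts = line.lstrip("> ").split()
        if len(parts) >= 8 and parts[0] == "access-list" and parts[2:4] == ["permit", "ip"]:
            pairs.add((to_network(parts[4], parts[5]), to_network(parts[6], parts[7])))
    return pairs


def vpn3000_l2l_pairs(local_list, remote_list):
    """Expand a VPN3000 L2L definition ('addr wildcard' strings) into (local, remote)
    pairs; the concentrator proxies every local network to every remote network."""
    return {(to_network(*l.split()), to_network(*r.split()))
            for l in local_list for r in remote_list}


def acls_mirror(pix_pairs, vpn_pairs) -> bool:
    """True only if every PIX (src, dst) has a VPN3000 (dst, src) twin and vice versa."""
    return pix_pairs == {(remote, local) for local, remote in vpn_pairs}


# Constructed sample: the two-line PIX ACL quoted in the reply.
PIX_ACL = [
    "access-list crypto permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
    "access-list crypto permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0",
]
VPN_LOCAL_LIST = ["10.2.2.0 0.0.0.255", "10.3.3.0 0.0.0.255"]  # Network List on the 3000
VPN_REMOTE = ["10.1.1.0 0.0.0.255"]                            # Remote Network box

if __name__ == "__main__":
    pix = parse_pix_crypto_acl(PIX_ACL)
    print("mirror ok:", acls_mirror(pix, vpn3000_l2l_pairs(VPN_LOCAL_LIST, VPN_REMOTE)))
    print("/21 wildcard:", wildcard_mask("255.255.248.0"))
```

Dropping one network from the list makes the check fail, which is the one-sided mismatch that leaves phase 2 unable to agree on proxy identities.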
Ok I have done this and it works, somewhat. I can ping or tracert, but I cannot open http, ftp, termserv, etc ports through the tunnel. I checked the VPN L2L rules and there aren't any changes to the allowed protocols and such.