04-04-2007 04:43 AM
pix501e, VPN channel to another PIX is up.
# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst          src          state    pending  created
a.b.c.d      x.x.x.x      QM_IDLE  0        1
When internal clients ping a PC on the other side of the VPN tunnel I see in the log:
110001: No route to 10.20.0.2 from 10.20.51.36
Here is the config:
# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list vpn_outside permit ip 10.20.51.32 255.255.255.224 10.20.0.0 255.255.252.0
access-list vpn_outside permit ip 10.20.51.32 255.255.255.224 10.20.5.0 255.255.255.0
access-list vpn_outside permit ip 10.20.51.32 255.255.255.224 10.10.0.0 255.255.252.0
access-list vpn_outside permit ip 10.20.51.32 255.255.255.224 10.20.7.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.20.51.32 255.255.255.224 10.20.0.0 255.255.252.0
access-list outside_cryptomap_10 permit ip 10.20.51.32 255.255.255.224 10.20.5.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.20.51.32 255.255.255.224 10.10.0.0 255.255.252.0
access-list outside_cryptomap_10 permit ip 10.20.51.32 255.255.255.224 10.20.7.0 255.255.255.0
access-list inside_out permit ip 10.20.51.32 255.255.255.224 10.20.0.0 255.255.252.0
access-list inside_out permit ip 10.20.51.32 255.255.255.224 10.20.5.0 255.255.255.0
access-list inside_out permit ip 10.20.51.32 255.255.255.224 10.10.0.0 255.255.252.0
access-list inside_out permit ip 10.20.51.32 255.255.255.224 10.20.7.0 255.255.255.0
access-list inside_out deny ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe
ip address inside 10.20.51.34 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn_outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_out in interface inside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set MO_BRANCH_AES esp-aes esp-sha-hmac
crypto map MO 10 ipsec-isakmp
crypto map MO 10 match address outside_cryptomap_10
crypto map MO 10 set peer x.x.x.x
crypto map MO 10 set transform-set MO_BRANCH_AES
crypto map MO interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
management-access inside
console timeout 0
vpdn group PPPOE request dialout pppoe
vpdn group PPPOE localname [[[[[[
vpdn group PPPOE ppp authentication pap
vpdn username [[[[[[ password *********
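An added sanity check for the situation in this post (example code written here by the editor, not from the poster and not a Cisco tool): it parses the routing- and tunnel-relevant lines of the config above and reports two things a practitioner would look at first when a tunnel is QM_IDLE but traffic is not flowing, namely whether the `nat 0` ACL covers the same flows as the crypto-map ACL, and whether any route in the config covers the remote subnets the crypto ACL protects. The config excerpt is reconstructed from the post and omits unrelated lines; the assumption behind the second check is that syslog 110001 is raised when the routing table has no entry for the destination, so a remote subnet with no covering route (and no `pppoe setroute`) will produce that message before the crypto map is ever consulted. The `route` line in the variant used for comparison uses a placeholder gateway `x.x.x.x`.

```python
import ipaddress
import re

# Constructed sample: the routing- and tunnel-relevant lines from the PIX 6.3(5)
# config posted above. It contains no "route" statement, and the outside
# interface is "pppoe" without "setroute".
POSTED_CONFIG = """\
ip address outside pppoe
ip address inside 10.20.51.34 255.255.255.224
access-list vpn_outside permit ip 10.20.51.32 255.255.255.224 10.20.0.0 255.255.252.0
access-list vpn_outside permit ip 10.20.51.32 255.255.255.224 10.20.5.0 255.255.255.0
access-list vpn_outside permit ip 10.20.51.32 255.255.255.224 10.10.0.0 255.255.252.0
access-list vpn_outside permit ip 10.20.51.32 255.255.255.224 10.20.7.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.20.51.32 255.255.255.224 10.20.0.0 255.255.252.0
access-list outside_cryptomap_10 permit ip 10.20.51.32 255.255.255.224 10.20.5.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 10.20.51.32 255.255.255.224 10.10.0.0 255.255.252.0
access-list outside_cryptomap_10 permit ip 10.20.51.32 255.255.255.224 10.20.7.0 255.255.255.0
nat (inside) 0 access-list vpn_outside
crypto map MO 10 match address outside_cryptomap_10
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route \S+ (\S+) (\S+) \S+")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
CRYPTO_MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def parse_config(text):
    """Extract ACL entries, static routes, the nat 0 ACL and the crypto-map ACLs."""
    cfg = {"acls": {}, "routes": [], "nat0_acl": None, "crypto_acls": [], "pppoe_setroute": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, sip, smask, dip, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{sip}/{smask}"), ipaddress.ip_network(f"{dip}/{dmask}"))
            cfg["acls"].setdefault(name, []).append(pair)
            continue
        m = ROUTE_RE.match(line)
        if m:
            cfg["routes"].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        m = NAT0_RE.match(line)
        if m:
            cfg["nat0_acl"] = m.group(1)
            continue
        m = CRYPTO_MATCH_RE.match(line)
        if m:
            cfg["crypto_acls"].append(m.group(1))
            continue
        if line == "ip address outside pppoe setroute":
            cfg["pppoe_setroute"] = True
    return cfg


def has_route(cfg, net):
    """True if a static route (a default route included) or a PPPoE-learned default covers net."""
    if cfg["pppoe_setroute"]:
        return True
    return any(net.subnet_of(r) for r in cfg["routes"])


def check_tunnel_config(cfg):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    nat0_entries = set(cfg["acls"].get(cfg["nat0_acl"], []))
    remote_nets = set()
    for acl in cfg["crypto_acls"]:
        entries = set(cfg["acls"].get(acl, []))
        # Check 1: the NAT-exempt ACL must cover the same flows as the crypto ACL,
        # otherwise tunnel traffic is PAT'd to the outside address and never matches.
        if entries != nat0_entries:
            findings.append(f"nat 0 ACL {cfg['nat0_acl']} does not match crypto ACL {acl}")
        remote_nets.update(dst for _, dst in entries)
    # Check 2: every remote network needs a routing-table entry; the crypto map is only
    # consulted once a packet has been routed out the outside interface (assumption
    # behind syslog 110001 "No route to ...").
    for net in sorted(remote_nets):
        if not has_route(cfg, net):
            findings.append(f"no route covers {net}; packets to it are dropped before encryption")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_config(parse_config(POSTED_CONFIG)):
        print(finding)
```

Run against the posted excerpt, the ACL check passes and the script lists the four remote subnets with no covering route; adding either `route outside 0.0.0.0 0.0.0.0 <gateway> 1` or `setroute` on the PPPoE interface line clears all findings, which is the difference a defender wants to confirm before looking at the crypto side.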
04-10-2007 06:26 AM
Is there a static-to-dynamic VPN tunnel between the two hosts? If that is the case, then the tunnel will always be initiated from the remote host.