Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
334
Views
0
Helpful
1
Replies

Problem with 3rd VPN

phusion2k
Level 1
Level 1

‎04-27-2006 11:25 AM

I have a PIX 501 setup with three different VPNs. VPN1 and VPN2 work fine. The third VPN is having some issues. I've included part of my config file. The problem is this. I have the following and it will work until I restart the PIX. Before I reboot I do a write mem. After restarting the third VPN no longer works. I can get it to work by removing the following access-list rules.

access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0

access-list 101 permit ip host 192.168.40.10 host 192.168.4.2

When I add them back and do a write mem, the VPN comes back and works.

names

name 192.168.2.0 BSSI

name 192.168.4.2 BSSIWEB1

object-group service BRANCHOFFICETCP tcp

description Service Group for Branch Office VPN Policies

port-object range 137 netbios-ssn

port-object eq lpd

port-object eq ftp-data

port-object eq ftp

port-object eq lotusnotes

port-object eq www

port-object eq login

port-object eq cmd

port-object eq 449

port-object eq pcanywhere-data

port-object eq 446

port-object eq https

port-object range 8470 8476

port-object eq telnet

port-object eq 135

port-object eq smtp

port-object eq 1433

port-object eq 8080

access-list NAT4ONE permit ip 192.168.40.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list 150 permit ip 10.150.176.232 255.255.255.248 172.16.1.0 255.255.255.0

access-list inside_access_out remark Incoming from BSSI

access-list inside_access_out permit tcp 192.168.2.0 255.255.255.0 object-group BRANCHOFFICETCP host 192.168.40.10 object-group BRANCHOFFICETCP

access-list inside_access_out remark Incoming from BSSIWEBSERVER

access-list inside_outbound_nat0_acl permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outside_cryptomap_140 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0

access-list outside_cryptomap_140 permit ip host 192.168.40.10 host 192.168.4.2

access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0

access-list 101 permit ip host 192.168.40.10 host 192.168.4.2

ip address outside wanip 255.255.255.248

ip address inside lanip 255.255.255.0

global (outside) 1 10.150.176.233 (for another VPN)

global (outside) 2 interface

nat (inside) 0 access-list 101

nat (inside) 1 access-list NAT4ONE 0 0

nat (inside) 3 access-list outside_cryptomap_140 0 0

nat (inside) 4 access-list inside_outbound_nat0_acl 0 0

nat (inside) 2 192.168.40.0 255.255.255.0 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set one esp-aes-256 esp-sha-hmac

crypto ipsec transform-set two esp-aes-256 esp-sha-hmac

crypto ipsec transform-set three esp-3des esp-sha-hmac

crypto map VPN 10 ipsec-isakmp

crypto map VPN 10 match address 150

crypto map VPN 10 set peer oneip

crypto map VPN 10 set transform-set one

crypto map VPN 20 ipsec-isakmp

crypto map VPN 20 match address 101

crypto map VPN 20 set peer twoip

crypto map VPN 20 set transform-set two

crypto map VPN 30 ipsec-isakmp

crypto map VPN 30 match address outside_cryptomap_140

crypto map VPN 30 set peer threeip

crypto map VPN 30 set transform-set three

crypto map VPN interface outside

isakmp enable outside

isakmp key ******** address oneip netmask 255.255.255.255

isakmp key ******** address twoip netmask 255.255.255.255

isakmp key ******** address threeip netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 1000

isakmp policy 50 authentication pre-share

isakmp policy 50 encryption des

isakmp policy 50 hash sha

isakmp policy 50 group 1

isakmp policy 50 lifetime 86400

It seems like something is overriding the two necessary access-list rules after it restarts. Let me know what you think.

Phusion

Labels:
0 Helpful
1 Reply 1

phusion2k
Level 1
Level 1

‎05-04-2006 07:18 AM

I figured out what the problem was.

Phusion

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents