04-27-2006 11:25 AM
I have a PIX 501 setup with three different VPNs. VPN1 and VPN2 work fine. The third VPN is having some issues. I've included part of my config file. The problem is this. I have the following and it will work until I restart the PIX. Before I reboot I do a write mem. After restarting the third VPN no longer works. I can get it to work by removing the following access-list rules.
access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 host 192.168.4.2
When I add them back and do a write mem, the VPN comes back and works.
names
name 192.168.2.0 BSSI
name 192.168.4.2 BSSIWEB1
object-group service BRANCHOFFICETCP tcp
description Service Group for Branch Office VPN Policies
port-object range 137 netbios-ssn
port-object eq lpd
port-object eq ftp-data
port-object eq ftp
port-object eq lotusnotes
port-object eq www
port-object eq login
port-object eq cmd
port-object eq 449
port-object eq pcanywhere-data
port-object eq 446
port-object eq https
port-object range 8470 8476
port-object eq telnet
port-object eq 135
port-object eq smtp
port-object eq 1433
port-object eq 8080
access-list NAT4ONE permit ip 192.168.40.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 150 permit ip 10.150.176.232 255.255.255.248 172.16.1.0 255.255.255.0
access-list inside_access_out remark Incoming from BSSI
access-list inside_access_out permit tcp 192.168.2.0 255.255.255.0 object-group BRANCHOFFICETCP host 192.168.40.10 object-group BRANCHOFFICETCP
access-list inside_access_out remark Incoming from BSSIWEBSERVER
access-list inside_outbound_nat0_acl permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 host 192.168.4.2
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 host 192.168.4.2
ip address outside wanip 255.255.255.248
ip address inside lanip 255.255.255.0
global (outside) 1 10.150.176.233 (for another VPN)
global (outside) 2 interface
nat (inside) 0 access-list 101
nat (inside) 1 access-list NAT4ONE 0 0
nat (inside) 3 access-list outside_cryptomap_140 0 0
nat (inside) 4 access-list inside_outbound_nat0_acl 0 0
nat (inside) 2 192.168.40.0 255.255.255.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set one esp-aes-256 esp-sha-hmac
crypto ipsec transform-set two esp-aes-256 esp-sha-hmac
crypto ipsec transform-set three esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 150
crypto map VPN 10 set peer oneip
crypto map VPN 10 set transform-set one
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address 101
crypto map VPN 20 set peer twoip
crypto map VPN 20 set transform-set two
crypto map VPN 30 ipsec-isakmp
crypto map VPN 30 match address outside_cryptomap_140
crypto map VPN 30 set peer threeip
crypto map VPN 30 set transform-set three
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address oneip netmask 255.255.255.255
isakmp key ******** address twoip netmask 255.255.255.255
isakmp key ******** address threeip netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 1000
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
It seems like something is overriding the two necessary access-list rules after it restarts. Let me know what you think.
Phusion
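One thing a reviewer would check in the quoted config, independent of what the actual cause turned out to be: access-list 101 is used both as the nat (inside) 0 exemption list and as the crypto ACL for crypto map VPN 20, and its last two entries duplicate outside_cryptomap_140 (crypto map VPN 30) exactly. On a PIX, crypto map entries are evaluated lowest sequence number first and the first ACL match selects the peer, so any traffic selected by two entries with different peers is always handed to the lower-numbered one. The script below is an added example, not the poster's code or a Cisco tool: it parses the access-list and crypto map lines as quoted above (peer names like twoip are the poster's placeholders and are treated as opaque strings) and reports every selector overlap between crypto map entries that point at different peers.

```python
"""Flag overlapping traffic selectors between crypto map entries on a PIX/ASA.

Constructed diagnostic helper (not Cisco tooling and not the poster's code):
it parses the 'access-list ... permit ip ...' and 'crypto map ...' lines of a
running-config and reports any pair of crypto map entries pointing at
different peers whose ACLs select overlapping traffic. Crypto map entries are
evaluated lowest sequence number first, so overlapping traffic is sent to the
lower entry's peer and the higher entry never sees it.
"""
import ipaddress
from collections import defaultdict
from itertools import product

# Excerpt of the configuration quoted in the post above. Names such as oneip,
# twoip and threeip are the poster's placeholders and are kept as plain strings.
SAMPLE_CONFIG = """
access-list 150 permit ip 10.150.176.232 255.255.255.248 172.16.1.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list outside_cryptomap_140 permit ip host 192.168.40.10 host 192.168.4.2
access-list 101 permit ip 192.168.40.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 192.168.2.0 255.255.255.0
access-list 101 permit ip host 192.168.40.10 host 192.168.4.2
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 150
crypto map VPN 10 set peer oneip
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address 101
crypto map VPN 20 set peer twoip
crypto map VPN 30 ipsec-isakmp
crypto map VPN 30 match address outside_cryptomap_140
crypto map VPN 30 set peer threeip
crypto map VPN interface outside
"""


def _parse_addr(tokens, pos):
    """Consume one PIX address spec ('any', 'host A', or 'A MASK') at tokens[pos].
    Returns (ip_network, index of the next unconsumed token)."""
    tok = tokens[pos]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[pos + 1]}/32"), pos + 2
    # 'network dotted-mask' form; strict=False tolerates host bits in the address.
    return ipaddress.ip_network(f"{tok}/{tokens[pos + 1]}", strict=False), pos + 2


def parse_config(text):
    """Return (acls, cmaps).

    acls:  ACL name -> list of (src_network, dst_network) for 'permit ip' entries.
           tcp/udp entries with object-groups are ignored here; crypto ACLs on
           this PIX are plain 'permit ip' lines.
    cmaps: (map name, sequence) -> {'acl': <acl name>, 'peer': <peer string>}.
    """
    acls = defaultdict(list)
    cmaps = defaultdict(dict)
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 7 and tokens[0] == "access-list" and tokens[2:4] == ["permit", "ip"]:
            src, pos = _parse_addr(tokens, 4)
            dst, _ = _parse_addr(tokens, pos)
            acls[tokens[1]].append((src, dst))
        elif tokens[:2] == ["crypto", "map"] and len(tokens) >= 7 and tokens[3].isdigit():
            key = (tokens[2], int(tokens[3]))
            if tokens[4:6] == ["match", "address"]:
                cmaps[key]["acl"] = tokens[6]
            elif tokens[4:6] == ["set", "peer"]:
                cmaps[key]["peer"] = tokens[6]
    return acls, dict(cmaps)


def find_overlaps(acls, cmaps):
    """List (winning_entry, shadowed_entry, src, dst) for every ACE of a
    higher-sequence crypto map entry whose selector overlaps an ACE of a
    lower-sequence entry in the same map with a different peer."""
    findings = []
    entries = sorted(cmaps.items())  # ordered by (map name, sequence)
    for (ka, a), (kb, b) in product(entries, entries):
        same_map = ka[0] == kb[0]
        if not same_map or ka[1] >= kb[1] or a.get("peer") == b.get("peer"):
            continue
        for (sa, da), (sb, db) in product(acls.get(a.get("acl"), []), acls.get(b.get("acl"), [])):
            if sa.overlaps(sb) and da.overlaps(db):
                findings.append((ka, kb, str(sb), str(db)))
    return findings


def report(text):
    """Human-readable findings for a config text."""
    acls, cmaps = parse_config(text)
    out = []
    for win, lose, src, dst in find_overlaps(acls, cmaps):
        out.append(
            f"{src} -> {dst}: selected by {win[0]} seq {win[1]} (peer {cmaps[win]['peer']}) "
            f"before {lose[0]} seq {lose[1]} (peer {cmaps[lose]['peer']}) can match it"
        )
    return out


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Run against the excerpt, the script reports the two host 192.168.40.10 selectors as matched by VPN seq 20 (peer twoip) before VPN seq 30 (peer threeip), which is the overlap worth resolving before looking elsewhere; the same parser can be pointed at a full `show running-config` capture.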
05-04-2006 07:18 AM
I figured out what the problem was.
Phusion