03-20-2007 04:31 AM
We created a VPN tunnel between our head office and a remote branch. We can ping the outside interface of the remote branch PIX and vice versa. The problem we have now is that we can't ping the remote branch's subnet.
Here are the configs we're using on the head office firewall.
crypto ipsec transform-set Fiji esp-3des esp-sha-hmac
crypto map bsp002 7 ipsec-isakmp
crypto map bsp002 7 match address 170
crypto map bsp002 7 set pfs group2
crypto map bsp002 7 set peer 202.165.201.226
crypto map bsp002 7 set transform-set Fiji
crypto map bsp002 7 set security-association lifetime seconds 3600 kilobytes 8000
isakmp key ******** address 202.165.201.226 netmask 255.255.255.255 no-xauth no-config-mode
access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
It's the same network. We only want the remote branch subnet to have access to the head office subnet.
What are we missing? Please help.
03-20-2007 05:36 AM
Do you have a NAT exemption for the VPN? Something similar to...
access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
03-20-2007 08:05 AM
Hi,
First of all, does the tunnel come up? If not, did you try to capture the debugs, and what do they say? Could you post the complete configs of the head office and branch office firewalls?
Regards,
Kamal
03-20-2007 05:54 PM
I could ping the outside interface of the Branch office. I ran the debug but wasn't too sure how to capture it. I'll get the configs of both firewalls and post.
thanks
pintz6es
03-20-2007 06:23 PM
With the above config, the outside interface of the remote branch PIX would not be part of the tunnel. The fact that you can ping it only proves you have connectivity to it.
03-20-2007 09:32 PM
Hi
Not too sure on this. How do I know the tunnel is up?
03-20-2007 06:07 PM
Hi
What does the NAT exemption do? I don't have this on either the head office firewall or the branch office firewall. Do I include it as what you've got here?
03-20-2007 06:21 PM
There are 2 ACLs in a LAN-to-LAN tunnel. One, which you have already specified, is the crypto ACL, which defines traffic destined for the tunnel. The second is the NAT exemption, which will exempt that traffic from the NAT process. In most cases it is identical to the crypto ACL.
Head office:
access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0 (crypto ACL)
access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0 (NAT exemption ACL)
nat (inside) 0 access-list inside_nat0_outbound
Remote office:
access-list 170 permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0 (crypto ACL)
access-list inside_nat0_outbound permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0 (NAT exemption ACL)
nat (inside) 0 access-list inside_nat0_outbound
03-20-2007 09:16 PM
Will the nat (inside) 0 specified here have any effect on the other existing NATs on the firewall?
03-21-2007 05:38 AM
The nat 0 will only apply to the traffic which is specified in the corresponding acl. For instance, traffic from 192.168.32.0 to 192.168.45.0 and vice versa.
03-21-2007 05:41 AM
It might, if you have another NAT exemption ACL: if you implement what Adam said, then it might break the old ones, if you have anything configured for NAT exemption on the old ones.
If you already have a NAT exemption ACL, please add the networks just like Adam said to the existing NAT exemption.
Hope this helps.
Thanks
Gilbert
03-21-2007 09:57 PM
So if I already have a nat 0 in the configs, can I specify another sequence number, like 2, for this particular ACL?
03-22-2007 05:49 AM
Yes, you can add to the existing ACL. But what Gilbert was getting at is that you DO NOT want to create a second nat 0 ACL and attempt to do another nat (inside) 0 command.
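The two rules given in this thread (the NAT exemption ACL must cover everything in the crypto ACL, and there must be only one nat (inside) 0 statement per interface) can be checked offline before pushing a change. The script below is an added example, not code from any post in this thread or from Cisco. It parses only the three PIX 6.x line shapes posted above (access-list ... permit ip, crypto map ... match address, nat (inside) 0 access-list), reports crypto-ACL flows that are not NAT-exempted, flags a second nat (inside) 0, and checks that the two peers' crypto ACLs are mirror images. The sample configs are constructed from the thread's networks; the ACL name vpn_nat0 and the crypto map name bsp001 are made up for the failing cases.

```python
"""Static checks for a PIX 6.x LAN-to-LAN tunnel: crypto ACL vs. NAT exemption.

Added example (not from the thread). Understands only the syntax posted above:
  access-list NAME permit ip SRC SRCMASK DST DSTMASK
  crypto map NAME SEQ match address ACL
  nat (IFACE) 0 access-list ACL
"""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
CRYPTO_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")


def parse_config(text):
    """Collect ACL entries, crypto-map ACL references and nat 0 statements."""
    acls = defaultdict(list)   # name -> [(src_net, dst_net)]
    crypto_acls = []           # ACL names used by 'match address'
    nat0 = defaultdict(list)   # interface -> ACL names in 'nat (if) 0' lines
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                               ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := CRYPTO_RE.match(line):
            crypto_acls.append(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)].append(m.group(2))
    return {"acls": dict(acls), "crypto_acls": crypto_acls, "nat0": dict(nat0)}


def check_site(cfg, inside="inside"):
    """One firewall: exactly one nat (inside) 0, and every crypto-ACL flow exempted."""
    findings = []
    nat0_names = cfg["nat0"].get(inside, [])
    if not nat0_names:
        findings.append(f"no 'nat ({inside}) 0 access-list ...' configured")
    elif len(nat0_names) > 1:
        findings.append(f"{len(nat0_names)} 'nat ({inside}) 0' statements; "
                        "add the networks to the existing exemption ACL instead")
    exempt = [flow for name in nat0_names for flow in cfg["acls"].get(name, [])]
    for name in cfg["crypto_acls"]:
        for src, dst in cfg["acls"].get(name, []):
            # The exemption must cover the whole crypto-ACL flow, not just overlap it.
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"crypto ACL {name}: {src} -> {dst} is not NAT-exempted")
    return findings


def check_pair(site_a, site_b):
    """Two peers: crypto ACLs must be mirror images (src/dst swapped)."""
    def flows(cfg):
        return {(str(s), str(d)) for n in cfg["crypto_acls"] for s, d in cfg["acls"].get(n, [])}
    a, b_mirrored = flows(site_a), {(d, s) for s, d in flows(site_b)}
    return ([f"site A proxies {s} -> {d}, site B has no {d} -> {s}" for s, d in sorted(a - b_mirrored)]
            + [f"site B proxies {d} -> {s}, site A has no {s} -> {d}" for s, d in sorted(b_mirrored - a)])


# Constructed sample configs (relevant lines only, using the thread's networks).
HEADOFFICE = """\
access-list 170 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map bsp002 7 match address 170
"""
REMOTE = """\
access-list 170 permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.45.0 255.255.255.0 192.168.32.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map bsp001 7 match address 170
"""
# As first posted: crypto ACL present, no NAT exemption at all.
HEADOFFICE_AS_POSTED = "\n".join(l for l in HEADOFFICE.splitlines() if "nat0" not in l)
# The mistake warned about: a second nat (inside) 0 next to the existing one (vpn_nat0 is made up).
HEADOFFICE_TWO_NAT0 = HEADOFFICE + (
    "access-list vpn_nat0 permit ip 192.168.32.0 255.255.255.0 192.168.45.0 255.255.255.0\n"
    "nat (inside) 0 access-list vpn_nat0\n")

if __name__ == "__main__":
    for label, cfg in [("as posted", HEADOFFICE_AS_POSTED), ("fixed", HEADOFFICE),
                       ("two nat 0", HEADOFFICE_TWO_NAT0)]:
        print(label, check_site(parse_config(cfg)) or ["ok"])
    print("pair", check_pair(parse_config(HEADOFFICE), parse_config(REMOTE)) or ["ok"])
```

Run it against a saved `show run` from each PIX (after trimming to the lines it understands); an empty list from both checks means the exemption covers the proxy identities and the peers agree on them, which is exactly the state the thread ends at.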
03-22-2007 05:53 AM
Thanks for clarifying Adam :)
Cheers
Gilbert
03-22-2007 06:17 AM
No problem. 5 points for pointing that out.