11-18-2010 12:13 AM
Hello,
I have a big problem with a Pix config.
Situation is:
A tunnel between a Cisco PIX 515 and a LANCOM 3850 UMTS. The tunnel comes up correctly. I can ping and use all ports and services from the PIX network (1.1.1.0/24) to the LANCOM network (2.2.2.0/24), but not from the LANCOM to the PIX.
The goal is to use all ports and services from both devices.
Here is the PIX config snippet for the connection. I hope someone can help me...
access-list alist-vc10127-cmap permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list alist-nat permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
crypto map cmap 127 ipsec-isakmp
crypto map cmap 127 match address alist-vc10127-cmap
crypto map cmap 127 set peer 90.0.0.0
crypto map cmap 127 set transform-set tset1
crypto map cmap 127 set pfs group2
isakmp key pskey address 90.0.0.0 netmask 255.255.255.255
access-list alist-inside-in permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list alist-inside-in permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
Thank you.
Greetings
11-18-2010 12:28 AM
Based on the PIX configuration, it should already support bidirectional traffic, i.e. from PIX to Lancom and vice versa. You might want to check the configuration on the Lancom end (check whether there is an access-list that is blocking traffic initiated from the Lancom end).
11-18-2010 12:59 AM
Hello,
thank you for the answer.
We have many other tunnels with the same config and other VPN devices. There it is desired that it works only in one direction.
Maybe a hint: if I type an IP address from the VPN into a browser, I get an HTTP authentication prompt (IDxxxx).
Greetings
11-18-2010 01:18 AM
What do you mean by HTTP authentication? Which ip address are you putting in the browser?
11-18-2010 01:30 AM
Hi,
I tried Internet Explorer from pc1 with IP 2.2.2.1 (LANCOM LAN) to a computer with IP 1.1.1.1 (Cisco LAN). No matter what address you use, I get an HTTP login. I get this from all other VPN tunnels that are configured on the Cisco PIX as well; no matter what address you use, that login always appears.
Greetings
11-18-2010 02:12 AM
Hi Sven,
Please do the following:
no isakmp key pskey address 90.0.0.0 netmask 255.255.255.255
isakmp key pskey address 90.0.0.0 netmask 255.255.255.255 no-xauth
Let me know if that resolves the issue.
Cheers,
Nash.
11-18-2010 02:24 AM
Hi,
With this parameter the VPN tunnel did not come up.
Greetings
11-18-2010 03:52 AM
In your initial statement you mentioned "the pix network ( 1.1.1.0/24) to the lancom network (2.2.2.0/24)", but in this post you say the opposite. Which network belongs to which device?
Please post the full sanitized config of the PIX side. There may be some HTTP intercept configuration in place.
11-18-2010 04:08 AM
Hi,
Sorry, my mistake; I corrected my post. The correct networks are shown now.
The config of the device is very small; we use it only as a site-to-site VPN device.
I found the following in the config:
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
aaa authentication include udp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
Can this be my problem?
Edit:
Might the following help me:
aaa authentication exclude tcp/0 outside 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 LOCAL
aaa authentication exclude udp/0 outside 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 LOCAL
11-18-2010 05:42 AM
Hi Sven,
Check this out.
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1437563
Cheers,
Nash.
11-18-2010 08:10 AM
From 1.x.x.x to 2.x.x.x already works, so it must be something like
aaa authentication exclude tcp/0 outside 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0 LOCAL
If you like, first disable all HTTP authentication, check if it works, then try filtering and excluding.
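Added example (not from any post in this thread): a small Python model of how the two "aaa authentication include" lines quoted above intercept traffic, and what the drafted "exclude" lines change. It parses those lines into rules and evaluates a flow the way cut-through proxy authentication is applied on the PIX: only traffic arriving on the named interface, matching the service and both address ranges, is intercepted, and a matching exclude is assumed to take precedence over a matching include. The argument order (local network and mask, then foreign network and mask) follows the inside_ip/outside_ip order in the ASA 7.2 command reference linked above, with the local side being the PIX LAN. The evaluation model, treating decrypted tunnel traffic as arriving on "outside", and the host addresses 2.2.2.1, 1.1.1.1 and 203.0.113.5 are assumptions made for this example; the configuration lines are those quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AaaRule:
    action: str                       # "include" or "exclude"
    proto: str                        # "tcp", "udp", "icmp" or "any"
    port: int                         # 0 means any port
    interface: str                    # interface the traffic arrives on
    local: ipaddress.IPv4Network      # hosts on the higher-security side (PIX LAN)
    foreign: ipaddress.IPv4Network    # hosts on the lower-security side
    server_tag: str                   # e.g. LOCAL


def parse_aaa_rule(line: str) -> AaaRule:
    """Parse one 'aaa authentication include|exclude ...' line.

    Field order assumed here (ASA 7.2 reference): service interface
    local_ip local_mask foreign_ip foreign_mask server_tag.
    """
    p = line.split()
    if p[:2] != ["aaa", "authentication"] or p[2] not in ("include", "exclude"):
        raise ValueError(f"not an aaa authentication include/exclude line: {line!r}")
    if len(p) != 10:
        raise ValueError(f"unexpected field count in: {line!r}")
    proto, _, port = p[3].partition("/")          # "tcp/0" -> ("tcp", "0")
    return AaaRule(
        action=p[2],
        proto=proto,
        port=int(port) if port else 0,
        interface=p[4],
        local=ipaddress.IPv4Network((p[5], p[6]), strict=False),
        foreign=ipaddress.IPv4Network((p[7], p[8]), strict=False),
        server_tag=p[9],
    )


def requires_auth(rules: List[AaaRule], interface: str, proto: str, port: int,
                  local_host: str, foreign_host: str) -> bool:
    """True if this flow would be intercepted for cut-through proxy authentication."""
    local = ipaddress.IPv4Address(local_host)
    foreign = ipaddress.IPv4Address(foreign_host)
    matched = [
        r for r in rules
        if r.interface == interface
        and r.proto in ("any", proto)
        and r.port in (0, port)
        and local in r.local
        and foreign in r.foreign
    ]
    # Assumption for this model: a matching exclude overrides a matching include.
    if any(r.action == "exclude" for r in matched):
        return False
    return any(r.action == "include" for r in matched)


def intercepted(config_lines: List[str], interface: str, proto: str, port: int,
                local_host: str, foreign_host: str) -> bool:
    return requires_auth([parse_aaa_rule(l) for l in config_lines],
                         interface, proto, port, local_host, foreign_host)


# The two lines found in the running config (quoted in the thread).
CURRENT_AAA = [
    "aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL",
    "aaa authentication include udp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL",
]
# The exclude lines drafted in the thread, carving the VPN peer's subnet out.
PROPOSED_AAA = CURRENT_AAA + [
    "aaa authentication exclude tcp/0 outside 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 LOCAL",
    "aaa authentication exclude udp/0 outside 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 LOCAL",
]

# Constructed test flows (hosts assumed for the example).
# (label, interface, proto, port, local host, foreign host)
FLOWS = [
    ("LANCOM 2.2.2.1 -> PIX LAN 1.1.1.1, HTTP, arrives on outside", "outside", "tcp", 80, "1.1.1.1", "2.2.2.1"),
    ("LANCOM 2.2.2.1 -> PIX LAN 1.1.1.1, DNS/UDP, arrives on outside", "outside", "udp", 53, "1.1.1.1", "2.2.2.1"),
    ("LANCOM 2.2.2.1 -> PIX LAN 1.1.1.1, ICMP, arrives on outside", "outside", "icmp", 0, "1.1.1.1", "2.2.2.1"),
    ("PIX LAN 1.1.1.1 -> LANCOM 2.2.2.1, HTTP, arrives on inside", "inside", "tcp", 80, "1.1.1.1", "2.2.2.1"),
    ("Internet 203.0.113.5 -> PIX LAN 1.1.1.1, HTTP, arrives on outside", "outside", "tcp", 80, "1.1.1.1", "203.0.113.5"),
]

if __name__ == "__main__":
    for label, *flow in FLOWS:
        before = intercepted(CURRENT_AAA, *flow)
        after = intercepted(PROPOSED_AAA, *flow)
        print(f"{label:70s} current={before!s:5s} with exclude={after!s:5s}")
```

Run it directly to print the table. The point it makes is that traffic from the LANCOM side is decrypted on outside and then evaluated against the outside AAA lines, so the 0.0.0.0/0 include there captures every TCP and UDP session from 2.2.2.0/24 (which is the HTTP login prompt), while the inside interface has no include lines and passes PIX-side sessions untouched; ICMP is not covered by tcp/0 or udp/0 in this model. With the exclude lines the peer's subnet is carved out but arbitrary Internet hosts are still authenticated. Before relying on them, confirm on the firewall that they actually match: the local/foreign argument order is easy to invert, which is exactly what the last two replies disagree on.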