Firewall Wizards mailing list archives
Re: Pix to Pix VPN Help
From: Prabhu Gurumurthy <pgurumu () gmail com>
Date: Fri, 17 Nov 2006 16:32:09 -0800
access-list 130 permit ip 192.168.5.0 255.255.255.0 10.7.1.0 255.255.255.0

You need a "nat (inside) 0 access-list" statement. That statement tells the PIX whether given traffic needs to ride the tunnel or bypass it; otherwise the default action is to discard.

Hope this helps.

Prabhu

adrian () itsfhome co uk wrote:
Hi All,

I am looking for help in setting up a PIX to PIX VPN. I have gained some success in my configurations, but I cannot create the VPN tunnel and this is causing issues.

The hardware configuration required is as follows:

Network --> Inside Pix 506E --> Outside Pix 506E --> Internet

The requirement for the Inside and Outside PIX is a security requirement at my site.

The IP address ranges are as follows:

Network: 192.168.5.x
Internal Pix: Inside: 192.168.5.1 Outside: 192.168.9.3
Outside Pix: Inside: 192.168.9.1 Outside: 172.30.6.231

Address 172.30.6.231 is NATed out to a public IP address and the Internet.

What I require: inside address 192.168.5.2 to connect to a remote address 10.7.1.1 via VPN. Therefore address 192.168.5.2 is translated to 192.168.9.2 for the Outside PIX, then translated to 172.30.6.232, and then onto the public IP address.

Here are my successes/failures:

From a dynamic IP address on the network (192.168.5.10) I can access the Internet, proving the path through the network. When I configure 192.168.5.2, I cannot access the Internet. Do I have a NAT issue here? When I attempt to connect, the logs do not raise NAT errors. When I try to connect to remote address 10.7.1.1, no VPN tunnel, etc.

What I require it to do: with address 192.168.5.2, translate to 192.168.9.2, translate to 172.30.6.232. If I configure 192.168.9.2 and connect to the Outside PIX I have Internet connectivity. If I configure 192.168.5.2 I lose connectivity, with no clear logged issues. The return path should get through to 192.168.5.2. Finally, from address 172.30.6.230 I should be able to access both PIXes.
Current Pix Configs

******** INSIDE ***************
: Saved
: Written by enable_15 at 12:07:01.353 UTC Mon Oct 16 2006
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password orMeD9LEZDGVgHNT encrypted
passwd zdWLaxrocvVoOrCk encrypted
hostname FWL-BEE-INSIDE
domain-name qinetiq.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit ip any host 192.168.5.1
access-list 100 permit ip any host 192.168.9.2
access-list 100 permit ah any host 192.168.9.2
access-list 100 permit esp any host 192.168.9.2
access-list 100 permit esp any host 192.168.9.1
access-list 100 permit ah any host 192.168.9.1
access-list 100 permit ip any host 192.168.9.1
access-list 100 permit ip 192.168.5.0 255.255.255.0 10.7.1.0 255.255.255.0
access-list 100 permit ip 10.7.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 130 permit ip 192.168.5.0 255.255.255.0 10.7.1.0 255.255.255.0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.9.3 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) 192.168.9.2 192.168.5.2 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.5.2 192.168.9.2 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 192.168.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set secure esp-3des esp-sha-hmac
crypto map securemap 30 ipsec-isakmp
crypto map securemap 30 match address 130
crypto map securemap 30 set peer 213.161.69.90
crypto map securemap 30 set transform-set secure
crypto map securemap interface outside
isakmp enable outside
isakmp key ******** address 213.161.69.90 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.5.10-192.168.5.41 inside
dhcpd dns 194.72.6.57 194.73.82.242
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
banner motd Contact: name
banner motd Site: BEE
banner motd Location: loc
Cryptochecksum:a0ea8db40e0b82673fa526d14173ce83

************** OUTSIDE **************
: Saved
: Written by enable_15 at 05:14:26.322 UTC Mon Oct 16 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password orMeD9LEZDGVgHNT encrypted
passwd zdWLaxrocvVoOrCk encrypted
hostname FWL-FRN-OUTSIDE
domain-name qinetiq.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list INSIDE-OUT permit ip any host 192.168.9.1
access-list INSIDE-OUT permit ah any any
access-list INSIDE-OUT permit esp any any
access-list INSIDE-OUT permit ip any any log
access-list INSIDE-OUT permit icmp any any
access-list OUTSIDE-IN permit esp any host 172.30.6.232
access-list OUTSIDE-IN permit ah any host 172.30.6.232
access-list OUTSIDE-IN permit ip any host 172.30.6.232
access-list OUTSIDE-IN permit esp any host 172.30.6.231
access-list OUTSIDE-IN permit ah any host 172.30.6.231
access-list OUTSIDE-IN permit ip any host 172.30.6.231
access-list OUTSIDE-IN deny ip any 10.0.0.0 255.0.0.0
access-list OUTSIDE-IN deny ip any 172.16.0.0 255.240.0.0
access-list OUTSIDE-IN deny ip any 192.168.0.0 255.255.0.0
access-list OUTSIDE-IN deny ip any any log
access-list OUTSIDE-IN permit icmp any any
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 172.30.6.231 255.255.255.0
ip address inside 192.168.9.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.9.0 255.255.255.0 0 0
static (outside,inside) 192.168.9.2 172.30.6.232 netmask 255.255.255.255 0 0
static (inside,outside) 172.30.6.232 192.168.9.2 netmask 255.255.255.255 0 0
access-group OUTSIDE-IN in interface outside
access-group INSIDE-OUT in interface inside
route outside 0.0.0.0 0.0.0.0 172.30.6.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 172.30.6.228 255.255.255.255 outside
ssh 172.30.6.229 255.255.255.255 outside
ssh 172.30.6.230 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.9.10-192.168.9.40 inside
dhcpd dns 194.72.6.57 194.73.82.242
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
banner motd Contact: name
banner motd Contact: name
Cryptochecksum:f9c92b4c259f0cf2fad02ce3cbfcac26

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
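Added example, not code from the thread or from either PIX: a small Python checker for the mismatch Prabhu points at. On PIX 6.3 an outbound packet is translated (static, or nat plus global) before the crypto map's "match address" ACL is evaluated, so a crypto ACL written in terms of pre-NAT inside addresses can never match unless those flows are exempted from translation with "nat (inside) 0 access-list". The block parses the relevant lines of the FWL-BEE-INSIDE config quoted above (the excerpt embedded in it is copied from the post), reports each crypto-ACL entry whose source is rewritten before the crypto lookup, and prints the one-line fix. The function names, the finding format, and the choice to reuse ACL 130 as the exemption ACL are this example's own; they are not from the posters or from Cisco.

```python
"""Find crypto-map ACL entries on a PIX 6.3 that NAT rewrites before the
crypto lookup, i.e. entries not covered by a 'nat (ifc) 0 access-list'."""
import ipaddress

Net = ipaddress.IPv4Network


def _net(ip, mask):
    """IPv4Network from PIX 'address netmask' notation (host bits tolerated)."""
    return Net(f"{ip}/{mask}", strict=False)


def _addr(t, i):
    """Parse one ACL address spec at t[i]: 'any', 'host X' or 'X MASK'.
    Returns (network, index of the next token)."""
    if t[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return _net(t[i + 1], "255.255.255.255"), i + 2
    return _net(t[i], t[i + 1]), i + 2


def parse_pix(text):
    """Collect ACL entries, crypto-map match ACLs, nat 0 exemptions, dynamic nat
    and static rules from PIX 6.3 running-config text; other lines are ignored."""
    cfg = {"acl": {}, "crypto": {}, "nat0": set(), "nat": [], "static": []}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 3:
            continue
        if t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acl"].setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cfg["crypto"][(t[2], t[3])] = t[6]          # (map name, seq) -> ACL
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"].add(t[4])                       # NAT exemption by ACL
        elif t[0] == "nat" and t[2] != "0":             # nat (ifc) ID NET MASK ...
            cfg["nat"].append((t[1].strip("()"), _net(t[3], t[4])))
        elif t[0] == "static" and t[4] == "netmask":    # static (real,mapped) MAPPED REAL netmask M
            real_ifc = t[1].strip("()").split(",")[0]
            cfg["static"].append((real_ifc, _net(t[3], t[5]), _net(t[2], t[5])))
    return cfg


def check_crypto_nat(cfg, ifc="inside"):
    """One finding per permit entry of a crypto 'match address' ACL whose source
    is rewritten by a nat/static on `ifc` and is not fully covered by a nat 0
    exemption ACL. Because translation precedes the crypto ACL lookup, such an
    entry never matches and the tunnel is never negotiated for that traffic."""
    exempt = [e for a in cfg["nat0"] for e in cfg["acl"].get(a, []) if e[0] == "permit"]
    findings = []
    for (name, seq), acl in cfg["crypto"].items():
        for action, _proto, src, dst in cfg["acl"].get(acl, []):
            if action != "permit":
                continue
            if any(src.subnet_of(es) and dst.subnet_of(ed) for _, _, es, ed in exempt):
                continue
            rewrites = [f"static {real} -> {mapped}"
                        for r, real, mapped in cfg["static"] if r == ifc and real.overlaps(src)]
            rewrites += [f"nat ({i}) {n}" for i, n in cfg["nat"] if i == ifc and n.overlaps(src)]
            if rewrites:
                findings.append({"crypto": f"{name} {seq}", "acl": acl,
                                 "src": str(src), "dst": str(dst), "rewrites": rewrites})
    return findings


def suggested_fix(findings, ifc="inside"):
    """Exempt the crypto ACL's flows from translation by reusing that ACL."""
    return sorted({f"nat ({ifc}) 0 access-list {f['acl']}" for f in findings})


# Excerpt copied from the FWL-BEE-INSIDE config posted in the thread (inside PIX only).
INSIDE_PIX = """\
access-list 100 permit ip 192.168.5.0 255.255.255.0 10.7.1.0 255.255.255.0
access-list 130 permit ip 192.168.5.0 255.255.255.0 10.7.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) 192.168.9.2 192.168.5.2 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.5.2 192.168.9.2 netmask 255.255.255.255 0 0
crypto map securemap 30 ipsec-isakmp
crypto map securemap 30 match address 130
crypto map securemap 30 set peer 213.161.69.90
crypto map securemap interface outside
"""

# The same excerpt with the exemption Prabhu recommends added (constructed here).
INSIDE_PIX_FIXED = INSIDE_PIX + "nat (inside) 0 access-list 130\n"

if __name__ == "__main__":
    for label, text in (("as posted", INSIDE_PIX), ("with nat 0", INSIDE_PIX_FIXED)):
        found = check_crypto_nat(parse_pix(text))
        print(f"{label}: {len(found)} crypto ACL entries hidden by NAT")
        for f in found:
            print(f"  {f['crypto']} acl {f['acl']} {f['src']} -> {f['dst']}: {', '.join(f['rewrites'])}")
        for line in suggested_fix(found):
            print("  add:", line)
```

Run as posted, the checker reports that ACL 130's single entry (192.168.5.0/24 to 10.7.1.0/24) is rewritten both by the static for 192.168.5.2 and by the dynamic nat (inside) 1 rule, and proposes "nat (inside) 0 access-list 130"; with that line appended it reports nothing. Only full coverage by an exemption entry counts, so an entry that a nat 0 ACL covers partially is still flagged. The checker looks at the inside PIX alone: in the posted outer config the tunnel endpoint 192.168.9.3 is itself subject to "nat (inside) 1 192.168.9.0 255.255.255.0" with "global (outside) 1 interface", i.e. PAT to 172.30.6.231, which is a separate thing to verify once ISAKMP starts to negotiate. Requires Python 3.7 or later for IPv4Network.subnet_of.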
Current thread:
- Re: Pix to Pix VPN Help Prabhu Gurumurthy (Nov 18)