Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Problem with PIX-to-PIX VPN and more networks

From: Miguel Angel Garcia Rivas <marivas () satec es>
Date: Wed, 22 Mar 2006 12:27:51 +0100
Hello Petr.
I was checking your config, but you only specified from one end-point. As you know, you should have another access-list in the other pix (PIX501) like this: 
access-list XX permit ip 10.1.0.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list XX permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0

It would be helpful if you can attach the pix 501 config (vpn related)

Regards.

Petr Vyhnal wrote:


Hi all,
I have strange problem. I have two PIXes (501 and 506E) with VPN tunnel. LAN structure is like that:
LAN1 (10.1.5.0/24) - PIX506 (inside 10.1.5.254) - Inet (VPN) - PIX501 (inside 10.1.0.254/24) - LAN2 (10.1.0.0/24) - Linux router (nonat, 10.1.0.1 on PIX's side iface and 10.1.1.254 on LAN3 side iface) - LAN3 (10.1.1.0/24)
Crypto tunnel is working, but only for one network at the moment. So if ping works from 10.1.5.0/24 to 10.1.1.0/24 I can't ping from 10.1.5.0/24 to 10.1.0.0/24 and vice versa. But on both rules in acl 101 I can see growing hits when I pinging to both networks at same time. Even if only pings to one network at the moment are going to crypto tunnel and pings to second network are going directly to internet and they are rejected by gateway as unreachable. Does anybody have any idea how to fix it? 

PIX506 config (VPN part):

access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list 101 permit ip 10.1.5.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set MYVPN esp-3des esp-md5-hmac
crypto map MYMAP 1 ipsec-isakmp
crypto map MYMAP 1 match address 101
crypto map MYMAP 1 set peer xxx.xxx.xxx.xxx
crypto map MYMAP 1 set transform-set MYVPN
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000


Thanx Rudiik
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards




_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: