Problem with IPSEC VPN

Hello

I have a problem with a site-to-site connection between two PIXes. The
network diagram looks like this:

PIX501 ---------- Internet ---------- PIX515E
  |                                      |
  |                                      |
192.168.4.1/24                     192.168.0.1/24

The VPN connection is established, but:
1) If I ping host 192.168.4.10 from 192.168.0.10 - OK
2) If I ping host 192.168.0.10 from 192.168.4.10 - error

Jan 22 2006 14:13:17: %PIX-3-713042: IKE Initiator unable to find
policy: Intf 1, Src: 192.168.0.10, Dst: 192.168.4.10
Jan 22 2006 14:13:18: %PIX-3-713042: IKE Initiator unable to find
policy: Intf 1, Src: 192.168.0.10, Dst: 192.168.4.10

Communication from 192.168.4.10 to 192.168.0.10 only works when
192.168.0.10 starts sending packets.
Any ideas or recommendations?

Below are the configurations of both PIXes:

PIX-515E running OS 7.0(4)

interface Ethernet0
 nameif outside
 security-level 0
 ip address 195.22.16.2 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 195.22.16.1 1
same-security-traffic permit intra-interface
access-list VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set TransSet esp-3des esp-md5-hmac
crypto map VPN 20 match address VPN
crypto map VPN 20 set peer 195.22.17.2
crypto map VPN 20 set transform-set TransSet
crypto map VPN 20 set nat-t-disable
crypto map VPN interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
tunnel-group 195.22.17.2 type ipsec-l2l
tunnel-group 195.22.17.2 ipsec-attributes
 pre-shared-key *


PIX-501 running OS 6.3(5)

interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 195.22.17.2 255.255.255.252
ip address inside 192.168.4.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 195.22.17.1 1
access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list VPN permit ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set TransSet esp-3des esp-md5-hmac
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 match address VPN
crypto map VPN 20 set peer 195.22.16.2
crypto map VPN 20 set transform-set TransSet
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 195.22.16.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Reply robhass (14) 1/22/2006 4:30:15 PM

Hi Robert,

The following command has an error in your PIX515E:

access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

It should be:
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.4.0 255.255.0.0

Try this and let me know for any issues.

Regards,
Naveen.

Reply Naveen 1/25/2006 7:22:21 PM


In article <1138216941.735329.249970@o13g2000cwo.googlegroups.com>,
Naveen Kollipara <naveen.kollipara@gmail.com> wrote:
>The following command is having error in your PIX515E,

>access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

>it should be,
>access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.4.0 255.255.0.0

I'd say it should probably be

access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0

in other words, it should match the ACL being used for the crypto map.
Reply roberson 1/26/2006 2:18:43 AM
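A small consistency check, added here as an example and not taken from the thread or from any Cisco tool: it parses the access-list lines quoted above (both the 6.3 and the 7.0 syntax), reports where the nat 0 exemption ACL fails to cover, or reaches beyond, the flows the crypto map protects, and checks that the two peers' crypto ACLs mirror each other. Function names and the sample config strings are my own construction from the lines in this thread.

```python
import ipaddress
import re

# Matches both PIX 6.3 ("access-list X permit ip ...") and
# PIX 7.0 ("access-list X extended permit ip ...") ACL lines.
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)")

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            acls.setdefault(m["name"], []).append((src, dst))
    return acls

def covers(flow, other):
    """True if flow (src, dst) lies entirely inside flow 'other'."""
    return flow[0].subnet_of(other[0]) and flow[1].subnet_of(other[1])

def check_nat_exemption(crypto, nonat):
    """Findings for a crypto-map ACL versus the 'nat (inside) 0' ACL."""
    findings = []
    for c in crypto:  # traffic to be encrypted must not be translated first
        if not any(covers(c, n) for n in nonat):
            findings.append(f"crypto flow {c[0]} -> {c[1]} is not NAT-exempt")
    for n in nonat:   # an exemption wider than the tunnel bypasses NAT elsewhere
        if not any(covers(n, c) for c in crypto):
            findings.append(f"nat 0 entry {n[0]} -> {n[1]} exempts traffic outside the crypto ACL")
    return findings

def mirrors(local, remote):
    """True if the peer's crypto ACL is the exact mirror image of ours."""
    return sorted(local) == sorted((d, s) for s, d in remote)

# Sample input constructed from the access-list lines quoted in the thread.
PIX515E = """
access-list VPN extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
"""
PIX501 = """
access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list VPN permit ip 192.168.4.0 255.255.255.0 192.168.0.0 255.255.255.0
"""
```

Run against the thread's configs it accepts the two VPN ACLs as mirrors but flags the /16-to-/16 NONAT entry on both boxes (and the /16 variant suggested first) as wider than the crypto ACL, while the /24-to-/24 version passes clean.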
