Question

Locked

Problem with pix VPN configuration

By abraham.nyirongo
I am running a VPN between two LANs (Network A and B) using PIX 506 firewalls. I recently added a new VPN between Network A and C using Cisco 2600 routers.

Users on network A are able to access network C and B. Users on Network B can access Network A only. They cannot access network C.

From network B I can ping hosts on network A but not on network C. From network A I can ping hosts on Network B and C.

How do I configure the PIX firewall on network B to allow VPN traffic to go to network C? (e.g. be able to ping hosts on network C from network B)

Below are the configurations for the PIX on network A and the PIX on network B.

PIX Config on Network B

PIX Version 6.3(5)

access-list 101 permit ip koko 255.255.255.128 insidelan 255.255.255.128
access-list 101 permit icmp koko 255.255.255.128 insidelan 255.255.255.128
access-list 101 permit ip koko 255.255.255.128 10.0.0.0 255.0.0.0
access-list 101 permit ip koko 255.255.255.128 145.27.0.0 255.255.0.0
access-list 101 permit ip koko 255.255.255.128 158.163.0.0 255.255.0.0
access-list 101 permit ip koko 255.255.255.128 158.174.0.0 255.255.0.0
access-list 101 permit ip koko 255.255.255.128 158.177.0.0 255.255.0.0
access-list 101 permit ip koko 255.255.255.128 172.16.0.0 255.240.0.0
access-list insideacl permit icmp any any echo
access-list insideacl permit icmp any any unreachable
access-list insideacl permit icmp any any time-exceeded
access-list insideacl permit icmp any any parameter-problem
access-list insideacl permit ip koko 255.255.255.128 insidelan 255.255.255.128
access-list insideacl permit icmp koko 255.255.255.128 insidelan 255.255.255.128
access-list insideacl permit ip koko 255.255.255.128 10.0.0.0 255.0.0.0
access-list insideacl permit ip koko 255.255.255.128 145.27.0.0 255.255.0.0
access-list insideacl permit ip koko 255.255.255.128 158.163.0.0 255.255.0.0
access-list insideacl permit ip koko 255.255.255.128 158.174.0.0 255.255.0.0
access-list insideacl permit ip koko 255.255.255.128 158.177.0.0 255.255.0.0
access-list insideacl permit ip koko 255.255.255.128 172.16.0.0 255.240.0.0
access-list insideacl permit ip koko 255.255.255.128 any
access-list insideacl deny ip any any
access-list outsideacl permit icmp any any echo-reply
access-list outsideacl permit icmp any any unreachable
access-list outsideacl permit icmp any any time-exceeded
access-list outsideacl permit icmp any any parameter-problem
access-list outsideacl deny ip 10.0.0.0 255.0.0.0 any
access-list outsideacl deny ip 172.16.0.0 255.240.0.0 any
access-list outsideacl deny ip 127.0.0.0 255.0.0.0 any
access-list outsideacl deny ip 169.254.0.0 255.255.0.0 any
access-list outsideacl deny ip 192.0.2.0 255.255.255.0 any
access-list outsideacl deny ip 192.168.0.0 255.255.0.0 any
access-list outsideacl deny ip host outside_if host outside_if
access-list outsideacl deny ip 0.0.0.0 255.0.0.0 any
access-list outsideacl deny ip 224.0.0.0 240.0.0.0 any
access-list outsideacl deny ip 240.0.0.0 248.0.0.0 any
access-list outsideacl deny ip 248.0.0.0 248.0.0.0 any
access-list outsideacl deny ip host 0.0.0.0 any
access-list outsideacl deny ip host 255.255.255.255 any
access-list outsideacl deny ip any any
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any parameter-problem outside
mtu outside 1500
mtu inside 1500
ip address outside outside_if 255.255.255.252
ip address inside inside_if 255.255.255.128
ip audit name attack attack action drop reset
ip audit interface outside attack
ip audit interface inside attack
ip audit info action alarm
ip audit attack action alarm drop
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outsideacl in interface outside
access-group insideacl in interface inside
route outside 0.0.0.0 0.0.0.0 outside_router 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http ssh_extern 255.255.255.255 outside
http koko 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server community qg#x9:4$
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set zm-vpn esp-3des esp-sha-hmac
crypto map zambo 1 ipsec-isakmp
crypto map zambo 1 match address 101
crypto map zambo 1 set peer Lolo-vpnpeer
crypto map zambo 1 set transform-set zm-vpn
crypto map zambo interface outside
isakmp enable outside
isakmp key ******** address Lolo-vpnpeer netmask 255.255.255.248
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 864


PIX Config on Network A

PIX Version 6.3(5)
access-list 101 permit ip insidelan 255.255.255.128 koko 255.255.255.128
access-list 101 permit icmp insidelan 255.255.255.128 koko 255.255.255.128
access-list insideacl permit icmp any any echo
access-list insideacl permit icmp any any unreachable
access-list insideacl permit icmp any any time-exceeded
access-list insideacl permit icmp any any parameter-problem
access-list insideacl permit udp insidelan 255.255.255.0 any eq domain
access-list insideacl permit tcp insidelan 255.255.255.0 any eq www
access-list insideacl permit tcp insidelan 255.255.255.0 any eq https
access-list insideacl permit tcp insidelan 255.255.255.0 any eq ftp
access-list insideacl permit tcp insidelan 255.255.255.0 any eq ftp-data
access-list insideacl permit tcp insidelan 255.255.255.0 any eq 2492
access-list insideacl permit tcp insidelan 255.255.255.0 any eq ssh
access-list insideacl permit tcp host inside_smtp any eq smtp
access-list insideacl permit tcp host exchange_server any eq smtp
access-list insideacl permit ip insidelan 255.255.255.128 koko 255.255.255.128
access-list insideacl permit icmp insidelan 255.255.255.128 koko 255.255.255.128
access-list insideacl deny ip any any
access-list outsideacl permit icmp any any echo-reply
access-list outsideacl permit icmp any any unreachable
access-list outsideacl permit icmp any any time-exceeded
access-list outsideacl permit icmp any any parameter-problem
access-list outsideacl permit tcp any host outside_if eq smtp
access-list outsideacl deny ip 10.0.0.0 255.0.0.0 any
access-list outsideacl deny ip 172.16.0.0 255.240.0.0 any
access-list outsideacl deny ip 127.0.0.0 255.0.0.0 any
access-list outsideacl deny ip 169.254.0.0 255.255.0.0 any
access-list outsideacl deny ip 192.0.2.0 255.255.255.0 any
access-list outsideacl deny ip 192.168.0.0 255.255.0.0 any
access-list outsideacl deny ip host outside_if host outside_if
access-list outsideacl deny ip 0.0.0.0 255.0.0.0 any
access-list outsideacl deny ip 224.0.0.0 240.0.0.0 any
access-list outsideacl deny ip 240.0.0.0 248.0.0.0 any
access-list outsideacl deny ip 248.0.0.0 248.0.0.0 any
access-list outsideacl deny ip host 0.0.0.0 any
access-list outsideacl deny ip host 255.255.255.255 any
access-list outsideacl deny ip any any
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any parameter-problem outside
mtu outside 1500
mtu inside 1500
ip address outside outside_if 255.255.255.248
ip address inside inside_if 255.255.255.128
ip audit name attack attack action drop reset
ip audit interface outside attack
ip audit interface inside attack
ip audit info action alarm
ip audit attack action alarm drop
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp inside_smtp smtp netmask 255.255.255.255 0 0
access-group outsideacl in interface outside
access-group insideacl in interface inside
route outside 0.0.0.0 0.0.0.0 outside_router 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http ssh_extern 255.255.255.255 outside
http insidelan 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server community Qg#x9:4$
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set zm-vpn esp-3des esp-sha-hmac
crypto map buku 1 ipsec-isakmp
crypto map buku 1 match address 101
crypto map buku 1 set peer KIT-vpnpeer
crypto map buku 1 set transform-set zm-vpn
crypto map buku interface outside
isakmp enable outside
isakmp key ******** address KIT-vpnpeer netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
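Added example (not part of the post, and not the poster's configuration): a small Python checker that models the first-match crypto ACLs (access-list 101) from both PIX configurations above and tests whether a given flow counts as interesting traffic on both ends of the tunnel. The PIX `name` aliases koko and insidelan are resolved to constructed addresses, and the Network C address is an assumption, because the post gives only aliases. The check it performs is a necessary condition only: a flow rides a site-to-site IPsec tunnel only if the local crypto ACL permits source-to-destination and the remote peer's crypto ACL permits the mirror image. On Network A's PIX the B-to-C traffic would also have to be sent back out the outside interface it arrived on, which PIX 6.3 does not do (intra-interface routing arrived with the 7.0 software train), so passing a mirror check on A is not by itself enough for the B-to-C path.

```python
"""Crypto-ACL mirror check for a PIX site-to-site IPsec path (added example).

Addresses below are constructed stand-ins; the posted configs only use the
PIX 'name' aliases koko and insidelan, and Network C is not shown at all.
"""
import ipaddress
import re

# Constructed name table (assumption, not the poster's real addressing).
NAMES = {
    "koko": "192.168.10.0",       # Network B inside LAN (assumed)
    "insidelan": "192.168.20.0",  # Network A inside LAN (assumed)
}
NET_C_HOST = "10.1.1.1"  # assumed host on Network C, chosen inside 10.0.0.0/8

# Network B side crypto ACL, modelled on the posted access-list 101 (subset).
PIX_B_CONFIG = """
access-list 101 permit ip koko 255.255.255.128 insidelan 255.255.255.128
access-list 101 permit icmp koko 255.255.255.128 insidelan 255.255.255.128
access-list 101 permit ip koko 255.255.255.128 10.0.0.0 255.0.0.0
access-list 101 permit ip koko 255.255.255.128 172.16.0.0 255.240.0.0
"""

# Network A side crypto ACL, modelled on the posted access-list 101.
PIX_A_CONFIG = """
access-list 101 permit ip insidelan 255.255.255.128 koko 255.255.255.128
access-list 101 permit icmp insidelan 255.255.255.128 koko 255.255.255.128
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _to_network(addr, mask):
    """Resolve a PIX name alias (if any) and build a network from addr/mask."""
    addr = NAMES.get(addr, addr)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_address(tokens):
    """Consume one PIX address spec: 'any', 'host X', or 'X MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return _to_network(tokens[1], "255.255.255.255"), tokens[2:]
    return _to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config, acl_name):
    """Return the ACEs of one named ACL as (action, proto, src_net, dst_net)."""
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        src, rest = _take_address(rest)
        dst, rest = _take_address(rest)  # trailing tokens (ports, icmp types) ignored
        entries.append((action, proto, src, dst))
    return entries


def first_match(entries, src_ip, dst_ip, proto="ip"):
    """PIX ACLs are first-match: return the action of the first ACE covering
    the flow, or None when nothing matches (traffic is not 'interesting')."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in entries:
        if p not in ("ip", proto):
            continue
        if s in src and d in dst:
            return action
    return None


def tunnel_covers(acl_local, acl_remote, src_ip, dst_ip, proto="ip"):
    """True only if the local crypto ACL permits src->dst AND the remote
    peer's crypto ACL permits the mirror dst->src (necessary, not sufficient)."""
    return (first_match(acl_local, src_ip, dst_ip, proto) == "permit"
            and first_match(acl_remote, dst_ip, src_ip, proto) == "permit")


def mirrored_acl_a():
    """Network A ACL with an added entry mirroring B's koko -> 10/8 ACE."""
    extra = "access-list 101 permit ip 10.0.0.0 255.0.0.0 koko 255.255.255.128"
    return parse_acl(PIX_A_CONFIG, "101") + parse_acl(extra, "101")


if __name__ == "__main__":
    acl_b = parse_acl(PIX_B_CONFIG, "101")
    acl_a = parse_acl(PIX_A_CONFIG, "101")
    b_host = "192.168.10.5"
    print("B -> A:", tunnel_covers(acl_b, acl_a, b_host, "192.168.20.5"))
    print("B -> C via A (as posted):", tunnel_covers(acl_b, acl_a, b_host, NET_C_HOST))
    print("B -> C via A (A mirrored):", tunnel_covers(acl_b, mirrored_acl_a(), b_host, NET_C_HOST))
```

Run as-is, the script reports that B-to-A is covered on both ends, while B-to-C fails on A's side: B's ACL 101 does classify koko-to-10/8 as interesting, but A's ACL 101 has no entry whose source covers Network C and whose destination is koko, so A's PIX would not accept that flow from the tunnel. Adding the mirror entry on A makes the ACL check pass; the hairpin limitation of PIX 6.3 noted above still applies.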
