VPN Tunnel strange issue (aren't they all?) - TechRepublic
Question
July 18, 2010 at 12:08 PM
bk6662

VPN Tunnel strange issue (aren’t they all?)

by bk6662. Updated 15 years, 11 months ago

Have two internet connections at home: a DSL, and cable. Have 2 PIX-501s (one on each end) with a site-2-site IPSEC tunnel. Have both PIXes logging to a Linux machine on the cable end (192.168.1.201). Everything worked great until yesterday, when I started trying to allow outside access to a web server on the Linux box. After agonizing for about 4 hours, I never got that working. But in the process I somewhat broke the VPN connection. It’s back up, but now I cannot ping from the DSL-end PIX to anything on the cable end (even though the tunnel is up). Hosts on that end can ping the cable end just fine, so it has to be in the PIX. But I didn’t change anything on that config? The problem with this is that it can’t reach the syslog server.

I’ve checked access-lists on both PIXes – I don’t see anything being dropped. I don’t know how MTU size can suddenly be an issue (especially since pinging between hosts works fine, and the cable-end PIX can ping the other way just fine as well).

Here’s what I think are the relevant config entries from each PIX:

DSL:
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NoNat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 70.176.x.x
crypto map transam 1 set transform-set chevelle
crypto map transam interface outside
isakmp enable outside
isakmp key *** address 70.176.x.x netmask 255.255.255.0
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

And for the cable:
access-list outbound deny ip any host 216.163.137.68
access-list outbound permit ip any any
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside-entry permit tcp any host 192.168.1.201 eq www
access-list outside-entry permit tcp any host 192.168.1.201 eq https
access-list outside-entry permit tcp any host 192.168.1.201 eq ssh
access-list outside-entry permit tcp any host 192.168.1.201 eq ftp
ip address inside 192.168.1.199 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.201 www netmask 255.255.255.255 0 0
access-group outside-entry in interface outside
access-group outbound in interface inside
route inside 11.0.0.0 255.0.0.0 192.168.1.200 1
sysopt connection permit-ipsec
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
crypto map bmw 1 ipsec-isakmp
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 75.171.44.40
crypto map bmw 1 set transform-set toyota
crypto map bmw interface outside
isakmp enable outside
isakmp key ******** address 75.171.44.40 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000

Sorry about the length – hopefully this is enough to provide an idea what is going on. (And if anybody sees why my Linux machine’s web server isn’t available, please let me know what I’m missing there as well!)

Thank you in advance!
-BK
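As an added example (not code from the post, and not a Cisco tool), here is a small Python script that parses the tunnel-relevant lines of two PIX 6.x configs like the ones quoted above and checks that the two ends agree: mirror-image crypto ACLs, a nat 0 exemption that covers the crypto ACL, matching transform sets and ISAKMP policy, and a pre-shared key bound to the configured peer with a host mask. The two embedded config strings are constructed from the entries in the post, with the public peer addresses replaced by RFC 5737 documentation addresses (an assumption). On those inputs the only finding is the 255.255.255.0 netmask on the DSL end's isakmp key; the script flags it as worth a look, not as the cause of the symptom described.

```python
"""Consistency checks for the two ends of a PIX 6.x site-to-site IPsec tunnel.

Added example; not code from the TechRepublic post. The config strings are
constructed from the entries quoted in the post, with the public peer
addresses replaced by RFC 5737 documentation addresses (an assumption).
"""
import re

DSL_CFG = """
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNat permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NoNat
crypto ipsec transform-set chevelle esp-3des esp-md5-hmac
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.0.2.1
crypto map transam 1 set transform-set chevelle
isakmp key *** address 192.0.2.1 netmask 255.255.255.0
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""

CABLE_CFG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NoNAT
crypto ipsec transform-set toyota esp-3des esp-md5-hmac
crypto map bmw 1 match address 101
crypto map bmw 1 set peer 198.51.100.1
crypto map bmw 1 set transform-set toyota
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""

# Extended ACL entry with explicit source/destination networks and masks.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)


def parse_pix(text):
    """Pull the tunnel-relevant pieces out of a PIX config dump."""
    cfg = {"acls": {}, "policy": {}, "transform": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:  # name -> list of (src, src-mask, dst, dst-mask)
            cfg["acls"].setdefault(m.group(1).lower(), []).append(m.groups()[1:])
        elif line.startswith("nat (inside) 0 access-list "):
            cfg["nat0_acl"] = line.split()[-1].lower()
        elif line.startswith("crypto ipsec transform-set "):
            parts = line.split()
            cfg["transform"][parts[3]] = tuple(parts[4:])
        elif line.startswith("crypto map ") and " match address " in line:
            cfg["crypto_acl"] = line.split()[-1].lower()
        elif line.startswith("crypto map ") and " set peer " in line:
            cfg["peer"] = line.split()[-1]
        elif line.startswith("crypto map ") and " set transform-set " in line:
            cfg["transform_name"] = line.split()[-1]
        elif line.startswith("isakmp key "):
            parts = line.split()
            cfg["key_addr"] = parts[parts.index("address") + 1]
            cfg["key_mask"] = parts[parts.index("netmask") + 1]
        elif line.startswith("isakmp policy "):
            parts = line.split()
            cfg["policy"][parts[3]] = parts[4]
    return cfg


def check_pair(a, b, names=("A", "B")):
    """Return a list of findings; an empty list means both ends agree."""
    findings = []
    a_acl = set(a["acls"].get(a["crypto_acl"], []))
    b_acl = set(b["acls"].get(b["crypto_acl"], []))
    # The crypto ACLs must be exact mirror images (src and dst swapped).
    if a_acl != {(d, dm, s, sm) for (s, sm, d, dm) in b_acl}:
        findings.append("crypto ACLs are not mirror images")
    for name, cfg in zip(names, (a, b)):
        crypto = set(cfg["acls"].get(cfg["crypto_acl"], []))
        nat0 = set(cfg["acls"].get(cfg.get("nat0_acl", ""), []))
        # nat 0 must exempt every flow the crypto ACL selects, otherwise the
        # PAT'd source address never matches the tunnel's proxy identity.
        if not crypto <= nat0:
            findings.append(f"{name}: NAT exemption does not cover the crypto ACL")
        # The pre-shared key should be bound to the exact peer with a host mask.
        if cfg["key_addr"] != cfg["peer"]:
            findings.append(f"{name}: isakmp key address differs from crypto map peer")
        if cfg["key_mask"] != "255.255.255.255":
            findings.append(f"{name}: isakmp key uses non-host netmask {cfg['key_mask']}")
    if a["transform"][a["transform_name"]] != b["transform"][b["transform_name"]]:
        findings.append("IPsec transform sets differ")
    for attr in ("authentication", "encryption", "hash", "group"):
        if a["policy"].get(attr) != b["policy"].get(attr):
            findings.append(f"isakmp policy {attr} differs")
    return findings


def audit(dsl_text=DSL_CFG, cable_text=CABLE_CFG):
    """Compare the two constructed ends and return the findings."""
    return check_pair(parse_pix(dsl_text), parse_pix(cable_text), ("DSL", "cable"))


if __name__ == "__main__":
    for finding in audit() or ["no mismatches found"]:
        print(finding)
```

Run it against `show run` output from both boxes after any change to either end; the parser deliberately ignores everything it does not recognize (the outbound and outside-entry ACLs, statics, routes), so unrelated edits do not produce noise. Note that these checks cover only the negotiated parameters; they say nothing about traffic the PIX originates itself, which is sourced from whichever interface the route points at and may therefore fall outside the crypto ACL.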

This discussion is locked