Re: [Edit] VPN pix 506 to 501 ...

Thank you very much for your answer.

I will try fixing the outside IP on the 501, as you said, so that it is not a
variable address.

After that, if it does not resolve the problem, I will change the crypto map to a
dynamic map.

Thanks a lot!

> :The configuration has changed and is not very clean now
>
> I do not see the problem at the moment, and it puzzles me that
> a ping to -inside- would do anything. I'd want to see some of the log
> entries and debug crypto isakmp 2 debug crypto ipsec 2 results.
>
> In the meantime, I happen to notice a couple of small problems with
> your configurations:
>
> :------------Pix 501------------
> :PIX Version 6.3(5)
>
> :access-list fwoutside permit icmp any any
>
> You should not permit -all- icmp, because people *will* attack
> you with unsolicited icmp network-redirects, in an attempt to
> get connections to (e.g.) banks to be redirected to their site
> that has been made up to look just like the bank's...
>
> You do not need this "for debugging" as it is not going to affect
> any traffic in the tunnel: you have sysopt connection permit-ipsec
> which tells the PIX to ignore the interface ACLs for tunnel traffic.
>
> :access-list fwoutside deny ip any any log
>
> Deny is the default, and a log statement would be generated
> anyhow, unless you had turned that off with 'logging message'... which
> you didn't.
>
> :access-list fwinside deny ip any any log
>
> Again, deny is the default and a log statement would be generated
> anyhow.
>
>
> :logging on
> :logging monitor debugging
> :logging buffered debugging
>
> When you are trying to debug a PIX, I recommend that you use
> logging trap debugging and also use logging host IP to send
> a copy of the log messages to a syslog daemon for recording to a file.
>
> :ip address outside pppoe setroute
> :ip address inside 192.168.5.254 255.255.255.0
>
> :management-access inside
>
> Ah, that's probably why pinging to the -inside- brought up a tunnel.
>
>
> :--------pix506-------------
> :PIX Version 6.3(3)
>
> Upgrade to 6.3(4) or 6.3(5) is recommended, for a security fix.
>
> :access-list fwoutside permit icmp any any
>
> See above about icmp any.
>
>
> :crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> :crypto map outside_map 30 ipsec-isakmp
> :crypto map outside_map 30 match address outside_cryptomap_30
> :crypto map outside_map 30 set pfs group5
> :crypto map outside_map 30 set peer 2.2.2.2
> :crypto map outside_map 30 set transform-set ESP-AES-256-SHA
> :crypto map outside_map interface outside
>
> You have not defined a dynamic map here: you are expecting to talk
> to 2.2.2.2. But look above....
>
> [501 configuration] ip address outside pppoe setroute
>
> Your 501 does not -have- a fixed outside IP according to that.
> Perhaps your provider has assigned a constant address of 2.2.2.2,
> but you've told the PIX the address is variable. [Unfortunately
> I don't see any other way to tell the PIX you need to communicate
> via PPPoE.]
>
> What I suggest you try is removing the crypto map outside_map 30
> on the 506 and putting in a dynamic map (be sure to adjust
> the isakmp key address selector to match the possible range of IPs.)
> Then bring the tunnel up by traffic from the 501 to the 506.
>
>
> I would also suggest removing the management access on the 501.
> If you want the traffic between the 501 and the 506 themselves
> to go through a tunnel (e.g., pings) then you should add an
> entry to the tunnel ACL that specifies the -outside- IPs for both
> ends. That's going to be a bit tricky on the 506 side, though,
> with the 501 having a dynamic IP... That is the situation that the
> management access is for, but I think that -for now- it is just
> confusing the issue.
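A worked version of the changes the quoted reply proposes for the 506, added here and not taken from either poster's configuration: the static entry that insists on peer 2.2.2.2 is replaced by a dynamic crypto map, the ISAKMP key selector is widened to cover whatever address the 501's PPPoE session receives, the "permit icmp any any" line is narrowed, and the log is copied to a syslog host. The map, ACL and transform-set names are the ones in the quoted config; the dynamic-map name "dynmap", the key "<psk>", and the syslog address 192.0.2.10 are placeholders chosen for this example.

```text
: --- PIX 506 (PIX 6.3): static peer entry replaced by a dynamic map ---
: Remove the entry that requires the peer to be exactly 2.2.2.2
no crypto map outside_map 30
:
: A dynamic map accepts a peer whose address is not known in advance.
: "dynmap" is a name chosen for this example.
crypto dynamic-map dynmap 10 match address outside_cryptomap_30
crypto dynamic-map dynmap 10 set pfs group5
crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
:
: The dynamic entry takes the highest sequence number so that any
: remaining static entries are tried first.
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
:
: The key selector must match any address the 501 may get over PPPoE;
: a wildcard selector does that. <psk> is a placeholder, not a real key.
isakmp enable outside
isakmp key <psk> address 0.0.0.0 netmask 0.0.0.0
:
: Tunnel traffic bypasses the interface ACLs, so the "for debugging"
: icmp any any line is unnecessary; permit only the ICMP replies that
: hosts behind the firewall actually need (ping answers, path-MTU
: unreachables, traceroute time-exceeded), not redirects.
sysopt connection permit-ipsec
no access-list fwoutside permit icmp any any
access-list fwoutside permit icmp any any echo-reply
access-list fwoutside permit icmp any any unreachable
access-list fwoutside permit icmp any any time-exceeded
:
: Copy the log to a syslog host so the isakmp/ipsec debug output
: survives a reload (192.0.2.10 is a constructed placeholder address).
logging on
logging trap debugging
logging host inside 192.0.2.10
```

With a dynamic map the 506 cannot initiate, so the tunnel has to be brought up by traffic from the 501 side, as the reply says; the 501 keeps a static map pointing at the 506's fixed outside address.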