Re: Access to remote network across a VPN



%PIX-3-305006: portmap translation creation failed for icmp src inside-HBG:10.3.0.5 dst inside-HBG:10.2.0.5 (type 8, code 0)

If the PIX tried to create a translation for 10.3 to 10.2, it means
that you have a missing line in your nat 0 statement for the inside
(your nat_inside acl).



"Scott Townsend" <scott-i@.-N0-SPAMplease.enm.com> wrote in message
news:snimg.55151$Lm5.2450@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I do have that in there. I think I messed something else up.

I can no longer initiate a communication from 10.1.0.0 to 10.2.0.0

I can initiate connections from 10.2.0.0 to 10.1.0.0

So I can terminal serve, access server shares, etc to machines in 10.1.0.0
from 10.2.0.0 but not the other way around...

Now I'm getting the following in the log of PIX A:

%PIX-3-305006: portmap translation creation failed for icmp src inside-HBG:10.3.0.5 dst inside-HBG:10.2.0.5 (type 8, code 0)

I'm at the location of PIX B, I can't leave till I can reach PIX B from
Site A!!! AARRGG!!!

Scott<-

"mcaissie" <mcaissie@xxxxxxxxxxxxxxxxxxx> wrote in message
news:4cimg.66501$I61.55274@xxxxxxxxxxx
On PIX A you will need a static route for the 10.3.0.0 network pointing
to the T1 router:

route inside 10.3.0.0 255.255.255.0 10.1.0.x



"Scott Townsend" <scott-i@.-N0-SPAMplease.enm.com> wrote in message
news:VPgmg.26478$VE1.23030@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have the following setup

10.3.0.0 <--T1 Link-->10.1.0.0 <--PIX A--> Internet <--PIX B-->
10.2.0.0

I can talk from
10.1.0.0 to 10.3.0.0
10.3.0.0 to 10.1.0.0
10.1.0.0 to 10.2.0.0
10.2.0.0 to 10.1.0.0

I'd like to be able to talk from
10.2.0.0 to 10.3.0.0
10.3.0.0 to 10.2.0.0

Seems that my packet leaving 10.3.0.0 hits the PIX on 10.1.0.0, but it
does not know to send it over the VPN link.

How does routing work over a VPN?

Traceroute from 10.2.0.0 to 10.3.0.0 dies at PIX B

Traceroute from 10.3.0.0 to 10.2.0.0 dies at PIX A

Both PIXs are set up similarly to this:

access-list inside_nat extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list inside_nat extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0

access-list outside-SF_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_nat0_outbound extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_nat0_outbound extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0

access-list outside-SF_nat0_inbound extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_nat0_inbound extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0

access-list outside-SF_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0

access-list charlie_tunnel extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list charlie_tunnel extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0

nat (outside-SF) 0 access-list outside-SF_nat0_outbound
nat (outside-SF) 0 access-list outside-SF_nat0_inbound outside
nat (inside-SF) 0 access-list inside_nat
nat (inside-SF) 1 10.2.0.0 255.255.0.0
nat (dmz-sf) 0 access-list dmz-sf_nat0_outbound
access-group acl_outside in interface outside-SF
route outside-SF 0.0.0.0 0.0.0.0 <gateway IP> 1

group-policy charlie internal
group-policy charlie attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value charlie_tunnel

crypto map outside-SF_map 20 match address outside-SF_cryptomap_20
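As an added illustration of the NAT-exemption point raised in the thread (this is not code from any of the posters): a small Python checker that parses the access-list entries of a PIX config and reports crypto-map traffic sourced behind the inside interface that has no covering nat 0 exemption, which is the condition behind the PIX-3-305006 failure quoted above. The PIX A config fragment, the inside network list and the function names are constructed assumptions modelled on the PIX B config posted above.

```python
import ipaddress
import re

# Constructed PIX A fragment (not from the thread), mirroring the posted PIX B config.
# PIX A's inside holds 10.1.0.0/16 and, via the T1, 10.3.0.0/16; the 10.3 -> 10.2
# exemption is deliberately absent so the checker has something to find.
PIX_A_CONFIG = """
access-list inside_nat extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside-SF_cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
nat (inside-SF) 0 access-list inside_nat
"""

# Matches "access-list NAME extended permit ip SRC SMASK DST DMASK" (network/mask form only).
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # nat/route/crypto lines and non-ip entries are ignored
        name, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, []).append((
            ipaddress.ip_network(f"{src}/{smask}"),
            ipaddress.ip_network(f"{dst}/{dmask}"),
        ))
    return acls

def missing_nat0(config, crypto_acl, nat0_acl, inside_nets):
    """Crypto-map entries sourced behind 'inside' that no nat 0 exemption covers."""
    acls = parse_acls(config)
    inside = [ipaddress.ip_network(n) for n in inside_nets]
    exempt = acls.get(nat0_acl, [])
    missing = []
    for src, dst in acls.get(crypto_acl, []):
        if not any(src.subnet_of(n) for n in inside):
            continue  # sourced from the far side; nat (inside) 0 does not apply to it
        if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
            missing.append(f"{src} -> {dst}")  # this flow would fail translation
    return missing
```

Run against the constructed PIX A fragment, the checker reports only `10.3.0.0/16 -> 10.2.0.0/16`, the same flow as the quoted log line; adding the corresponding inside_nat entry clears it.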