headers
alastair.johnson | 2 Dec 2003 02:52
Picon
Picon

cisco PIX VPN tunnel config problem

I'm having a problem configuring a couple of cisco PIX 501
units to provide a VPN tunnel between the office and a 
branch location.

I can make the tunnel and I can get as far as forcing all 
traffic at the branch down the tunnel and not try to NAT 
anything directly out the branch's ADSL line.

The problem is the PIX at the office end. I want the traffic
from the branch that uses private IP addresses and that emerges 
out of the tunnel to go through a masquerading firewall
so that I can better analyse/filter the traffic and NAT
it back to a public IP address. The problem is therefore
that I need the office PIX's inside interface to send all
traffic that is not to/from the branch's private IP address
network to the masquerading firewall inside the office. This 
means I need the default route to be defined on the inside 
interface of the office PIX and just define a single static 
route for the outside interface to define all traffic to the 
VPN peer IP address to go through the office outside router.
ie,:
  route inside 0 0 10.12.0.1
  route outside 213.16.240.80 255.255.255.255 163.1.63.254

The office PIX appears to accept these commands but then
the VPN tunnel doesnt work.

Reverting to:
  route outside 0 0 163.1.63.254
  route inside 163.1.63.0 255.255.255.0 10.12.0.1
(Continue reading)

Permalink | Reply | 1 comment |
headers
Kelly Koons | 2 Dec 2003 06:39
Picon
Favicon

IPSec on configration on Yamaha router RTX1000 -

This might sound interesting to you guys. But has anyone worked before setting up

Lan2Lan VPN using Yamaha router YAMAHA RTX1000. Any information/documentation would be appreciated.

 

Thanks

-kelly

Join the Yahoo! Search Contest
- Stand a chance to win prizes!

_______________________________________________
VPN mailing list
VPN <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
Permalink | Reply | 0 comments |
headers
Dana J. Dawson | 3 Dec 2003 21:04
Favicon

Re: cisco PIX VPN tunnel config problem

You also need a route to the branch site's private address(es) that 
points out the outside interface.  The traffic going through the VPN has 
to first be routed out the interface which terminates the VPN.  
Ordinarily this is done with a default route, but a more specific route 
will work too, as long as it includes the remote destination network(s).

Make sense?

-- 
Dana J. Dawson                     djdawso <at> qwest.com
Sr. Staff Engineer                 CCIE #1937
Qwest Communications               (612) 664-3364
600 Stinson Blvd., Suite 1S        (612) 664-4778 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."

alastair.johnson <at> unix1.trinity.ox.ac.uk wrote:

>I'm having a problem configuring a couple of cisco PIX 501
>units to provide a VPN tunnel between the office and a 
>branch location.
>
>I can make the tunnel and I can get as far as forcing all 
>traffic at the branch down the tunnel and not try to NAT 
>anything directly out the branch's ADSL line.
>
>The problem is the PIX at the office end. I want the traffic
>from the branch that uses private IP addresses and that emerges 
>out of the tunnel to go through a masquerading firewall
>so that I can better analyse/filter the traffic and NAT
>it back to a public IP address. The problem is therefore
>that I need the office PIX's inside interface to send all
>traffic that is not to/from the branch's private IP address
>network to the masquerading firewall inside the office. This 
>means I need the default route to be defined on the inside 
>interface of the office PIX and just define a single static 
>route for the outside interface to define all traffic to the 
>VPN peer IP address to go through the office outside router.
>ie,:
>  route inside 0 0 10.12.0.1
>  route outside 213.16.240.80 255.255.255.255 163.1.63.254
>
>The office PIX appears to accept these commands but then
>the VPN tunnel doesnt work.
>
>Reverting to:
>  route outside 0 0 163.1.63.254
>  route inside 163.1.63.0 255.255.255.0 10.12.0.1
>
>does work - the VPN tunnel works - but then remote machines
>at the other end of the tunnel can only get to office machines
>ie, in 163.1.63
>It would be rather tiresome to have to define static routes
>for the whole of the internet subnet by subnet!
>
>What i just dont get is why the tunnel doesnt work with
>  route outside 213.16.240.80 255.255.255.255 163.1.63.254
>where 213.16.240.80 is the IP address of the PIX at the
>other end:
>  crypto map branch 10 set peer 213.16.240.80
>  isakmp key ******** address 213.16.240.80 netmask 255.255.255.255
>
>I have also tried:
>  route outside 213.16.240.0 255.255.255.0 163.1.63.254
>but that doesnt work with the VPN tunnel either.
>
>The PIX is running 6.2 (see detailed config below) but I know
>that 6.3 is out. I dont know if this "firmware" upgrade would help. 
>
>If anyone knows why I cant make a VPN tunnel with a default route
>on the inside and a single route to the VPN peer on the outside
>interface then please let me know. I would be very appreciative.
>
>Many thanks,
>
>Sincerely,
>
>A. Johnson
>
>----------------------------------------------------------------
>Cisco PIX Firewall Version 6.2(2)
>Cisco PIX Device Manager Version 2.0(2)
>
>Compiled on Fri 07-Jun-02 17:49 by morlee
>
>officepix up 6 hours 30 mins
>
>Hardware:   PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
>Flash E28F640J3  <at>  0x3000000, 8MB
>BIOS Flash E28F640J3  <at>  0xfffd8000, 128KB
>
>0: ethernet0: address is 000b.be57.63ef, irq 9
>1: ethernet1: address is 000b.be57.63f0, irq 10
>Licensed Features:
>Failover:           Disabled
>VPN-DES:            Enabled
>VPN-3DES:           Enabled
>Maximum Interfaces: 2
>Cut-through Proxy:  Enabled
>Guards:             Enabled
>URL-filtering:      Enabled
>Inside Hosts:       10
>Throughput:         Limited
>IKE peers:          5
>
>Serial Number: 806505814 (0x30124d56)
>Running Activation Key: 0x56dd0701 0xa800be04 0xc2bcc8d0 0xf6e11654
>Configuration last modified by enable_15 at 16:33:25.310 UTC Mon Dec 1 2003
>
>------------------ show config (run time) ------------------
>
>:
>PIX Version 6.2(2)
>nameif ethernet0 outside security0
>nameif ethernet1 inside security100
>_______________________________________________
>VPN mailing list
>VPN <at> lists.shmoo.com
>http://lists.shmoo.com/mailman/listinfo/vpn
>
>  
>
Permalink | Reply | 0 comments |
headers
Arijit.Mukherjee | 4 Dec 2003 07:51
Picon

Tunneling Between Cisco 2503 and Nortel ARN router

Dear Sir

I want to establish a GRE tunnel between Cisco 2503 and Nortel ARN router.
After configuring the tunnel between these two routers it is showing that
the status is up on both the ends but it was not pinging.Can you provide me
any solution of this situation.

Thanks & Regards
Arijit Mukherjee
Haldia Petrochemicals Limited
Haldia
Phone No. - 953224274384/877/007
Extn. - 3090
Permalink | Reply | 1 comment |
headers
Little, Mike (BHS | 4 Dec 2003 17:19

Contivity 2700 to PIX 515 config.

All,

 

I'll keep this brief.  I have a Nortel Contivity 2700 that I'm setting up a site-to-site with a PIX 515.  It's a pretty straight setup - no NAT, etc.  I can initiate the tunnel fine from my end, but can't ping anything in their network.  They are not able to bring up the tunnel from the PIX side.  With the tunnel up, I'm seeing packets leaving my Contivity and, judging by what I've seen in their log files, see them arriving on their side.

 

I'm very familiar with the Contivity configs but much less familiar with the PIX.  I think it's their problem but don't know what to suggest or look for.

 

If someone has any suggestions, or can point me to some configuration information for these devices, it would be very much appreciated.

 

 

As always, thanks for the help,

 

Mike Little

Network Services

Baptist Healthcare System

 

 

_______________________________________________
VPN mailing list
VPN <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
Permalink | Reply | 2 comments |
headers
Jean-Francois Dive | 5 Dec 2003 09:42

Re: Contivity 2700 to PIX 515 config.

it is probably a little bit low on information to provide any possible
help

J.

On Thu, Dec 04, 2003 at 11:19:23AM -0500, Little, Mike (BHS) wrote:
> All,
> 
>  
> 
> I'll keep this brief.  I have a Nortel Contivity 2700 that I'm setting up a
> site-to-site with a PIX 515.  It's a pretty straight setup - no NAT, etc.  I
> can initiate the tunnel fine from my end, but can't ping anything in their
> network.  They are not able to bring up the tunnel from the PIX side.  With
> the tunnel up, I'm seeing packets leaving my Contivity and, judging by what
> I've seen in their log files, see them arriving on their side.
> 
>  
> 
> I'm very familiar with the Contivity configs but much less familiar with the
> PIX.  I think it's their problem but don't know what to suggest or look for.
> 
>  
> 
> If someone has any suggestions, or can point me to some configuration
> information for these devices, it would be very much appreciated.
> 
>  
> 
>  
> 
> As always, thanks for the help,
> 
>  
> 
> Mike Little
> 
> Network Services
> 
> Baptist Healthcare System
> 
>  
> 
>  
> 

> _______________________________________________
> VPN mailing list
> VPN <at> lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

--

-- 

-> Jean-Francois Dive
--> jef <at> linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
  -- Oscar Wilde
Permalink | Reply | 0 comments |
headers
Siddhartha Jain | 5 Dec 2003 13:47
Picon
Favicon

Re: Tunneling Between Cisco 2503 and Nortel ARN router

Arijit,

Provide more information about the network topology.
>From where are you pinging and to which host?? Did you
try to traceroute?

 --- Arijit.Mukherjee <at> hpl.co.in wrote: > Dear Sir
> 
> I want to establish a GRE tunnel between Cisco 2503
> and Nortel ARN router.
> After configuring the tunnel between these two
> routers it is showing that
> the status is up on both the ends but it was not
> pinging.Can you provide me
> any solution of this situation.
> 
> Thanks & Regards
> Arijit Mukherjee
> Haldia Petrochemicals Limited
> Haldia
> Phone No. - 953224274384/877/007
> Extn. - 3090
> 
> _______________________________________________
> VPN mailing list
> VPN <at> lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn 

________________________________________________________________________
Download Yahoo! Messenger now for a chance to win Live At Knebworth DVDs
http://www.yahoo.co.uk/robbiewilliams
Permalink | Reply | 0 comments |
headers
Siddhartha Jain | 5 Dec 2003 13:57
Picon
Favicon

Re: Contivity 2700 to PIX 515 config.

Mike,

Check this 
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Depending on the PIX config, they might need to add
extra access-lists to allow the traffic from the
tunnel.

Its a example configuration of a simple IPSec tunnel
between two PIX firewalls. This should give you an
idea of where you are going wrong.

 --- "Little, Mike (BHS)" <MLittle <at> bhsi.com> wrote: >
All,
> 
>  
> 
> I'll keep this brief.  I have a Nortel Contivity
> 2700 that I'm setting up a
> site-to-site with a PIX 515.  It's a pretty straight
> setup - no NAT, etc.  I
> can initiate the tunnel fine from my end, but can't
> ping anything in their
> network.  They are not able to bring up the tunnel
> from the PIX side.  With
> the tunnel up, I'm seeing packets leaving my
> Contivity and, judging by what
> I've seen in their log files, see them arriving on
> their side.
> 
>  
> 
> I'm very familiar with the Contivity configs but
> much less familiar with the
> PIX.  I think it's their problem but don't know what
> to suggest or look for.
> 
>  
> 
> If someone has any suggestions, or can point me to
> some configuration
> information for these devices, it would be very much
> appreciated.
> 
>  
> 
>  
> 
> As always, thanks for the help,
> 
>  
> 
> Mike Little
> 
> Network Services
> 
> Baptist Healthcare System
> 
>  
> 
>  
> 
> > _______________________________________________
> VPN mailing list
> VPN <at> lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn 

________________________________________________________________________
Download Yahoo! Messenger now for a chance to win Live At Knebworth DVDs
http://www.yahoo.co.uk/robbiewilliams
Permalink | Reply | 0 comments |
headers
Zimmerman, Mark | 5 Dec 2003 15:36

RE: Contivity 2700 to PIX 515 config.

Mike,
 
We've tested both the Nortel Contivity 2700 and the PIX against each other in our Interoperability Tests.
Detailed Configuration information is documented in each of the product Lab Reports at:
 
 
Also on the front page is an Advanced Troubleshooting Guide with steps to help troubleshoot
problems such as these.
 
If we can assist further, please let me know.
 
Regards,
 
-----Original Message-----
From: vpn-bounces+mzimmerman=icsalabs.com <at> lists.shmoo.com [mailto:vpn-bounces+mzimmerman=icsalabs.com <at> lists.shmoo.com] On Behalf Of Little, Mike (BHS)
Sent: Thursday, December 04, 2003 11:19 AM
To: vpn <at> lists.shmoo.com
Subject: [VPN] Contivity 2700 to PIX 515 config.

All,

 

I'll keep this brief.  I have a Nortel Contivity 2700 that I'm setting up a site-to-site with a PIX 515.  It's a pretty straight setup - no NAT, etc.  I can initiate the tunnel fine from my end, but can't ping anything in their network.  They are not able to bring up the tunnel from the PIX side.  With the tunnel up, I'm seeing packets leaving my Contivity and, judging by what I've seen in their log files, see them arriving on their side.

 

I'm very familiar with the Contivity configs but much less familiar with the PIX.  I think it's their problem but don't know what to suggest or look for.

 

If someone has any suggestions, or can point me to some configuration information for these devices, it would be very much appreciated.

 

 

As always, thanks for the help,

 

Mike Little

Network Services

Baptist Healthcare System

 

 

_______________________________________________
VPN mailing list
VPN <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
Permalink | Reply | 0 comments |
headers
vpn-bounces | 7 Dec 2003 07:30

Your message to VPN awaits moderator approval

Your mail to 'VPN' with the subject

    Samba with PPTP

Is being held until the list moderator can review it for approval.

The reason it is being held:

    Post to moderated list

Either the message will get posted to the list, or you will receive
notification of the moderator's decision.  If you would like to cancel
this posting, please visit the following URL:

    http://lists.shmoo.com/mailman/confirm/vpn/e4d0e3ba03afbca2b3d8c886c0c103df7f59a008
Permalink | Reply | 0 comments |

Gmane