Posted by on December 28, 2005, 1:06 pm
Hey all,
I have a strange question. We are trying to use two PIX 501s to secure
traffic between two wireless access points. There is no router between
the two access points. I currently have a lab setup with the two PIXs,
connecting them with a crossover cable between their outside
interfaces.
I can get the tunnel to come up with no problem, but no traffic will
pass between the 2 inside interfaces. I have a computer connected to
each inside interface of each Pix with the default gateway set to the
inside interface of each computer's corresponding Pix.
Here is the config from the Pix1:
: Saved
: Written by enable_15 at 11:49:28.125 UTC Wed Dec 28 2005
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname Pix1
domain-name something.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 80 permit ip 10.16.0.0 255.255.0.0 10.16.2.0 255.255.255.0
pager lines 24
icmp permit any echo outside
icmp permit any echo inside
mtu outside 1500
mtu inside 1500
ip address outside 10.16.1.2 255.255.255.0
ip address inside 10.16.0.221 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 80
route outside 0.0.0.0 0.0.0.0 10.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
crypto map toRemotePix 10 ipsec-isakmp
crypto map toRemotePix 10 match address 80
crypto map toRemotePix 10 set peer 10.16.1.1
crypto map toRemotePix 10 set transform-set vpnset
crypto map toRemotePix interface outside
isakmp enable outside
isakmp key atmconnection address 10.16.1.1 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption aes
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:0de231c6c91acbf0282ffbf1d1ca209e
: end
The other PIX is exactly the same; just reverse the src and dst IP
addresses in the access list, and the IPs are different of course.
Any help would be greatly appreciated.
Posted by Walter Roberson on December 29, 2005, 1:07 pm
:I have a strange question. We are trying to use 2 Pix 501's to secure
:traffic between 2 wireless access points.
:I can get the tunnel to come up with no problem, but no traffic will
:pass between the 2 inside interfaces.
:PIX Version 6.3(5)
:access-list 80 permit ip 10.16.0.0 255.255.0.0 10.16.2.0 255.255.255.0
:ip address outside 10.16.1.2 255.255.255.0
:ip address inside 10.16.0.221 255.255.0.0
Your inside network is 10.16/16 and your outside network is
10.16.1/24 which is a subnet of your inside network. You should
not expect that to work.
:nat (inside) 0 access-list 80
Your inside network is 10.16/16 and your nat 0 access-list implies
that you will be attempting to communicate with 10.16.2/24. You
should not expect that to work.
:sysopt connection permit-ipsec
Okay, that explains why you don't have any outside access lists.
:crypto map toRemotePix 10 match address 80
:crypto map toRemotePix 10 set peer 10.16.1.1
There are not many situations on the PIX in which you can
safely reuse an access list. You should copy the contents of
the access list under a different name and use that as ACL
for "match address" purposes. PIX 6.x software may internally
modify ACLs for its own purposes. Some of the instances of
that are documented, but others are not.
Small note: on the PIX, you do not need to use numbers as the
ACL labels, you can use names such as "tunnel_acl" instead.
--
Prototypes are supertypes of their clones. -- maplesoft
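The overlap Walter points out can be checked mechanically. The following is an added example, not code from the thread: it parses the `ip address` and `access-list` lines of the posted Pix1 config (a constructed excerpt of it is embedded) with Python's ipaddress module and reports where the inside network swallows the outside network or the crypto ACL's destination. The function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the Pix1 config posted above (only the lines
# the check needs; the addresses are the poster's own).
PIX1_CONFIG = """\
access-list 80 permit ip 10.16.0.0 255.255.0.0 10.16.2.0 255.255.255.0
ip address outside 10.16.1.2 255.255.255.0
ip address inside 10.16.0.221 255.255.0.0
"""

IFACE_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_interfaces(config):
    """Map interface name -> IPv4Network from 'ip address <if> <ip> <mask>'."""
    nets = {}
    for line in config.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            name, ip, mask = m.groups()
            # PIX masks are dotted; IPv4Interface accepts "ip/dotted-mask".
            nets[name] = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    return nets

def parse_acl(config, acl_id):
    """Return [(src_net, dst_net)] for the 'permit ip' entries of one ACL."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_id:
            _, src, smask, dst, dmask = m.groups()
            entries.append((ipaddress.IPv4Network(f"{src}/{smask}"),
                            ipaddress.IPv4Network(f"{dst}/{dmask}")))
    return entries

def find_overlaps(config, crypto_acl):
    """List the overlaps Walter describes: inside vs outside interface
    networks, and crypto-ACL source (local LAN) vs destination (remote LAN)."""
    problems = []
    ifaces = parse_interfaces(config)
    inside, outside = ifaces.get("inside"), ifaces.get("outside")
    if inside and outside and inside.overlaps(outside):
        problems.append(f"inside {inside} overlaps outside {outside}")
    for src, dst in parse_acl(config, crypto_acl):
        if src.overlaps(dst):
            problems.append(f"ACL {crypto_acl}: src {src} overlaps dst {dst}")
    return problems
```

Run against the posted config it reports both overlaps; against a config whose inside and remote LANs are disjoint /24s outside the transit subnet it reports nothing.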