Question : PIX to PIX to PIX Fully Meshed - Sites 1 and 2 work fine but can't talk to Site 3, but Site 3 can talk to Site 1 and 2????
2 PIX 520, 1 PIX 506.
Followed the Cisco documentation for setting up PIX to PIX to PIX Fully Meshed.
Sites 1 and 2 are fully functional: servers at either site are visible from the other site.
Site 3 can talk to Sites 1 and 2: it sees servers at either site.
Sites 1 and 2 can not talk to Site 3: servers at 1 and 2 can't get to the Site 3 subnet??
What am I missing?
Site 1 Configuration

show crypto ipsec sa output for the Site 1 to Site 3 tunnel:

   local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: IP:500
   dynamic allocated peer ip: 0.0.0.0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2014, #pkts encrypt: 2014, #pkts digest 2014
    #pkts decaps: 1849, #pkts decrypt: 1849, #pkts verify 1849
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: IPSite1, remote crypto endpt.: IPSite3
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 55c811f9

     inbound esp sas:
      spi: 0xb7fcec62(3086806114)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5, crypto map: tonlpix
        sa timing: remaining key lifetime (k/sec): (4607606/271)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x55c811f9(1439175161)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 6, crypto map: tonlpix
        sa timing: remaining key lifetime (k/sec): (4607565/271)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
churchpix(config)# show crypto isakmp sa
Total     : 2
Embryonic : 0
        dst               src        state     pending     created
    Site2IP           SITE1IP       QM_IDLE         0           2
    Site3IP           Site1IP       QM_IDLE         0           2

churchpix(config)# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet2 vlan10 logical
interface ethernet2 vlan20 logical
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security10
nameif vlan10 wlan_10_m7cl security1
nameif vlan20 wlan_20_efc security1
enable password DvJtRb4iQJWgid.l encrypted
passwd rDvqQ7QpsNN9g3ZX encrypted
hostname churchpix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 90 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 91 permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 91 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 91 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 91 permit ip 192.168.0.0 255.255.255.0 10.0.6.0 255.255.255.0
access-list 91 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list 92 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
ip address outside site1ip 255.255.255.224
ip address inside 192.168.0.253 255.255.255.0
ip address dmz1 10.0.11.1 255.255.255.0
no ip address dmz2
ip address wlan_10_m7cl 10.0.12.1 255.255.255.0
ip address wlan_20_efc 10.0.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 192.168.100.1-192.168.100.254
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz1
no failover ip address dmz2
no failover ip address wlan_10_m7cl
no failover ip address wlan_20_efc
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.100.0 255.255.255.0 inside
pdm location 192.168.0.191 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 91
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (wlan_10_m7cl) 1 0.0.0.0 0.0.0.0 0 0
nat (wlan_20_efc) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 IPGateware 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server vpn-auth protocol radius
aaa-server vpn-auth max-failed-attempts 3
aaa-server vpn-auth deadtime 10
aaa-server vpn-auth (inside) host 192.168.0.191 password timeout 5
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
snmp-server host inside 192.168.0.191
snmp-server location happytown
snmp-server contact me
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map map2 10 set transform-set strong
crypto map tonlpix 20 ipsec-isakmp
crypto map tonlpix 20 match address 90
crypto map tonlpix 20 set peer IPSITE2
crypto map tonlpix 20 set transform-set strong
crypto map tonlpix 30 ipsec-isakmp
crypto map tonlpix 30 match address 92
crypto map tonlpix 30 set peer IPSITE3
crypto map tonlpix 30 set transform-set strong
crypto map tonlpix 80 ipsec-isakmp dynamic map2
crypto map tonlpix client authentication vpn-auth
crypto map tonlpix interface outside
isakmp enable outside
isakmp key ******** address IPSITE2 netmask 255.255.255.255
isakmp key ******** address IPSITE3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup vpn2 address-pool vpnpool1
vpngroup vpn2 dns-server 192.168.0.190 192.168.0.202
vpngroup vpn2 default-domain cisco.com
vpngroup vpn2 split-tunnel 101
vpngroup vpn2 idle-time 1800
vpngroup vpn2 password ********
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 10.0.12.2-10.0.12.10 wlan_10_m7cl
dhcpd address 10.0.10.2-10.0.10.100 wlan_20_efc
dhcpd dns 209.234.64.240 192.168.0.190
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain pix.com
dhcpd enable wlan_20_efc
terminal width 80
Cryptochecksum:f61eed5e5b10032750179203aa936d63
: end
[OK]
churchpix(config)#
SITE 3 Config
college(config)# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DvJtRb4iQJWgid.l encrypted
passwd rDvqQ7QpsNN9g3ZX encrypted
hostname college
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 91 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 91 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 92 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside SITE3IP 255.255.255.224
ip address inside 192.168.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 91
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 IPGATEWAY 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.191
snmp-server location happy place
snmp-server contact help me
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set strong2 esp-3des esp-sha-hmac
crypto map site2sitevpn 20 ipsec-isakmp
crypto map site2sitevpn 20 match address 90
crypto map site2sitevpn 20 set peer SITE2IP
crypto map site2sitevpn 20 set transform-set strong
crypto map site2sitevpn 30 ipsec-isakmp
crypto map site2sitevpn 30 match address 92
crypto map site2sitevpn 30 set peer SITE1IP
crypto map site2sitevpn 30 set transform-set strong
crypto map site2sitevpn interface outside
isakmp enable outside
isakmp key ******** address SITE2IP netmask 255.255.255.255
isakmp key ******** address SITE1IP netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.2.2-192.168.2.239 inside
dhcpd dns 192.168.0.190 192.168.1.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:1e7f5d6d9dbff9c0c050a6eec383b7e5
: end
[OK]
college(config)#
THANKS FOR HELPING!
Answer : PIX to PIX to PIX Fully Meshed - Sites 1 and 2 work fine but can't talk to Site 3, but Site 3 can talk to Site 1 and 2????
Change your isakmp policy at site 3 to use group 2:

>isakmp policy 10 group 1          <= should be group 2
>isakmp policy 10 lifetime 86400   <= match the other site: isakmp policy 10 lifetime 28800
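A small check script, added here and not part of the thread or of Cisco's tooling, for the two things a fully meshed PIX setup hinges on: the crypto ACLs on both ends of a tunnel must be mirror images, and the peers must share an ISAKMP phase-1 proposal. The config excerpts are the relevant lines of the Site 1 and Site 3 configs posted above (the placeholder peer names IPSITE3 and SITE1IP are kept as the poster wrote them); SITE3_CHANGED is Site 3 with the edit the answer proposes applied.

```python
import re

def acl_entries(cfg, name):
    """(src, smask, dst, dmask) tuples of every 'access-list NAME permit ip' line."""
    return set(re.findall(rf"access-list {name} permit ip (\S+) (\S+) (\S+) (\S+)", cfg))

def crypto_acl_toward(cfg, peer):
    """Entries of the crypto ACL bound to the crypto-map sequence whose 'set peer' is PEER."""
    for mapname, seq, p in re.findall(r"crypto map (\S+) (\d+) set peer (\S+)", cfg):
        if p == peer:
            acl = re.search(rf"crypto map {mapname} {seq} match address (\S+)", cfg).group(1)
            return acl_entries(cfg, acl)
    return set()

def unmirrored(cfg_a, b_peer_name, cfg_b, a_peer_name):
    """ACL lines on either side that the other side does not mirror (empty set == good)."""
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in crypto_acl_toward(cfg_a, b_peer_name)}
    return mirrored ^ crypto_acl_toward(cfg_b, a_peer_name)

def isakmp_policies(cfg):
    """{policy number: {attribute: value}} from the 'isakmp policy N attr value' lines."""
    pol = {}
    for num, attr, val in re.findall(r"isakmp policy (\d+) (\w+) (\S+)", cfg):
        pol.setdefault(num, {})[attr] = val
    return pol

def matching_policies(cfg_a, cfg_b, attrs=("authentication", "encryption", "hash", "group", "lifetime")):
    """(a_policy, b_policy) pairs that agree on every attribute in ATTRS."""
    pa, pb = isakmp_policies(cfg_a), isakmp_policies(cfg_b)
    return [(x, y) for x in pa for y in pb if all(pa[x].get(k) == pb[y].get(k) for k in attrs)]

# Lines lifted from the Site 1 and Site 3 configs in the post; ' ; ' separates commands.
SITE1 = """access-list 92 permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map tonlpix 30 match address 92 ; crypto map tonlpix 30 set peer IPSITE3
isakmp policy 9 authentication pre-share ; isakmp policy 9 encryption 3des
isakmp policy 9 hash sha ; isakmp policy 9 group 1 ; isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share ; isakmp policy 10 encryption 3des
isakmp policy 10 hash sha ; isakmp policy 10 group 2 ; isakmp policy 10 lifetime 28800
""".replace(" ; ", "\n")
SITE3 = """access-list 92 permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto map site2sitevpn 30 match address 92 ; crypto map site2sitevpn 30 set peer SITE1IP
isakmp policy 10 authentication pre-share ; isakmp policy 10 encryption 3des
isakmp policy 10 hash sha ; isakmp policy 10 group 1 ; isakmp policy 10 lifetime 86400
""".replace(" ; ", "\n")
# Site 3 with the answer's suggested edit applied (group 2, lifetime 28800); constructed.
SITE3_CHANGED = SITE3.replace("group 1", "group 2").replace("lifetime 86400", "lifetime 28800")

if __name__ == "__main__":
    print(unmirrored(SITE1, "IPSITE3", SITE3, "SITE1IP"), matching_policies(SITE1, SITE3),
          matching_policies(SITE1, SITE3_CHANGED))
```

Pass `attrs=("authentication", "encryption", "hash", "group")` to ignore lifetime when comparing, since a lifetime difference is handled by negotiation rather than by a hard mismatch.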