
[CISCO PIX]VPN IPSec problem


Archived from groups: comp.security.firewalls

 

Hi,

I've just configured an IPSec tunnel between a PIX 525 and a PIX 501, but my
problem is that the first time I want to up the tunnel, I need to generate
flow from the remote network (behind the 501) to the local network (behind
the 525) AND another flow simultaneously from the local network to the
remote network... If I don't do that... the tunnel refuses to permit any
traffic...

In reality, it's not always possible for me to initiate a flow from the
remote LAN to the local one...
So, here is my question:
How can I obtain the fully "upped" VPN as soon as I initiate a flow
from my local network to the remote one???
What is the problem in my configuration? I don't understand...


Best regards,
Laurent.



Here is a sample of my configuration :

Remote Net<-->PIX501<---WAN--->PIX525<-->Local Net
With :
Remote Net = 192.168.2.0/24
PIX501's IP = 192.168.2.1 and 172.16.2.1 (Wan IP)
PIX525's IP = 192.168.1.1 and 172.16.1.1 (Wan IP)
Local Net = 192.168.1.0/24

Sample of the config on the PIX 501:
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map central 20 ipsec-isakmp
crypto map central 20 match address 90
crypto map central 20 set peer 172.16.1.1
crypto map central 20 set transform-set strong
crypto map central interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 172.16.1.1 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 10
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400


Sample of the config on the PIX 525:
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map remote 20 ipsec-isakmp
crypto map remote 20 match address 90
crypto map remote 20 set peer 172.16.2.1
crypto map remote 20 set transform-set strong
crypto map remote interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 172.16.2.1 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 10
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
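One thing a reviewer would check in a pair of PIX configurations like the ones above is the crypto access lists that the crypto maps reference via `match address`. Cisco's guidance for crypto ACLs is that each peer's ACL describes only that peer's own local-to-remote traffic (the PIX derives the return direction itself), and that the two peers' crypto ACLs are mirror images of each other; a crypto ACL that carries both directions, as `access-list 90` does on both PIXes in the post, is the kind of thing worth flagging before debugging the tunnel further. The script below is an added example, not code from Cisco, from the poster, or from this forum: it parses the two configuration fragments exactly as posted (embedded here as constants), locates the ACLs bound to a crypto map, and reports entries that appear in both directions within one crypto ACL as well as entries that have no mirror image on the other peer. It models only `permit ip <net> <mask> <net> <mask>` entries, which is all the posted configs use; the peer labels `PIX501` and `PIX525` and the `_ONEWAY` variants are constructed for the example.

```python
"""Mirror-image checker for Cisco PIX crypto access lists (added example)."""
import re
from typing import Dict, List, Tuple

# (src_net, src_mask, dst_net, dst_mask)
Entry = Tuple[str, str, str, str]

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)\s*$")

# Crypto-relevant lines of the two PIX configs, copied from the post.
PIX501_CFG = """
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map central 20 ipsec-isakmp
crypto map central 20 match address 90
crypto map central 20 set peer 172.16.1.1
"""
PIX525_CFG = """
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map remote 20 ipsec-isakmp
crypto map remote 20 match address 90
crypto map remote 20 set peer 172.16.2.1
"""
# Constructed variants with only the local-to-remote entry on each peer.
PIX501_ONEWAY = """
access-list 90 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map central 20 match address 90
"""
PIX525_ONEWAY = """
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map remote 20 match address 90
"""


def parse_pix(config: str) -> Tuple[Dict[str, List[Entry]], List[str]]:
    """Return (acls_by_name, names_of_acls_bound_to_a_crypto_map)."""
    acls: Dict[str, List[Entry]] = {}
    crypto_acl_names: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append((src, smask, dst, dmask))
            continue
        m = MATCH_RE.match(line)
        if m and m.group(1) not in crypto_acl_names:
            crypto_acl_names.append(m.group(1))
    return acls, crypto_acl_names


def reverse(entry: Entry) -> Entry:
    """Swap source and destination of an ACL entry."""
    src, smask, dst, dmask = entry
    return (dst, dmask, src, smask)


def check_crypto_acls(name_a: str, cfg_a: str, name_b: str, cfg_b: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    findings: List[str] = []
    crypto_entries: Dict[str, List[Entry]] = {}
    for name, cfg in ((name_a, cfg_a), (name_b, cfg_b)):
        acls, bound = parse_pix(cfg)
        entries: List[Entry] = []
        for acl in bound:
            if acl not in acls:
                findings.append(f"{name}: crypto map references ACL {acl}, which has no entries")
            entries.extend(acls.get(acl, []))
        crypto_entries[name] = entries
        # Check 1: a crypto ACL should not carry both directions of a flow.
        reported = set()
        for e in entries:
            pair = frozenset((e, reverse(e)))
            if e != reverse(e) and reverse(e) in entries and pair not in reported:
                reported.add(pair)
                findings.append(
                    f"{name}: crypto ACL lists both directions of "
                    f"{e[0]}/{e[1]} <-> {e[2]}/{e[3]}; keep only the local-to-remote entry")
    # Check 2: each peer's entries must be mirrored on the other peer.
    for here, there in ((name_a, name_b), (name_b, name_a)):
        for e in crypto_entries[here]:
            if reverse(e) not in crypto_entries[there]:
                findings.append(f"{here}: entry {e} has no mirror-image entry on {there}")
    return findings


if __name__ == "__main__":
    for f in check_crypto_acls("PIX501", PIX501_CFG, "PIX525", PIX525_CFG) or ["no findings"]:
        print(f)
```

Run against the posted fragments the checker reports one "both directions" finding per PIX; run against the one-way variants it reports nothing, and if one peer's subnet is edited so the ACLs no longer mirror each other, the second check reports the mismatch from both sides.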
