Issues with Cisco 871 tunnel with Pix515e
bigdogg2
join:2004-08-11

Re: Issues with Cisco 871 tunnel with Pix515e

871 Config

871w-rtr#sh run
Building configuration...

Current configuration : 4168 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 871w-rtr
!
boot-start-marker
boot-end-marker
!
logging buffered 20000
enable password ************
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization template
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3262587873
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3262587873
revocation-check none
rsakeypair TP-self-signed-3262587873
!
!
crypto pki certificate chain TP-self-signed-3262587873
certificate self-signed 01
*******************************************************
quit
dot11 syslog
ip cef
ip dhcp excluded-address 10.10.10.1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name local.test.local
!
!
!
username ***********
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key ************* address 192.168.10.20
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!
crypto map IPSec 1 ipsec-isakmp
set peer 192.168.10.20
set transform-set myset
match address tunnel
!
crypto map testmap 10 ipsec-isakmp
set peer 192.168.10.20
set security-association idle-time 300
set transform-set myset
match address tunnel
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 192.168.10.50 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPSec
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description test user
ip address 10.44.44.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.20
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended tunnel
permit ip 10.44.44.0 0.0.0.255 10.35.1.0 0.0.0.255
!
no cdp run
!
!
!
control-plane
!
banner motd ^C
******************************************
* Unauthorized access prohibited
******************************************
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end

871w-rtr#


nfx
join:2001-05-21
Vancouver, BC

crypto map SiteToSiteVPN 1 match address inside_cryptomap
crypto map SiteToSiteVPN 1 set peer 10.44.44.2
crypto map SiteToSiteVPN 1 set transform-set ESP-3DES-MD5 ESP-DES-MD5 xform-3des-md5
crypto map SiteToSiteVPN interface inside

Is this the crypto map you're using for the site-to-site VPN?

If so, the ACL it's matching, inside_cryptomap, only allows IP traffic.

This is the ACL it's matching: access-list inside_cryptomap extended permit ip 10.35.1.0 255.255.255.0 10.44.44.0 255.255.255.0

You need to add ICMP to that ACL.

edit: Same for the 871 config, you need to add ICMP to the ACL called "tunnel".
--
nfx

bigdogg2

join:2004-08-11

When you do a "permit ip" you are permitting everything over the protocol stack, which would include TCP, UDP and ICMP.

I did fix the issue by removing "ip nat inside" on "int vlan1" and removing "ip nat outside" from "int f4". Since VLAN 1 was not coming up, I added my loopback IP to the tunnel ACL, and then I was able to ping and telnet to ports on both sides of the crypto tunnel.
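
The two points made in this exchange, that a "permit ip" entry already covers ICMP, TCP and UDP, and that NAT on the same interfaces can stop traffic from ever matching the crypto ACL, can be checked with a small matcher. This is an added example, not code from the thread or from Cisco: it parses an IOS-style extended ACL with wildcard masks and evaluates it the way a crypto map does. The loopback ACL entry, the remote host address and the NAT translation to the FastEthernet4 address are assumptions; the posted config shows no "ip nat inside source" rule, so the NAT part illustrates the IOS inside-to-outside order of operations (NAT is applied before the crypto map is consulted) rather than diagnosing this particular router.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    protocol: str    # "ip", "tcp", "udp", "icmp", ...
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


_ENTRY = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'permit|deny <proto> <src> <src-wild> <dst> <dst-wild>' lines.
    Lines that do not match (the 'ip access-list extended ...' header, blanks)
    are skipped; the 'any' and 'host' shorthands are not handled here."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            action, proto, sn, sw, dn, dw = m.groups()
            entries.append(AclEntry(action, proto.lower(),
                                    _addr(sn), _addr(sw), _addr(dn), _addr(dw)))
    return entries


def _wild_match(addr: int, net: int, wild: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def acl_action(entries: List[AclEntry], src: str, dst: str, proto: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny.
    A 'permit ip' entry matches any IP protocol, so ICMP, TCP and UDP
    all hit it."""
    for e in entries:
        proto_ok = e.protocol == "ip" or e.protocol == proto.lower()
        if (proto_ok
                and _wild_match(_addr(src), e.src_net, e.src_wild)
                and _wild_match(_addr(dst), e.dst_net, e.dst_wild)):
            return e.action
    return "deny"


def crypto_match_after_nat(entries: List[AclEntry], src: str, dst: str,
                           proto: str, nat_src: Optional[str] = None) -> bool:
    """Model the IOS inside-to-outside order: NAT runs before the crypto map
    is consulted, so the crypto ACL sees the translated source (nat_src) when
    a translation applies. Assumption for illustration, not from the thread."""
    effective_src = nat_src if nat_src else src
    return acl_action(entries, effective_src, dst, proto) == "permit"


# Crypto ACL exactly as posted in the 871 config above.
TUNNEL_ACL = """ip access-list extended tunnel
 permit ip 10.44.44.0 0.0.0.255 10.35.1.0 0.0.0.255
"""

# Hypothetical second entry for the Loopback0 subnet (the thread says the
# loopback address was added to the ACL but does not show the exact line).
TUNNEL_ACL_WITH_LOOPBACK = TUNNEL_ACL + " permit ip 10.1.1.0 0.0.0.255 10.35.1.0 0.0.0.255\n"

F4_ADDRESS = "192.168.10.50"   # 871 FastEthernet4 address, from the config
REMOTE_HOST = "10.35.1.10"     # constructed host on the PIX side


if __name__ == "__main__":
    acl = parse_acl(TUNNEL_ACL)
    for proto in ("icmp", "tcp", "udp"):
        print(f"permit ip covers {proto}:", acl_action(acl, "10.44.44.2", REMOTE_HOST, proto))
    print("loopback source, original ACL:", acl_action(acl, "10.1.1.1", REMOTE_HOST, "icmp"))
    print("loopback source, extended ACL:",
          acl_action(parse_acl(TUNNEL_ACL_WITH_LOOPBACK), "10.1.1.1", REMOTE_HOST, "icmp"))
    print("no NAT, crypto match:", crypto_match_after_nat(acl, "10.44.44.2", REMOTE_HOST, "icmp"))
    print("NAT to F4 first, crypto match:",
          crypto_match_after_nat(acl, "10.44.44.2", REMOTE_HOST, "icmp", nat_src=F4_ADDRESS))
```

The matcher shows why adding an ICMP line would not have changed anything (the single "permit ip" entry already returns "permit" for ICMP), why traffic sourced from Loopback0 is dropped by the implicit deny until the ACL is extended, and why a source translated to the outside interface address before the crypto check no longer matches. On a real deployment the usual fix for the last case is to keep the NAT configuration and deny the VPN-bound traffic in the NAT ACL, so that only the encrypted flows bypass translation.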


nfx
join:2001-05-21
Vancouver, BC
You're right. I had to go back and review CCNA material to realize this. Thanks.
--
nfx
© 1999-2009 dslreports.com