Thread: VPN Problem
Posted 2006-01-11 by jimytri

Hi All,

I have an issue with the VPN between CP and PIX.
CP to PIX (shared secret)
CP inside network 172.25.1.0/24
CP outside network 202.202.1.0/30
CP with SPLAT R60

PIX inside network 192.168.10.0/24
PIX outside network 202.202.1.0/30
PIX Version 6.3

The VPN sets up fine; I can check the IPsec and ISAKMP status on the PIX. From the PIX inside network I can ping the CP inside network, and I can also browse the CP inside web server.

But from the CP side, the CP inside network cannot ping the PIX inside network. Below is the PIX configuration:

interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 101 permit ip 192.168.10.0 255.255.255.0 172.25.1.0 255.255.255.0
access-list 101 permit ip 172.25.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 172.25.1.0 255.255.255.0
access-list nonat permit ip 172.25.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 102 permit icmp any any
access-list 102 permit tcp any host 202.202.1.2 eq www
access-list 102 permit ip any any
access-list 102 permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 202.202.1.2 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 202.202.1.2 www 192.168.10.2 www netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 202.202.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set rtptac esp-3des esp-md5-hmac
crypto map rtprules 10 ipsec-isakmp
crypto map rtprules 10 match address 101
crypto map rtprules 10 set peer 202.202.1.1
crypto map rtprules 10 set transform-set rtptac
crypto map rtprules interface outside
isakmp enable outside
isakmp key ******** address 202.202.1.1 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400