Recent content by Packet7

  1. Packet7

    How to decide which VPN

    Hi, Policy based VPNs are simple to set up, but they have limitations. I would recommend using dial-up VPN between two firewalls without advanced routing. Anytime you need to add routing (Dynamic, Hub/Spoke, etc.), I would go with route based VPNs. Rgds, John
  2. Packet7

    External Traffic to specific IP

    Hi, Yes, you can configure a route based VPN over the T1 for the branch sites. You would then advertise your default route via the Comcast. Regarding the need to expose servers to the Internet, you can setup a MIP with a policy to permit traffic. Rgds, John
  3. Packet7

    Multiple External Static IPs on NS5GT

    Hi, Are you using a Netgear or a Netscreen? Rgds, John
  4. Packet7

    Change a ns100 to ns208

    Hi, Yes, you can try to clear the arp. I would also check your policy to make sure it's configured for NAT (use interface). Rgds, John
  5. Packet7

    Change a ns100 to ns208

    Hi, Are your switches configured for 100/Full as well? If not, I would hard code them to match the Firewall. I would also change the interfaces to route mode and handle NAT via Policy. I didn't see an outbound policy in your config. Try "get pol". Then "get pol id xx". Check to see if NAT...
  6. Packet7

    IPSEC tunnel to internal network assistance

    Hi Nick, Try the following: 1. Add 0.0.0.0/0 for both the Local and Remote Proxy ID. 2. Set the Proxy ID service as "any". 3. Remove your old VPN rules and add new rules that match (Trust to VPN, VPN to Trust, DMZ to VPN, etc). 4. Debug, test, and upload. I just reviewed the route based...
  7. Packet7

    IPSEC tunnel to internal network assistance

    OK, get a good night's sleep. I should be around tomorrow. Regarding the policy, did you delete your old VPN rules? If not, please remove them. When you create a new rule from Trust to VPN, you can specify address ranges in the "new address" field. Action = Permit. Rgds, John
  8. Packet7

    IPSEC tunnel to internal network assistance

    Hi, The PIX will not be able to interpret "groups". That is why your previous config had 8 VPN rules. If the remote end was a Firewall, you would have needed 4 rules. I would configure the policy below and test: Trust 192.168.1.0/24 VPN 10.10.1.0/24 ANY permit VPN 10.10.1.0/24 Trust...
  9. Packet7

    IPSEC tunnel to internal network assistance

    Hello Nick, In a route based VPN, you create standard rules (e.g. permit), not "tunnel". Pretend that you are not creating rules that handle VPN traffic. Keep me posted. Rgds, John
  10. Packet7

    IPSEC tunnel to internal network assistance

    Hello Nick, Based on what I can see, your old config had eight VPN Rules. I would try to delete the proxy ID and add the rules to match your old config. This should help complete the SA. I would start with the Trust to VPN if you are testing from 192.168.1.0/24. When you are done, run some...
  11. Packet7

    IPSEC tunnel to internal network assistance

    Do you have your previous config? I would like to take a look at the VPNs and Policies. Let me know.
  12. Packet7

    IPSEC tunnel to internal network assistance

    Hi, How many Policy-based VPNs were configured previously? Is the remote firewall a Netscreen? The reason I ask is because not all firewalls treat the Proxy ID the same. Try adding the following: Proxy ID: Local IP: 192.168.1.0 Netmask: 255.255.255.0 Remote IP: 10.10.1.0 Netmask...
  13. Packet7

    IPSEC tunnel to internal network assistance

    OK, I'm guessing we don't have access to the remote Firewall, yes? Typically, the most helpful Phase 1 messages are logged on the responding Firewall. Since we are initiating the tunnel, we need to get creative. Can you send me the address objects used on the old config and new config? Also...
  14. Packet7

    IPSEC tunnel to internal network assistance

    I would try to start it again.
    undebug all
    debug ike detail
    clear db
    ping from PC, wait 60 secs
    undebug all
    get db str
    get event
    get ike cookie
    get sa
    Rgds, John
  15. Packet7

    IPSEC tunnel to internal network assistance

    Are you using VPN Monitor? If so, can you disable it and send the results from another debug? Do you have access to the remote Firewall?
