Recent content by Packet7

Hi, Policy based VPN's are simple to setup, but they have limitations. I would recommend using dial-up VPN betweens two firewalls without advanced routing. Anytime you need to add routing (Dynamic, Hub/Spoke, etc), I would go with route based VPNs. Rgds, John

Hi, Yes, you can configure a route based VPN over the T1 for the branch sites. You would then advertise your default route via the Comcast. Regarding the need to expose servers to the Internet, you can setup a MIP with a policy to permit traffic. Rgds, John

Hi, Are you using a Netgear or a Netscreen? Rgds, John

Hi, Yes, you can try to clear the arp. I would also check your policy to make sure it's configured for NAT (use interface). Rgds, John

Hi, Are you switches configured for 100/Full as well? If not, I would hard code them to match the Firewall. I would also change the interfaces to route mode and handle NAT via Policy. I didn't see an outbound policy in your config. Try "get pol". Then "get pol id xx". Check to see if NAT...

Hi Nick, Try the following: 1. Add 0.0.0.0/0 for both the Local and Remote Proxy ID. 2. Set the Proxy ID service as "any". 3. Remove your old VPN rules and add new rules that match (Trust to VPN, VPN to Trust, DMZ to VPN, etc). 4. Debug, test, and upload. I just reviewed the route based...

OK, get a good night sleep. I should be around tomorrow. Regarding the policy, did you delete your old VPN rules? If not, please remove them. When you create a new role from Trust to VPN, you can specify address ranges in the "new address" field. Action = Permit. Rgds, John

Hi, The PIX will not be able to interpret "groups". That is why your previous config had 8 VPN rules. If the remote end was a Firewall, you would have needed 4 rules. I would configure the policy below and test: Trust 192.168.1.0/24 VPN 10.10.1.0/24 ANY permit VPN 10.10.1.0/24 Trust...

Hello Nick, In a route based VPN, you created standard rules (e.g. permit), not "tunnel". Pretend that you are not creating rules that handle VPN traffic. Keep me posted. Rgds, John

Hello Nick, Based on what I can see, your old config had eight VPN Rules. I would try to delete the proxy ID and add the rules to match your old config. This should help complete the SA. I would start with the Trust to VPN if you are testing from 192.168.1.0/24. When you are done, run some...

Do you have your previous config? I would like to take a look at the VPN's and Policies. Let me know.

Hi, How many Policy-based VPN's were configured previously? Is the remote firewall a netscreen? The reason I ask is because not all firewalls treat the Proxy ID the same. Try adding the following: Proxy ID: Local IP: 192.168.1.0 Netmask: 255.255.255.0 Remote IP: 10.10.1.0 Netmask...

OK, I'm guessing we don't have access to the remote Firewall, yes? Typically, the most helpful Phase 1 messages are logged on the responding Firewall. Since we are initiating the tunnel, we need to get creative. Can you send me the address objects used on the old config and new config. Also...

I would try to start it again. undebug all debug ike detail clear db ping from PC, wait 60 secs undebug all get db str get event get ike cookie get sa Rgds, John

Are you using VPN Monitor? If so, can you disable it and send the results from another debug? Do you have access to the remote Firewall?