DUAL SITE TO SITE VPN PIX
(OP)
Hi,

I am going nuts with this; if anybody has been there... this is a cry for help.

This is my situation.

LAN1 - 2 ISP's, 2 PIX's
LAN2 - 1 ISP, 1 PIX

I have a vpn tunnel from PIX1-LAN1 going to PIX1-LAN2. Now I'm trying to create a secondary vpn tunnel from PIX2-LAN1 going to PIX1-LAN2.

Phase 1 completes, but the IPsec tunnel doesn't connect. I've opened a TAC case with Cisco, and I'm still waiting for their solution.

Basically, they said the PIX1-LAN2 has two crypto map entries going to the same destination (LAN1's internal subnet).

Any suggestion would be highly appreciated!

Julian Dragut
 

RE: DUAL SITE TO SITE VPN PIX

Show us a config. I bet we can fix it faster than Cisco.

RE: DUAL SITE TO SITE VPN PIX

(OP)
Relevant config (PIX 6.x syntax; the ACLs are written with subnet masks, as the PIX expects them):

access-list ymx1acl permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ymx2acl permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto map outside 20 ipsec-isakmp
crypto map outside 20 match address ymx1acl
crypto map outside 20 set peer X.X.X.X
crypto map outside 20 set transform-set strongdes

crypto map outside 30 ipsec-isakmp
crypto map outside 30 match address ymx2acl
crypto map outside 30 set peer Y.Y.Y.Y
crypto map outside 30 set transform-set strongdes

This PIX should create 2 VPNs to LAN1 (ymx1acl, ymx2acl), but it creates only one.

I kind of fixed the problem by adding the second peer to crypto map 20, as in:

crypto map outside 20 ipsec-isakmp
crypto map outside 20 match address ymx1acl
crypto map outside 20 set peer X.X.X.X Y.Y.Y.Y
crypto map outside 20 set transform-set strongdes

Any ideas?

RE: DUAL SITE TO SITE VPN PIX

So the internal networks are the same range?

192.168.0.0


That's definitely a problem. If that's the case, the only real options are to subnet that on the ACL, maybe only establishing a tunnel for the address range 1-63 on one tunnel and 64-127 on another. The other option is to change the subnet at one of the sites, or put a router in front of the traffic and behind the PIX and NAT it.

RE: DUAL SITE TO SITE VPN PIX

(OP)
Take a look at this:

Cisco's VPN engineer's response:

Thank you for all your concern and for providing all the info in this regard.

Please note that I was not feeling well, so I couldn't get back to you sooner. My apologies for any production impact caused.

What we need to do in this scenario is a static NAT from the inside network behind the PIX 506 to a private IP range, without requiring any public IP range, and thus the interesting traffic from the PIX 501 will be 192.168.1.0 towards the translated private IP range, and the interesting traffic from the PIX 506 will be from the translated private IP range to the 192.168.1.0 network.

And this should get the setup running. Please bear with me for today if possible; I will get back to you tomorrow at the beginning of my shift and will configure the same for you.
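Worked example of the NAT-based fix the TAC engineer describes, added here as an editor's illustration; it is not config from the thread or from Cisco. It assumes PIX 6.3 syntax, that the PIX 501 is the remote site fronting 192.168.1.0/24, that the PIX 506 is HQ PIX2 fronting 192.168.0.0/24 via ISP2 with public address Y.Y.Y.Y, and it picks 172.16.0.0/24 as the translated range HQ presents through the second tunnel; that range, the 501's public address R.R.R.R and the ACL names other than ymx1acl/ymx2acl are assumptions, and strongdes is the transform set from the thread. The mechanism behind the symptom: a PIX walks its crypto map in sequence order and uses the first entry whose match ACL covers the packet, so with identical ACLs entry 30 is never selected, and when PIX2 initiates, the proxy identities it proposes land on entry 20, whose peer is not Y.Y.Y.Y, so Phase 2 fails even though Phase 1 completed. Giving the second tunnel a distinct proxy identity (192.168.1.0/24 to 172.16.0.0/24) makes entry 30 reachable:

```cisco
! --- Remote site PIX 501 (inside 192.168.1.0/24) -------------------------
! Comment lines are annotations for the reader; strip them before pasting.
! Entry 20 is the existing tunnel to HQ PIX1 (X.X.X.X) with HQ's real
! addresses; entry 30 is the new tunnel to HQ PIX2 (Y.Y.Y.Y), through
! which HQ is seen as 172.16.0.0/24 (assumed range). The two match ACLs
! now differ, so the crypto map lookup can select entry 30.
access-list ymx1acl permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ymx2acl permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0

! Exempt both destinations from NAT on the remote PIX (assumed ACL name).
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto map outside 20 ipsec-isakmp
crypto map outside 20 match address ymx1acl
crypto map outside 20 set peer X.X.X.X
crypto map outside 20 set transform-set strongdes
crypto map outside 30 ipsec-isakmp
crypto map outside 30 match address ymx2acl
crypto map outside 30 set peer Y.Y.Y.Y
crypto map outside 30 set transform-set strongdes
crypto map outside interface outside

! --- HQ PIX2, the 506 (inside 192.168.0.0/24, ISP2, public Y.Y.Y.Y) -------
! Policy static NAT: HQ hosts appear as 172.16.0.x only when talking to
! 192.168.1.0/24. The PIX translates before it consults the crypto map on
! the way out, so the packet is matched against vpn-remote with its
! translated source; the static is bidirectional, so replies addressed to
! 172.16.0.x arriving through the tunnel are mapped back to 192.168.0.x.
! The mapped block is the same size as the real subnet in the ACL.
access-list nat-to-remote permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 172.16.0.0 access-list nat-to-remote

! Interesting traffic mirrors ymx2acl on the 501 (R.R.R.R is the 501's
! public address, assumed).
access-list vpn-remote permit ip 172.16.0.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside 10 ipsec-isakmp
crypto map outside 10 match address vpn-remote
crypto map outside 10 set peer R.R.R.R
crypto map outside 10 set transform-set strongdes
crypto map outside interface outside
sysopt connection permit-ipsec
```

To check it, send traffic from a remote host to 192.168.0.x and to 172.16.0.x, then run show crypto isakmp sa and show crypto ipsec sa on the 501: there should be two ISAKMP SAs (peers X.X.X.X and Y.Y.Y.Y) and two sets of local ident/remote ident entries, one per peer. The caveat a practitioner should weigh before choosing this over re-addressing: remote hosts only reach HQ through the second tunnel by addressing it as 172.16.0.x, so this gives two concurrent paths, not automatic failover between them. The two-peer form of entry 20 that the original poster settled on is the failover mechanism on a PIX: the peers are tried in order, and the PIX only moves to Y.Y.Y.Y once X.X.X.X stops answering, which it will not notice promptly unless ISAKMP keepalives (isakmp keepalive) are configured on both sides.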

RE: DUAL SITE TO SITE VPN PIX

(OP)
No, the internal IPs are not the same.

RemoteSite's IP address is 192.168.1.0

HQSite = 192.168.0.0
PIX1 - ISP1
PIX2 - ISP2

PIX1 + PIX2 protect the same LAN (192.168.0.0); that's why RemoteSitePIX has two maps with the same proxy source but using two different peer addresses.

Hope this helps!

RE: DUAL SITE TO SITE VPN PIX

That's the problem, though. The ymx1acl and ymx2acl you are using define what traffic is interesting to the PIX. If you are using the same LAN 192.168.0.0, then there will be problems, because the traffic will only work to one PIX. My suggestion, and I know it could be a pain, is to re-engineer one of those subnets to be 192.168.2.0 rather than trying to NAT. The NAT solution is a short-term fix. The problem is further down the road: with new implementations you may have to keep making small fixes that can become a pain in the rear. If you change it now, you won't have to worry about IP problems later. The upside is that if you have a small number of clients, the change goes easily. I've done this before. The downside is that if you have a large number of servers, then it sucks.
