Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

PIX 501 Not Passing All VPN Traffic

  • Filter
  • Time
  • Show
Clear All
new posts

  • PIX 501 Not Passing All VPN Traffic


    I have a client with multiple locations. All of the locations are connected with site-to-site VPN's using SonicWALL appliances. Over this last weekend, there was a storm and one of the sites was hit by lighting. The SonicWALL at this remote site was damaged and unusable. So I put a Cisco PIX 501 in it's place until a permanent solution is put in place. Here is the problem...

    Main location has a database server that syncronizes it's database with a server at this remote location. This syncronization is no longer working after putting the PIX in place. I ultimately am needing to allow ALL traffic over this VPN tunnel. I am not sure what I am missing, but I am sure it is something simple. I am including a copy of the config (with IP's changed) for someone to look over.

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password cfJ5jlQu.rO8n8OJ encrypted
    passwd cfJ5jlQu.rO8n8OJ encrypted
    hostname pixfirewall
    domain-name aec2020.local
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list pixtosw permit ip
    access-list acl_out permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list pixtosw
    nat (inside) 1 0 0
    nat (inside) 1 0 0
    access-group outside_in in interface outside
    route outside 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp inside
    crypto ipsec transform-set keokukaec esp-3des esp-sha-hmac
    crypto map maptosw 67 ipsec-isakmp
    crypto map maptosw 67 match address pixtosw
    crypto map maptosw 67 set peer
    crypto map maptosw 67 set transform-set keokukaec
    crypto map maptosw interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp identity address
    isakmp nat-traversal 13
    isakmp policy 13 authentication pre-share
    isakmp policy 13 encryption 3des
    isakmp policy 13 hash sha
    isakmp policy 13 group 2
    isakmp policy 13 lifetime 28800
    telnet inside
    telnet timeout 5
    ssh outside
    ssh inside
    ssh timeout 60
    console timeout 0
    terminal width 80
    : end

    Thanks for the help


  • #2
    Re: PIX 501 Not Passing All VPN Traffic

    Give this a try:

    access-list 101 permit ip
    You actually need to create two identical access-lists. One for the crypto map and the other for the no-nat. They just need to be named different.
    CCNA, Network+