Cisco PIX 501 – site-to-site VPN subnet problem

Tags: cisco, site-to-site-vpn, subnet

I've configured a site-to-site VPN tunnel, which is up and working as I would like. I have configured persistent routes on the PCs at each end that need to speak to each other. The subnets are as follows:

Site 1: 10.0.0.0/11
Site 2: 192.168.200.0/24

I am running into problems when I try to access site 2 from site 1 on a PC with an IP starting with anything other than 10.0.x.x. For example, if my PC is configured with IP 10.0.0.77/11 I can access site 2. If it is configured with 10.1.100.1/11, I can't. It seems to me that the PIX is forcing the subnet mask for site 1 to be 255.255.0.0 instead of 255.224.0.0.

Is anyone aware of this being the case, and how to get around it?

My running configs are:

Running config Site 1:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sdf4536gdsfgsd encrypted
passwd 3425sdfsdfg2345 encrypted
hostname our-side
domain-name domain.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.200.0 their_network
name 10.0.0.8 svr1
name 10.0.0.245 svr2
name 10.0.0.248 svr3
name 10.0.0.235 printer
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.224.0.0 their_network 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.224.0.0 their_network 255.255.255.0
access-list outside_access_in permit tcp their_network 255.255.255.0 any eq www
access-list outside_access_in permit tcp their_network 255.255.255.0 any eq https
access-list outside_access_in permit tcp their_network 255.255.255.0 host svr2 eq domain
access-list outside_access_in permit udp their_network 255.255.255.0 host svr2 eq domain
access-list outside_access_in permit udp their_network 255.255.255.0 any eq ntp
access-list outside_access_in permit tcp their_network 255.255.255.0 host svr3 eq ssh
access-list outside_access_in permit icmp their_network 255.255.255.0 any
access-list inside_access_in permit tcp any their_network 255.255.255.0 eq ftp
access-list inside_access_in permit icmp any their_network 255.255.255.0
access-list inside_access_in permit tcp host svr2 their_network 255.255.255.0 eq domain
access-list inside_access_in permit udp host svr2 their_network 255.255.255.0 eq domain
access-list inside_access_in permit tcp host svr1 their_network 255.255.255.0 eq ssh
access-list inside_access_in permit udp any eq ntp their_network 255.255.255.0
access-list inside_access_in remark requested for remote management
access-list inside_access_in permit tcp any their_network 255.255.255.0 eq 3389
access-list inside_access_in remark rsync svr1 to build server
access-list inside_access_in permit tcp host svr1 their_network 255.255.255.0 eq 873
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 219.148.111.77 255.255.255.192
ip address inside 10.0.0.4 255.224.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.0 255.224.0.0 inside
pdm location their_network 255.255.255.0 outside
pdm location svr2 255.255.255.255 inside
pdm location svr1 255.255.255.255 inside
pdm location svr3 255.255.255.255 inside
pdm location awe_printer 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 219.148.111.77 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.224.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 219.148.111.76
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 219.148.111.76 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
username user1 password asdfafddafaf encrypted privilege 15
terminal width 80
Cryptochecksum:43dfhsd34fghh
: end

Running config Site 2:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iCEghfhgeC10Q80xp encrypted
passwd iCEghgfhC10Q80xp encrypted
hostname vietnam-their-side
domain-name domain1.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.0.0 our_network
access-list acl_inside permit tcp 192.168.200.0 255.255.255.0 host 219.148.111.76 eq www
access-list inside_outbound_nat0_acl permit ip 192.168.200.0 255.255.255.0 our_network 255.224.0.0
access-list outside_cryptomap_20 permit ip 192.168.200.0 255.255.255.0 our_network 255.224.0.0
access-list outside_access_in permit icmp our_network 255.224.0.0 any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 219.148.111.76 255.255.255.192
ip address inside 192.168.200.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.160.0.0 255.224.0.0 inside
pdm location our_network 255.224.0.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 219.148.111.76 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http our_network 255.224.0.0 outside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 219.148.111.77
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 219.148.111.77 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username user1 password tjqqn/L/teN49dfsgsdfgZbw encrypted privilege 15
terminal width 80
Cryptochecksum:bf200a9175be27sdfgsfdgdb91320d6df7ce5b21
: end

I can't see any incorrect masks, but I may be blind to it.

Thanks

Cammy

Best Answer

I haven't poked about much with PIXes, but I'm wondering if there's an "ip classless" needed on both sides? I've had curious issues with IOS devices deciding on odd classful (or at least octet-boundary) netmasks in the past because that was missing.
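The masks in the two crypto ACLs can be checked mechanically rather than by eye. The Python script below is an added example, not code from the question or the answer. It copies the `name` aliases and the `outside_cryptomap_20` lines from the two configs above into constants, parses them the way the PIX does (aliases resolved, real subnet masks rather than IOS wildcard masks), and tests whether a source/destination pair is selected by site 1's ACL and mirrored by site 2's, which is what the IPsec proxy-identity match requires. It also tests each host against the 255.255.0.0 mask the question suspects and against the classful mask the answer mentions. The hosts 192.168.200.10 (a site 2 LAN host) and 10.32.0.1 (just outside 10.0.0.0/11) are constructed for the example. With the ACLs as posted, 10.1.100.1 is selected on both sides, and a classful mask (10.0.0.0/8) would still include it; only a /16 excludes it. One place a /16 can hide in this setup is the persistent routes on the PCs, which the PIX configs do not show. Note also that `ip classless` is an IOS command; the PIX 6.3 CLI does not offer it.

```python
"""Mask check for the site-to-site crypto ACLs quoted in the question.

Added example, not code from the question or the answer.  The ACL lines and
'name' aliases are copied from the two configs above; 192.168.200.10 is a
constructed host on the site 2 LAN, and 10.32.0.1 a constructed host that
lies just outside 10.0.0.0/11.
"""
import ipaddress

# Only the lines this check needs, copied from the posted configs.
SITE1_CONFIG = """
names
name 192.168.200.0 their_network
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.224.0.0 their_network 255.255.255.0
"""
SITE2_CONFIG = """
names
name 10.0.0.0 our_network
access-list outside_cryptomap_20 permit ip 192.168.200.0 255.255.255.0 our_network 255.224.0.0
"""
CRYPTO_ACL = "outside_cryptomap_20"


def parse_names(config):
    """Build the alias table the PIX 'name' command defines (alias -> address)."""
    names = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "name":
            names[parts[2]] = parts[1]
    return names


def take_operand(tokens, names):
    """Consume one PIX address operand: 'any', 'host X', or 'X MASK'.

    PIX ACLs use real subnet masks (255.224.0.0), not IOS wildcard masks,
    so the mask can be handed straight to ipaddress."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(names.get(host, host) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{mask}", strict=False)


def parse_acl(config, acl_name):
    """Return (src_net, dst_net) pairs for the 'permit ip' entries of one ACL."""
    names = parse_names(config)
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue
        rest = tokens[4:]
        src = take_operand(rest, names)
        dst = take_operand(rest, names)
        entries.append((src, dst))
    return entries


def acl_selects(entries, src_ip, dst_ip):
    """True if any ACL entry covers the src -> dst pair."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in entries)


def tunnel_selects(src_ip, dst_ip):
    """A flow is protected only if site 1 selects src->dst AND site 2 mirrors
    it as dst->src; a mask mismatch on either side breaks the proxy-ID match."""
    site1 = parse_acl(SITE1_CONFIG, CRYPTO_ACL)
    site2 = parse_acl(SITE2_CONFIG, CRYPTO_ACL)
    return acl_selects(site1, src_ip, dst_ip) and acl_selects(site2, dst_ip, src_ip)


def covered_by(ip, network):
    """True if ip falls inside network ('addr/prefix' or 'addr/dotted-mask')."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def classful_network(addr):
    """The legacy class A/B/C network a classful router would assume for addr."""
    first_octet = int(addr.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def report(src_hosts, dst_host):
    """For each site 1 host: is it tunnelled as configured, and which of the
    candidate masks for 10.0.0.0 (/11 as posted, /16 as suspected, classful
    as the answer suggests) would include it."""
    rows = []
    for host in src_hosts:
        rows.append({
            "host": host,
            "tunnel_as_configured": tunnel_selects(host, dst_host),
            "in_10.0.0.0/11": covered_by(host, "10.0.0.0/255.224.0.0"),
            "in_10.0.0.0/16": covered_by(host, "10.0.0.0/255.255.0.0"),
            "in_classful": ipaddress.ip_address(host) in classful_network("10.0.0.0"),
        })
    return rows


if __name__ == "__main__":
    for row in report(["10.0.0.77", "10.1.100.1", "10.32.0.1"], "192.168.200.10"):
        print(row)
```

To apply this to a real configuration, paste the full `show running-config` of each PIX into the two constants; the parser ignores every line that is not a `name` entry or a `permit ip` line of the named ACL. If a host shows `tunnel_as_configured` True but still cannot reach the far side, the crypto ACLs are not the culprit and the next mask to check is the one on the PCs' persistent routes.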