VPN NAT Issues on PIX 515e

Unanswered Question
Feb 1st, 2007

I'm trying to configure a site to site VPN connection with PIX5153 6.3(5) on my end and Checkpoint at the other end.

host (172.30.10.x)--->PIX 515e---------Ceckpoint<---host.

The problem is when communications are initiated from the 172.30.10.x host, I can see the PIX encrypt packets leaving my PIX and decrypt packets coming back in (using PDM VPN Ipsec monitoring), but it appears that the packets aren't making it through the PIX back to the host.

I have also captured this traffic at the PIX and see only the outgoing packets

03:40:56.187154 172.30.10.x.3453 > y.y.y.y.699: S 242989206:242989206(0) w

in 16384 <mss 1460,nop,nop,sackOK>

Host 172.30.10.x is NAT'd to 65.125.108.x at the PIX. I have a local Cisco tech working on this as well as a TAC case open. No one seems to be able to determine what is going on. Is there a bug in 6.3(5) that prevents NATing over a Site-to-Site VPN configuration like this?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Thu, 02/01/2007 - 06:45


Sorry, it a bit too sanistised. Usually people just get rid of public IP address from the config + passwords etc.

It's difficult to tell anything without some of the addressing



This Discussion