Site-to-site VPN issues

Mar 19th, 2007

Hi, I'm having issues establishing a site-to-site vpn between us and a 3rd party's efility firewall (we're using a Pix 515 running 6.3). Their LAN range is 192.168.2.x but their IT people tell me they're NATting traffic to The tunnel appears to be up but they cannot ping anything at our site. I want them to access 128.31.x.x, 128.51.x.x and 128.60.x.x on our LAN.

Just to complicate matters, I believe this site was set up with some port forwarding rules in the past to allow them access to specific servers on our site.

I've checked the logs and can see traffic from them (on going to which I believe is the port forwarding, but can't see anything else (they have a continuous ping to on our network).

Unfortunately I don't know enough to determine if the port forwarding rules are affecting the site VPN, any help would be greatly appreciated.

acomiskey Mon, 03/19/2007 - 07:50

What do you mean by "appears to be up"? What is working and what's not? Explain what you mean by the port forwarding, I do not see any reference to in your config.

Rex Biesty Mon, 03/19/2007 - 08:51

Thanks for the reply.

The 'Appears to be up' comment refers to feedback from the remote site saying that the tunnel appears to be in place at their end. Don't know how to check it on the Cisco but if you could point me in the right direction I'd appreciate it.

The is a typo, sorry, should read

They currently use the following URLs to access selected servers on our site (where is one of our public IP addresses)

Sorry I'm a bit vague on this, their existing access was set up before I became involved with the firewall.

Rex Biesty Mon, 03/19/2007 - 09:24

Result of show crypto isakmp sa is

Total : 12

Embryonic : 1

dst src state pending created MM_KEY_EXCH 0 0 QM_IDLE 0 2 QM_IDLE 0 1 QM_IDLE 0 2 QM_IDLE 0 2 QM_IDLE 0 1 QM_IDLE 0 1 QM_IDLE 0 1 QM_IDLE 0 1 host217-155-130-97 QM_IDLE 0 0 host217-155-130-97 QM_IDLE 0 0 Metalogic_Warwick_Public QM_IDLE 0 0

Result of show crypto ipsec sa is quite large, what am I looking for on it?

acomiskey Mon, 03/19/2007 - 09:53

Do you want




You currently have a static for to, but you also have a nat 0 for traffic from to Metalogic_Support_Host.

Rex Biesty Mon, 03/19/2007 - 10:00

I'm trying to set up a site-to-site so access would be to private IP addresses on our networks (i.e. all addresses on, and I've already done this successfully for another of their sites (Metalogic_Warwick_Public). I think the rules you mention are possibly related to their old setup.

Rex Biesty Mon, 03/19/2007 - 10:22

I appreciate your help and have no problem with you asking as many questions as is needed (it is a complicated setup I know and one I've only had limited involvement with until now).

At the moment works. I don't know if works yet as I'm awaiting feedback. However, if they try to ping another device on our network (e.g. they get no reply and it's this that we're trying to get working.

acomiskey Mon, 03/19/2007 - 10:44

Are the pings coming from or 192.168.2.x ?

Rex Biesty Tue, 03/20/2007 - 02:57

Their pings should show as coming from as their IT folk say their internal traffic is being NATted to that address. I've checked the logs for traffic from 192.168.2.x also (in case their IT dept are telling me untruths) but nothing there.

Rex Biesty Thu, 03/22/2007 - 04:23

Hi, was wondering if you've got any further forward with this, thanks.

acomiskey Thu, 03/22/2007 - 05:43

Is it possible to get some logs going while you try to pass traffic over the tunnel? Any chance of getting the config from the remote peer as well? Their nat exemption traffic should be a mirror image of yours etc.
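A script for the mirror-image check acomiskey describes, added here as an example and not part of this thread or of any Cisco tool: it parses PIX 6.3-style `access-list NAME permit ip ...` lines from both peers' configs and reports every entry whose reversed (dst, src) pair is missing on the other side. The access-list names nonat and vpn, and the peer NAT address 203.0.113.5, are constructed placeholders.

```python
import ipaddress

def _net(tokens):
    """Consume one PIX address spec ('host A', 'any', or 'A MASK'); return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(config_text, acl_name):
    """Collect (src, dst) network pairs from 'access-list NAME permit ip ...' lines."""
    pairs = set()
    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[:2] != ["access-list", acl_name] or t[2:4] != ["permit", "ip"]:
            continue
        src, rest = _net(t[4:])
        dst, _ = _net(rest)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local_pairs, remote_pairs):
    """Local entries the remote does not mirror, and remote entries the local side does not mirror."""
    unmirrored_local = {p for p in local_pairs if (p[1], p[0]) not in remote_pairs}
    unmirrored_remote = {p for p in remote_pairs if (p[1], p[0]) not in local_pairs}
    return unmirrored_local, unmirrored_remote

# Constructed sample configs (not from the thread); 203.0.113.5 stands in for the peer's NAT address.
# The remote side deliberately lists its un-NATted 192.168.2.0/24 in one entry, the mismatch the thread suspects.
LOCAL_CFG = """\
access-list nonat permit ip 128.31.0.0 255.255.0.0 host 203.0.113.5
access-list nonat permit ip 128.51.0.0 255.255.0.0 host 203.0.113.5
access-list nonat permit ip 128.60.0.0 255.255.0.0 host 203.0.113.5
"""
REMOTE_CFG = """\
access-list vpn permit ip host 203.0.113.5 128.31.0.0 255.255.0.0
access-list vpn permit ip 192.168.2.0 255.255.255.0 128.51.0.0 255.255.0.0
"""

def check():
    return mirror_mismatches(parse_acl(LOCAL_CFG, "nonat"), parse_acl(REMOTE_CFG, "vpn"))

if __name__ == "__main__":
    left, right = check()
    for src, dst in sorted(left, key=str):
        print(f"local {src} -> {dst} has no mirror on the remote peer")
    for src, dst in sorted(right, key=str):
        print(f"remote {src} -> {dst} has no mirror on the local peer")
```

Run the same check on the crypto map's match address list as well as the nat 0 list, since both must agree with the peer for traffic to be both exempted from NAT and selected for the tunnel.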
