PIx VPN NAT question

wilson_1234_2
Level 3

I have this scenario with a PIX 525 6.3, this has worked for months and suddenly stopped.

I have a device on the inside network that needs to access a remote site network through a VPN tunnel.

Inside network device is 10.11.150.1, needs to access remote device 10.79.15.3.

The remote side is supposed to see my device as a 10.91.6.1 address, I am supposed to see his 10.79.15.3 as my destination.

Debugs show the tunnel never attempts to come up, but I see hits on all of the access-lists associated with this config.

My question is, if something happened to the peer (according to them nothing has changed) config, or it is not accessible from my end, would the access-lists show hits and the traffic just get dropped?

crypto map p 30 ipsec-isakmp
crypto map p 30 match address Translate
crypto map p 30 set peer 1.23.45.67
crypto map p 30 set transform-set 3dessha
static (inside,outside) 10.91.6.1 access-list translation 0 0
access-list Translation permit ip host 10.11.150.1 10.79.8.0 255.255.248.0
access-list Translate permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0
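An added consistency check for the policy NAT plus crypto map chain quoted above (example code written for this page; it is not from the poster or from Cisco). It parses the quoted lines, confirms that every access-list a crypto map or static refers to is actually defined, and then verifies that the inside host is translated to an address that the crypto ACL's source network covers, with the remote host inside the ACL destination. Assumptions: access-list names are compared case-sensitively (a case-only difference is reported for the operator to verify on the device), only "permit ip" entries are modelled, and the inside and remote hosts 10.11.150.1 and 10.79.15.3 are taken from the question.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the configuration lines quoted in the question above.
CONFIG = """\
crypto map p 30 ipsec-isakmp
crypto map p 30 match address Translate
crypto map p 30 set peer 1.23.45.67
crypto map p 30 set transform-set 3dessha
static (inside,outside) 10.91.6.1 access-list translation 0 0
access-list Translation permit ip host 10.11.150.1 10.79.8.0 255.255.248.0
access-list Translate permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0
"""


@dataclass
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one PIX address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, crypto_acl_names, policy_statics) from a PIX 6.x config fragment."""
    acls = {}          # access-list name -> [AclEntry]; only 'permit ip' lines are modelled
    crypto_acls = []   # names used by 'crypto map ... match address'
    statics = []       # (global address, acl name) from policy statics
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) >= 7 and t[2] == "permit" and t[3] == "ip":
            src, i = _parse_addr(t, 4)
            dst, _ = _parse_addr(t, i)
            acls.setdefault(t[1], []).append(AclEntry(src, dst))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_acls.append(t[6])
        elif t[0] == "static" and "access-list" in t:
            statics.append((ipaddress.ip_address(t[2]), t[t.index("access-list") + 1]))
    return acls, crypto_acls, statics


def _covers(entries, src_ip, dst_ip):
    return any(src_ip in e.src and dst_ip in e.dst for e in entries)


def audit(text, inside_host, remote_host):
    """Return human-readable findings; an empty list means the NAT/crypto chain is consistent."""
    acls, crypto_acls, statics = parse_config(text)
    inside = ipaddress.ip_address(inside_host)
    remote = ipaddress.ip_address(remote_host)
    findings = []

    # 1. Every referenced access-list must exist under exactly that name.
    #    Assumption: names are compared case-sensitively, so a case-only
    #    difference is reported for the operator to verify on the firewall.
    for name in crypto_acls + [acl for _, acl in statics]:
        if name not in acls:
            near = [n for n in acls if n.lower() == name.lower()]
            hint = f" (defined as {near[0]!r}, differing only in case)" if near else ""
            findings.append(f"referenced access-list {name!r} is not defined{hint}")

    # 2. The policy static must match inside_host -> remote_host, and the
    #    translated (global) address must fall inside the crypto ACL's source.
    for global_ip, acl_name in statics:
        if acl_name not in acls:
            continue
        if not _covers(acls[acl_name], inside, remote):
            findings.append(f"static ACL {acl_name!r} does not match {inside} -> {remote}")
        for cname in crypto_acls:
            if cname in acls and not _covers(acls[cname], global_ip, remote):
                findings.append(
                    f"crypto ACL {cname!r} does not match translated flow {global_ip} -> {remote}")
    return findings


if __name__ == "__main__":
    for f in audit(CONFIG, "10.11.150.1", "10.79.15.3") or ["no inconsistencies found"]:
        print(f)
```

Run against the quoted lines, the only finding is that the static refers to "translation" while the access-list is defined as "Translation"; whether the PIX treats those as different names is the thing to confirm on the device. With that name aligned, the translated flow 10.91.6.1 -> 10.79.15.3 sits inside the "Translate" ACL, so the crypto map should see interesting traffic, and the remaining question is the peer side.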

1 Reply

Jon Marshall
Hall of Fame

Hi

When you initiate the connection can you run

1) debug crypto isa

2) debug crypto ipsec

That will at least tell you whether your firewall is trying to initiate the tunnel or not and should help narrow down the problem.

Jon

Edit - should have said, I agree that if it has been working for the last 4 months and now it doesn't, and you haven't changed anything, chances are they have :-)
