PIX VPN NAT question

Jul 10th, 2007

I have this scenario with a PIX 525 6.3, this has worked for months and suddenly stopped.


I have a device on the inside network that needs to access a remote site network through a VPN tunnel.


Inside network device is 10.11.150.1, needs to access remote device 10.79.15.3.


The remote side is supposed to see my device as a 10.91.6.1 address, I am supposed to see his 10.79.15.3 as my destination.


Debugs show the tunnel never attempts to come up, but I see hits on all of the access-lists associated with this config.


My question is, if something happened to the peer (according to them nothing has changed) config, or it is not accessible from my end, would the access-lists show hits and the traffic just get dropped?


crypto map p 30 ipsec-isakmp
crypto map p 30 match address Translate
crypto map p 30 set peer 1.23.45.67
crypto map p 30 set transform-set 3dessha

static (inside,outside) 10.91.6.1 access-list translation 0 0

access-list Translation permit ip host 10.11.150.1 10.79.8.0 255.255.248.0
access-list Translate permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0



Jon Marshall Tue, 07/10/2007 - 23:06
Hi


When you initiate the connection can you run


1) debug crypto isa
2) debug crypto ipsec


That will at least tell you whether your firewall is trying to initiate the tunnel or not and should help narrow down the problem.


Jon



Edit - should have said, I agree that if it has been working for last 4 months and now it doesn't, if you haven't changed anything chances are they have :-)
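As an added illustration (not part of either post, and not Cisco code), the sketch below replays the posted lines offline: it applies the policy static to the flow 10.11.150.1 -> 10.79.15.3 and then tests the translated packet against the crypto map ACL. It assumes translation is applied before the crypto match, as the posted ACLs imply, and it reports that the post spells the ACL name `translation` in the static line but `Translation` in the access-list line; all function names are hypothetical.

```python
import ipaddress

# Lines copied from the post (blank lines dropped), used as offline sample input.
CONFIG = """\
crypto map p 30 match address Translate
static (inside,outside) 10.91.6.1 access-list translation 0 0
access-list Translation permit ip host 10.11.150.1 10.79.8.0 255.255.248.0
access-list Translate permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0
"""

def parse_spec(tok):
    """Consume 'host A' or 'NET MASK' from the token list; return a network."""
    if tok[0] == "host":
        del tok[0]
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok.pop(0)}/{tok.pop(0)}")

def parse(config):
    acls, static, crypto_acl = {}, None, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            rest = t[4:]
            src, dst = parse_spec(rest), parse_spec(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["static"]:
            static = (ipaddress.ip_address(t[2]), t[4])  # (mapped IP, ACL name)
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_acl = t[6]
    return acls, static, crypto_acl

def find_acl(acls, name):
    """Return (entries, exact): exact lookup, else case-insensitive fallback."""
    if name in acls:
        return acls[name], True
    hit = [v for k, v in acls.items() if k.lower() == name.lower()]
    return (hit[0] if hit else []), False

def matches(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)

def trace(config, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acls, (mapped, nat_name), crypto_name = parse(config)
    nat_entries, exact = find_acl(acls, nat_name)
    # Assumption: translation happens first, so the crypto ACL sees the mapped source.
    src = mapped if matches(nat_entries, src, dst) else src
    crypto_entries, _ = find_acl(acls, crypto_name)
    return {"nat_acl_name_exact": exact, "source_after_nat": str(src),
            "interesting_traffic": matches(crypto_entries, src, dst)}
```

Calling `trace(CONFIG, "10.11.150.1", "10.79.15.3")` shows whether the flow is translated to 10.91.6.1 and then selected by the crypto ACL; it says nothing about the state of the remote peer.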

