test for ISAKMP/IPSec port being available

tato386
Level 6

I suspect that the ISP managed router that is sitting in front of my PIX is somehow blocking ISAKMP (UDP 500) packets from reaching my PIX. Is there a way I can test if this is the case? Maybe something like telnetting to port 25 to see if an SMTP host is responding or something similar?

Thanks,

Diego

5 Replies

srue
Level 7

What model PIX and what OS version? Is there a LAN switch that connects the PIX and the ISP-managed router?

You have a couple of options...

Capturing traffic on the PIX.

Using SPAN if there's a switch between the two.

Last but not least, call the ISP and ask them.

Jon Marshall
Hall of Fame

Hi

In addition to all Steven's suggestions you could run "debug crypto isa" and then initiate a connection. If you see nothing on your pix then yes it could be getting blocked.

Jon
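The "initiate a connection" step above needs something on the outside that actually sends ISAKMP to the PIX so the debug (or a capture) has something to show. The script below is an added example, not code from this thread or from Cisco: it builds an IKEv1 Main Mode message 1 (ISAKMP header plus one SA proposal, RFC 2408 layout) and sends it to UDP 500 on a peer, then classifies what comes back. The proposal values (3DES / SHA1 / pre-shared key / DH group 2) and the reply categories are assumptions chosen for illustration; a peer that rejects the proposal should still answer with an informational NO_PROPOSAL_CHOSEN, which is enough to prove the port is reachable.

```python
"""Minimal ISAKMP (IKEv1) Main Mode probe: does UDP 500 reach the peer at all?

Added example for this thread; not Cisco's or the poster's code.
"""
import os
import socket
import struct

ISAKMP_PORT = 500
HDR_LEN = 28                     # fixed ISAKMP header size (RFC 2408 section 3.1)

EXCH_IDENTITY_PROTECTION = 2     # Main Mode
EXCH_INFORMATIONAL = 5           # used for NOTIFY replies such as NO_PROPOSAL_CHOSEN
PAYLOAD_SA = 1


def _attr(atype, value):
    """Encode one 'basic' (16-bit value) SA attribute: type with the high bit set, then value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def build_main_mode_probe(init_cookie=None):
    """Build Main Mode message 1: ISAKMP header + SA payload with one proposal/transform.

    Proposal values are an assumption (3DES/SHA1/PSK/group 2, 28800 s); adjust to the peer's policy.
    """
    init_cookie = init_cookie or os.urandom(8)
    attrs = (_attr(1, 5)          # encryption algorithm: 3DES-CBC
             + _attr(2, 2)        # hash algorithm: SHA1
             + _attr(3, 1)        # authentication method: pre-shared key
             + _attr(4, 2)        # Diffie-Hellman group 2
             + _attr(11, 1)       # life type: seconds
             + _attr(12, 28800))  # life duration
    # Transform payload: next=0, reserved, length, transform#, transform ID (KEY_IKE=1), reserved
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal payload: next=0, reserved, length, proposal#, protocol ID (ISAKMP=1), SPI size 0, 1 transform
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA payload: next=0, reserved, length, DOI (IPsec=1), situation (SIT_IDENTITY_ONLY=1)
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    # Header: initiator cookie, zero responder cookie, next payload SA, version 1.0, Main Mode,
    # no flags, message ID 0, total length
    header = struct.pack("!8s8sBBBBII", init_cookie, b"\x00" * 8,
                         PAYLOAD_SA, 0x10, EXCH_IDENTITY_PROTECTION, 0, 0, HDR_LEN + len(sa))
    return header + sa


def parse_header(data):
    """Parse an ISAKMP header into a dict; return None if the datagram is too short."""
    if len(data) < HDR_LEN:
        return None
    fields = struct.unpack("!8s8sBBBBII", data[:HDR_LEN])
    keys = ("initiator_cookie", "responder_cookie", "next_payload", "version",
            "exchange_type", "flags", "message_id", "length")
    return dict(zip(keys, fields))


def classify_reply(probe, reply):
    """Say what a datagram received on UDP 500 tells us about the probe we sent."""
    hdr = parse_header(reply)
    if hdr is None:
        return "malformed"
    if hdr["initiator_cookie"] != probe[:8]:
        return "unrelated"          # not an answer to our probe (cookie mismatch)
    if hdr["exchange_type"] == EXCH_IDENTITY_PROTECTION and hdr["next_payload"] == PAYLOAD_SA:
        return "sa-accepted"        # message 2: proposal accepted, UDP 500 is clearly open
    if hdr["exchange_type"] == EXCH_INFORMATIONAL:
        return "informational"      # e.g. NO_PROPOSAL_CHOSEN: peer reachable, proposal rejected
    return "other"


def probe(host, timeout=3.0, sport=ISAKMP_PORT):
    """Send the probe to host:500 and classify the outcome.

    'port-unreachable' means an ICMP unreachable came back (host reached, nothing listening);
    'no-reply' means the packet was dropped or filtered somewhere on the path, or the peer stays silent.
    """
    pkt = build_main_mode_probe()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.bind(("", sport))     # many IKE peers only answer when the source port is 500
        except PermissionError:
            s.bind(("", 0))         # unprivileged fallback; some peers will ignore this
        s.sendto(pkt, (host, ISAKMP_PORT))
        try:
            reply, _ = s.recvfrom(4096)
        except ConnectionRefusedError:
            return "port-unreachable"
        except socket.timeout:
            return "no-reply"
    return classify_reply(pkt, reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))       # e.g. python isakmp_probe.py 203.0.113.1 (address is a placeholder)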

purohit_810
Level 5

1) You can use Ethereal and the TCPDUMP utility.

It will show you easily how traffic flows between the two devices.

2) Sniffer: you can SPAN the switch port and use the EtherPeek NX analyzer. You will get the idea.

3) Implement the capture below:

access-list capin permit ip host {Firewall outside IP} host {Router outside IP}
access-list capin permit ip host {Router outside IP} host {Firewall outside IP}
access-list capin permit ip host {Firewall outside IP} host {Router IP}
access-list capin permit ip host {Router IP} host {Firewall outside IP}
capture capin access-list capin interface outside

Then see the output of the "show capture capin" command.

Regards,

Dharmesh Purohit

tato386
Level 6
Level 6

Thanks for all your help guys. I had already called the ISP and was told that there was no blocking. I called again, got a different tech, and my problem was solved when the 2nd tech reconfigured the router fronting my PIX.

Thanks,

Diego

That usually means something was being blocked and they didn't want to admit it the second time, and the first time you called they didn't even look at it. The same thing has happened to me before.
