PIX515 to PIX515 IPsec tunnel ping anomalies

Unanswered Question
Sep 20th, 2007
PIX515A to PIX515B, IPsec tunnel. I can ping from inside subnet A to inside subnet B. I can ping from the PIXA CLI to inside subnet B. However, I can't ping from the PIXB CLI to inside A. This doesn't make sense. As stated, I can ping from anywhere in subnet B to inside subnet A, just not from the PIXB CLI.

My configs are quite large so I haven't posted them. I can, but I was hoping for some hints as to where to look, as this must be a common problem.

jon.humphries Thu, 09/20/2007 - 15:05

Hi,

Are you sure that you have created the ACLs and NAT exemptions for the traffic at the site that isn't working?

Are you using any internal ACLs on the inside interface? Have you enabled any by mistake, etc.?

I don't think it will be an MTU or fragmentation issue, as you have ICMP traffic one way. You can post the configs if you wish.

Thanks,

Jon Humphries CCIE Drake

murray-davis Fri, 09/21/2007 - 07:02
Hi, Jon

I thought a bit more deeply about the config after reading your reply. There were two NONAT entries on PIXB that were no longer needed, which pointed to an old internal LAN subnet. I hadn't removed these from the NONAT list when I redesigned the LAN. I just didn't think that they would cause any issue. What I learned: NONAT rules must be mirrors of each other on the IPsec tunnel endpoints for the PIX firewalls.


Thanks again for your reply.

murray-davis Fri, 09/21/2007 - 07:10
Hi, Jon

Please ignore my last email. I will send the config. I did my ping from the wrong device.

murray-davis Fri, 09/21/2007 - 07:22
Here are config clips:

PIXB's rules

access-list NONAT permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0

The LAN side of PIXB has two subnets, 10.9.0.0 and 10.10.0.0. EDM, of course, is the crypto ACL for the PIXA network.


PIXA's rules

access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.147.0.0 255.255.0.0
access-list NONAT permit ip 10.2.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list NONAT permit ip 10.3.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0

The LAN side of PIXA is 10.1.0.0. The 192.168.0.0 addresses and 10.147.0.0 are for other subnets in the WAN. BEAVERRIVER refers to the PIXB network.
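The two things Jon's reply asks about can be checked mechanically: the crypto ACL on each peer (EDM on PIXB, BEAVERRIVER on PIXA) must be the mirror image of the other, and every crypto entry must be matched by a NAT-exemption (NONAT) entry on the same firewall, or the traffic is translated before it reaches the tunnel. The script below is an added example, not code from this thread or from Cisco; it parses only the classic PIX `access-list NAME permit ip SRC MASK DST MASK` form used in the posted clips (no `host`/`any` keywords, no other protocols), and the constants PIXA_CLIP and PIXB_CLIP simply reproduce the lines posted above. The function and variable names are the example's own.

```python
"""Check that two PIX crypto ACLs mirror each other and that each crypto
entry is covered by a NONAT entry on the same box (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Classic PIX syntax only: access-list NAME permit ip SRC SMASK DST DMASK
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)

# Config clips as posted in the thread (PIXA first, then PIXB).
PIXA_CLIP = """
access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.147.0.0 255.255.0.0
access-list NONAT permit ip 10.2.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list NONAT permit ip 10.3.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
"""

PIXB_CLIP = """
access-list NONAT permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
"""


def parse_acls(config: str) -> Dict[str, List[Pair]]:
    """Collect (src, dst) network pairs per ACL name; non-matching lines are skipped."""
    acls: Dict[str, List[Pair]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            acls.setdefault(m["name"], []).append((src, dst))
    return acls


def mirror_gaps(local: List[Pair], remote: List[Pair]) -> List[Pair]:
    """Local crypto entries whose reversed pair (dst, src) is absent on the peer."""
    remote_set = set(remote)
    return [(s, d) for s, d in local if (d, s) not in remote_set]


def nonat_gaps(crypto: List[Pair], nonat: List[Pair]) -> List[Pair]:
    """Crypto entries not contained in any NONAT entry on the same firewall."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)]


def check_tunnel(cfg_a: str, crypto_a: str, cfg_b: str, crypto_b: str,
                 nonat_name: str = "NONAT") -> Dict[str, List[Pair]]:
    """Run both checks for a pair of peers; every returned list should be empty."""
    a, b = parse_acls(cfg_a), parse_acls(cfg_b)
    return {
        "a_not_mirrored_on_b": mirror_gaps(a.get(crypto_a, []), b.get(crypto_b, [])),
        "b_not_mirrored_on_a": mirror_gaps(b.get(crypto_b, []), a.get(crypto_a, [])),
        "a_crypto_without_nonat": nonat_gaps(a.get(crypto_a, []), a.get(nonat_name, [])),
        "b_crypto_without_nonat": nonat_gaps(b.get(crypto_b, []), b.get(nonat_name, [])),
    }


if __name__ == "__main__":
    for key, gaps in check_tunnel(PIXA_CLIP, "BEAVERRIVER", PIXB_CLIP, "EDM").items():
        print(key, "OK" if not gaps else [f"{s} -> {d}" for s, d in gaps])
```

Run against the posted clips, every list comes back empty, which is consistent with the original poster's conclusion that the tunnel itself was fine and the ping had simply been run from the wrong device. Deleting one of PIXB's NONAT lines (the kind of stale or missing exemption Jon asked about) makes `b_crypto_without_nonat` report the uncovered subnet pair, which is the symptom to look for before reaching for MTU or fragmentation theories.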
