VPN- Easy VPN Hardware Client Connects, but No Traffic

vdinenna71
Level 1

Hi,

I have a PIX 515E and 501 acting as a hardware client. Several remote locations are connected as Easy VPN clients, but one location will connect, but no traffic flows. I switched from network-extension-mode to client-mode and I can connect through to the other network hosts.

I'm not sure why this PIX 501 one is different. There are no ACLs except what is pulled from the headend.

Any ideas where I should look?

Thanks,

Vince

vdinenna71
Level 1

Here is the headend config. I'll attach the client side, but there isn't much configured there.

What is the inside subnet that the PIX 501 is connecting from? Could it be a NAT 0 ACL issue, overlapping access-lists, or interesting traffic?

Regards,

Arul

The subnet on the PIX 501 is 192.168.0.0.

The headend inside subnet is 192.168.1.0.

There are no access-lists on the 501 other than what is pushed down and explicit to the PIX.

Couple of quick comments:

1. I do not see 192.168.0.0 part of that inside_outbound_nat0_acl ACL.

2. I see a crypto map instance 40 with "incomplete" crypto map, which is actually missing a match address.

crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
! Incomplete

Not sure if this is the current configuration from the PIX. If there is a crypto map instance with an incomplete match address, all traffic will be encrypted.

Regards,

Arul
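
An added example (not part of the original posts and not Cisco tooling): a short Python check for the two conditions raised in the reply above, run against a constructed PIX 6.x-style headend config. The /24 masks, crypto map entry 20, the names outside_cryptomap_20 and outside_dyn_map, and the 203.0.113.x peers are assumptions; only network/mask ACL entries are parsed.

```python
import ipaddress
import re

# Constructed sample of a PIX 6.x-style headend config (not the poster's actual config).
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 203.0.113.40
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""

def incomplete_crypto_maps(config):
    """Return sorted (map, seq) pairs of static entries with no 'match address'."""
    entries = {}
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) (.+)", line.strip())
        if m:
            entries.setdefault((m.group(1), int(m.group(2))), []).append(m.group(3))
    return sorted(
        key for key, cmds in entries.items()
        if not any("dynamic" in c.split() for c in cmds)  # dynamic entries take no ACL
        and not any(c.startswith("match address") for c in cmds)
    )

def nat0_covers(config, local, remote):
    """True if the ACL bound to 'nat (inside) 0' permits ip from local to remote."""
    bound = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not bound:
        return False
    src, dst = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    pat = re.compile(r"^access-list %s permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)"
                     % re.escape(bound.group(1)), re.M)
    for s_ip, s_mask, d_ip, d_mask in pat.findall(config):
        if (src.subnet_of(ipaddress.ip_network(f"{s_ip}/{s_mask}"))
                and dst.subnet_of(ipaddress.ip_network(f"{d_ip}/{d_mask}"))):
            return True
    return False

if __name__ == "__main__":
    print("incomplete crypto map entries:", incomplete_crypto_maps(SAMPLE_CONFIG))
    print("192.168.0.0/24 exempt from NAT:",
          nat0_covers(SAMPLE_CONFIG, "192.168.1.0/24", "192.168.0.0/24"))
```
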

#1- might be the issue.

#2- is an old entry I haven't removed. The site used to be site2site. It's now ez vpn.

I'll add the access-list and see what happens.

Thanks

I think the ACL that was missing on the headend was the problem. I was able to PING the server on the 192.168.0.0 network. I wasn't able to do this before. I'm going to try to connect from the other side tonight.

Thank you very much for your help!

Vince
