11-04-2007 08:52 AM - edited 02-21-2020 03:21 PM
Hi,
I have a PIX 515E and 501 acting as a hardware client. Several remote locations are connected as Easy VPN clients, but one location will connect, but no traffic flows. I switched from network-extension-mode to client-mode and I can connect through to the other network hosts.
I'm not sure why this PIX 501 is different. There are no ACLs except what is pulled from the headend.
Any ideas where I should look?
Thanks,
Vince
11-06-2007 07:21 AM
What is the inside subnet that the Pix 501 is connecting from? Could it be a NAT 0 ACL issue, overlapping access-lists, or interesting traffic?
Regards,
Arul
11-06-2007 07:33 AM
The subnet on the PIX 501 is 192.168.0.0.
The headend inside subnet is 192.168.1.0.
There are no access-lists on the 501 other than what is pushed down and explicit to the PIX.
11-06-2007 08:00 AM
Couple of quick comments:
1. I do not see 192.168.0.0 part of that inside_outbound_nat0_acl ACL.
2. I see a crypto map instance 40 with "incomplete" crypto map, which is actually missing a match address.
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
! Incomplete
Not sure if this is the current configuration from the pix. If there is a crypto map instance with an incomplete match address, all traffic will be encrypted.
Regards,
Arul
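The two checks above (is the remote subnet exempted from NAT by the nat 0 ACL, and does every static crypto map instance carry a match address) are easy to miss by eye in a long PIX configuration. The following script is an added example, not code from the thread or from Cisco: it runs both checks over a constructed configuration fragment that mirrors the names in the thread (inside_outbound_nat0_acl, outside_map instance 40, peer 216.27.161.109) and prints the lines that would close the gaps. It assumes PIX-style access-lists written with subnet masks rather than wildcard masks, that only `permit ip` entries and `nat (inside) 0 access-list` bindings matter, and that `no crypto map <name> <seq>` removes a whole instance; the suggested lines are illustrative and should be checked against the command reference for the running software version.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed headend configuration fragment (not the original poster's config).
# Instance 40 has peer and transform-set but no match address; the nat 0 ACL
# exempts two remote subnets but not 192.168.0.0/24.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 198.51.100.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""

# PIX access-lists use subnet masks (assumption: only 'permit ip' entries checked).
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def nat0_acl_entries(config, interface="inside"):
    """Return (acl_name, [(src_net, dst_net), ...]) for the ACL bound by nat (interface) 0."""
    acl_name = None
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m and m.group(1) == interface:
            acl_name = m.group(2)
    entries = []
    if acl_name is None:
        return None, entries
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            src = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            entries.append((src, dst))
    return acl_name, entries


def nat0_covers(config, inside_net, remote_net):
    """True if some nat 0 ACL entry exempts inside_net -> remote_net from translation."""
    inside, remote = ip_network(inside_net), ip_network(remote_net)
    _, entries = nat0_acl_entries(config)
    return any(inside.subnet_of(src) and remote.subnet_of(dst) for src, dst in entries)


def incomplete_crypto_maps(config):
    """Static crypto map instances with no 'match address'; dynamic instances are skipped."""
    instances = defaultdict(dict)
    for line in config.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        inst = instances[(name, seq)]
        if rest.startswith("ipsec-isakmp dynamic"):
            inst["dynamic"] = True
        elif rest.startswith("match address"):
            inst["match"] = rest.split()[2]
    return sorted(key for key, inst in instances.items()
                  if not inst.get("dynamic") and "match" not in inst)


def suggested_fixes(config, inside_net, remote_net):
    """Config lines that add the missing NAT exemption and drop incomplete static instances."""
    fixes = []
    acl_name, _ = nat0_acl_entries(config)
    if acl_name and not nat0_covers(config, inside_net, remote_net):
        i, r = ip_network(inside_net), ip_network(remote_net)
        fixes.append(f"access-list {acl_name} permit ip "
                     f"{i.network_address} {i.netmask} {r.network_address} {r.netmask}")
    for name, seq in incomplete_crypto_maps(config):
        # Assumption: 'no crypto map <name> <seq>' removes the whole instance.
        fixes.append(f"no crypto map {name} {seq}")
    return fixes


if __name__ == "__main__":
    for line in suggested_fixes(SAMPLE_CONFIG, "192.168.1.0/24", "192.168.0.0/24"):
        print(line)
```

Run against the sample, the script reports that 192.168.0.0/24 is not exempted and that outside_map 40 is a static instance without a match address, which is exactly the pair of findings in the reply above; the dynamic instance 65535 is correctly left alone, since dynamic entries never carry a match address.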
11-06-2007 08:18 AM
#1- might be the issue.
#2- is an old entry I haven't removed. The site used to be site2site. It's now ez vpn.
I'll add the access-list and see what happens.
thanks
11-06-2007 08:27 AM
I think the ACL that was missing on the headend was the problem. I was able to PING the server on the 192.168.0.0 network. I wasn't able to do this before. I'm going to try to connect from the other side tonight.
Thank you very much for your help!
Vince