PIX520 Site to Site VPN NAT problem

deanwesthead (Level 1)

I am trying to get a site to site VPN established from a PIX520. There is only one outside interface IP and NAT is setup on the PIX. The NAT works fine for general web/email etc and all inside hosts connect to websites reporting their IP as the outside interfaces IP.

The problem I'm having is that the VPN isn't doing the NAT. The tunnel passes stage 1 but then the inside host that is trying to connect is still connecting using its own inside IP and not being natted to the outside interface's IP.

I have been reading various info for about a week and I have even removed all the "nonat" entries on the PIX but it still does not get natted.

Any ideas?

23 Replies

acomiskey (Level 10)

Generally, you do not want traffic natted over a l2l tunnel. But if you do, remove the nat (inside) 0 access-list command. Then you must add the outside interface to the interesting traffic acl.

So instead of...

access-list crypto permit ip

access-list nonat permit ip

nat (inside) 0 access-list nonat

You will have...

access-list crypto permit ip

global (outside) 1 interface

nat (inside) 1 0 0

You are a hero! That's got my VPN tunnel up, thanks. For some reason the people we are connecting to insist on us coming in with a real routable address.

I still have a problem with this that you may be able to shed some light on.

If I ping a host at the other end of the VPN tunnel, the IPSEC tunnel comes up and they can see encrypted packets coming into them from me and they can also see a response being sent back to me, but I don't get the response back to my host. All I get from the ping is request timed out.

We have an old Cisco 5500 switch that the host is connected to and this is then connected to the PIX520 firewall. I can ping other sites on the internet without any problems and get the response back. It seems to only be hosts at the other end of the VPN that I lose the packets from.

I'm not sure if it's the 5500 routing or the PIX routing that is a problem but as I can ping other sites (e.g. www.google.co.uk) I am thinking it is something to do with the VPN setup in the firewall.

Any ideas?

Is it only ping you are having problems with? Or you cannot communicate at all?

I would check what the other end has defined as interesting traffic. It should be something like...

access-list crypto permit ip

Please rate helpful posts.

No, I can't get anything back from the other end. The people at the other end of the tunnel where the server is say they can see my encrypted packet come into them and they can see their encrypted response packet go out back to me, but it just doesn't seem to make it back to my host. If I do a ping from the PIX CLI I get responses back, but from anywhere else it just times out. I'm looking at the routes set up in both the PIX and the switch behind it.

Do you mind posting your pix config? Clean out passwords/public ip's etc.

I have attached my PIX config. I think I have removed everything sensitive without removing anything you do need to see .....

You don't have impulse-cns defined? Maybe you just took that part out.

Anyway, so if you ping something on impulse-cns from the pix command line, it works? And from a client machine inside the pix, it doesn't work? PIX config looks ok.

Yes, that's exactly right. Sorry, I probably removed the line where impulse-cns is defined from the file before I sent it.

Thanks for checking over the config. It's starting to look like a config problem on the 5500 switch that is on the inside interface of the PIX. The people at the other end of the tunnel say they are replying to the ping etc. but it never reaches a workstation on the inside of the pix.

It must be something to do with the routing to/from the VPN because from the workstation on the inside I can ping www.google.co.uk with no problem but just get time outs when I ping a host across the tunnel.

The only thing I don't understand in the PIX config is that the outside interface is for example 195.123.123.100 and when you browse to a site from a host on the inside it reports its IP as 195.123.123.100, which you would expect, but there is a line in the PIX config that says:

route outside 0.0.0.0 0.0.0.0 195.123.123.97

Wouldn't this route everything out via 195.123.123.97? Would that cause a problem if the VPN is created as in your previous post using:

access-list crypto permit ip 195.123.123.100 213.195.195.122

global (outside) 1 interface

nat (inside) 1 0 0

The VPN using the above comes up perfectly and I'm told encrypted packets from me hit the other end and they are sending packets back but they get lost along the way.

Thanks.

The route outside command is just your default gateway.

Any chance of getting config from remote end?

OK thanks. Will it not cause problems having the default gateway on the PIX not set to its outside interface IP?

There is no chance of getting the config from the other end - it connects to a government department!

I'm starting to think it's an issue with the routing module in the 5500 switch that is on the inside interface and that all the inside hosts connect to.

I can ping the remote hosts across the tunnel from the PIX CLI, but if I then go to the 5500 CLI and try to ping the same remote host all I get is time out.

What I can't understand is that the 5500 has a really simple config so you would think I could spot the error!

I will keep looking at it.

Your default gateway is not the outside interface ip. It is the next hop up from your outside interface.

Want to post the config from the switch?

OK Thanks. I will check that that is the IP of the router to the internet. It must be if the internet is working but I will check it.

I have attached the config of the 5500 switch, both the switch module and the "router" rsm module.

I am trying at the moment to get this working from a workstation on VLAN 1 (default VLAN) with an IP of 192.168.0.129.

Thanks for all your help/time with this. These are not bits of kit that I have set up or configured so I'm trying to make sense of someone else's work at the moment.

Thanks.

Dean,

You don't have any inside routes defined on your pix. For example, it needs to know how to get to your inside networks, for example 192.168.0.0/24. Add this line to your pix...

route inside 192.168.0.0 255.255.255.0 10.192.10.1

...and try again from 192.168.0.129.

Sorry - I probably removed more of the PIX config than I should have when I sent it the first time.

There is an inside route set up. We have 2 sections. One is:

name 10.192.20.62 marshal2

name 192.168.0.0 tsclients

name 192.168.10.0 tswireless

and the second is:

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.144.16.0 255.255.240.0 10.192.0.1 1

route inside tsgi 255.240.0.0 10.192.0.1 1

route inside mkone 255.255.0.0 10.192.20.1 1

route inside psmbilston 255.255.255.0 10.192.10.1 1

route inside tsclients 255.255.255.0 192.168.0.1 1

route inside 195.51.133.0 255.255.255.0 10.192.10.1 1

so that should cover it but it still does not work.
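Added example, not from the thread or from Cisco: a small checker for the two PIX 6.x config questions raised above. It parses a constructed config built from the addresses quoted in the thread (the crypto and nonat ACL contents are assumed) and reports (1) whether traffic from an inside host to the VPN peer would be NAT-exempted by `nat (inside) 0 access-list nonat` (private source crosses the tunnel) or translated to the outside interface by `global (outside) 1 interface` + `nat (inside) 1 0 0`, and (2) whether a `route inside` entry covers a host behind the inside router, which the PIX needs to deliver the peer's replies.

```python
import ipaddress
import re

# Constructed sample PIX config (not the poster's real config).
CONFIG_WITH_NONAT = """\
access-list crypto permit ip 192.168.0.0 255.255.255.0 213.195.195.122 255.255.255.255
access-list nonat permit ip 192.168.0.0 255.255.255.0 213.195.195.122 255.255.255.255
nat (inside) 0 access-list nonat
global (outside) 1 interface
nat (inside) 1 0 0
route outside 0.0.0.0 0.0.0.0 195.123.123.97 1
route inside 10.144.16.0 255.255.240.0 10.192.0.1 1
"""
# Same config after the fix from the thread: nonat lines removed, PAT to the interface only.
CONFIG_PAT_ONLY = "\n".join(l for l in CONFIG_WITH_NONAT.splitlines()
                            if "nonat" not in l) + "\n"

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)")
PAT_RE = re.compile(r"nat \(inside\) 1 0 0")

def parse(config):
    acls, routes, nat0_acl, pat = {}, [], None, False
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
            continue
        m = ROUTE_RE.match(line)
        if m:
            iface, net, mask, gw = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_acl = m.group(1)   # NAT exemption (identity NAT) ACL
        elif PAT_RE.match(line):
            pat = True              # every inside host is PATed to global pool 1

def_ = None  # placeholder removed below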

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: