IPSec L2L Not Passing Traffic

Unanswered Question
Jul 30th, 2008

I am fairly new to the PIX and have spun my wheels long enough. I have an L2L VPN tunnel set up between a PIX 506 and a PIX 525. The PIX 506 is running 6.2(2) of the PIX OS and is the remote peer. The PIX 525 is running 7.2(3). The tunnel is up between the two peers so I know at least that portion is correct.

When I try to ping a host on the remote network, I can see decaps but no encaps on the remote PIX 506. If I run a debug icmp trace on the 506, I see the request coming in but no reply going out. I am also unable to ping the inside interface of the 506. I have also tried to use VNC to gain access to the remote PCs that have VNC installed and have no luck with that either. I also tried to SSH into the inside interface of the remote 506 and was also unsuccessful.

I am sure it is something simple but since I have spent a good amount of the afternoon on it, I can't seem to figure out what it is.

My config for the remote peer's PIX 506 is attached as I believe that is the problem child. I have cleaned the configuration of outside address info.

If you need additional info or clarification, please let me know.

Farrukh Haroon Wed, 07/30/2008 - 18:28

Config seems to be OK; if possible, post the other PIX's config, and also debugs from the PIX 506:

debug crypto ipsec

debug crypto isakmp

Which IP are you trying to ping from?

Regards

Farrukh

pcaddict1 Thu, 07/31/2008 - 04:29

Apparently, that command is not supported in version 6.2(2). I just get the usual keyword list after typing the command and pressing Enter.

Farrukh Haroon Thu, 07/31/2008 - 05:29

Yes, I think this is a 6.3.x and later feature.

However, you only need this if there is NAT in the transit path. This can be seen from the isakmp phase 1 (exchange 3/4) debugs. Something like 'NAT matchines MINE HASH ...'

Regards

Farrukh

suresh555 Thu, 07/31/2008 - 01:33

Similarly, I am also facing the same problem: the VPN is getting connected, but the user is not able to access the URLs inside the VPN, and the internet is also not working.

Thanks in advance.

Marwan ALshawi Thu, 07/31/2008 - 03:48

Dear Suresh,

I think your case has two problems.

One, check the NAT exemption, also called NAT 0.

And for internet, you need to make split tunneling.

In split tunneling you're going to include only the required traffic in your VPN tunnel, such as traffic to a specific network or from a specific network to a specified network.

And all other traffic, such as internet, will use whatever route or default route you have.

Then you can use the internet and the VPN together.

Good luck.

Please rate if helpful.
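As an added illustration of the two items above (NAT exemption and split tunneling), here is what they look like in PIX 6.x syntax, followed by the commands used to confirm traffic is actually matching. This is not configuration from any poster in this thread; the subnets (10.1.1.0/24 local, 10.2.2.0/24 behind the remote peer), the ACL names and the vpngroup name are made up, and the peer address and transform-set lines of the crypto map are left out.

```text
: Constructed example, not from this thread. 10.1.1.0/24 is the local
: inside network, 10.2.2.0/24 the network behind the remote L2L peer.

: NAT exemption ("nat 0"): traffic between the two VPN subnets must not
: be translated, otherwise it never matches the crypto ACL and leaves
: the box in the clear (decaps but no encaps on the sa counters).
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

: The crypto ACL for the L2L tunnel should mirror the nonat entry exactly
: (the other peer has the same line with the two subnets swapped).
access-list l2l-traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address l2l-traffic

: Split tunneling (remote-access vpngroup on PIX 6.x): only the inside
: network is sent through the tunnel; everything else, including the
: internet, uses the client's own default route.
access-list split-acl permit ip 10.1.1.0 255.255.255.0 any
vpngroup remote-users split-tunnel split-acl

: Checks: the nonat and crypto ACL hit counts should climb as you ping
: across the tunnel, and the SA counters should show packets being
: encapsulated (encaps) as well as decapsulated (decaps).
show access-list nonat
show access-list l2l-traffic
show crypto ipsec sa
```

If the ACL hit counts stay at zero while the tunnel is up, the packets are not reaching the crypto process, which points back at NAT, routing, or (as in this thread) a host firewall rather than at the VPN itself.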

pcaddict1 Thu, 07/31/2008 - 08:55

Never overlook the obvious. I called the remote site and found out that the Windows Firewall was turned on. We don't typically turn it on so it was the furthest from my mind. Once Windows Firewall was turned off, I could ping the PC.

Thanks for the second and third pair of eyes and for the suggestions.
