IPSec L2L Not Passing Traffic

Jul 30th, 2008

I am fairly new to the PIX and have spun my wheels long enough. I have a L2L VPN tunnel set up between a PIX 506 and a PIX 525. The PIX 506 is running 6.2(2) of the PIX OS and is the remote peer. The PIX 525 is running 7.2(3). The tunnel is up between the two peers so I know at least that portion is correct.


When I try to ping a host on the remote network, I can see decaps but no encaps on the remote PIX 506. If I run a debug icmp trace on the 506, I see the request coming in but no reply going out. I am also unable to ping the inside interface of the 506. I have also tried to use VNC to gain access to the remote PCs that have VNC installed and have no luck with that either. I also tried to SSH into the inside interface of the remote 506 and was also unsuccessful.


I am sure it is something simple but since I have spent a good amount of the afternoon on it, I can't seem to figure out what it is.


My config for the remote peer's PIX 506 is attached as I believe that is the problem child. I have cleaned the configuration of outside address info.


If you need additional info or clarification, please let me know.



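The symptom in the post (decaps counting up on the remote PIX while encaps stays at zero) can be read mechanically from the SA counters. The following is an added example, not code from the thread or from any poster: a small Python parser over constructed, PIX-style `show crypto ipsec sa` text that maps each SA's encaps/decaps pair to the next thing worth checking. The addresses, the sample output and the `VERDICTS` hints are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of PIX 6.x "show crypto ipsec sa" output
# (hypothetical addresses, not a capture from the thread).
SAMPLE_SA_OUTPUT = """\
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 198.51.100.5:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 57, #pkts decrypt: 57, #pkts verify 57
    #send errors 0, #recv errors 0
"""

@dataclass
class SaStatus:
    peer: str
    local_net: str
    remote_net: str
    encaps: int
    decaps: int
    verdict: str

# (encaps seen, decaps seen) -> where to look next (assumed troubleshooting hints)
VERDICTS = {
    (False, False): "idle: nothing matches the crypto ACL; check interesting traffic and routing",
    (False, True): "decaps-only: peer traffic arrives but no reply is encrypted; "
                   "check the host firewall, inside routing and the nat 0 exemption",
    (True, False): "encaps-only: traffic leaves but nothing returns; check the far side",
    (True, True): "bidirectional",
}

def parse_ipsec_sa(text: str) -> list:
    """Return one SaStatus per SA block found in 'show crypto ipsec sa' output."""
    statuses, cur = [], {}
    for line in text.splitlines():
        if m := re.search(r"local\s+ident.*\):\s*\((\S+?)/", line):
            cur = {"local_net": m.group(1)}  # a new SA block starts here
        elif m := re.search(r"remote\s+ident.*\):\s*\((\S+?)/", line):
            cur["remote_net"] = m.group(1)
        elif m := re.search(r"current_peer:\s*([\d.]+)", line):
            cur["peer"] = m.group(1)
        elif m := re.search(r"#pkts encaps:\s*(\d+)", line):
            cur["encaps"] = int(m.group(1))
        elif m := re.search(r"#pkts decaps:\s*(\d+)", line):
            cur["decaps"] = int(m.group(1))
            key = (cur["encaps"] > 0, cur["decaps"] > 0)
            statuses.append(SaStatus(verdict=VERDICTS[key], **cur))
    return statuses
```

Feed it the real command output instead of `SAMPLE_SA_OUTPUT` and a decaps-only verdict on the 506 points at the inside host or its path back to the firewall, which is exactly where the thread ended up.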
Farrukh Haroon Wed, 07/30/2008 - 18:28

Config seems to be OK, if possible post the other PIX's config. And also debugs from the PIX 506:


debug crypto ipsec

debug crypto isakmp


Which IP are you trying to ping from?


Regards


Farrukh

Marwan ALshawi Wed, 07/30/2008 - 21:51

try

crypto isakmp nat-traversal 20

pcaddict1 Thu, 07/31/2008 - 04:29

Apparently, that command is not supported in version 6.2(2). I just get the usual keyword list after typing the command and pressing Enter.

Farrukh Haroon Thu, 07/31/2008 - 05:29

Yes I think this is a 6.3.x and later feature.


However you only need this if there is NAT in the transit path. This can be seen from the isakmp phase 1 (exchange 3/4) debugs. Something like 'NAT matches MINE HASH ...'


Regards


Farrukh

suresh555 Thu, 07/31/2008 - 01:33

Similarly, I am also facing the same problem: the VPN is getting connected, but the user is not able to access the URLs inside the VPN, and the internet is also not working.


Thanks in advance.


Marwan ALshawi Thu, 07/31/2008 - 03:48

Dear suresh


I think your case has two problems.

One, check the NAT exemption, also called NAT 0.


And for internet, you need to configure split tunneling.

In split tunneling you include only the required traffic in your VPN tunnel, such as traffic to a specific network, or from a specific network to a specified network.

All other traffic, such as internet, will use whatever route or default route you have.

Then you can use the internet and the VPN together.


good luck


please Rate if helpful

pcaddict1 Thu, 07/31/2008 - 08:55

Never overlook the obvious. I called the remote site and found out that the Windows Firewall was turned on. We don't typically turn it on so it was the furthest from my mind. Once Windows Firewall was turned off, I could ping the PC.


Thanks for the second and third pair of eyes and for the suggestions.

Farrukh Haroon Thu, 07/31/2008 - 11:09

That's great, glad you have it working. Thanks for the update :)


Regards


Farrukh
