07-30-2008 12:50 PM - edited 02-21-2020 03:52 PM
I am fairly new to the PIX and have spun my wheels long enough. I have a L2L VPN tunnel set up between a PIX 506 and a PIX 525. The PIX 506 is running 6.2(2) of the PIX OS and is the remote peer. The PIX 525 is running 7.2(3). The tunnel is up between the two peers so I know at least that portion is correct.
When I try to ping a host on the remote network, I can see decaps but no encaps on the remote PIX 506. If I run a debug icmp trace on the 506, I see the request coming in but no reply going out. I am also unable to ping the inside interface of the 506. I have also tried to use VNC to gain access to the remote PCs that have VNC installed and have no luck with that either. I also tried to SSH into the inside interface of the remote 506 and was also unsuccessful.
I am sure it is something simple but since I have spent a good amount of the afternoon on it, I can't seem to figure out what it is.
My config for the remote peer's PIX 506 is attached as I believe that is the problem child. I have cleaned the configuration of outside address info.
If you need additional info or clarification, please let me know.
07-30-2008 06:28 PM
Config seems to be OK; if possible, post the other PIX's config, and also debugs from the PIX 506:
debug crypto ipsec
debug crypto isakmp
Which IP are you trying to ping from?
Regards
Farrukh
07-30-2008 09:51 PM
try
crypto isakmp nat-traversal 20
07-31-2008 04:29 AM
Apparently, that command is not supported in version 6.2(2). I just get the usual keyword list after typing the command and pressing Enter.
07-31-2008 05:29 AM
Yes I think this is a 6.3.x and later feature.
However you only need this if there is NAT in the transit path. This can be seen from the isakmp phase 1 (exchange 3/4) debugs. Something like 'NAT matchines MINE HASH ...'
Regards
Farrukh
07-31-2008 01:33 AM
Similarly, I am also facing the same problem: the VPN is getting connected, but the user is not able to access the URLs inside the VPN, and the internet is also not working.
Thanks in advance.
07-31-2008 03:48 AM
Dear Suresh,
I think your case has two problems.
One: check the NAT exemption, also called NAT 0.
And for internet you need to make split tunneling.
In split tunneling you include only the required traffic in your VPN tunnel, such as traffic to a specific network, or from a specific network to a specified network,
and all other traffic such as internet will use whatever route or default route you have.
Then you can use the internet and the VPN together.
Good luck
Please rate if helpful
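As an added example (not from any poster in this thread), the two fixes described in the reply above in PIX 6.x syntax, with constructed addresses (inside LAN 192.168.1.0/24, client pool 192.168.100.0/24) and a hypothetical vpngroup name, followed by the show commands used to confirm each one:

```cisco
! Added example, not from the thread. Addresses and the group name are constructed.
! Inside LAN: 192.168.1.0/24   Remote-access client pool: 192.168.100.0/24
ip local pool vpnpool 192.168.100.1-192.168.100.50

! 1. NAT exemption ("nat 0"): inside-to-VPN traffic must bypass PAT.
!    If it is PATed to the outside address, the reply no longer matches the
!    crypto ACL and never gets encapsulated (decaps without encaps).
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat

! Everything else from inside is still PATed to the outside interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! 2. Split tunneling: only 192.168.1.0/24 is pushed to the client as a tunneled
!    network; the client's internet traffic uses its own default route.
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel split_tunnel
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password PLACEHOLDER_PRESHARED_KEY

! Let decrypted VPN traffic bypass the interface access-lists.
sysopt connection permit-ipsec

! Verification (no exec mode change needed on PIX 6.x):
!   show access-list nonat        - hitcnt should climb as inside hosts reply
!   show crypto ipsec sa          - #pkts encaps and #pkts decaps should both increase
!   show crypto isakmp sa         - state QM_IDLE confirms phase 1 is up
```

If `#pkts decaps` rises while `#pkts encaps` stays at zero and the nonat hit count does not move, the reply is being NATed or is not leaving the host at all, which is exactly the host-firewall case the original poster ran into.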
07-31-2008 08:55 AM
Never overlook the obvious. I called the remote site and found out that the Windows Firewall was turned on. We don't typically turn it on so it was the furthest from my mind. Once Windows Firewall was turned off, I could ping the PC.
Thanks for the second and third pair of eyes and for the suggestions.
07-31-2008 11:09 AM
That's great, glad you have it working. Thanks for the update :)
Regards
Farrukh