VPN tunnel is up but cannot ping or access anything

Unanswered Question
Aug 13th, 2008

I have a VPN tunnel between our PIX 515E and an ASA box at a remote location.

The VPN client says we are connected, but I cannot ping or access anything at the remote location.

When I check my ipconfig, I see that I got an IP from the ASA box at the remote location.

Funny thing is that we can ping and access the remote computers when we establish the VPN tunnel from our sister company.

Our subnet IP scheme is the same at the 3 locations.

Thanks for your time.

acomiskey Wed, 08/13/2008 - 11:29

Could you clarify what type of VPN you are trying to establish. You mention a tunnel between a PIX and ASA, but you also mention the VPN client. Is this LAN-to-LAN or remote access?

Farrukh Haroon Wed, 08/13/2008 - 11:30

The VPN client is connecting to which server, ASA or PIX? What is the version of PIX/ASA?

Have you enabled NAT-T? (You might need to enable it in the client as well, in the Transport tab... it's enabled by default on the client, though, and disabled on ASA/PIX 7.x.)

isakmp nat-traversal is the command to enable it on the PIX/ASA.



acomiskey Wed, 08/13/2008 - 11:57

Farrukh is right on here. If it's not NAT-T, then look at your NAT exemption config. In 7.2 and greater the command is now

crypto isakmp nat-traversal

assalihin Mon, 08/18/2008 - 06:57

I checked my config on my PIX and I have the "isakmp nat-traversal" command in there.

This is what I am trying to do:

User ---> PIX ---> ASA --- RDP to any machine in the network protected by the ASA.

Thanks for your time

Farrukh Haroon Mon, 08/18/2008 - 10:41

So on what port is the VPN connection established? 500 and ESP (protocol 50), or port 4500? You can verify this with 'show conn' and with the 'show crypto isakmp/ipsec sa det' commands.



assalihin Mon, 08/18/2008 - 11:05

On which device should I run this command?

On the PIX (client) or on the ASA (server)?

Farrukh Haroon Mon, 08/18/2008 - 11:24

The first suggestion (to enable NAT-T) is on the client. It's on the 'Transport' tab in the VPN client GUI. It's on by default, but just double check.

The second set of commands is on the firewall (server).
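The original poster mentions that the subnet IP scheme is the same at all three locations. When the LAN behind the client and the network behind the remote firewall use the same prefix, the client host has two equally specific routes for those destinations and will normally send the traffic to its directly connected LAN instead of into the tunnel, which produces exactly the "tunnel is up but nothing answers" symptom. The script below is an added example, not code from the thread or from Cisco: it checks a set of local and remote prefixes for overlap and shows which way a given destination would be sent. All addresses are constructed, and the tie-break rule (a directly connected network wins over an equal-length tunnel route) is a modelling assumption, since the real choice depends on the host's route metrics.

```python
"""Check a VPN client's local LAN against the networks reachable through the tunnel.

Added example for the thread above, not Cisco or forum code. All prefixes are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def parse_nets(specs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # strict=False accepts host-style entries such as 192.168.1.10/24
    return [ipaddress.ip_network(s, strict=False) for s in specs]


def find_overlaps(local_specs: Iterable[str], remote_specs: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (local, remote) prefix pairs whose address ranges intersect."""
    overlaps = []
    for local in parse_nets(local_specs):
        for remote in parse_nets(remote_specs):
            if local.overlaps(remote):
                overlaps.append((str(local), str(remote)))
    return overlaps


def next_hop(dst: str, local_specs: Iterable[str], remote_specs: Iterable[str]) -> str:
    """Decide where a destination would be sent: 'local', 'tunnel' or 'no route'.

    Longest prefix wins. On a tie the directly connected LAN wins (assumption:
    a connected route normally beats the tunnel route of equal length).
    """
    addr = ipaddress.ip_address(dst)
    candidates = []
    for net in parse_nets(local_specs):
        if addr in net:
            candidates.append((net.prefixlen, 1, "local"))   # 1 = preferred on tie
    for net in parse_nets(remote_specs):
        if addr in net:
            candidates.append((net.prefixlen, 0, "tunnel"))
    if not candidates:
        return "no route"
    candidates.sort(reverse=True)
    return candidates[0][2]


def diagnose(local_specs: Iterable[str], remote_specs: Iterable[str], targets: Iterable[str]) -> Dict[str, str]:
    """Map each target address to the path the model says it would take."""
    return {t: next_hop(t, local_specs, remote_specs) for t in targets}


# Constructed scenario: the client's LAN and one remote network share 192.168.1.0/24
LOCAL_LAN = ["192.168.1.0/24"]
REMOTE_NETS = ["192.168.1.0/24", "10.10.0.0/16"]
TARGETS = ["192.168.1.50", "10.10.4.7", "172.16.0.1"]

if __name__ == "__main__":
    for local, remote in find_overlaps(LOCAL_LAN, REMOTE_NETS):
        print(f"overlap: local {local} collides with remote {remote}")
    for target, path in diagnose(LOCAL_LAN, REMOTE_NETS, TARGETS).items():
        print(f"{target:15} -> {path}")
```

Run with the constructed values and the overlap is reported for 192.168.1.0/24; a host at 192.168.1.50 is sent to the local LAN rather than through the tunnel, while 10.10.4.7 goes through the tunnel normally. Renumbering one side, or assigning the client pool and remote protected networks from non-overlapping ranges, removes the collision.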



