VPN tunnel is up but cannot ping or access anything

Aug 13th, 2008

I have a VPN tunnel between our PIX 515E and an ASA box at a remote location.

The VPN client says we are connected, but I cannot ping or access anything at the remote location.

When I check my ipconfig, I see that I got an IP from the ASA box at the remote location.

Funny thing is that we can ping and access the remote computers when we establish the VPN tunnel from our sister company.

Our subnet IP scheme is the same at the 3 locations.

Thanks for your time.

acomiskey Wed, 08/13/2008 - 11:29

Could you clarify what type of VPN you are trying to establish? You mention a tunnel between a PIX and ASA, but you also mention the VPN client. Is this LAN-to-LAN or remote access?

Farrukh Haroon Wed, 08/13/2008 - 11:30

The VPN client is connecting to which server, ASA or PIX? What is the version of PIX/ASA?


Have you enabled NAT-T? (You might need to enable it in the client as well, in the Transport tab... it's enabled by default though on the client and disabled on ASA/PIX 7.x)


isakmp nat-traversal is the command to enable it on the PIX/ASA.


Regards


Farrukh

acomiskey Wed, 08/13/2008 - 11:57

Farrukh is right on here. If it's not NAT-T then look at your NAT exemption config. In 7.2 and greater the command is now


crypto isakmp nat-traversal

assalihin Mon, 08/18/2008 - 06:57

I checked my config on my PIX and I have the "isakmp nat-traversal" command in there.


This is what I am trying to do:


User--->Pix--->Asa---rdp to any machine in the network protected by the asa.


Thanks for your time

Farrukh Haroon Mon, 08/18/2008 - 10:41

So on what port is the VPN connection established? 500 and ESP (Prot 50) or on port 4500? You can verify this by 'show conn' and by the 'show crypto isakmp/ipsec sa det' command.


Regards


Farrukh

assalihin Mon, 08/18/2008 - 11:05

On which device should I run this command?

On the PIX (client) or on the ASA (server)?

Farrukh Haroon Mon, 08/18/2008 - 11:24

The first suggestion (to enable NAT-T) is on the client. It's on the 'Transport' tab in the VPN client GUI. It's on by default, but just double check.


The second set of commands are on the firewall (Server).


Regards


Farrukh
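
Added example, not part of the thread and not any poster's code: a Python script for the check discussed above, reading `show crypto ipsec sa detail`-style text to tell native ESP from NAT-T (UDP 4500) and to spot one-way packet counters. The sample output is constructed, its exact layout is an assumption about what the firewall prints, and the diagnosis strings are heuristics rather than vendor guidance.

```python
import re

# Constructed sample, modelled on the general layout of the firewall's
# "show crypto ipsec sa detail" output; addresses are documentation ranges.
SAMPLE = """\
    Crypto map tag: dyn_map, seq num: 10, local addr: 192.0.2.1
      current_peer: 198.51.100.7, username: user1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
      local crypto endpt.: 192.0.2.1, remote crypto endpt.: 198.51.100.7
    inbound esp sas:
         in use settings ={RA, Tunnel, }
"""

def summarize_sa(text):
    """Return the transport and packet counters found in one SA block."""
    def counter(name):
        m = re.search(r"#pkts %s:\s*(\d+)" % name, text)
        return int(m.group(1)) if m else None
    # Endpoint lines carry "/4500" after the address when NAT-T is in use
    # (assumed layout); the settings line then lists NAT-T-Encaps.
    ports = re.findall(r"crypto endpt\.:\s*[\d.]+(?:/(\d+))?", text)
    natt = "NAT-T-Encaps" in text or "4500" in ports
    return {"transport": "udp/4500 (NAT-T)" if natt else "esp (protocol 50)",
            "encaps": counter("encaps"), "decaps": counter("decaps")}

def diagnose(sa):
    """Heuristic reading of the counters as seen on the VPN server."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc is None or dec is None:
        return "counters not found"
    if enc and dec:
        return "traffic flows both ways"
    if dec:
        # Packets from the client are decrypted but no reply is encrypted.
        return "one-way: check NAT exemption and return routing on the server"
    if "NAT-T" in sa["transport"]:
        return "nothing decapsulated: check that the client is sending traffic"
    # Plain ESP cannot cross a PAT device between client and server.
    return "nothing decapsulated over ESP: check NAT-T on both ends"

if __name__ == "__main__":
    sa = summarize_sa(SAMPLE)
    print(sa["transport"], "->", diagnose(sa))
```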
