No return traffic through IPSEC tunnel

Unanswered Question
Aug 19th, 2008

Hello,

We have configured an IPsec tunnel between a PIX and a Checkpoint peer on the other end.

The tunnel comes up fine (phase 1 & 2). But when the other end tries to FTP to our server (or send any traffic, for that matter), I see packets coming through the tunnel and hitting our server (tcpdump); however, none of the traffic goes back from the server into the tunnel to the other end. To confirm the issue, I cleared the SAs and generated traffic from the FTP server to the client's end. My PIX doesn't even try to negotiate ISAKMP; the crypto isakmp/ipsec SA output is blank. Do you see anything wrong with my configuration?

Any help will be appreciated.

Marwan ALshawi Tue, 08/19/2008 - 22:25

I can't see the attachment.

Anyway,

first check if you have made the NAT exemption, AKA nat 0!

If your LAN is /24

and the remote LAN is

do the following:

access-list 100 permit ip

nat (inside) 0 access-list 100

assuming that your inside network (the source network where the FTP server is located) is named inside; maybe it is DMZ, whatever, just change the name based on your config.

Good luck.

Please rate if helpful.

dhananjoy chowdhury Wed, 08/20/2008 - 01:08

Another thing to check is proper routing:

- Proper route on the FTP server to send the traffic towards the FW.

- Route on the firewall towards the Outside interface for the remote LAN subnet.

ciscosom Wed, 08/20/2008 - 05:44

Dhananjoy,

Thanks for your response. Yes, the other end is receiving packets when they are initiated from our FTP server, BUT the traffic is clear text and NOT through the IPsec tunnel. Any idea what is going on?

ciscosom Wed, 08/20/2008 - 05:42

Marwanshawi,

Thanks a ton for your response. I don't know why you are not able to view the attachment. I can send the config to your e-mail ID, if you wish.

Yes, nat 0 and the access-list are already in place. Since the client has a policy of accepting only routable IPs, we had to NAT our FTP server using

static (inside,outside) NAT-IP Real-IP-of-FTP-server. I don't know why, even then, none of the traffic is going through the tunnel.

dhananjoy chowdhury Wed, 08/20/2008 - 08:12


Your crypto ACLs and NAT 0 statements are all host-to-host; check whether the FTP server IP is included or not.

ciscosom Wed, 08/20/2008 - 08:18

Yes, I think I already have the ACL and NAT 0 for the server:

access-list outside_cryptomap_150 permit ip host host

access-list inside_outbound_nat0_acl permit ip host host

.149 being our FTP server.

acomiskey Wed, 08/20/2008 - 12:23

You can't NAT-exempt an address which is already NATed. You don't need to NAT-exempt it. Also, if you do NAT-exempt it, your crypto access list should not contain the 209 address, as it won't be 209 when it goes over the tunnel.
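The three replies above (nat 0 exemption, host-to-host crypto/nat0 ACLs that must actually include the FTP server, and the real-versus-translated address point) all come down to one check: the source address a packet carries when the PIX matches it against the crypto ACL must be the address the crypto ACL names. The following is an added example, not code from the thread or from Cisco; it models PIX 6.x-style `access-list ... permit ip` lines (`host`, `any`, and address-plus-netmask forms) with first-match semantics, and assumes for the model that `nat 0 access-list` exemption takes precedence over a `static` translation. All addresses are constructed RFC 5737 documentation values, not the thread's real ones.

```python
"""Added example, not from the thread: model how a PIX 6.x-style crypto ACL
and nat 0 (NAT exemption) ACL see a flow, so a host-to-host entry that
omits the FTP server, or one written for the wrong address (real vs.
statically translated), is caught before anyone clears SAs again.
Addresses are constructed RFC 5737 documentation ranges, not the thread's."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one PIX address spec at tokens[i]: 'any', 'host A.B.C.D', or
    'A.B.C.D M.M.M.M' (address plus dotted netmask). Returns (network, next_i)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_lines):
    """Collect 'access-list NAME permit|deny ip SRC DST' lines into {name: [Ace]}."""
    acls = {}
    for line in config_lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        acls.setdefault(tok[1], []).append(Ace(tok[2], src, dst))
    return acls


def acl_permits(aces, src, dst):
    """First-match evaluation with the implicit deny at the end, as on PIX/ASA."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def source_on_wire(real_src, dst, nat0_aces, statics):
    """Source address the crypto ACL is matched against after NAT.
    Modeling assumption: nat 0 access-list (exemption) takes precedence over
    'static', so an exempted flow keeps its real address and an un-exempted
    one carries its static translation (if any)."""
    if acl_permits(nat0_aces, real_src, dst):
        return real_src
    return statics.get(real_src, real_src)


def check_vpn_flow(acls, statics, crypto_acl, nat0_acl, real_src, dst):
    """Return ('encrypted' | 'clear-text', source address as actually sent)."""
    wire_src = source_on_wire(real_src, dst, acls.get(nat0_acl, []), statics)
    encrypted = acl_permits(acls.get(crypto_acl, []), wire_src, dst)
    return ("encrypted" if encrypted else "clear-text"), wire_src


# Constructed sample: FTP server 192.0.2.149 (real address), static-translated
# to 198.51.100.149; remote peer host 203.0.113.10.
STATICS = {"192.0.2.149": "198.51.100.149"}   # static (inside,outside) 198.51.100.149 192.0.2.149

# Exemption plus a crypto ACL written for the REAL address: consistent.
CONFIG_OK = [
    "access-list outside_cryptomap_150 permit ip host 192.0.2.149 host 203.0.113.10",
    "access-list inside_outbound_nat0_acl permit ip host 192.0.2.149 host 203.0.113.10",
]
# Exemption present, but the crypto ACL names the TRANSLATED address: the packet
# leaves with 192.0.2.149, matches no crypto entry, and goes out in the clear.
CONFIG_MISMATCH = [
    "access-list outside_cryptomap_150 permit ip host 198.51.100.149 host 203.0.113.10",
    "access-list inside_outbound_nat0_acl permit ip host 192.0.2.149 host 203.0.113.10",
]
# No exemption at all: the crypto ACL must then name the translated address.
CONFIG_STATIC_ONLY = [
    "access-list outside_cryptomap_150 permit ip host 198.51.100.149 host 203.0.113.10",
]


def run_checks():
    """Evaluate the server -> remote-peer flow under each constructed config."""
    return {
        name: check_vpn_flow(parse_acls(cfg), STATICS, "outside_cryptomap_150",
                             "inside_outbound_nat0_acl", "192.0.2.149", "203.0.113.10")
        for name, cfg in [("ok", CONFIG_OK), ("mismatch", CONFIG_MISMATCH),
                          ("static_only", CONFIG_STATIC_ONLY)]
    }


if __name__ == "__main__":
    for name, (status, src) in run_checks().items():
        print(f"{name:12s} -> {status} (source on wire {src})")
```

Running it shows the `mismatch` configuration sending the flow in clear text, which is exactly the symptom reported in the thread (peer receives packets, but outside the tunnel). The model is deliberately narrow: it ignores ACL line order across different ACL names and port-level entries, and the exemption-before-static precedence is the stated assumption, so confirm the real behaviour on the box with `show xlate` for the server address before trusting any conclusion.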

ciscosom Wed, 08/20/2008 - 13:58

The issue is resolved now. Actually, the issue was that my Linux box had dual NICs: one was connected to the PIX and the other to a different network altogether. So basically traffic was entering through the IPsec tunnel and reaching our FTP server, but the return traffic was going out through the second NIC (different network), so two-way communication was not happening even though the tunnel was up. I added a route manually with the route add command on the Linux FTP server and forced the traffic going to the other end to take the route via the PIX.

One thing is for sure: I can't thank you all enough for your inputs, without which I would not have resolved this issue.
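The resolution above is an asymmetric-routing problem: the kernel's longest-prefix lookup on the dual-homed server picked the default route out of the second NIC for replies to the remote VPN subnet, so the replies never reached the PIX and went out unencrypted on another network. The following is an added example, not code from the thread; it reproduces that routing decision over a constructed `ip route show`-style table and shows the specific route that pins the remote subnet to the PIX. Interface names, gateways and subnets are made-up RFC 5737 values.

```python
"""Added example, not from the thread: reproduce the dual-NIC problem from the
resolution above by doing a longest-prefix lookup over a constructed Linux
routing table (the same decision 'ip route get' reports), then show the
static route that pins the remote VPN subnet to the PIX. Interfaces, gateways
and subnets are made-up RFC 5737 values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None     # None for a directly connected subnet


def parse_routes(lines):
    """Parse 'ip route show'-style lines: 'PREFIX|default [via GW] dev IF ...'."""
    routes = []
    for line in lines:
        tok = line.split()
        if not tok:
            continue
        prefix = ipaddress.ip_network(
            "0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        via = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1]
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns the chosen Route or None if unreachable."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(routes, dst):
    """(interface, next hop) the kernel would use for replies to dst, or None."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return r.dev, (r.via or "direct")


# Constructed table of the dual-homed FTP server: eth0 faces the PIX inside
# interface (192.0.2.1); eth1 faces a different network that also carries the
# default route, so anything not explicitly routed leaves via eth1.
ROUTES_BEFORE = [
    "192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.149",
    "198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.20",
    "default via 198.51.100.1 dev eth1",
]
REMOTE_VPN_SUBNET = "203.0.113.0/24"   # Checkpoint side, reachable only through the tunnel
PIX_INSIDE = "192.0.2.1"


def fix_command(subnet=REMOTE_VPN_SUBNET, gateway=PIX_INSIDE):
    """The route the thread added by hand, in iproute2 form."""
    return f"ip route add {subnet} via {gateway}"


ROUTES_AFTER = ROUTES_BEFORE + [f"{REMOTE_VPN_SUBNET} via {PIX_INSIDE} dev eth0"]


def demo(peer="203.0.113.10"):
    """Where replies to the remote peer go before and after the static route."""
    return {
        "before": egress(parse_routes(ROUTES_BEFORE), peer),
        "after": egress(parse_routes(ROUTES_AFTER), peer),
    }


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage:6s}: replies to 203.0.113.10 leave via {result}")
    print("fix:", fix_command())
```

On a real host the same check is `ip route get 203.0.113.10` before and after `ip route add`; the added route must also be made persistent in the distribution's network configuration, or the next reboot silently reintroduces the clear-text leak via the second NIC.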

