PIX 501 behind router...

Unanswered Question
Sep 8th, 2008
User Badges:

I have a PIX 501 that I am setting up at a site that has one static ip address and a router. I have never setup a PIX 501 without a public address on the WAN so this is new to me. I have assigned the outside interface of the pix to 192.168.0.254. On the router I have forwarded UDP 500 and 4500 to the 192.168.0.254 (PIX WAN) address. The tunnel light comes on on the PIX and when I do a sh crypto isakmp sa I see the tunnel appears to be up in state QM_IDLE. However, I cannot transmit data across the tunnel or ping. Any ideas? Any help would be greatly appeciated. I have attached the config for review.




Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ccosper08 Wed, 09/10/2008 - 06:45
User Badges:

Ok I got one tunnel to work fine (192.168.8.0 to 192.168.1.0). ICMP and data traverse the

tunnel. However I cannot seem to get the other tunnel working (192.168.5.0 to 192.168.1.0). If I do a sh crypto ipsec sa on both sides I can see the encapsulated

packets getting incremented but the decapsulated stays at 0 on both sides. I have poured over the configs and cannot see what is wrong. In my previous post I included the config for the 192.168.1.0 location and I will included the config for the 192.168.5.0 location in this post. Any help would be greatly appreciated.



Attachment: 
singhsaju Wed, 09/10/2008 - 07:00
User Badges:
  • Silver, 250 points or more

Hello,

You are using same access-list "80" for both NAT 0 ( nat bypass ) and crypto acl.

I am wondering how could you create a extended access-list as numbered "80"

Standard access-list are numbered 1-99 (supports only source address)

First of all change your access-list number to 100 or more and secondly do not use same access-list to do NAT0 and crypto acl.

Create two separate identical access-lists. For example :


access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0


access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0


nat (inside) 0 access-list 100

crypto map lafayette 10 match address 120


Then post result for following


show access-list 100 (check the hitcounts when pkts bypasses )

and

show crypto ipsec sa



HTH

Saju

Pls rate if it helps



Actions

This Discussion