PIX 501 behind router...

Unanswered Question
Sep 8th, 2008

I have a PIX 501 that I am setting up at a site that has one static ip address and a router. I have never setup a PIX 501 without a public address on the WAN so this is new to me. I have assigned the outside interface of the pix to 192.168.0.254. On the router I have forwarded UDP 500 and 4500 to the 192.168.0.254 (PIX WAN) address. The tunnel light comes on on the PIX and when I do a sh crypto isakmp sa I see the tunnel appears to be up in state QM_IDLE. However, I cannot transmit data across the tunnel or ping. Any ideas? Any help would be greatly appeciated. I have attached the config for review.

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ccosper08 Wed, 09/10/2008 - 06:45

Ok I got one tunnel to work fine (192.168.8.0 to 192.168.1.0). ICMP and data traverse the

tunnel. However I cannot seem to get the other tunnel working (192.168.5.0 to 192.168.1.0). If I do a sh crypto ipsec sa on both sides I can see the encapsulated

packets getting incremented but the decapsulated stays at 0 on both sides. I have poured over the configs and cannot see what is wrong. In my previous post I included the config for the 192.168.1.0 location and I will included the config for the 192.168.5.0 location in this post. Any help would be greatly appreciated.

Attachment: 
singhsaju Wed, 09/10/2008 - 07:00

Hello,

You are using same access-list "80" for both NAT 0 ( nat bypass ) and crypto acl.

I am wondering how could you create a extended access-list as numbered "80"

Standard access-list are numbered 1-99 (supports only source address)

First of all change your access-list number to 100 or more and secondly do not use same access-list to do NAT0 and crypto acl.

Create two separate identical access-lists. For example :

access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 100

crypto map lafayette 10 match address 120

Then post result for following

show access-list 100 (check the hitcounts when pkts bypasses )

and

show crypto ipsec sa

HTH

Saju

Pls rate if it helps

Actions

This Discussion