09-08-2008 07:32 PM - edited 02-21-2020 03:00 AM
I have a PIX 501 that I am setting up at a site that has one static IP address and a router. I have never set up a PIX 501 without a public address on the WAN, so this is new to me. I have assigned the outside interface of the PIX to 192.168.0.254. On the router I have forwarded UDP 500 and 4500 to the 192.168.0.254 (PIX WAN) address. The tunnel light comes on on the PIX, and when I do a sh crypto isakmp sa I see the tunnel appears to be up in state QM_IDLE. However, I cannot transmit data across the tunnel or ping. Any ideas? Any help would be greatly appreciated. I have attached the config for review.
09-09-2008 12:55 AM
Firstly - are you allowing ESP thru the router? It sounds like you are only bringing up phase 1 = IKE, which does use UDP 500 & 4500, but you also need to allow protocol 50 thru also.
HTH
09-10-2008 06:45 AM
Ok, I got one tunnel to work fine (192.168.8.0 to 192.168.1.0). ICMP and data traverse the tunnel. However, I cannot seem to get the other tunnel working (192.168.5.0 to 192.168.1.0). If I do a sh crypto ipsec sa on both sides I can see the encapsulated packets getting incremented, but the decapsulated stays at 0 on both sides. I have pored over the configs and cannot see what is wrong. In my previous post I included the config for the 192.168.1.0 location, and I will include the config for the 192.168.5.0 location in this post. Any help would be greatly appreciated.
09-10-2008 06:53 AM
What is the output from the remote end from:
sh crypto isakmp sa
sh crypto ipsec sa
09-10-2008 07:00 AM
Hello,
You are using the same access-list "80" for both NAT 0 (NAT bypass) and the crypto ACL.
I am wondering how you could create an extended access-list numbered "80".
Standard access-lists are numbered 1-99 (they support only a source address).
First of all, change your access-list number to 100 or more, and secondly, do not use the same access-list for both NAT 0 and the crypto ACL.
Create two separate identical access-lists. For example:
access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map lafayette 10 match address 120
Then post the results for the following:
show access-list 100 (check the hit counts when packets bypass NAT)
and
show crypto ipsec sa
HTH
Saju
Pls rate if it helps
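As an added illustration (not code from the thread or from Cisco), a small Python checker that parses access-list, nat 0 and crypto map match address lines, reports whether a given flow is both NAT-exempt and crypto-interesting, and flags an ACL shared between NAT 0 and the crypto map. Both config fragments are constructed to mirror the thread: one with the shared ACL "80", one with the separate ACLs 100 and 120 suggested above.

```python
import ipaddress
import re

# Constructed PIX fragments (not the poster's real config): the first reuses one ACL
# for nat 0 and the crypto map, the second applies the split recommended in the reply.
SHARED_ACL_CONFIG = """
access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 80
crypto map lafayette 10 match address 80
"""
SPLIT_ACL_CONFIG = """
access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map lafayette 10 match address 120
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse_config(text):
    """Return (acls, nat0_acls, crypto_acls); acls maps ACL name -> [(src_net, dst_net)]."""
    acls, nat0, crypto = {}, set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            entry = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(entry)
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif m := CRYPTO_RE.match(line):
            crypto.add(m.group(1))
    return acls, nat0, crypto

def acl_permits(entries, src_ip, dst_ip):
    """True if any (src_net, dst_net) entry covers the flow; PIX ACLs are evaluated top down."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)

def check_vpn_flow(text, src_ip, dst_ip):
    """Is the flow NAT-exempt and crypto-interesting, and is one ACL doing both jobs?"""
    acls, nat0, crypto = parse_config(text)
    return {
        "nat_exempt": any(acl_permits(acls.get(a, []), src_ip, dst_ip) for a in nat0),
        "interesting": any(acl_permits(acls.get(a, []), src_ip, dst_ip) for a in crypto),
        "shared_acl": sorted(nat0 & crypto),
    }

if __name__ == "__main__":
    print(check_vpn_flow(SHARED_ACL_CONFIG, "192.168.5.10", "192.168.1.20"))
    print(check_vpn_flow(SPLIT_ACL_CONFIG, "192.168.5.10", "192.168.1.20"))
```

A flow that comes back "nat_exempt" but not "interesting" (or vice versa) on either peer is the usual cause of encaps counting up while decaps stays at 0.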