PIX 501 behind router...

ccosper08 (Level 1)

I have a PIX 501 that I am setting up at a site that has one static IP address and a router. I have never set up a PIX 501 without a public address on the WAN, so this is new to me. I have assigned the outside interface of the PIX to 192.168.0.254. On the router I have forwarded UDP 500 and 4500 to the 192.168.0.254 (PIX WAN) address. The tunnel light comes on on the PIX, and when I do a sh crypto isakmp sa I see the tunnel appears to be up in state QM_IDLE. However, I cannot transmit data across the tunnel or ping. Any ideas? Any help would be greatly appreciated. I have attached the config for review.

4 Replies

andrew.prince (Level 10)

Firstly - are you allowing ESP through the router? It sounds like you are only bringing up phase 1 = IKE, which does use UDP 500 & 4500, but you also need to allow protocol 50 through as well.

HTH

OK, I got one tunnel to work fine (192.168.8.0 to 192.168.1.0). ICMP and data traverse the tunnel. However, I cannot seem to get the other tunnel working (192.168.5.0 to 192.168.1.0). If I do a sh crypto ipsec sa on both sides I can see the encapsulated packets getting incremented, but the decapsulated count stays at 0 on both sides. I have pored over the configs and cannot see what is wrong. In my previous post I included the config for the 192.168.1.0 location, and I will include the config for the 192.168.5.0 location in this post. Any help would be greatly appreciated.

What is the output from the remote end for:

sh crypto isakmp sa

sh crypto ipsec sa

Hello,

You are using the same access-list "80" for both NAT 0 (NAT bypass) and the crypto ACL.

I am wondering how you could create an extended access-list numbered "80".

Standard access-lists are numbered 1-99 (they support only a source address).

First of all, change your access-list number to 100 or more, and secondly, do not use the same access-list for both NAT 0 and the crypto ACL.

Create two separate, identical access-lists. For example:

access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 100

crypto map lafayette 10 match address 120

Then post the results of the following:

show access-list 100 (check the hit counts when packets bypass NAT)

and

show crypto ipsec sa

HTH

Saju

Pls rate if it helps
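The two things Saju asks the poster to check (an ACL shared between nat 0 and the crypto map, and a 1-99 numbered list carrying source-and-destination entries) are easy to miss by eye in a long PIX config. The following Python script is an added example, not part of the thread or a Cisco tool: it parses the relevant PIX 6.x lines (access-list, nat (…) 0 access-list, crypto map … match address) from a constructed config fragment and reports those conditions, plus a third one that generalizes Saju's "two identical access-lists" advice: any crypto ACL entry that the NAT 0 ACL does not also cover. The sample configs, the peer address and the map name lafayette are constructed; only the 80/100/120 numbering mirrors the thread.

```python
import re
from collections import defaultdict

# Constructed PIX 6.x fragment reproducing the situation Saju describes
# (one ACL "80" used for both NAT 0 and the crypto map).  Not the thread's attachment.
SAMPLE_CONFIG = """
access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map lafayette 10 match address 80
crypto map lafayette 10 set peer 203.0.113.10
"""

# Constructed fragment following Saju's suggested fix: separate, identical ACLs 100 and 120.
FIXED_CONFIG = """
access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map lafayette 10 match address 120
"""

# access-list <id> permit|deny <proto-or-addr> <rest...>
ACL_RE = re.compile(r'^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$')
# nat (<if>) 0 access-list <id>   -> NAT exemption (nat 0) list
NAT0_RE = re.compile(r'^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)')
# crypto map <name> <seq> match address <id>   -> crypto (interesting traffic) list
CRYPTO_RE = re.compile(r'^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)')


def parse_config(text):
    """Return (acl entries by id, list of nat-0 ACL ids, list of (map, seq, acl))."""
    acls = defaultdict(list)
    nat0, crypto = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            # keep the tokens after the protocol/address word: 4 tokens for
            # "src mask dst mask", 1 token (just a mask) for a standard-style entry
            acls[m.group(1)].append(tuple(m.group(4).split()))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.append(m.group(1))
            continue
        m = CRYPTO_RE.match(line)
        if m:
            crypto.append((m.group(1), int(m.group(2)), m.group(3)))
    return acls, nat0, crypto


def is_extended(entry):
    """An entry with both source and destination network/mask pairs."""
    return len(entry) >= 4


def lint(text):
    """Return a list of human-readable findings; empty list means no issue found."""
    acls, nat0, crypto = parse_config(text)
    findings = []
    crypto_acls = [acl for _, _, acl in crypto]

    # 1. Same ACL referenced by nat 0 and by a crypto map entry
    for acl in nat0:
        if acl in crypto_acls:
            findings.append(f"ACL {acl} is used by both nat 0 and a crypto map match address")

    # 2. Numbered ACL in the 1-99 range that carries extended entries
    for name, entries in acls.items():
        if name.isdigit() and 1 <= int(name) <= 99 and any(is_extended(e) for e in entries):
            findings.append(f"ACL {name} is numbered in the standard range 1-99 "
                            f"but contains extended (source+destination) entries")

    # 3. Referenced ACLs that have no entries at all
    for acl in nat0 + crypto_acls:
        if acl not in acls:
            findings.append(f"ACL {acl} is referenced but has no entries")

    # 4. Crypto ACL entries that the nat 0 ACL does not also exempt from translation
    for n in nat0:
        for c in crypto_acls:
            if c != n and c in acls and n in acls:
                for entry in acls[c]:
                    if entry not in acls[n]:
                        findings.append(f"crypto ACL {c} entry {' '.join(entry)} "
                                        f"has no matching nat 0 entry in ACL {n}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in lint(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against a saved `show running-config` instead of the embedded strings to get the same report for a real box; finding 4 is the one to watch after splitting the lists, since a crypto entry that NAT 0 does not cover produces exactly the "encaps increments, decaps stays 0" symptom from the earlier post on the far side.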
