I am no security expert but it appears that our pix firewall is blocking traffic from a higher security level interface to the outside interface when there are no access-lists specifically blocking this traffic.
A ping from 217.nn.n.164 to a host on remote subnet 10.0.32.1 across an IPSEC VPN tunnel which does not terminate on this firewall is unsuccessful. I have determined that the traffic is entering our inside interface and is not reaching the outside interface.
access-list sniffer line 1 extended permit ip host 217.nn.n.164 host 10.0.32.1 log informational interval 300 (hitcnt=123) 0x70a2c4d4
capture sniffercap2 access-list sniffer interface outside
capture sniffercap access-list sniffer interface vlan309-e3
LIV-SVR-01(config)# sh capture sniffercap
10 packets captured
1: 14:25:26.759665 217.nn.n.164 > 10.0.32.1: icmp: echo request
2: 14:25:28.259660 217.nn.n.164 > 10.0.32.1: icmp: echo request
3: 14:25:29.759650 217.nn.n.164 > 10.0.32.1: icmp: echo request
4: 14:25:31.259691 217.nn.n.164 > 10.0.32.1: icmp: echo request
5: 14:25:32.759619 217.nn.n.164 > 10.0.32.1: icmp: echo request
LIV-SVR-01(config)# sh capture sniffercap2
0 packet captured
0 packet shown
I have been looking into this all of yesterday and am at a loss as to why this is happening.
The route to the 10.0.32.0 network is also in place, and I know it is valid because other routes, such as to 10.184.0.0 (another customer subnet), are routed fine out this interface.
S 10.0.32.0 255.255.255.0 [1/0] via 18.104.22.168, outside
If anyone can help me out on this issue I would be grateful.
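An added example, not part of the original post: a small Python script that parses the output of the two `show capture` commands (sample text constructed to match the format shown above) and lists flows seen entering on one interface that never appear on the other, which is the comparison the post makes by hand.

```python
import re
from collections import Counter

# Constructed sample output in the format of the PIX/ASA "show capture" command,
# modelled on the post above (217.nn.n.164 is the poster's masked address).
INSIDE_CAPTURE = """10 packets captured
1: 14:25:26.759665 217.nn.n.164 > 10.0.32.1: icmp: echo request
2: 14:25:28.259660 217.nn.n.164 > 10.0.32.1: icmp: echo request
3: 14:25:29.759650 217.nn.n.164 > 10.0.32.1: icmp: echo request
"""
OUTSIDE_CAPTURE = """0 packet captured
0 packet shown
"""

# One capture line: "<n>: <time> <src> > <dst>: <proto>: <detail>"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):\s*(?P<proto>\w+)"
)


def parse_capture(text):
    """Count packets per (src, dst, proto) flow in one capture's output."""
    flows = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header lines such as "10 packets captured" do not match
            flows[(m["src"], m["dst"], m["proto"])] += 1
    return flows


def missing_on_egress(ingress_text, egress_text):
    """Flows present in the ingress capture but absent from the egress capture.

    Returns {flow: ingress_packet_count}. A non-empty result means the firewall
    dropped or diverted the traffic between the two interfaces. Note that if NAT
    rewrites addresses on the way out, the egress tuple will differ and the flow
    must be matched on its translated addresses instead.
    """
    ingress = parse_capture(ingress_text)
    egress = parse_capture(egress_text)
    return {flow: n for flow, n in ingress.items() if egress.get(flow, 0) == 0}


if __name__ == "__main__":
    for (src, dst, proto), n in missing_on_egress(INSIDE_CAPTURE, OUTSIDE_CAPTURE).items():
        print(f"{src} -> {dst} ({proto}): {n} packets in, 0 out")
```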
Are you allowing the correct protocols and TCP/UDP ports through the PIX to be able to terminate the VPN on the 26xx?
From your description, VPN traffic should be passing THROUGH the PIX to terminate on the 26xx, is this correct?
Check your NAT statements - also check whether or not the remote end device is using NAT-T, as the ASA does understand VPN pass-through?