IPsec tunnel between PIX and 3745 Router

Nov 17th, 2008

Hi everyone. I'm trying to run an L2L VPN with an IPsec tunnel between my PIX and a 3745 router. My problem is that the tunnel goes up only when traffic flows from one direction. Let me describe my scenario.



ethernet 1: connected to Host A

Host A:

ethernet 0 ( to R3745

ethernet 0/0 ( to pix

ethernet 0/1 ( to Host B

Host B:


PIX Version 7.2(3)

interface Ethernet0
 nameif outside
 security-level 0
 ip address

interface Ethernet1
 nameif inside
 security-level 100
 ip address

ftp mode passive
access-list nonat extended permit ip
access-list tr extended permit ip
access-list ping extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
access-group ping in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ipsec esp-3des esp-sha-hmac
crypto map crymap 1 match address tr
crypto map crymap 1 set peer
crypto map crymap 1 set transform-set ipsec
crypto map crymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect icmp

service-policy global_policy global
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *


version 12.4

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ***** address
crypto isakmp keepalive 10

crypto ipsec transform-set sec esp-3des esp-sha-hmac

crypto ipsec profile sevan
 set transform-set sec

crypto map map 10 ipsec-isakmp
 set peer
 set transform-set sec
 match address 110

interface Tunnel10
 ip unnumbered Ethernet0/0
 tunnel source Ethernet0/0
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile sevan

interface Ethernet0/0
 ip address

interface Ethernet0/1
 ip address
 ip policy route-map sevan

ip http server
no ip http secure-server
ip route

access-list 110 permit ip

route-map sevan permit 10
 match interface Ethernet0/1
 set interface Tunnel10

***When I ping Host B from Host A, the ping works and the tunnel on the 3745 router goes up, but when I stop pinging Host B from Host A, after some seconds the tunnel goes down. If I first ping Host A from Host B, the ping never works and the tunnel never comes up. So when traffic is generated from the PIX LAN everything is OK, but when traffic is generated from the router LAN nothing about the VPN works. I don't know why this scenario works this way!!!???

ajagadee Tue, 11/18/2008 - 05:34


I don't think this setup is going to work. The reason being, your tunnel destination on the router is an ASA, and ASAs do not support GRE tunnel termination. You have to terminate a GRE tunnel on a router.

Reconfigure the router without using the GRE tunnel interface and test the tunnel.



*Pls rate if it helps*
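One way to follow the reply's suggestion and run the router side as a plain crypto-map tunnel that mirrors the PIX configuration posted above. This is an added example, not the poster's or the reply's configuration; the addresses, wildcards and key are placeholders because the original post's values were stripped.

```cisco
! Added example for the 3745 (not from the original post). Replaces the
! Tunnel10 VTI and the policy route-map with a crypto map on the physical
! interface facing the PIX. <PIX_OUTSIDE_IP>, <HOST_A_NET>, <HOST_B_NET>,
! <WILDCARD> and <PRE_SHARED_KEY> are placeholders for the stripped values.
!
! 1. Remove the tunnel interface and the PBR that steered Host B into it
no interface Tunnel10
interface Ethernet0/1
 no ip policy route-map sevan
no route-map sevan
no crypto ipsec profile sevan
!
! 2. Phase 1 as posted: 3DES / SHA / pre-shared key / DH group 2,
!    matching "crypto isakmp policy 1" on the PIX
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE_SHARED_KEY> address <PIX_OUTSIDE_IP>
crypto isakmp keepalive 10
!
! 3. Phase 2 transform set must equal the PIX's esp-3des esp-sha-hmac
crypto ipsec transform-set sec esp-3des esp-sha-hmac
!
! 4. Crypto ACL: exact mirror image of the PIX "tr" access-list
!    (router side is Host B LAN -> Host A LAN)
access-list 110 permit ip <HOST_B_NET> <WILDCARD> <HOST_A_NET> <WILDCARD>
!
crypto map map 10 ipsec-isakmp
 set peer <PIX_OUTSIDE_IP>
 set transform-set sec
 match address 110
!
! 5. Apply the crypto map to the outside interface. The posted router
!    config never bound "crypto map map" to any interface, so traffic
!    from Host B had no crypto-map policy to trigger the SA; with it
!    applied here, Host B's traffic matching ACL 110 negotiates proxy
!    identities that mirror the PIX's "tr" ACL.
interface Ethernet0/0
 crypto map map
```

After applying it, `show crypto isakmp sa` and `show crypto ipsec sa` on the router, started from a ping out of the Host B side, show whether phase 1 and phase 2 now come up in that direction.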

