PIX sending the VPN request

Unanswered Question
Dec 31st, 2008


We are using a PIX 515E firewall with version 6.3. We tried to establish an IPsec VPN between our PIX and a Cisco concentrator.

Now the issue is that when I start to push interesting traffic from my PIX to establish the tunnel, it's not working and the tunnel is not establishing.

With the same config, I tried from the concentrator; it's working and the tunnel is established.

Can I know the root cause of the issue? I tried debugging on my PIX outside interface, but I am not able to see the request going to the peer IP.



jjohnston1127 Tue, 01/06/2009 - 08:52

It could be that the sourced traffic to your specified remote network defined in the interesting traffic is not being routed as expected.

Try putting a static route in for your remote network(s) pointing them to the outside address of your VPN concentrator.

So if your remote network is and your external VPN is, you would want:


Richard Burts Tue, 01/06/2009 - 10:14


I can think of two things that could produce the symptoms that you describe:

1) if the access list to define interesting traffic for the VPN on the PIX does not match the traffic you are trying to use to initiate the tunnel (for example if you were trying to ping from the PIX to the concentrator to bring up the tunnel but the access list did not include ping sourced from the PIX).

2) if the PIX is using a dynamic map for peering with the concentrator. If the PIX does not have a specific peer statement for the concentrator and is using a dynamic entry then the tunnel can only be initiated from the concentrator.

Are either of these happening in your PIX?
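The two conditions listed in the reply above, as an added example that is not part of the original thread: a Python check over a constructed PIX 6.3-style config that reports whether a given flow can bring up the tunnel from the PIX side. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample (PIX 6.3 syntax, documentation addresses); all names here are illustrative.
SAMPLE_CONFIG = """\
access-list 112 permit ip host 192.0.2.10 host 198.51.100.20
crypto map eplus-map 22 ipsec-isakmp
crypto map eplus-map 22 match address 112
crypto map eplus-map 22 set peer 203.0.113.66
crypto map eplus-map 30 ipsec-isakmp dynamic dyn-map
crypto map eplus-map interface outside
"""

def _net(tokens):
    """Consume one PIX address spec ('host A', 'any' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    """Return (acls, entries) built from 'permit ip' ACL lines and crypto map entries."""
    acls, entries = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:])
            dst, _ = _net(rest)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            e = entries.setdefault((t[2], t[3]), {"peer": None, "acl": None, "dynamic": False})
            if t[4] == "ipsec-isakmp":
                e["dynamic"] = "dynamic" in t[5:]
            elif t[4:6] == ["match", "address"]:
                e["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                e["peer"] = t[6]
    return acls, entries

def can_initiate(config, src, dst):
    """List (seq, peer) for entries through which src -> dst can start a tunnel from the PIX."""
    acls, entries = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for (_, seq), e in sorted(entries.items(), key=lambda kv: int(kv[0][1])):
        static = e["peer"] and not e["dynamic"]  # a dynamic entry can only answer, not initiate
        if static and any(s in a and d in b for a, b in acls.get(e["acl"], [])):
            hits.append((seq, e["peer"]))
    return hits
```

An empty result for the test flow means one of the two causes applies: either no crypto access list permits that source and destination, or the only matching entry has no static peer.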



vinoth.kumar Tue, 01/06/2009 - 23:18

Thanks for your reply.

I am getting the hit on both my access-lists (no nat and crypto) when I try to push my interesting traffic when I debug packet.

I have forwarded my config:

access-list 123 permit ip host host

access-list 112 permit ip host host

nat (inside) 0 access-list 123

crypto map eplus-map 22 ipsec-isakmp

crypto map eplus-map 22 match address 112

crypto map eplus-map 22 set peer XX.XX.174.66

crypto map eplus-map 22 set transform-set test-set

crypto map eplus-map interface outside

crypto ipsec transform-set test-set esp-3des esp-sha-hmac

isakmp key xxxxxx address XX.XX.174.66 netmask

isakmp policy 18 authentication pre-share

isakmp policy 18 encryption 3des

isakmp policy 18 hash sha

isakmp policy 18 group 2

isakmp policy 18 lifetime 86400

I captured packets going out of my outside interface, but I still have not found any request coming from my peer IP.

Please advise on this.



