12-31-2008 05:13 AM - edited 03-11-2019 07:31 AM
Hi,
We are using a PIX 515E firewall with version 6.3. We tried to establish an IPsec VPN between our PIX and a Cisco concentrator.
Now the issue is that when I start to push interesting traffic from my PIX to establish the tunnel, it is not working and the tunnel is not establishing.
With the same config, when I tried from the concentrator it is working and the tunnel is established.
Can I know the root cause of the issue? I tried debugging on my PIX outside interface, but I am not able to see the request going to the peer IP.
Regards,
Vinoth
01-06-2009 08:52 AM
It could be that the sourced traffic to your specified remote network defined in the interesting traffic is not being routed as expected.
Try putting a static route in for your remote network(s) pointing them to the outside address of your VPN concentrator.
So if your remote network is 192.168.1.0/24 and your external VPN is 1.2.3.4, you would want:
route
01-06-2009 10:14 AM
Vinoth
I can think of two things that could produce the symptoms that you describe:
1) if the access list to define interesting traffic for the VPN on the PIX does not match the traffic you are trying to use to initiate the tunnel (for example if you were trying to ping from the PIX to the concentrator to bring up the tunnel but the access list did not include ping sourced from the PIX).
2) if the PIX is using a dynamic map for peering with the concentrator. If the PIX does not have a specific peer statement for the concentrator and is using a dynamic entry then the tunnel can only be initiated from the concentrator.
Are either of these happening in your PIX?
HTH
Rick
01-06-2009 11:18 PM
Thanks for your reply.
I am getting hits on both my access-lists (no nat and crypto) when I push my interesting traffic and debug the packets.
I have forwarded my config:
access-list 123 permit ip host 10.196.254.254 host 10.194.150.16
access-list 112 permit ip host 10.196.254.254 host 10.194.150.16
nat (inside) 0 access-list 123
crypto map eplus-map 22 ipsec-isakmp
crypto map eplus-map 22 match address 112
crypto map eplus-map 22 set peer XX.XX.174.66
crypto map eplus-map 22 set transform-set test-set
crypto map eplus-map interface outside
crypto ipsec transform-set test-set esp-3des esp-sha-hmac
isakmp key xxxxxx address XX.XX.174.66 netmask 255.255.255.255
isakmp policy 18 authentication pre-share
isakmp policy 18 encryption 3des
isakmp policy 18 hash sha
isakmp policy 18 group 2
isakmp policy 18 lifetime 86400
I captured the packets going out of my outside interface, but still I have not found any request coming from my peer IP.
Please advise on this.
Regards,
Vinoth
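As an added illustration of the two causes Rick lists (not code from the thread or from Cisco), here is a small Python checker that reads the crypto-map fragment Vinoth posted and reports why this PIX would not initiate the tunnel for a given source/destination pair. It assumes the ACL lines are `permit ip` with host, any, or network-mask addresses, which covers the posted config but not every PIX ACL form.

```python
import ipaddress
import re

# Constructed sample: the crypto-map fragment posted in the thread (peer masked as in the post).
PIX_CONFIG = """\
access-list 123 permit ip host 10.196.254.254 host 10.194.150.16
access-list 112 permit ip host 10.196.254.254 host 10.194.150.16
nat (inside) 0 access-list 123
crypto map eplus-map 22 ipsec-isakmp
crypto map eplus-map 22 match address 112
crypto map eplus-map 22 set peer XX.XX.174.66
crypto map eplus-map 22 set transform-set test-set
crypto map eplus-map interface outside
"""

def _addr(words):
    """Parse one PIX ACL address ('any', 'host A' or 'A MASK'); return (network, tokens consumed)."""
    if words[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if words[0] == "host":
        return ipaddress.ip_network(words[1] + "/32"), 2
    return ipaddress.ip_network(f"{words[0]}/{words[1]}", strict=False), 2

def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) taken from its 'permit ip' lines (assumed syntax)."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) permit ip (.+)$", config, re.M):
        words = m.group(2).split()
        src, used = _addr(words)
        dst, _ = _addr(words[used:])
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls

def check_initiation(config, src_ip, dst_ip):
    """List the reasons this PIX would not initiate IPsec for src_ip -> dst_ip; empty list = nothing found."""
    problems, acls = [], parse_acls(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, seq, dyn in re.findall(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?", config, re.M):
        tag = f"crypto map {name} {seq}"
        if dyn:  # Rick's cause 2: a dynamic entry answers the peer but never initiates
            problems.append(f"{tag} is dynamic ({dyn}); only the peer can bring the tunnel up")
            continue
        if not re.search(rf"^{re.escape(tag)} set peer \S+", config, re.M):
            problems.append(f"{tag} has no 'set peer', so the PIX has nowhere to send IKE")
        acl = re.search(rf"^{re.escape(tag)} match address (\S+)", config, re.M)
        rules = acls.get(acl.group(1), []) if acl else []
        if not any(src in s and dst in d for s, d in rules):  # Rick's cause 1: traffic outside the crypto ACL
            problems.append(f"{tag}: {src_ip} -> {dst_ip} is not matched by its interesting-traffic ACL")
    return problems
```

Running `check_initiation(PIX_CONFIG, "10.196.254.254", "10.194.150.16")` returns an empty list for the posted config, while a ping sourced from any other inside address (or from the PIX itself) is reported as outside the host-to-host crypto ACL.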