PIX sending the VPN request

vinoth.kumar
Level 1

Hi,

We are using a PIX 515E firewall with version 6.3. We tried to establish an IPsec VPN between our PIX and a Cisco concentrator.

Now the issue is that when I start to push interesting traffic from my PIX to establish the tunnel, it's not working and the tunnel is not establishing.

With the same config, when I tried from the concentrator, it's working and the tunnel is established.

Can I know the root cause of the issue? I tried debugging on my PIX outside interface but I am not able to see the request going to the peer IP.

Regards,

Vinoth

3 Replies

jj27
Spotlight

It could be that the sourced traffic to your specified remote network defined in the interesting traffic is not being routed as expected.

Try putting a static route in for your remote network(s) pointing them to the outside address of your VPN concentrator.

So if your remote network is 192.168.1.0/24 and your external VPN is 1.2.3.4, you would want:

route outside 192.168.1.0 255.255.255.0 1.2.3.4

Vinoth

I can think of two things that could produce the symptoms that you describe:

1) if the access list to define interesting traffic for the VPN on the PIX does not match the traffic you are trying to use to initiate the tunnel (for example if you were trying to ping from the PIX to the concentrator to bring up the tunnel but the access list did not include ping sourced from the PIX).

2) if the PIX is using a dynamic map for peering with the concentrator. If the PIX does not have a specific peer statement for the concentrator and is using a dynamic entry then the tunnel can only be initiated from the concentrator.

Are either of these happening in your PIX?

HTH

Rick


vinoth.kumar
Level 1

Thanks for your reply.

I am getting hits on both my access-lists (no nat and crypto) when I try to push my interesting traffic while I debug packet.

I have forwarded my config:

access-list 123 permit ip host 10.196.254.254 host 10.194.150.16

access-list 112 permit ip host 10.196.254.254 host 10.194.150.16

nat (inside) 0 access-list 123

crypto map eplus-map 22 ipsec-isakmp

crypto map eplus-map 22 match address 112

crypto map eplus-map 22 set peer XX.XX.174.66

crypto map eplus-map 22 set transform-set test-set

crypto map eplus-map interface outside

crypto ipsec transform-set test-set esp-3des esp-sha-hmac

isakmp key xxxxxx address XX.XX.174.66 netmask 255.255.255.255

isakmp policy 18 authentication pre-share

isakmp policy 18 encryption 3des

isakmp policy 18 hash sha

isakmp policy 18 group 2

isakmp policy 18 lifetime 86400

I captured packets going out of my outside interface but still I have not found any request coming from my peer IP.

Please advise on this.

Regards,

Vinoth
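As an added example (not from this thread and not a Cisco tool), a small Python lint that runs Rick's two checks and one more over the PIX 6.3 fragment posted above: a static `set peer` rather than a dynamic entry, a `match address` ACL that is actually defined, a pre-shared key for the peer, and `isakmp enable` on the interface the crypto map is applied to. The posted fragment does not show an `isakmp enable outside` line, so the checker reports it; confirm it against the full config, since without it the PIX never sends Phase 1 on that interface.

```python
import re

# Constructed sample: the PIX 6.3 fragment posted above (peer masked as posted).
POSTED = """\
access-list 112 permit ip host 10.196.254.254 host 10.194.150.16
crypto map eplus-map 22 ipsec-isakmp
crypto map eplus-map 22 match address 112
crypto map eplus-map 22 set peer XX.XX.174.66
crypto map eplus-map interface outside
isakmp key xxxxxx address XX.XX.174.66 netmask 255.255.255.255
"""

def lint_pix_vpn(config):
    """Finding codes for a PIX 6.x crypto map expected to initiate a tunnel."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls = {m.group(1) for ln in lines
            if (m := re.match(r"access-list (\S+) ", ln))}
    keyed_peers = {m.group(1) for ln in lines
                   if (m := re.match(r"isakmp key \S+ address (\S+)", ln))}
    isakmp_ifaces = {m.group(1) for ln in lines
                     if (m := re.match(r"isakmp enable (\S+)", ln))}
    findings = []
    applied = (re.match(r"crypto map (\S+) interface (\S+)", ln) for ln in lines)
    for m in filter(None, applied):
        name, iface = m.groups()
        # Without "isakmp enable <iface>" no Phase 1 packet leaves this side.
        if iface not in isakmp_ifaces:
            findings.append(f"NO_ISAKMP_ENABLE:{iface}")
        entries = {}  # sequence number -> the entry's parameters
        for other in lines:
            m2 = re.match(rf"crypto map {re.escape(name)} (\d+) (.+)", other)
            if m2:
                entries.setdefault(m2.group(1), []).append(m2.group(2))
        for seq, parts in entries.items():
            peers = [p.split()[2] for p in parts if p.startswith("set peer ")]
            # Rick's cause 2: a dynamic entry has no peer, so it can only answer.
            if any(p.startswith("ipsec-isakmp dynamic") for p in parts) and not peers:
                findings.append(f"DYNAMIC_ONLY:{name}:{seq}")
            for peer in peers:
                if peer not in keyed_peers:
                    findings.append(f"NO_PRESHARED_KEY:{peer}")
            # Rick's cause 1 needs live traffic; statically, check the ACL exists.
            acl = [p.split()[2] for p in parts if p.startswith("match address ")]
            if not acl:
                findings.append(f"NO_MATCH_ACL:{name}:{seq}")
            elif acl[0] not in acls:
                findings.append(f"UNDEFINED_ACL:{acl[0]}")
    return findings
```

Paste the output of `show running-config` in place of the constructed sample to run it against a real box.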
