asa to pix 501 vpn - tunnel up but no traffic

Unanswered Question
Mar 4th, 2010

I have several other pix set up with site-to-site, but this new one is not working. I am not able to ping the inside interface of the pix.

The vpn tunnel comes up, I see the ping traffic on the pix side (debug icmp), but the ping does not get back to my workstation behind the asa.

The pix is behind another NAT device I do not have access to. However, I have pdm and ssh access to the pix. The tunnel does appear to come up, so hopefully the nat device is not the problem.

Some sample data:


ISAMKP (0): received DPD_R_U_THERE from peer xxx.xxx.xxx.xxx
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
21: ICMP echo-request from outside:10.10.1.40 to 172.17.13.1 ID=512 seq=46850 length=40
22: ICMP echo-request from outside:10.10.1.40 to 172.17.13.1 ID=512 seq=47106 length=40

crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:192.168.3.2 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1824878617
ISAMKP (0): received DPD_R_U_THERE from peer xxx.xxx.xxx.xxx

ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
23: ICMP echo-request from outside:10.10.1.40 to 172.17.13.1 ID=512 seq=47362 length=40
24: ICMP echo-request from outside:10.10.1.40 to 172.17.13.1 ID=512 seq=47618 length=40

crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:192.168.3.2 spt:4500 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1763635852
ISAMKP (0): received DPD_R_U_THERE from peer xxx.xxx.xxx.xxx
ISAKMP (0): sending NOTIFY message 36137 protocol 1

Config follows:

access-list inside_outbound_nat0_acl permit ip 172.17.13.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.17.13.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 172.17.13.0 255.255.255.0 10.9.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.17.13.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 172.17.13.0 255.255.255.0 10.9.1.0 255.255.255.0
pager lines 24
icmp permit xxx.xxx.xxx.xxx 255.255.255.240 outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.3.2 255.255.255.0
ip address inside 172.17.13.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VpnIPs 192.168.1.220-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
floodguard enable
sysopt connection tcpmss 1200
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

We have another 8 or so pix in the field with the same setup; normally I use the same config with different IPs.

ISCONTACT Thu, 03/04/2010 - 10:03

Looking at the debug icmp trace for the outside interface of the pix, I see

35: ICMP echo request (len 32 id 0 seq 60930) xxx.xxx.xxx.xxx > 192.168.3.2
36: ICMP echo reply (len 32 id 0 seq 60930) 192.168.3.2 > xxx.xxx.xxx.xxx

The pix shows it replies back; however, when doing it across the tunnel, the pix doesn't appear to try and reply back.

Something wrong with the access list?

Access rules as follows:

access-list inside_outbound_nat0_acl permit ip 172.17.13.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.17.13.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 172.17.13.0 255.255.255.0 10.9.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.17.13.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 172.17.13.0 255.255.255.0 10.9.1.0 255.255.255.0
icmp permit xxx.xxx.xxx.xxx 255.255.255.240 outside
icmp permit any inside
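As an added illustration, not part of the original post, the following Python check parses the two PIX access lists quoted above and tests whether a given flow is both exempted from NAT (nat 0) and selected as interesting traffic by the crypto map ACL, the two lists that must both cover a flow for it to return through the tunnel. The return path of the ping seen in the debug (172.17.13.1 back to 10.10.1.40) is covered by both lists as posted, so a plain ACL mismatch for that flow is not what drops the replies; flows outside the listed networks fall to the implicit deny. The ACL text is copied from the post; only the "permit ip net mask net mask" form shown there is handled.

```python
import ipaddress

# PIX 6.x access-list lines copied from the post (nat 0 exemption ACL and crypto map ACL).
# PIX ACLs use normal subnet masks (255.255.255.0), not IOS-style wildcard masks.
PIX_ACLS = """
access-list inside_outbound_nat0_acl permit ip 172.17.13.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.17.13.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 172.17.13.0 255.255.255.0 10.9.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.17.13.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list outside_cryptomap_20 permit ip 172.17.13.0 255.255.255.0 10.9.1.0 255.255.255.0
"""


def parse_acl(text):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in the order the lines appear."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        # Only the simple 'access-list NAME permit|deny ip SRC MASK DST MASK' form is handled.
        if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        name, action = parts[1], parts[2]
        src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}")  # ipaddress accepts dotted masks
        dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}")
        acls.setdefault(name, []).append((action, src, dst))
    return acls


def matches(acl, src_ip, dst_ip):
    """First matching entry wins, as on the PIX; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def check_flow(acls, local_ip, remote_ip):
    """Evaluate a flow from the PIX side (local) to the peer side (remote) against both lists."""
    return {
        "nat0_exempt": matches(acls["inside_outbound_nat0_acl"], local_ip, remote_ip),
        "crypto_interesting": matches(acls["outside_cryptomap_20"], local_ip, remote_ip),
    }


if __name__ == "__main__":
    parsed = parse_acl(PIX_ACLS)
    # Return path of the echo-request seen in the debug output of the post.
    print(check_flow(parsed, "172.17.13.1", "10.10.1.40"))
    # Constructed address outside every listed network: hits the implicit deny on both lists.
    print(check_flow(parsed, "172.17.13.1", "10.9.2.5"))
```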
