05-03-2005 07:25 AM - edited 03-09-2019 11:08 AM
I have an access list that defines interesting traffic to initiate a VPN tunnel. However, when I ping the remote network the access list hitcount does not increase and the packet does not go through. Any advice? The actual access list is: access-list 204 permit ip 10.10.0.0 255.255.0.0 10.40.0.0 255.255.0.0
Thanks!
05-03-2005 08:08 AM
Hi!
Can you be more specific about both VPN enabled gateways (ios, pix...). Can you post VPN/IPSec configuration from both sides?
The ACL you describe should enable you to ping network 10.40.0.0/16 from network 10.10.0.0/16.
Regards.
05-03-2005 10:36 AM
Thanks for your response ovieira. I have a pix 515 connecting to a pix 505 through a site-to-site VPN. They are both running 6.3(3). I have a network application at the remote side (pix 505) which is able to connect to a server on our local side. However, other than that I can't get any other traffic to go through the VPN.
here is our local (pix 515) configuration
cisco-pix-col# sh cry map
Crypto Map: "xxx" interfaces: { outside }
Crypto Map "xxx" 1 ipsec-isakmp
Peer = remote pix outside port
access-list 204; 1 elements
access-list 204 line 1 permit ip 10.10.0.0 255.255.0.0 10.40.0.0 255.255.0.0 (hitcnt=8128)
Current peer: remote pix outside port
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ yyy, }
here is our remote (pix 505) configuration
Crypto map "xxx" 1 ipsec-isakmp
Peer=remote pix outside port
access list 101
current peer: remote pix outside port
etc.
access list 101 is: permit ip 10.40.0.0 255.255.0.0 10.10.0.0 255.255.0.0
thanks for your help!
05-04-2005 12:46 AM
Hi!
Can you "ping" from the client to the server and activate the "debug icmp trace" on both PIXs. Paste the log output here.
Regards.
05-04-2005 05:17 AM
I can't telnet into the remote PIX and it will be a while before I can physically go over there. However, I think I found what might be the problem.
On our local PIX the subnet mask is wrong on the isakmp key address. Eg. isakmp key ****** address (outside remote pix) netmask (wrong net mask). Do you think this could explain my problems?
05-04-2005 09:10 AM
Hi! I don't think that explains the problem because if so you shouldn't be able to access the remote server as well.
Regards.
05-04-2005 10:13 AM
You're right. That did not fix the problem. The incorrect subnet mask was actually 255.255.255.255 which is a valid wildcard.
I don't know if I explained the situation well enough though. There is no remote server. The network setup is as follows.
Local net---Pix515-----Router-----pub address/internet----Router--Pix501--Remote net.
There are no servers on the remote network. There is an application on computers on the remote network that are able to connect to a server on our local network. However, other than that connection there is no connectivity between the two networks. I can't ping remote computers and remote computers can't ping my workstation on the local network.
P.S. The crypto maps and isakmp key and address are correct on the remote pix
Thanks for your help and interest in this problem ovieira
05-05-2005 12:32 AM
You're welcome. Like I said before, those icmp debugs would really help.
Regards.
05-05-2005 05:39 AM
I don't know what the debug icmp trace would tell you but I have pasted below the trace from my workstation to a node on the remote network. I can't get the remote icmp trace right now but I will post it when I get it.
4208: ICMP echo-request from inside:10.2.2.4 to 10.40.0.255 ID=512 seq=16429 length=40
this line just repeats several times
10-27-2005 05:45 AM
I have problems of a similar nature. I have Site-To-Site VPN on PIX 515e. When I ping the remote network the access list hit count increases, but the ICMP echo reply doesn't return. The advice at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml did not help.
10-27-2005 05:39 PM
just a quick question.
wondering if the pc/server has software firewall installed.
10-28-2005 12:08 AM
The pc/server doesn't have a firewall installed.
11-01-2005 10:33 PM
Inbound ICMP through the PIX is denied by default;
outbound ICMP is permitted, but the incoming reply is denied by default:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
The decision:
PIX1
!--- crypto access-list
access-list inside_outbound_nat0_acl permit ip InsidePix1Net mask InsidePix2Net mask
nat (inside) 0 access-list inside_outbound_nat0_acl
!--- access-list with access-group command
access-list outside_icmp_en permit icmp any InsidePix2Net mask echo
access-group outside_icmp_en in interface outside
access-list inside_acl permit tcp InsidePix1Net mask any eq www
access-list inside_acl permit udp InsidePix1Net mask any eq domain
access-list inside_acl permit tcp InsidePix1Net mask any eq pop3
access-list inside_acl permit tcp InsidePix1Net mask any eq imap4
!--- PDM
access-list inside_acl permit tcp InsidePix1Net mask any eq https
........
!---
access-list inside_acl permit ip any InsidePix2Net mask
!---
access-group inside_acl in interface inside
PIX2 - mirror
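As an added example (not code from this thread or from Cisco): a small Python model of PIX 6.x first-match ACL evaluation, applied to the crypto ACL 204 quoted earlier in the thread and to a constructed inbound ICMP ACL modelled on the outside_icmp_en line in the last post, with 10.10.0.0/16 assumed in place of the placeholder network. It shows that the packet in the posted "debug icmp trace" line, 10.2.2.4 to 10.40.0.255, does not match the crypto ACL's 10.10.0.0/16 source network, and that an ACE permitting only echo does not admit echo replies.

```python
import ipaddress

def _net(tokens, i):
    """Consume one address spec at tokens[i]: 'any' or 'ADDR MASK'. PIX 6.x ACLs use
    subnet masks (255.255.0.0), not IOS wildcards. Returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [icmp-type]' (a subset of
    PIX 6.3 syntax; the 'host' keyword and port operators are not modelled)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    name, action, proto = t[1:4]
    src, i = _net(t, 4)
    dst, i = _net(t, i)
    icmp_type = t[i] if proto == "icmp" and i < len(t) else None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "icmp_type": icmp_type}

def lookup(acl, proto, src, dst, icmp_type=None):
    """First-match evaluation with the implicit deny at the end, as the PIX does.
    Returns (action, matching ACE or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
            continue
        return ace["action"], ace
    return "deny", None

# The crypto ACL quoted in the thread (PIX 515 side).
CRYPTO_ACL = [parse_ace("access-list 204 permit ip 10.10.0.0 255.255.0.0 10.40.0.0 255.255.0.0")]
# Constructed inbound ACL for the outside interface, modelled on the last post's
# outside_icmp_en line with 10.10.0.0/16 assumed for the placeholder network.
OUTSIDE_ACL = [parse_ace("access-list outside_icmp_en permit icmp any 10.10.0.0 255.255.0.0 echo")]

def is_interesting(src, dst, proto="icmp"):
    """Would the crypto map treat this packet as interesting traffic for the tunnel?"""
    return lookup(CRYPTO_ACL, proto, src, dst)[0] == "permit"

def inbound_allowed(src, dst, icmp_type):
    """Would an ICMP packet arriving on outside pass the outside access-group?"""
    return lookup(OUTSIDE_ACL, "icmp", src, dst, icmp_type)[0] == "permit"
```

is_interesting("10.2.2.4", "10.40.0.255") returns False for the posted debug packet, while is_interesting("10.10.1.5", "10.40.0.10") returns True; inbound_allowed("10.40.0.10", "10.10.1.5", "echo") is True but the same call with "echo-reply" is False.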