PIX VPN NAT question

I have this scenario with a PIX 525 6.3; this has worked for months and suddenly stopped.

I have a device on the inside network that needs to access a remote site network through a VPN tunnel.

Inside network device is 10.11.150.1, needs to access remote device 10.79.15.3.

The remote side is supposed to see my device as a 10.91.6.1 address, I am supposed to see his 10.79.15.3 as my destination.

Debugs show the tunnel never attempts to come up, but I see hits on all of the access-lists associated with this config.

My question is, if something happened to the peer config (according to them nothing has changed), or it is not accessible from my end, would the access-lists show hits and the traffic just get dropped?

crypto map p 30 ipsec-isakmp
crypto map p 30 match address Translate
crypto map p 30 set peer 1.23.45.67
crypto map p 30 set transform-set 3dessha
static (inside,outside) 10.91.6.1 access-list translation 0 0
access-list Translation permit ip host 10.11.150.1 10.79.8.0 255.255.248.0
access-list Translate permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0
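A small consistency check over the configuration fragment as typed above, added here as an example (it is not from the thread or from Cisco): it parses the crypto map, static and access-list lines and verifies that each referenced ACL exists under exactly that name (PIX ACL names are case-sensitive), that the policy-NAT ACL matches the inside host to the remote host, and that the crypto ACL covers the translated source address and the remote destination. The `check` function and the two host addresses handed to it are assumptions for illustration.

```python
import ipaddress

# Constructed copy of the configuration fragment from the post, exactly as typed there.
PIX_CONFIG = """\
crypto map p 30 ipsec-isakmp
crypto map p 30 match address Translate
crypto map p 30 set peer 1.23.45.67
crypto map p 30 set transform-set 3dessha
static (inside,outside) 10.91.6.1 access-list translation 0 0
access-list Translation permit ip host 10.11.150.1 10.79.8.0 255.255.248.0
access-list Translate permit ip 10.91.6.0 255.255.255.240 10.79.8.0 255.255.248.0
"""

def _net(tokens):
    """Parse 'host A' or 'A MASK' at the front of a token list; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(config):
    """Collect ACL entries, policy-NAT statics and crypto-map match ACLs from PIX-style lines."""
    acls, statics, maps = {}, [], {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit":
            src, rest = _net(t[4:])
            dst, _ = _net(rest)
            acls.setdefault(t[1], []).append((src, dst))  # name kept case-sensitive, as on PIX
        elif t[0] == "static" and "access-list" in t:
            statics.append((ipaddress.ip_address(t[2]), t[t.index("access-list") + 1]))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            maps[(t[2], t[3])] = t[6]
    return acls, statics, maps

def check(config, inside_host, remote_host):
    """Return a list of consistency problems for inside_host -> remote_host (empty means none found)."""
    acls, statics, maps = parse(config)
    inside, remote = ipaddress.ip_address(inside_host), ipaddress.ip_address(remote_host)
    problems = []
    for global_ip, name in statics:
        if name not in acls:
            problems.append(f"static references undefined access-list '{name}'")
        elif not any(inside in s and remote in d for s, d in acls[name]):
            problems.append(f"policy NAT ACL '{name}' does not match {inside} -> {remote}")
    for (map_name, seq), name in maps.items():
        if name not in acls:
            problems.append(f"crypto map {map_name} {seq} references undefined access-list '{name}'")
        elif not any(any(g in s for g, _ in statics) and remote in d for s, d in acls[name]):
            problems.append(f"crypto ACL '{name}' does not cover the translated source -> {remote}")
    return problems
```

Run against the fragment as typed, the only finding is that the static points at an access-list named `translation`, which is not defined in that spelling; with the names matching, the NAT and crypto ACLs line up for 10.11.150.1 (seen as 10.91.6.1) to 10.79.15.3.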


Re: PIX VPN NAT question

Hi

When you initiate the connection, can you run

1) debug crypto isa

2) debug crypto ipsec

That will at least tell you whether your firewall is trying to initiate the tunnel or not and should help narrow down the problem.

Jon

Edit - should have said, I agree that if it has been working for the last 4 months and now it doesn't, and you haven't changed anything, chances are they have :-)
