PIX515 to PIX 515 ipsec tunnel ping anomalies

murray-davis
Level 1

PIX515A to PIX515B, IPSEC tunnel. I can ping from inside subnet A to inside subnet B. I can ping from PIXA at CLI to inside subnet B. However, I can't ping from PIXB CLI to inside A. This doesn't make sense. As stated, I can ping from anywhere in subnet B to inside subnet A, just not from PIXB CLI.

My configs are quite large so I haven't posted them. I can, but I was hoping for some hints as where to look as this must be a common problem.

4 Replies

jon.humphries
Level 1

Hi,

Are you sure that you have created the ACLs and NAT exemptions for the traffic at the site that isn't working?

Are you using any internal ACLs for the inside interface? Have you enabled any by mistake, etc.?

I don't think it will be an MTU or fragmentation issue, as you have ICMP traffic one way. You can post the configs if you wish.

Thanks,

Jon Humphries CCIE Drake

Hi, Jon

I thought a bit more deeply about the config after reading your reply. There were two NONAT entries on PIXB that were no longer needed that pointed to an old internal LAN subnet. I hadn't removed these from the NONAT list when I redesigned the LAN. I just didn't think that they would cause any issue. What I learned: NONAT rules must be mirrors of each other on the ipsec tunnel endpoints for the PIX firewalls.

Thanks again for your reply.

Hi, Jon

Please ignore my last email. I will send config. I did my ping from the wrong device.

Here are config clips:

PIXB's rules

access-list NONAT permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0

The LAN side of PIXB has two subnets, 10.9.0.0 and 10.10.0.0. EDM, of course, is the ACL for the PIXA network.

PIXA's rules

access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.147.0.0 255.255.0.0
access-list NONAT permit ip 10.2.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list NONAT permit ip 10.3.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0

The LAN side of PIXA is 10.1.0.0. The 192.168.0.0 addresses and 10.147.0.0 are for other subnets in the WAN. BEAVERRIVER refers to the PIXB network.
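The symmetry check Jon is asking about can be scripted. The following is an added example (not from the thread, not Cisco code): it parses the access-list lines of both firewalls, reports crypto-ACL entries that lack an exact mirrored entry on the peer, and reports crypto entries that no NAT-exemption (NONAT) entry covers. The config strings are the clips above, with PIXA trimmed to the lines that belong to this tunnel; function names are assumptions of this example.

```python
import ipaddress
import re
# Constructed sample input: the ACL clips quoted in this thread (PIXA trimmed to the lines for this tunnel).
PIXB_CFG = """
access-list NONAT permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
"""
PIXA_CFG = """
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
"""
ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_acls(cfg):
    """Return {acl_name: [(src_net, dst_net), ...]} from PIX 'permit ip' lines."""
    acls = {}
    for name, s, sm, d, dm in ACL_RE.findall(cfg):
        # PIX ACLs carry real subnet masks, which ipaddress accepts as "addr/mask"
        src, dst = ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")
        acls.setdefault(name, []).append((src, dst))
    return acls

def mirror_gaps(local, remote):
    """Local crypto entries whose exact (dst, src) reverse is absent from the peer's crypto ACL."""
    reversed_remote = {(d, s) for s, d in remote}
    return [(str(s), str(d)) for s, d in local if (s, d) not in reversed_remote]

def nonat_gaps(crypto, nonat):
    """Crypto entries no NAT-exemption entry covers; that traffic would be NATed before encryption."""
    return [(str(s), str(d)) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)]

def audit(cfg_a, crypto_a, cfg_b, crypto_b):
    a, b = parse_acls(cfg_a), parse_acls(cfg_b)
    return {"a_not_mirrored_on_b": mirror_gaps(a[crypto_a], b[crypto_b]),
            "b_not_mirrored_on_a": mirror_gaps(b[crypto_b], a[crypto_a]),
            "a_crypto_without_nonat": nonat_gaps(a[crypto_a], a["NONAT"]),
            "b_crypto_without_nonat": nonat_gaps(b[crypto_b], b["NONAT"])}
```

For the clips as posted, `audit(PIXA_CFG, "BEAVERRIVER", PIXB_CFG, "EDM")` reports no gaps in any of the four lists; deleting one BEAVERRIVER or NONAT line makes the corresponding list name the unmatched subnet pair.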
