Cisco Support Community

New Member

PIX515 to PIX 515 ipsec tunnel ping anomalies

PIX515A to PIX515B, IPsec tunnel. I can ping from inside subnet A to inside subnet B. I can ping from PIXA at the CLI to inside subnet B. However, I can't ping from the PIXB CLI to inside A. This doesn't make sense. As stated, I can ping from anywhere in subnet B to inside subnet A, just not from the PIXB CLI.

My configs are quite large so I haven't posted them. I can, but I was hoping for some hints as where to look as this must be a common problem.

4 REPLIES
New Member

Re: PIX515 to PIX 515 ipsec tunnel ping anomalies

Hi,

Are you sure that you have created the ACLs and NAT exemptions for the traffic at the site that isn't working?

Are you using any internal ACLs for the inside interface? Have you enabled any by mistake, etc.?

I don't think it will be an MTU or fragmentation issue, as you have ICMP traffic one way. You can post the configs if you wish.

Thanks,

Jon Humphries CCIE Drake

New Member

Re: PIX515 to PIX 515 ipsec tunnel ping anomalies

Hi, Jon

I thought a bit more deeply about the config after reading your reply. There were two NONAT entries on PIXB that were no longer needed that pointed to an old internal LAN subnet. I hadn't removed these from the NONAT list when I redesigned the LAN. I just didn't think that they would cause any issue. What I learned: NONAT rules must be mirrors of each other on the IPsec tunnel endpoints for the PIX firewalls.

Thanks again for your reply.

New Member

Re: PIX515 to PIX 515 ipsec tunnel ping anomalies

Hi, Jon

Please ignore my last email. I will send config. I did my ping from the wrong device.

New Member

Re: PIX515 to PIX 515 ipsec tunnel ping anomalies

Here are config clips:

PIXB's rules:

access-list NONAT permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0

The LAN side of PIXB has two subnets, 10.9.0.0 and 10.10.0.0. EDM, of course, is the ACL for the PIXA network.

PIXA's rules:

access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.147.0.0 255.255.0.0
access-list NONAT permit ip 10.2.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list NONAT permit ip 10.3.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0

The LAN side of PIXA is 10.1.0.0. The 192.168.0.0 addresses and 10.147.0.0 are for other subnets in the WAN. BEAVERRIVER refers to the PIXB network.
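The lesson the poster drew earlier in the thread (the NAT-exemption rules on the two tunnel endpoints must mirror each other, and stale entries are easy to leave behind after a redesign) is the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not code from the thread or from Cisco: it takes the access-list lines quoted above as constructed input, parses each "access-list NAME permit ip SRC MASK DST MASK" entry into a (source network, destination network) pair, and then asks three questions for one tunnel: is the crypto ACL on PIXA (BEAVERRIVER) the exact mirror of the crypto ACL on PIXB (EDM); is every crypto entry on each box covered by a NONAT entry on that same box, so the interesting traffic is not translated before encryption; and which NONAT entries overlap none of this tunnel's crypto entries, which is where leftovers from an old subnet would show up. The ACL names and the pairing of BEAVERRIVER with EDM are taken from the post; treating NONAT as the NAT-exemption ACL on both boxes is an assumption, since the nat (inside) 0 lines are not quoted.

```python
"""Audit a PIX site-to-site pair: are the crypto ACLs exact mirrors, is every
crypto entry NAT-exempted on its own box, and which NONAT entries are outside
this tunnel (other tunnels, or stale leftovers)?  Added example, not Cisco code."""
import ipaddress
import re
from typing import Dict, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Constructed input: the access-list lines quoted in the thread.  PIXB has the
# NONAT and EDM ACLs, PIXA has NONAT and BEAVERRIVER.  Assumption: NONAT is the
# nat 0 (exemption) ACL on both boxes; the nat statements are not on the page.
PIXB_CONFIG = """
access-list NONAT permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list NONAT permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list EDM permit ip 10.9.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list EDM permit ip 10.10.0.0 255.255.0.0 10.1.0.0 255.255.0.0
"""
PIXA_CONFIG = """
access-list NONAT permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.147.0.0 255.255.0.0
access-list NONAT permit ip 10.2.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list NONAT permit ip 10.3.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 192.168.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.9.0.0 255.255.0.0
access-list BEAVERRIVER permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0
"""

# PIX-style entry: access-list NAME permit ip SRC SRCMASK DST DSTMASK (real masks)
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_acls(config: str) -> Dict[str, Set[Pair]]:
    """Map each ACL name to its set of (src_net, dst_net) pairs.  Lines that are
    not plain 'permit ip' entries are skipped."""
    acls: Dict[str, Set[Pair]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (Net(f"{src}/{smask}", strict=False), Net(f"{dst}/{dmask}", strict=False))
            acls.setdefault(name, set()).add(pair)
    return acls


def mirror(pairs: Set[Pair]) -> Set[Pair]:
    """Swap source and destination of every entry: what the peer should carry."""
    return {(d, s) for s, d in pairs}


def crypto_acl_mismatch(local: Set[Pair], remote: Set[Pair]) -> Tuple[Set[Pair], Set[Pair]]:
    """(local entries with no mirror on the peer, peer entries with no mirror locally).
    Both empty means the two crypto ACLs are exact mirrors."""
    return local - mirror(remote), remote - mirror(local)


def covered(pair: Pair, exemptions: Set[Pair]) -> bool:
    """True if some NAT-exemption entry contains both networks of the pair."""
    s, d = pair
    return any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exemptions)


def unexempted(crypto: Set[Pair], nonat: Set[Pair]) -> Set[Pair]:
    """Crypto entries still subject to NAT on this box: that traffic is translated
    before encryption and no longer matches the tunnel's interesting traffic."""
    return {p for p in crypto if not covered(p, nonat)}


def nonat_outside_tunnel(nonat: Set[Pair], crypto: Set[Pair]) -> Set[Pair]:
    """NAT-exemption entries overlapping none of this tunnel's crypto entries: they
    may serve another tunnel, or be leftovers like the poster's old subnet; review by hand."""
    return {(ns, nd) for ns, nd in nonat
            if not any(ns.overlaps(cs) and nd.overlaps(cd) for cs, cd in crypto)}


def audit(cfg_a: str, crypto_a: str, cfg_b: str, crypto_b: str) -> Dict[str, Set[Pair]]:
    """Run every check for one tunnel; all values empty means the pair is consistent."""
    a, b = parse_acls(cfg_a), parse_acls(cfg_b)
    a_missing, b_missing = crypto_acl_mismatch(a[crypto_a], b[crypto_b])
    return {
        "a_crypto_not_mirrored_on_b": a_missing,
        "b_crypto_not_mirrored_on_a": b_missing,
        "a_crypto_still_natted": unexempted(a[crypto_a], a.get("NONAT", set())),
        "b_crypto_still_natted": unexempted(b[crypto_b], b.get("NONAT", set())),
        "a_nonat_outside_tunnel": nonat_outside_tunnel(a.get("NONAT", set()), a[crypto_a]),
        "b_nonat_outside_tunnel": nonat_outside_tunnel(b.get("NONAT", set()), b[crypto_b]),
    }


if __name__ == "__main__":
    for check, entries in audit(PIXA_CONFIG, "BEAVERRIVER", PIXB_CONFIG, "EDM").items():
        print(f"{check}: " + (", ".join(f"{s} -> {d}" for s, d in sorted(entries, key=str)) or "none"))
```

On the clips as posted, the mirror and exemption checks come back clean on both sides, and the only output is the five PIXA NONAT entries that belong to other tunnels (the 192.168.0.0, 10.147.0.0 and 192.168.5.0 destinations the poster mentions). Deleting a single NONAT line from PIXA makes the corresponding BEAVERRIVER entry appear under a_crypto_still_natted, which is the one-way symptom described at the top of the thread. Coverage is tested with subnet containment rather than exact equality, so a broader exemption (say a 10.0.0.0/8 entry) still counts.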
