12-11-2006 08:57 AM - edited 02-21-2020 02:45 PM
Apologies in advance from a noobie!
I have 2 506e (version 6.3(5)) at a main site and remote site.
Configured according to the cisco site-to-site VPN configuration example.
The link seems to establish but I cannot ping clients/servers at the remote site from clients/servers at the main site (and vice versa).
Output of the commands follows:
Show crypto isakmp sa
show crypto ipsec sa
Main:
Total : 1
Embryonic : 0
dst src state pending created
193.x.x.100 62.30.168.76 QM_IDLE 0 1
interface: outside
Crypto map tag: toMayfield, local addr. 193.x.x.100
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer: 62.30.168.76:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 193.x.x.100, remote crypto endpt.: 62.30.168.76
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: ff02489c
inbound esp sas:
spi: 0xa7c7dc80(2814893184)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: toMayfield
sa timing: remaining key lifetime (k/sec): (4608000/28364)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xff02489c(4278339740)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: toMayfield
sa timing: remaining key lifetime (k/sec): (4607999/28361)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
Remote:
Total : 1
Embryonic : 0
dst src state pending created
193.x.x.100 62.30.168.76 QM_IDLE 0 1
interface: outside
Crypto map tag: toSchool, local addr. 62.30.168.76
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 193.60.161.100:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 184, #pkts encrypt: 184, #pkts digest 184
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 62.30.168.76, remote crypto endpt.: 193.60.161.100
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: a7c7dc80
inbound esp sas:
spi: 0xff02489c(4278339740)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: toSchool
sa timing: remaining key lifetime (k/sec): (4607999/28293)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xa7c7dc80(2814893184)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: toSchool
sa timing: remaining key lifetime (k/sec): (4607992/28293)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
Any help/advice much appreciated!
12-11-2006 09:36 AM
Jonathan,
Can you do a "clear xlate" and then ping across the tunnel. When you do a clear xlate, the existing translations will be cleared.
Also, what is the source IP and Destination IP Address that you are trying to ping. Does your internal routing behind the Main Pix and Remote Pix know how to reach the destinations.
Regards,
Arul
** Please rate all helpful posts **
12-11-2006 09:45 AM
Hi Arul
I'm trying to ping from a device on the 192.168.3.0 subnet (gateway set to the pix) to a 172.16.1.10 device (gateway set to the remote pix)
I've cleared xlate on both devices - no difference.
General internet access is fine - outgoing and traffic coming in.
I've also tried with
isakmp nat-traversal 20
on both devices with no luck.
12-12-2006 10:10 AM
Through further debugging, I can see the packets leave the main (inside) interface, arrive at the remote (inside) interface and return from the remote (inside) interface.
They never re-appear at the main site.
(debug pack inside src 172.16.1.10)
Is it because I'm filtering by port on my access-lists?
I need a holiday!
12-12-2006 10:40 AM
If the packets are leaving the remote site and you aren't getting them on the headend, can you check if there is anything in front of this PIX that would block ESP packets (protocol 50) coming in.
- Gilbert
Note: The ACL filtering on the outside should not affect the traffic coming in.
12-12-2006 05:49 PM
Jonathan,
Check with your ISP if they are blocking Protocol 50 (ESP). Since you have configured "Sysopt Connection Permit IPSEC", the outside access-list should not block any IPSEC Traffic.
Regards,
Arul
** Please rate all helpful posts **
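The diagnosis Gilbert and Arul give above rests on the counters in the first post: the remote PIX has encapsulated 184 packets while the main PIX has decapsulated 0, so ESP is being lost on the way into the main site. That comparison can be scripted so it does not depend on reading two outputs side by side. The Python below is an added example, not code from the thread or from Cisco; it embeds the relevant lines of the two `show crypto ipsec sa` outputs quoted in the first post as sample input, and the `parse_ipsec_sa` and `diagnose` functions, their field names and their wording are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample input: the counter and selector lines from the thread's
# "show crypto ipsec sa" output, main-site PIX first, remote PIX second.
MAIN_SA = """\
interface: outside
Crypto map tag: toMayfield, local addr. 193.x.x.100
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer: 62.30.168.76:500
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest 7
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 0, #recv errors 0
"""

REMOTE_SA = """\
interface: outside
Crypto map tag: toSchool, local addr. 62.30.168.76
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 193.60.161.100:500
#pkts encaps: 184, #pkts encrypt: 184, #pkts digest 184
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 1, #recv errors 0
"""


@dataclass
class SaCounters:
    """The handful of fields from one side's SA output that the check needs."""
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int


def parse_ipsec_sa(text: str) -> SaCounters:
    """Pull the proxy identities and packet counters out of one PIX's output."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field not found in SA output: {pattern}")
        return m.group(1)

    return SaCounters(
        local_ident=grab(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        remote_ident=grab(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        encaps=int(grab(r"#pkts encaps: (\d+)")),
        decaps=int(grab(r"#pkts decaps: (\d+)")),
        send_errors=int(grab(r"#send errors (\d+)")),
    )


def diagnose(main: SaCounters, remote: SaCounters) -> List[str]:
    """Compare the two ends of one tunnel and report what the counters imply."""
    findings: List[str] = []

    # The selectors must mirror each other, or the peers are not protecting
    # the same traffic and the crypto ACLs need a second look.
    if main.local_ident != remote.remote_ident or main.remote_ident != remote.local_ident:
        findings.append("proxy identities do not mirror each other: check the crypto ACLs")

    # Per direction: what one side encapsulated should show up as the other
    # side's decapsulated count. A sender with traffic and a receiver at zero
    # is the classic signature of ESP (IP protocol 50) filtered in transit.
    directions = ((main, remote, "main->remote"), (remote, main, "remote->main"))
    for sender, receiver, label in directions:
        if sender.encaps > 0 and receiver.decaps == 0:
            findings.append(
                f"{label}: {sender.encaps} ESP packets sent, none received; "
                "ESP (IP protocol 50) is probably dropped upstream of the receiver"
            )
        elif sender.encaps > receiver.decaps:
            findings.append(
                f"{label}: {sender.encaps} sent but only {receiver.decaps} received "
                f"({sender.encaps - receiver.decaps} lost in transit)"
            )

    for name, side in (("main", main), ("remote", remote)):
        if side.send_errors:
            findings.append(f"{name}: {side.send_errors} send error(s) on the SA")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(MAIN_SA), parse_ipsec_sa(REMOTE_SA)):
        print(line)
```

The counters are cumulative since the SA was built, so on a live tunnel take two snapshots a minute apart and feed the differences in rather than the raw totals; a direction whose sender count grows while the receiver count stays flat is the one to raise with the ISP, which is exactly the remote-to-main direction in this thread.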
12-13-2006 01:54 AM
Hi Jonathan,
The VPN tunnel is up and you are not able to ping PCs/servers from one end to the other.
Looking at your configuration, what I feel is that routing for your inside networks is not configured on both your PIXes.
Try adding these routes on your main and remote PIX and see if it fixes the issue.
main PIX
--------
route inside 192.168.3.0 255.255.255.0
remote PIX
----------
route inside 172.16.1.0 255.255.255.0
hope it helps .... rate if it does ....
12-13-2006 06:31 AM
Please do not implement the routing scenario on the PIX end.
You have a directly connected network and this route insertion is not needed.
Just like Arul and I suggested - please check with your ISP to see if they are blocking protocol 50, which is ESP.
Thanks
Gilbert
12-14-2006 07:51 AM
Thanks guys.
It's a Blueyonder business connection (Telewest).
I've dropped them an email (I'm off on holiday at the moment) in the hope they'll answer by the time I return!