I have two sites that talk to each other over a DES VPN. One site on an MPLS cloud in the UK talks to a site in Luxemburg. The traffic is routed from the MPLS to my PIX on my site, then encrypted to Lux, and vice versa. Both end VPN devices are 515Es running 6.3(3). My client is running a 2003 Exchange which is replicating over this link, but experienced very odd connectivity, which I shall explain with what we see in the pings.
UK machine - 10.33.16.23
Lux machine - 10.127.16.15
RDP from UK to Lux, trying to ping UK = no response.
Then ping from UK to Lux = response.
Then ping from Lux to UK = response.
All rules allow any talking between the two sites. No firewalls are on the machines. They are only running Sophos antivirus.
I seem to have found the cause although it is rather odd.
The internal network local to the PIX, 172.18.*.*, has none of these issues. It is only when you traverse this network to get to the MPLS that this rather odd problem occurs. Initiating the ping from Lux to 172.18.*.* works with only a simple protect IP rule on either end of the link, i.e. on both the 515Es. To get it to work so that Lux can ping the UK site without the UK site pinging Lux first, I have had to specifically add the protect ICMP back to Lux and also add a NAT exemption rule in the same direction, not touching the config in Lux. This I could understand if the PIX was NATting, but the PIX at this end does not NAT a thing. Everything should be left as original anyway.

I am trying to find an explanation for this but not having a lot of joy. Why has this only started happening recently? It never did before about 2 months ago. Why does the ping work fine once you have pinged a machine in Lux? The tunnel, I imagine, must already be up, but surely the data going across will still adhere to all the rules, both NAT and protect, on the way to Lux?

Anyway, it's working for now. If anyone has any ideas or documentation that may help, that would be grand!
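For reference, here is what a symmetric PIX 6.3 site-to-site configuration for the UK end looks like when the subnet reached over the MPLS (10.33.0.0/16) is covered the same way as the directly connected 172.18.0.0/16. This is an added example in PIX 6.3 syntax, not the poster's configuration: the ACL and crypto map names, the /16 masks, the transform set, the placeholder peer address and pre-shared key, and the MPLS next-hop are all assumed. Two points it illustrates: the crypto ACL ("protect" rule) and the nat 0 ACL (NAT exemption) on the PIX both need an entry for every local subnet that should reach Lux, including ones routed in from the MPLS, and the Lux side needs the mirror image. Also, on PIX 6.x a bare `nat (inside) 0 0.0.0.0 0.0.0.0` (identity NAT) only builds a translation when a connection is initiated outbound, whereas `nat (inside) 0 access-list NONAT` is bidirectional, which is the usual reason an inbound-initiated ping only works after the inside host has sent something out first.

```text
! ---- UK PIX 515E, 6.3(3) ---- (added example, names/addresses assumed)

! Route the MPLS-attached subnet back towards the MPLS router on the inside
! interface, so return traffic for 10.33.0.0/16 does not get dropped.
route inside 10.33.0.0 255.255.0.0 172.18.0.254 1

! Crypto ACL ("protect" rule): both local subnets to the Lux subnet.
access-list VPN-LUX permit ip 172.18.0.0 255.255.0.0 10.127.0.0 255.255.0.0
access-list VPN-LUX permit ip 10.33.0.0 255.255.0.0 10.127.0.0 255.255.0.0

! NAT exemption with an ACL: bidirectional, so Lux may initiate to either
! local subnet. A plain "nat (inside) 0 0.0.0.0 0.0.0.0" would not give this.
access-list NONAT permit ip 172.18.0.0 255.255.0.0 10.127.0.0 255.255.0.0
access-list NONAT permit ip 10.33.0.0 255.255.0.0 10.127.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! Phase 2: DES as on the existing link (weak by today's standards).
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto map OUTSIDE 10 ipsec-isakmp
crypto map OUTSIDE 10 match address VPN-LUX
crypto map OUTSIDE 10 set peer 203.0.113.2
crypto map OUTSIDE 10 set transform-set DES-MD5
crypto map OUTSIDE interface outside

! Phase 1.
isakmp enable outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

! ---- Lux PIX: the mirror image of the two ACLs above ----
access-list VPN-UK permit ip 10.127.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list VPN-UK permit ip 10.127.0.0 255.255.0.0 10.33.0.0 255.255.0.0
access-list NONAT permit ip 10.127.0.0 255.255.0.0 172.18.0.0 255.255.0.0
access-list NONAT permit ip 10.127.0.0 255.255.0.0 10.33.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
```

To check which of the two mechanisms is in play on a live box, compare `show crypto ipsec sa` (are there SAs whose local identity covers 10.33.0.0/16, or only 172.18.0.0/16?) with `show xlate` after a failed Lux-initiated ping and again after a UK-initiated one; a translation that appears only after the outbound ping points at identity NAT rather than at the crypto ACL.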