10-18-2006 11:41 PM - edited 02-21-2020 02:40 PM
Dear All,
I have created a VPN between PIX 501 with OS 6.3 and 515E with OS 7.0.
VPN status is good but I am unable to ping the inside interface of both sides.
Could you please help me with how to set the routing for private addresses in the VPN, and also how I can set the access control for private addresses?
PIX HO ( 501 with ios 6.3)
Inside 172.16.1.30/24
outside 121.115.30.110
PIX Branch office ( Pix 515E with IOS 7.0)
Inside 172.16.73.3
outside 10.1.1.162
I am unable to ping 172.16.73.3 from the HO firewall.
Attached below is the full configuration of both firewalls.
I am stuck now. Could anyone please help me to resolve my trouble?
Thanks
10-23-2006 01:34 AM
Hi, bhatti.imran
Are you sure the VPN status is good? Could you check it with the command below?
HO(config)# sh crypto ipsec sa
..............
inbound esp sas:
spi: 0x9b48c914(2605238548)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607996/26794)
IV size: 8 bytes
replay detection support: Y
..................
outbound esp sas:
spi: 0xa2bc66f2(2730256114)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607998/26767)
IV size: 8 bytes
replay detection support: Y
If the result is similar to the above information, I suggest you check it using a ping test with a PC connected to the inside interface of the PIX instead of the inside interface.
If you do not see inbound esp sas and outbound esp sas through the command "show crypto ipsec sa", I think the tunnel is not really set up. According to your config, I need more information to troubleshoot.
On HO PIX
crypto map newmap 10 set peer 83.136.10.162
isakmp key ******** address 83.x.x.162 netmask 255.255.255.255
I do not know what device has been configured with 83.x.x.162. Could the device configure the static map between 83.x.x.162 and 10.1.1.162 (outside of Branch PIX)? How did HO PIX get the private network 10.1.1.0/28?
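The check described in the reply above (both an inbound and an outbound ESP SA listed by "show crypto ipsec sa"), as an added example that is not part of any post in this thread. The function names are hypothetical, and the sample input is the excerpt quoted in that reply.

```python
import re

# Sample input: the "show crypto ipsec sa" excerpt quoted in the reply above.
SAMPLE = """\
inbound esp sas:
spi: 0x9b48c914(2605238548)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607996/26794)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xa2bc66f2(2730256114)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607998/26767)
IV size: 8 bytes
replay detection support: Y
"""

HEADER = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:", re.I)
SPI = re.compile(r"^spi: (0x[0-9a-f]+)\((\d+)\)", re.I)
TRANSFORM = re.compile(r"^transform: (.+?)\s*,?\s*$", re.I)
LIFETIME = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", re.I)

def parse_sas(text):
    """Return one dict per SA found under an inbound/outbound header."""
    sas, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            section, cur = (m.group(1).lower(), m.group(2).lower()), None
        elif section and (m := SPI.match(line)):
            cur = {"direction": section[0], "proto": section[1], "spi": m.group(1).lower()}
            sas.append(cur)
        elif cur and (m := TRANSFORM.match(line)):
            cur["transform"] = m.group(1).split()
        elif cur and (m := LIFETIME.search(line)):
            cur["kb_left"], cur["sec_left"] = int(m.group(1)), int(m.group(2))
    return sas

def tunnel_has_both_directions(sas):
    """The reply's check: an inbound and an outbound ESP SA must both exist."""
    dirs = {s["direction"] for s in sas if s["proto"] == "esp"}
    return dirs == {"inbound", "outbound"}
```

A section header with no "spi:" line under it yields no SA, so output that lists only empty "inbound esp sas:" and "outbound esp sas:" headers fails the check.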
10-26-2006 12:06 AM
Dear Martin, I am fed up and have now set up the test env. again, using 2 PIX 501 with back-to-back cable connectivity for the outside interface and 02 PCs on the inside interface. I was able to see the VPN tunnel, but again I was not able to ping (why???) from the inside PC and also from the inside interface of the PIX to the other side's PC and firewall.
Attached is the complete config, and below is also the output of the command you told me.
inbound esp sas:
spi: 0x918bdc56(2441862230)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4608000/28375)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x69b6dd53(1773591891)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607999/28357)
IV size: 8 bytes
replay detection support: Y
I think the result is the same as you told me. I checked the ping to the outside interface and it was working.
Also, the green LED of the VPN tunnel shows that the tunnel has been created.
sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
10.1.1.162 10.1.1.164 QM_IDLE 0 1
How can I ping the remote side's inside network?
Please help me, I am in great trouble .............