Basic routing or ACL problem in IPSEC VPN

bhatti.imran
Level 1

Dear All,

I have created a VPN between a PIX 501 running OS 6.3 and a 515E running OS 7.0.

The VPN status is good, but I am unable to ping the inside interface on either side.

Could you please help me with how to set up the routing for private addresses in the VPN, and also how to set the access control for private addresses?

PIX HO (501 with OS 6.3)

Inside 172.16.1.30/24

outside 121.115.30.110

PIX branch office (515E with OS 7.0)

Inside 172.16.73.3

outside 10.1.1.162

I am unable to ping 172.16.73.3 from the HO firewall.

Attached below are the full configurations of both firewalls.

I am stuck now. Could anyone please help me resolve this?

Thanks

2 Replies

martin_lx1980
Level 1

Hi bhatti.imran,

Are you sure the VPN status is good? Could you check it with the command below?

HO(config)# sh crypto ipsec sa
..............
    inbound esp sas:
     spi: 0x9b48c914(2605238548)
       transform: esp-des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 1, crypto map: newmap
       sa timing: remaining key lifetime (k/sec): (4607996/26794)
       IV size: 8 bytes
       replay detection support: Y
..................
    outbound esp sas:
     spi: 0xa2bc66f2(2730256114)
       transform: esp-des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 2, crypto map: newmap
       sa timing: remaining key lifetime (k/sec): (4607998/26767)
       IV size: 8 bytes
       replay detection support: Y

If the result is similar to the information above, I suggest you check it with a ping test from a PC connected to the inside interface of the PIX, instead of from the inside interface itself.

If you do not see inbound and outbound ESP SAs in the output of "show crypto ipsec sa", I think the tunnel is not really set up. Regarding your config, I need more information to troubleshoot.

On the HO PIX:

crypto map newmap 10 set peer 83.136.10.162
isakmp key ******** address 83.x.x.162 netmask 255.255.255.255

I do not know what device is configured as 83.x.x.162. Does that device have a static mapping between 83.x.x.162 and 10.1.1.162 (the outside of the branch PIX)? How does the HO PIX get to the private network 10.1.1.0/28?
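The reply above checks for inbound and outbound ESP SAs, but the lines it elides with dots are the ones that say where traffic actually stops. The following is an added example, not from the thread or from Cisco: it reads the "#pkts encaps" and "#pkts decaps" counters and the proxy identities from PIX 6.3-style "show crypto ipsec sa" output and maps them to the usual cause. The sample output is constructed (the SPIs are copied from the post, the counter values and addresses are made up).

```python
"""Read the counters in PIX 'show crypto ipsec sa' output and say where the
traffic stops.  Added example, not from the thread.  The sample below is
constructed in the shape of PIX 6.3 output; the '#pkts' lines are the part
the post above replaced with dots, and their values are made up."""
import re

SAMPLE_OUTPUT = """
interface: outside
    Crypto map tag: newmap, local addr. 10.1.1.164

   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.73.0/255.255.255.0/0/0)
   current_peer: 10.1.1.162:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x918bdc56(2441862230)
        transform: esp-des esp-md5-hmac ,
     outbound esp sas:
      spi: 0x69b6dd53(1773591891)
        transform: esp-des esp-md5-hmac ,
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident .*?: \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Return proxy identities, encaps/decaps counters and which ESP SAs exist."""
    info = {"local": None, "remote": None, "encaps": 0, "decaps": 0,
            "inbound_sa": False, "outbound_sa": False}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if m := IDENT_RE.match(s):
            info[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := COUNTER_RE.match(s):
            info[m.group(1)] = int(m.group(2))
        elif s.endswith("esp sas:"):
            section = s.split()[0]          # "inbound" or "outbound"
        elif s.startswith("spi:") and section:
            info[f"{section}_sa"] = True    # an SPI under the heading means the SA exists
    return info


def diagnose(info):
    """Map the counters to the usual cause, as a short verdict string."""
    if not (info["inbound_sa"] and info["outbound_sa"]):
        return "no ESP SAs: phase 2 did not complete (transform set or crypto ACL mismatch)"
    if info["encaps"] == 0:
        return ("SA up but nothing encrypted: traffic never matches the crypto map "
                "(check the nat 0 exemption, the route toward outside, and that the test "
                "source is inside the local ident " + str(info["local"]) + ")")
    if info["decaps"] == 0:
        return ("we encrypt but receive nothing: the peer is not returning traffic "
                "(check its nat 0 exemption, its crypto ACL toward " + str(info["local"]) +
                ", and its route back)")
    return "traffic flows both ways; if pings still fail, look at the interface ACLs"


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_OUTPUT)
    print(sa)
    print(diagnose(sa))
```

Run "show crypto ipsec sa" on the side that sends the pings, paste the output in, and the verdict tells you which side to look at. Also note that a PIX does not answer pings to its inside interface that arrive through the tunnel on the outside interface unless "management-access inside" is configured (PIX 7.0 supports it), which is why the reply above suggests testing from a PC behind the firewall rather than from the interface itself.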

Dear Martin, I am fed up, and have now set up the test environment again using two PIX 501s with back-to-back cable connectivity on the outside interfaces and two PCs on the inside interfaces. I was able to see the VPN tunnel, but again I was not able to ping (why???) from the inside PC, or from the inside interface of the PIX, to the other side's PC and firewall.

Attached are the complete configs, and below is also the output of the command you told me about.

    inbound esp sas:
     spi: 0x918bdc56(2441862230)
       transform: esp-des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 1, crypto map: newmap
       sa timing: remaining key lifetime (k/sec): (4608000/28375)
       IV size: 8 bytes
       replay detection support: Y
    outbound esp sas:
     spi: 0x69b6dd53(1773591891)
       transform: esp-des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 2, crypto map: newmap
       sa timing: remaining key lifetime (k/sec): (4607999/28357)
       IV size: 8 bytes
       replay detection support: Y

I think the result is the same as you described. I checked the ping to the outside interface and it was working.

Also, the green VPN tunnel LED shows that the tunnel has been created.

sh crypto isakmp sa
Total     : 1
Embryonic : 0

        dst           src        state     pending  created
   10.1.1.162    10.1.1.164     QM_IDLE       0        1

How can I ping the remote side's inside network?

Please help me, I am in great trouble.
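The thread ends with the tunnel in QM_IDLE and ESP SAs present but no traffic crossing it. On a PIX that combination is almost always one of two configuration problems: the crypto ACLs on the two peers are not mirror images of each other, or the private traffic is translated by "nat (inside) 1" before it reaches the crypto map because there is no "nat (inside) 0 access-list" exemption. The following is an added example, not from the thread or from Cisco: a small checker that parses the relevant lines of two PIX 6.3/7.0-style configs and reports those two faults, plus a missing "sysopt connection permit-ipsec". The configs are constructed from the addresses in the thread; the HO side is correct, and the branch side is shown once deliberately broken and once corrected.

```python
"""Consistency check for a PIX site-to-site IPsec configuration.

Added example, not from the thread or from Cisco.  Parses only the line
forms shown in the sample configs below (access-list ... permit ip,
nat (inside) 0 access-list, crypto map ... match address, sysopt).
The configs and addresses are constructed from the thread.
"""
import ipaddress

# Head office, correct: crypto ACL and NAT exemption cover the same pair of networks.
HO_CONFIG = """
access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.73.0 255.255.255.0
access-list vpn permit ip 172.16.1.0 255.255.255.0 172.16.73.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map newmap 10 match address vpn
crypto map newmap 10 set peer 10.1.1.162
sysopt connection permit-ipsec
"""

# Branch, deliberately broken: crypto ACL covers a single host rather than the
# mirror of HO's network pair, and everything is NATed (no nat 0 exemption).
BRANCH_BROKEN = """
access-list vpn permit ip host 172.16.73.3 172.16.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map newmap 10 match address vpn
crypto map newmap 10 set peer 121.115.30.110
sysopt connection permit-ipsec
"""

# Branch, corrected.
BRANCH_FIXED = """
access-list nonat permit ip 172.16.73.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list vpn permit ip 172.16.73.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map newmap 10 match address vpn
crypto map newmap 10 set peer 121.115.30.110
sysopt connection permit-ipsec
"""


def _network(tokens, i):
    """Read one ACL address spec (any | host A | A MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix(config):
    """Extract ACLs, the nat 0 ACL name, the crypto map ACL name and the sysopt flag."""
    acls, nat0, crypto_acl, sysopt = {}, None, None, False
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, i = _network(t, 4)
            dst, _ = _network(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0 = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_acl = t[6]
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            sysopt = True
    return {"acls": acls, "nat0": nat0, "crypto_acl": crypto_acl, "sysopt": sysopt}


def check_pair(local, remote):
    """Return a list of findings for 'local' relative to its peer 'remote'."""
    findings = []
    mine = local["acls"].get(local["crypto_acl"], [])
    theirs = remote["acls"].get(remote["crypto_acl"], [])
    nonat = local["acls"].get(local["nat0"], [])
    if not mine:
        findings.append("crypto map has no 'match address' ACL with permit ip entries")
    for src, dst in mine:
        # Phase 2 proxy identities must be mirror images or the peers will not agree on the SA.
        if (dst, src) not in theirs:
            findings.append(f"crypto ACL {src} -> {dst} has no mirror entry on the peer")
        # Traffic must be exempt from NAT or it reaches the crypto map with a translated source.
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nonat):
            findings.append(f"no nat (inside) 0 exemption covers {src} -> {dst}")
    if not local["sysopt"]:
        findings.append("sysopt connection permit-ipsec missing: decrypted traffic hits the outside ACL")
    return findings


def audit(config_a, config_b):
    """Check both peers against each other and return findings per side."""
    a, b = parse_pix(config_a), parse_pix(config_b)
    return {"side_a": check_pair(a, b), "side_b": check_pair(b, a)}


if __name__ == "__main__":
    for label, cfg in (("broken", BRANCH_BROKEN), ("fixed", BRANCH_FIXED)):
        print(f"--- HO vs branch ({label}) ---")
        for side, findings in audit(HO_CONFIG, cfg).items():
            for finding in findings or ["OK"]:
                print(f"{side}: {finding}")
```

On the broken pair the checker flags the missing mirror entry on both sides and the missing NAT exemption on the branch; on the corrected pair it reports nothing. After adding or changing a "nat (inside) 0" exemption on a live PIX, run "clear xlate" so that existing translations for the test hosts are dropped, otherwise the first pings still go out translated and never match the crypto ACL.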