Cisco Support Community

New Member

IOS to PIX L2L VPN

Hi, hope someone can help with this. I am trying to establish a site-to-site tunnel between an IOS router and a PIX 7.0(1). The IOS router is 12.4(15)T7. At the IOS router side I have configured a static 1-to-1 NAT to translate the 172.31.x.x source address to 172.30.x.x; the cryptos at both sides of the tunnel are configured for the 172.30.x.x subnet. What I can see happening is the tunnel being established, the IOS router encaps/decaps packets, but the counter on the PIX side is only encapsulating packets, absolutely none are being decapsulated. So it looks like the PIX is sending packets, and the IOS router is sending and receiving them.

The relevant info in the configs is below, any suggestions would be welcome.

IOS Router

ip access-list extended CRYPTO
 permit ip 172.30.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 172.30.0.0 0.0.255.255 10.0.0.0 0.255.255.255
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxx address xxxxxx
!
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set 3DES-MD5
 match address CRYPTO
ip nat inside source static network 172.31.0.0 172.30.0.0 /16

I can see the NAT translations occurring when I put in sh ip nat translations. IP NAT inside is applied to the internal LAN interface, IP NAT outside is applied to the dialer interface.

PIX

access-list crypto extended permit ip 10.0.0.0 255.0.0.0 172.30.0.0 255.255.0.0
access-list crypto extended permit ip 192.168.0.0 255.255.0.0 172.30.0.0 255.255.0.0
access-list 102 extended permit ip 10.0.0.0 255.0.0.0 172.30.0.0 255.255.0.0
access-list 102 extended permit ip 192.168.0.0 255.255.0.0 172.30.0.0 255.255.0.0
nat (inside) 0 access-list 102
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 200 match address crypto
crypto map outside_map 200 set peer x.x.x.x
crypto map outside_map 200 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
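The first thing to rule out with a one-way L2L tunnel is a crypto ACL that is not an exact mirror of its peer. The check below is an added example (not from the post or from Cisco): it parses the two crypto ACLs exactly as quoted above (IOS wildcard masks, PIX subnet masks), reports any entry without a swapped-direction twin on the far side, and confirms that only the NAT-translated 172.30.x.x source, not the original 172.31.x.x, matches the IOS map. Only the standard ipaddress module is assumed.

```python
import ipaddress

# Constructed from the ACLs quoted in the post above (not pulled from a device).
IOS_CRYPTO = [
    "permit ip 172.30.0.0 0.0.255.255 192.168.0.0 0.0.255.255",
    "permit ip 172.30.0.0 0.0.255.255 10.0.0.0 0.255.255.255",
]
PIX_CRYPTO = [
    "access-list crypto extended permit ip 10.0.0.0 255.0.0.0 172.30.0.0 255.255.0.0",
    "access-list crypto extended permit ip 192.168.0.0 255.255.0.0 172.30.0.0 255.255.0.0",
]

def _wildcard_to_net(addr, wildcard):
    """IOS wildcard (inverse) mask -> ip_network; 0.0.255.255 becomes /16."""
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _netmask_to_net(addr, mask):
    """PIX/ASA style 'addr netmask' -> ip_network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_ios(line):
    """'permit ip SRC WILDCARD DST WILDCARD' -> (src_net, dst_net)."""
    t = line.split()
    i = t.index("ip")
    return (_wildcard_to_net(t[i + 1], t[i + 2]), _wildcard_to_net(t[i + 3], t[i + 4]))

def parse_pix(line):
    """'access-list NAME extended permit ip SRC MASK DST MASK' -> (src_net, dst_net)."""
    t = line.split()
    i = t.index("ip")
    return (_netmask_to_net(t[i + 1], t[i + 2]), _netmask_to_net(t[i + 3], t[i + 4]))

def mirror_mismatches(ios_lines, pix_lines):
    """Return (ios_entries, pix_entries) that have no exact src/dst-swapped
    counterpart on the other peer. Both lists empty means the ACLs mirror."""
    ios = {parse_ios(l) for l in ios_lines}
    pix = {parse_pix(l) for l in pix_lines}
    ios_unmirrored = [e for e in ios if (e[1], e[0]) not in pix]
    pix_unmirrored = [e for e in pix if (e[1], e[0]) not in ios]
    return ios_unmirrored, pix_unmirrored

def crypto_matches(src_ip, dst_ip, entries):
    """True if a src->dst flow is selected by any ACE in a parsed crypto ACL.
    Used to confirm the post-NAT 172.30.x.x address is what the map sees."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src_net and d in dst_net for src_net, dst_net in entries)
```

If both lists come back empty and the translated source matches, the ACLs are not the problem and the next step is the path between the peers (ESP reaching the PIX) or the peer's crypto map order.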

4 REPLIES

Re: IOS to PIX L2L VPN

Here's an excellent troubleshooting guide. It should help you resolve your issue.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

New Member

Re: IOS to PIX L2L VPN

Since the PIX is encapsulating and the IOS is encapsulating and decapsulating traffic, it suggests to me that there may be a firewall blocking ESP over UDP traffic (inbound on the filtering device in the transit path) from the IOS back to the PIX, hence the PIX has no packets to de-encapsulate.

HTH

New Member

Re: IOS to PIX L2L VPN

Thanks for getting back to me. I've checked the config of the internet facing router and there is no port filtering. At present, I have VPN clients that can connect to the PIX for remote access. I still cannot see how the PIX is either not receiving packets from the ios router, or is receiving them and not identifying them as being to/from an established VPN tunnel...

New Member

Re: IOS to PIX L2L VPN

Hi

Maybe you have solved this, but if you still are looking for an answer I think you might be hitting this bug.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd48512&from=summary

And you might need an upgrade to your pix version.

Regards
