IPSec between a 3600 and PIX

gwarnagiris
Level 1

We're trying to establish a LAN to LAN IPSEC connection between a Cisco 3600 12.3(6) and a PIX 6.3(4). The 3600 is behind a NAT firewall. It seems like the ISAKMP and IPSEC negotiation is successful, but we can't ping between the end points. The tunnel interface on the router shows no packets received and "sho crypto ipsec sa" shows errors and no encapsulated packets. I can see a route pointing to the tunnel interface in the 3600 for the remote network. Could you recommend more troubleshooting procedures? It would be appreciated. Configs attached.

Thank You,

George

1 Reply

gfullage
Cisco Employee

You don't need the tunnel interface on the router, that's only for doing GRE/IPSec which the PIX does NOT support. Do the following on the router:

no interface tunnel5

Then on the PIX you need to modify your crypto and "nat 0" ACLs to be the exact opposite of the router ACL, so cut/paste the following:

access-list inside_outbound_nat0_acl permit ip 10.228.2.0 255.255.255.0 10.0.0.0 255.0.0.0

no access-list inside_outbound_nat0_acl permit ip 10.228.2.0 255.255.255.0 any

access-list outside_cryptomap_B permit ip 10.228.2.0 255.255.255.0 10.0.0.0 255.0.0.0

no access-list outside_cryptomap_B permit ip host Router-Cisco B 255.255.0.0

no access-list outside_cryptomap_B permit ip host Brick-interna Babcock_Brown 255.255.0.0

no access-list outside_cryptomap_B permit ip host Tacacs B 255.255.0.0

Actually with your current PIX config is any internal user traffic getting out through this device? Add the following to PAT standard (non-encrypted) traffic to the outside interface address:

nat (inside) 1 10.228.2.0 255.255.255.0

That should get you a bit closer to a tunnel being built and it passing traffic correctly.