04-16-2002 03:47 AM - edited 03-08-2019 10:20 PM
Hi all!
I have a PIX terminating VPN Client connections. These connections work fine. Now I'm trying to end a LAN-to-LAN tunnel from a concentrator to the PIX. The tunnel can be opened from both ends, but data can only be sent from the concentrator to the PIX. Even though data from the PIX opens the tunnel, the concentrator never gets the packets. Any idea what might be wrong?
Here's some config from the pix:
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 88 permit ip 172.20.32.0 255.255.252.0 10.10.10.0 255.255.255.0
access-list 88 permit ip 172.20.32.0 255.255.252.0 host 123.123.123.123
access-list 89 permit ip 172.20.32.0 255.255.252.0 host 123.123.123.123
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered warnings
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 111.111.111.111 255.255.255.0
ip address inside 172.20.32.3 255.255.252.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-pool 10.10.10.1-10.10.10.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 88
nat (inside) 1 172.20.32.0 255.255.252.0 0 0
route outside 0.0.0.0 0.0.0.0 111.111.111.1 1
route outside 123.123.123.123 255.255.255.255 222.222.222.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server NTIAS protocol radius
aaa-server NTIAS (inside) host 172.20.32.29 Kissa timeout 10
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strongdes esp-3des esp-md5-hmac
crypto dynamic-map dynamap 20 set transform-set strongdes
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 89
crypto map vpnmap 10 set peer 222.222.222.222
crypto map vpnmap 10 set transform-set strongdes
crypto map vpnmap 20 ipsec-isakmp dynamic dynamap
crypto map vpnmap client authentication NTIAS
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 222.222.222.222 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup Grouppi address-pool VPN-pool
vpngroup Grouppi dns-server 172.20.32.5
vpngroup Grouppi wins-server 172.20.32.5
vpngroup Grouppi default-domain planar.fi
vpngroup Grouppi idle-time 1800
vpngroup Grouppi password ********
telnet timeout 5
terminal width 80
: end
[OK]
Thanks!
04-16-2002 04:31 AM
Oh, stupid old me. The route statement was incorrect. A basic mistake.
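As an added example (not from the thread or from Cisco), a small Python checker for the class of mistake the follow-up reply names: it reads the "ip address" and "route" lines of a PIX config and flags any static route whose next hop does not lie in the subnet directly connected to the interface the route names. The rule itself and the helper names (connected_subnets, check_routes) are assumptions; the sample lines are the poster's own, with their placeholder addresses.

```python
"""Flag PIX static routes whose next hop is not on a directly connected subnet.
Added example (not from the thread); the rule checked is an assumption, the
sample lines below are the poster's own with their placeholder addresses.
"""
import ipaddress
import re

IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def connected_subnets(config):
    """Map interface name -> connected network, taken from 'ip address' lines."""
    nets = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            ifname, addr, mask = m.groups()
            nets[ifname] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets


def check_routes(config):
    """Return (route_line, reason) for every route whose next hop is off-link.
    The follow-up reply blames an incorrect route statement for the one-way
    traffic; a next hop outside the interface subnet is the usual form of that."""
    nets = connected_subnets(config)
    problems = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        ifname, _dst, _mask, gw, _metric = m.groups()
        net = nets.get(ifname)
        if net is None:
            problems.append((line.strip(), f"interface {ifname} has no ip address"))
        elif ipaddress.ip_address(gw) not in net:
            problems.append((line.strip(), f"next hop {gw} is not in {net}"))
    return problems


# Constructed sample: the interface and route lines from the posted config.
SAMPLE = """\
ip address outside 111.111.111.111 255.255.255.0
ip address inside 172.20.32.3 255.255.252.0
route outside 0.0.0.0 0.0.0.0 111.111.111.1 1
route outside 123.123.123.123 255.255.255.255 222.222.222.222 1
"""

if __name__ == "__main__":
    for route, reason in check_routes(SAMPLE):
        print(f"{route}\n    -> {reason}")
```

Run against the posted lines, only the host route via 222.222.222.222 is reported, because that address is not inside 111.111.111.0/24 on the outside interface.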