502 Views, 0 Helpful, 1 Reply

One-way data through LAN2LAN tunnel

tsaxelin (Level 1)

Hi all!

I have a PIX terminating VPN Client connections. These connections work fine. Now I'm trying to end a lan-to-lan tunnel from a concentrator to the PIX. The tunnel can be opened from both ends, but data can only be sent from the concentrator to the pix. Even though data from the pix opens the tunnel, the concentrator never gets the packets. Any idea what might be wrong?

Here's some config from the pix:

Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 88 permit ip 172.20.32.0 255.255.252.0 10.10.10.0 255.255.255.0
access-list 88 permit ip 172.20.32.0 255.255.252.0 host 123.123.123.123
access-list 89 permit ip 172.20.32.0 255.255.252.0 host 123.123.123.123
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered warnings
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 111.111.111.111 255.255.255.0
ip address inside 172.20.32.3 255.255.252.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-pool 10.10.10.1-10.10.10.254
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 88
nat (inside) 1 172.20.32.0 255.255.252.0 0 0
route outside 0.0.0.0 0.0.0.0 111.111.111.1 1
route outside 123.123.123.123 255.255.255.255 222.222.222.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server NTIAS protocol radius
aaa-server NTIAS (inside) host 172.20.32.29 Kissa timeout 10
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strongdes esp-3des esp-md5-hmac
crypto dynamic-map dynamap 20 set transform-set strongdes
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 89
crypto map vpnmap 10 set peer 222.222.222.222
crypto map vpnmap 10 set transform-set strongdes
crypto map vpnmap 20 ipsec-isakmp dynamic dynamap
crypto map vpnmap client authentication NTIAS
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address 222.222.222.222 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup Grouppi address-pool VPN-pool
vpngroup Grouppi dns-server 172.20.32.5
vpngroup Grouppi wins-server 172.20.32.5
vpngroup Grouppi default-domain planar.fi
vpngroup Grouppi idle-time 1800
vpngroup Grouppi password ********
telnet timeout 5
terminal width 80
: end
[OK]

Thanks!

1 Reply

tsaxelin (Level 1)

Oh, stupid old me. The route statement was incorrect. A basic mistake.
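The reply only says the route statement was wrong, without saying which one or how. Looking at the posted config, the outside interface is 111.111.111.111/24 while the static route to the remote host 123.123.123.123 names 222.222.222.222 (the IKE peer's address) as its next hop, which is not on that subnet. The following script is an added example, not code from the thread or from Cisco: it parses the `ip address` and `route` lines of a PIX-style config (the sample text is constructed from the values in the post) and flags any static route whose next hop is not directly reachable on the named interface, which is the kind of one-sided reachability bug that lets a tunnel come up yet carry traffic only in one direction.

```python
import ipaddress
import re

# Constructed sample built from the interface, route and crypto lines in the
# posted PIX config (the public addresses are the poster's own placeholders).
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 111.111.111.111 255.255.255.0
ip address inside 172.20.32.3 255.255.252.0
route outside 0.0.0.0 0.0.0.0 111.111.111.1 1
route outside 123.123.123.123 255.255.255.255 222.222.222.222 1
crypto map vpnmap 10 set peer 222.222.222.222
crypto map vpnmap interface outside
"""

# "ip address <ifname> <addr> <mask>" and "route <ifname> <dest> <mask> <gw> [metric]"
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_interfaces(config):
    """Map interface name -> IPv4Interface taken from 'ip address' lines."""
    ifaces = {}
    for line in config.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m:
            name, addr, mask = m.groups()
            ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def parse_routes(config):
    """Return static routes as dicts with the interface, prefix, gateway, metric."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            iface, dest, mask, gw, metric = m.groups()
            routes.append({
                "iface": iface,
                "dest": ipaddress.IPv4Network(f"{dest}/{mask}"),
                "gw": ipaddress.IPv4Address(gw),
                "metric": int(metric) if metric else 1,
            })
    return routes


def check_routes(config):
    """List static routes whose next hop is not on the subnet of the interface
    the route names; such routes cannot forward traffic even though the prefix
    appears to be covered."""
    ifaces = parse_interfaces(config)
    problems = []
    for r in parse_routes(config):
        iface = ifaces.get(r["iface"])
        if iface is None:
            problems.append(
                f"route to {r['dest']}: interface {r['iface']} has no ip address")
            continue
        if r["gw"] not in iface.network:
            problems.append(
                f"route to {r['dest']} via {r['gw']}: next hop is not on "
                f"{r['iface']} subnet {iface.network}")
    return problems


if __name__ == "__main__":
    for problem in check_routes(PIX_CONFIG):
        print("WARNING:", problem)
```

Run against the sample, the default route passes (111.111.111.1 sits in 111.111.111.0/24) and the host route to 123.123.123.123 is reported, because its gateway 222.222.222.222 is not on the outside subnet. The same check is cheap to run over any firewall config before a change window, since a route whose next hop is unreachable will not show up as an error at configuration time.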
