One-way data through LAN2LAN tunnel

Hi all!

I have a PIX terminating VPN Client connections. These connections work fine. Now I'm trying to end a LAN-to-LAN tunnel from a concentrator to the PIX. The tunnel can be opened from both ends, but data can only be sent from the concentrator to the PIX. Even though data from the PIX opens the tunnel, the concentrator never gets the packets. Any idea what might be wrong?

Here's some config from the pix:

Building configuration...
: Saved

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

access-list 88 permit ip
access-list 88 permit ip host
access-list 89 permit ip host
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered warnings
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-pool
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 88
nat (inside) 1 0 0
route outside 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server NTIAS protocol radius
aaa-server NTIAS (inside) host Kissa timeout 10
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strongdes esp-3des esp-md5-hmac
crypto dynamic-map dynamap 20 set transform-set strongdes
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 89
crypto map vpnmap 10 set peer
crypto map vpnmap 10 set transform-set strongdes
crypto map vpnmap 20 ipsec-isakmp dynamic dynamap
crypto map vpnmap client authentication NTIAS
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth no-config-mode
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup Grouppi address-pool VPN-pool
vpngroup Grouppi dns-server
vpngroup Grouppi wins-server
vpngroup Grouppi default-domain
vpngroup Grouppi idle-time 1800
vpngroup Grouppi password ********
telnet timeout 5
terminal width 80
: end



Re: One-way data through LAN2LAN tunnel

Oh, stupid old me. The route statement was incorrect. A basic mistake.
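A small checker for the failure mode in this thread, added here as an example and not part of either post: it parses a constructed PIX 6.x config fragment (made-up RFC 1918 / RFC 5737 addresses, not the ones redacted above) and flags any crypto-map ACL destination whose longest-prefix route leaves on an interface other than the one carrying the crypto map, which is exactly what turns a LAN-to-LAN tunnel one-way. It also goes one step beyond the stated cause and reports a destination the nat 0 ACL does not exempt, the other common reason return traffic never matches the crypto ACL.

```python
import ipaddress

# Constructed PIX 6.x config fragment; addresses are made up (RFC 1918 /
# RFC 5737) and are not the ones redacted from the post above.
SAMPLE_CONFIG = """
access-list 88 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 89 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list 88
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.2.0.0 255.255.0.0 10.1.0.254 1
crypto map vpnmap 10 match address 89
crypto map vpnmap interface outside
"""

def _net(tokens):
    # Consume 'any', 'host A' or 'A MASK' from tokens; return (network, remaining tokens).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    # Collect ACL entries, static routes, the crypto-map ACL, the nat 0 ACL and the crypto interface.
    acls, routes, crypto_acl, nat0_acl, crypto_if = {}, [], None, None, None
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, rest = _net(t[4:])
            acls.setdefault(t[1], []).append((src, _net(rest)[0]))
        elif t[:1] == ["route"]:
            routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0_acl = t[4]
        elif t[:2] == ["crypto", "map"] and "address" in t:
            crypto_acl = t[t.index("address") + 1]
        elif t[:2] == ["crypto", "map"] and "interface" in t:
            crypto_if = t[t.index("interface") + 1]
    return acls, routes, crypto_acl, nat0_acl, crypto_if

def check_l2l(text):
    # Return the problems that would make LAN-to-LAN traffic one-way (empty list if none).
    acls, routes, crypto_acl, nat0_acl, crypto_if = parse_config(text)
    problems = []
    for src, dst in acls.get(crypto_acl, []):
        # Longest-prefix match decides which interface the PIX's reply traffic leaves on;
        # it must be the crypto-map interface or the packets are never encrypted.
        best = max((r for r in routes if dst.subnet_of(r[1])), key=lambda r: r[1].prefixlen, default=None)
        if best is None or best[0] != crypto_if:
            problems.append(f"{dst} is routed via {best[0] if best else 'nowhere'}, not {crypto_if}")
        # Traffic must also be exempted from NAT, or the PATed source no longer matches the crypto ACL.
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in acls.get(nat0_acl, [])):
            problems.append(f"{src}->{dst} is not exempted from NAT by access-list {nat0_acl}")
    return problems
```

Running `check_l2l(SAMPLE_CONFIG)` reports the remote subnet being routed via `inside`; pointing that route out `outside` clears the report.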

