New Member

PIX 501 behind router...

I have a PIX 501 that I am setting up at a site that has one static IP address and a router. I have never set up a PIX 501 without a public address on the WAN, so this is new to me. I have assigned the outside interface of the PIX to 192.168.0.254. On the router I have forwarded UDP 500 and 4500 to the 192.168.0.254 (PIX WAN) address. The tunnel light comes on on the PIX, and when I do a sh crypto isakmp sa I see the tunnel appears to be up in state QM_IDLE. However, I cannot transmit data across the tunnel or ping. Any ideas? Any help would be greatly appreciated. I have attached the config for review.

4 REPLIES

Re: PIX 501 behind router...

Firstly, are you allowing ESP through the router? It sounds like you are only bringing up phase 1 (IKE), which does use UDP 500 & 4500, but you also need to allow protocol 50 through as well.

HTH

New Member

Re: PIX 501 behind router...

OK, I got one tunnel to work fine (192.168.8.0 to 192.168.1.0). ICMP and data traverse the tunnel. However, I cannot seem to get the other tunnel working (192.168.5.0 to 192.168.1.0). If I do a sh crypto ipsec sa on both sides I can see the encapsulated packets getting incremented, but the decapsulated count stays at 0 on both sides. I have pored over the configs and cannot see what is wrong. In my previous post I included the config for the 192.168.1.0 location, and I will include the config for the 192.168.5.0 location in this post. Any help would be greatly appreciated.

Re: PIX 501 behind router...

What is the output from the remote end from:

sh crypto isakmp sa

sh crypto ipsec sa
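The counters the replies above ask for (encaps climbing while decaps stays at 0) are the key symptom in this thread. The following is an added example, not code from any poster in this thread: a small Python parser for sh crypto ipsec sa output that pulls the per-SA encaps/decaps counters and classifies each SA as idle, one-way, or bidirectional, so the one-way case can be spotted at a glance when comparing both ends. The sample output is constructed (peer addresses are documentation-range placeholders); the "#pkts encaps:" / "#pkts decaps:" labels and the "local/remote ident" lines follow the PIX output format.

```python
import re

# Constructed sample of 'sh crypto ipsec sa' output: two SAs under the
# same crypto map ("lafayette", as on the page). The first shows the
# thread's symptom (encaps > 0, decaps == 0); the second is healthy.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: lafayette, local addr. 192.168.0.254

   local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 203.0.113.10:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest 57
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

   local  ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer: 203.0.113.20:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 812, #pkts encrypt: 812, #pkts digest 812
    #pkts decaps: 790, #pkts decrypt: 790, #pkts verify 790
"""

# One SA block: local ident, remote ident, then the encaps/decaps counters.
SA_RE = re.compile(
    r"local\s+ident \(addr/mask/prot/port\): \((?P<local>[^)]*)\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]*)\)"
    r".*?#pkts encaps: (?P<encaps>\d+)"
    r".*?#pkts decaps: (?P<decaps>\d+)",
    re.DOTALL,
)


def _network(ident):
    """Reduce 'addr/mask/prot/port' to 'addr/mask'."""
    addr, mask = ident.split("/")[:2]
    return f"{addr}/{mask}"


def parse_ipsec_sa(text):
    """Return one dict per SA with its proxy identities and packet counters."""
    sas = []
    for m in SA_RE.finditer(text):
        sas.append({
            "local": _network(m.group("local")),
            "remote": _network(m.group("remote")),
            "encaps": int(m.group("encaps")),
            "decaps": int(m.group("decaps")),
        })
    return sas


def classify_sa(sa):
    """Describe the traffic pattern an SA's counters show."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc == 0 and dec == 0:
        return "idle: no packets matched this SA; check the crypto ACL covers the interesting traffic"
    if enc > 0 and dec == 0:
        return ("one-way: packets are encrypted and sent but nothing is decrypted; "
                "check that ESP (IP protocol 50) is passed to the PIX and that the "
                "remote crypto / nat 0 ACLs mirror this one")
    if enc == 0 and dec > 0:
        return "one-way: receiving but not sending; check the local crypto ACL and nat 0 exemption"
    return "bidirectional: traffic is flowing in both directions"


def report(text):
    """One line per SA: local -> remote, counters, and the classification."""
    return [
        f"{sa['local']} -> {sa['remote']} encaps={sa['encaps']} decaps={sa['decaps']}: {classify_sa(sa)}"
        for sa in parse_ipsec_sa(text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Run it against the output from both ends: when both sides show the one-way pattern for the same pair of networks, each side is sending but neither is receiving, which points at the path between them (ESP forwarding) or at mismatched crypto/NAT-exemption ACLs rather than at phase 1.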

Silver

Re: PIX 501 behind router...

Hello,

You are using the same access-list "80" for both NAT 0 (NAT bypass) and the crypto ACL.

I am wondering how you could create an extended access-list numbered "80".

Standard access-lists are numbered 1-99 (they support only a source address).

First of all, change your access-list number to 100 or more, and secondly, do not use the same access-list for NAT 0 and the crypto ACL.

Create two separate identical access-lists. For example :

access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 100

crypto map lafayette 10 match address 120

Then post the results of the following:

show access-list 100 (check the hit counts when packets bypass NAT)

and

show crypto ipsec sa

HTH

Saju

Pls rate if it helps
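The two points in the reply above (one ACL shared between nat 0 and the crypto map, and an extended ACL carrying a standard-range number) are easy to miss when reading a long PIX config by eye. The following is an added example, not code from any poster in this thread: a Python lint that parses the access-list, nat 0 and crypto map match address lines of a PIX config and reports those two conditions, plus a third check that every flow in the crypto ACL is also covered by the nat 0 exemption list (the reply asks for two identical lists; a crypto ACL that is a subset of the nat 0 list also passes). The two sample configs are constructed from the lines the reply shows; the "lafayette" map name and the networks are taken from the page.

```python
import re
from collections import defaultdict

# Constructed "before" config: the shape the reply above objects to.
BAD_CONFIG = """\
access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 80 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 80
crypto map lafayette 10 match address 80
"""

# Constructed "after" config: the reply's recommended layout.
GOOD_CONFIG = """\
access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 100 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 120 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
crypto map lafayette 10 match address 120
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

# Protocol keywords that make an entry extended (source AND destination).
EXTENDED_PROTOS = {"ip", "tcp", "udp", "icmp"}


def parse_pix(config):
    """Collect ACL entries, nat 0 references and crypto map ACL references."""
    acls = defaultdict(list)   # acl id -> [(action, proto, rest), ...]
    nat0 = {}                  # acl id -> interface it exempts
    crypto = {}                # (map name, seq) -> acl id
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acl_id, action, proto, rest = m.groups()
            acls[acl_id].append((action, proto, rest))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(2)] = m.group(1)
            continue
        m = CRYPTO_RE.match(line)
        if m:
            crypto[(m.group(1), int(m.group(2)))] = m.group(3)
    return acls, nat0, crypto


def lint(config):
    """Return a list of findings; an empty list means the checks passed."""
    acls, nat0, crypto = parse_pix(config)
    findings = []

    # 1. Extended entries under a standard-range (1-99) number.
    for acl_id, entries in acls.items():
        if acl_id.isdigit() and 1 <= int(acl_id) <= 99:
            if any(proto in EXTENDED_PROTOS for _, proto, _ in entries):
                findings.append(
                    f"access-list {acl_id}: number is in the standard range 1-99 "
                    f"but its entries use extended syntax; renumber to 100 or above"
                )

    for (name, seq), acl_id in crypto.items():
        # 2. Same ACL referenced by nat 0 and by the crypto map.
        if acl_id in nat0:
            findings.append(
                f"access-list {acl_id}: used by both 'nat ({nat0[acl_id]}) 0' and "
                f"'crypto map {name} {seq}'; split it into two identical lists"
            )
            continue
        # 3. Every crypto ACL flow must be covered by some nat 0 list.
        crypto_entries = set(acls.get(acl_id, []))
        covered = any(crypto_entries <= set(acls.get(n, [])) for n in nat0)
        if crypto_entries and not covered:
            findings.append(
                f"crypto map {name} {seq}: flows in access-list {acl_id} are not "
                f"all exempted by a nat 0 access-list"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BAD_CONFIG), ("after", GOOD_CONFIG)):
        print(f"{label}: {lint(cfg) or ['ok']}")
```

Feed it the running config of each PIX; a clean result on both ends, together with hit counts on show access-list 100 and matching decaps counters in show crypto ipsec sa, is the state the reply is asking to see.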
