Cisco Support Community
Traffic is being decrypted but not Encrypted

I am using a PIX 6.2(2) creating an IPSEC tunnel. I have several access-lists set up to allow subnets on the tunnel; however, any traffic destined for the 192.168.10.0/24 network is being decrypted on the way to the PIX, but then the PIX is not encrypting the traffic outbound. Here is the config:

access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 146.225.0.0 255.255.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 host 172.21.16.32
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 172.25.0.0 255.255.0.0

access-list nonat permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 146.225.0.0 255.255.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
access-list nonat permit ip 192.168.230.0 255.255.255.0 host 172.21.16.32
access-list nonat permit ip 192.168.230.0 255.255.255.0 172.25.0.0 255.255.0.0

show ipsec sa:

local ident (addr/mask/prot/port): (192.168.230.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 198.182.40.11
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4068, #pkts encrypt: 4068, #pkts digest 4068
#pkts decaps: 4226, #pkts decrypt: 4226, #pkts verify 4226
****************************************************
local ident (addr/mask/prot/port): (192.168.230.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 198.182.40.11
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16


Re: Traffic is being decrypted but not Encrypted

Is 192.168.230.0 a directly connected network to the PIX? If so, then run the following debug on the PIX and see if the responses are even making it back to the PIX. After enabling the debug, run a ping from the remote site to the 192.168.230.0 network.

debug packet inside src <192.168.230.0_NW_IP_that_you_are_pinging> dst proto icmp

(to turn it off: "no debug packet inside")

Run the ping. See if the replies are showing up on the console. If they are not, then it is a local LAN issue. If they show up, then check the ACL for these networks in ACL nonat and see if the hitcount is incrementing. If yes, then check the ACL line in the TONORTEL ACL for these networks and see if the hitcount is incrementing. If yes, then clear the ipsec and isakmp SAs and run a ping again.

Hope this helps.
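As an added example (not code from either poster), here is a small Python diagnostic that does the two mechanical parts of the troubleshooting above: it parses the "show ipsec sa" counters and flags any SA that has decrypted traffic but never encrypted any (the symptom in the question), and it checks that every src/dst pair in the crypto ACL has an identical entry in the nonat ACL, which is the first thing the reply asks you to verify. The sample text is constructed from values copied from the post; ACL_CONFIG_GAP is a constructed variant with the nonat line for 192.168.10.0 removed so the second check has something to report, and all function names are my own.

```python
import re

# Constructed sample, copied from the "show ipsec sa" output quoted in the question.
SHOW_IPSEC_SA = """\
local ident (addr/mask/prot/port): (192.168.230.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 198.182.40.11
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4068, #pkts encrypt: 4068, #pkts digest 4068
#pkts decaps: 4226, #pkts decrypt: 4226, #pkts verify 4226
****************************************************
local ident (addr/mask/prot/port): (192.168.230.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 198.182.40.11
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
"""

# Constructed subset of the access-lists from the question (crypto ACL and nonat ACL).
ACL_CONFIG = """\
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 146.225.0.0 255.255.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
access-list nonat permit ip 192.168.230.0 255.255.255.0 146.225.0.0 255.255.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
"""

# Constructed variant: the nonat entry for 192.168.10.0 is missing, so replies to
# that subnet would be NATed before the crypto map sees them.
ACL_CONFIG_GAP = ACL_CONFIG.replace(
    "access-list nonat permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0\n", "")

SA_BLOCK_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \((?P<local>[^)]*)\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]*)\)\s*"
    r"current_peer: (?P<peer>\S+)"
    r".*?#pkts encaps: (?P<encaps>\d+), #pkts encrypt: (?P<encrypt>\d+)"
    r".*?#pkts decaps: (?P<decaps>\d+), #pkts decrypt: (?P<decrypt>\d+)",
    re.DOTALL,
)

# Matches PIX-style "access-list NAME permit ip SRC DST" where each endpoint is
# either "host A.B.C.D" or "A.B.C.D MASK".
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) permit ip (?P<src>host \S+|\S+ \S+) (?P<dst>host \S+|\S+ \S+)"
)


def parse_ipsec_sa(text):
    """One dict per SA block: proxy identities, peer, and integer packet counters."""
    sas = []
    for m in SA_BLOCK_RE.finditer(text):
        sa = m.groupdict()
        for key in ("encaps", "encrypt", "decaps", "decrypt"):
            sa[key] = int(sa[key])
        sas.append(sa)
    return sas


def decrypt_only_sas(sas):
    """SAs that received tunnel traffic but never sent any: the symptom in the question."""
    return [sa for sa in sas if sa["decrypt"] > 0 and sa["encrypt"] == 0]


def _endpoint(token):
    """'host 1.2.3.4' -> ('1.2.3.4', '255.255.255.255'); 'addr mask' -> (addr, mask)."""
    parts = token.split()
    return (parts[1], "255.255.255.255") if parts[0] == "host" else (parts[0], parts[1])


def parse_acl(text, name):
    """Set of (src, dst) endpoint pairs for the named access-list."""
    return {(_endpoint(m.group("src")), _endpoint(m.group("dst")))
            for m in ACL_RE.finditer(text) if m.group("name") == name}


def crypto_pairs_missing_from_nonat(crypto, nonat):
    """Crypto-ACL pairs that have no identical nonat entry, sorted for stable output."""
    return sorted(crypto - nonat)


def diagnose(sa_text, acl_text, crypto_name, nonat_name):
    """Human-readable findings: decrypt-only SAs first, then nonat coverage gaps."""
    findings = []
    for sa in decrypt_only_sas(parse_ipsec_sa(sa_text)):
        findings.append(f"decrypt-only SA to peer {sa['peer']}: remote {sa['remote']} "
                        f"(decrypt={sa['decrypt']}, encrypt=0)")
    crypto, nonat = parse_acl(acl_text, crypto_name), parse_acl(acl_text, nonat_name)
    for (src, dst) in crypto_pairs_missing_from_nonat(crypto, nonat):
        findings.append(f"crypto ACL pair {src[0]}/{src[1]} -> {dst[0]}/{dst[1]} "
                        f"has no {nonat_name} entry")
    return findings


if __name__ == "__main__":
    for line in diagnose(SHOW_IPSEC_SA, ACL_CONFIG, "TONORTEL", "nonat"):
        print("page config:", line)
    for line in diagnose(SHOW_IPSEC_SA, ACL_CONFIG_GAP, "TONORTEL", "nonat"):
        print("gap config: ", line)
```

On the config as posted, the nonat check is clean and the only finding is the decrypt-only SA for 192.168.10.0/24, which is exactly the situation where the reply sends you on to the packet debug and the ACL hit counts: the SA is up and return traffic is arriving, so the question becomes whether replies reach the PIX at all and whether they are matched by both ACLs on the way out.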
