Cisco Support Community
New Member

VPN tunnel between pix6.3 and pix 7.0

i have installed a pix 7.0(1) at one of our offices and configured a site-to-site vpn tunnel to head office pix6.3(3).

the tunnel comes up fine and you can see packets being transferred through the tunnel (sh crypto ipsec sa).

i have tried and successfully tftp'd a new image to the pix 7.0(1) and can also poll it for snmp, but when i try to telnet to it i get:

"%PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 194.x.x.x, src_addr= 192.x.x.x, prot= tcp"

i have been looking through bug toolkit and found the following CSCei00497.

i was wondering if this could be the problem or if anyone knows of this?

thanks

FC

7 REPLIES
Gold

Re: VPN tunnel between pix6.3 and pix 7.0

you mentioned the issue occurs when you try to telnet to the pix with v7.

just wondering from where are you trying to telnet from. from the internet? inside? remote lan via vpn? also to which interface of the pix with v7, is it inside? outside?

New Member

Re: VPN tunnel between pix6.3 and pix 7.0

telnetting from the pix with ver 6.3 to the outside interface from the internet. i have read somewhere that this message i get has to do with the isakmp policies not being the same on both sides, but they definitely are.

thanks

Gold

Re: VPN tunnel between pix6.3 and pix 7.0

net1 <--> pix7 <--> internet/vpn <--> pix6 <--> net2

net2 pc tries to establish a telnet session to the pix7 outside interface? if so, you need to apply the following on pix7, and telnet to the pix7 inside interface instead:

management-access inside

telnet inside

New Member

Re: VPN tunnel between pix6.3 and pix 7.0

vpn is setup from pix6 to outside interface of pix7. it is not setup for lan to lan only for management purposes to be able to telnet into pix7 and not access net1.

thanks

Gold

Re: VPN tunnel between pix6.3 and pix 7.0

telnet is not allowed on the pix outside interface, regardless of whether it's over ipsec or not.

one way is to configure ssh by using the commands below:

hostname xxx

domain-name xxx.com.au

ca generate rsa key 1024

ca save all

ssh 255.255.255.255 outside

New Member

Re: VPN tunnel between pix6.3 and pix 7.0

thanks jackko for your replies.

are you saying that telnetting to the outside interface is not supported anymore with pix 7.0?

Gold

Re: VPN tunnel between pix6.3 and pix 7.0

i guess it may work with v7; however, you need to include the pix outside interface as part of the crypto acl.

i have had some issues with that solution. e.g. the lan-lan vpn wasn't a 100% lan-lan. from one site only specific hosts are included as part of the crypto acl; however, the rest of the site has access to the vpn as well. after some troubleshooting, i found the reason being that the pix will PAT all the outbound traffic and the pix outside interface is part of the crypto acl, so the rest of the site has access to the vpn as well. it may or may not be your case.

regardless, i would suggest allowing telnet to the inside interface only, not outside.
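Pulling the advice in this thread together (management-access inside, telnet on the inside interface only, SSH instead of telnet where possible), here is an added example of a PIX 7.0 management configuration. It is not configuration from the thread, from the original poster, or from Cisco documentation, and every address, hostname, domain and username in it is a constructed placeholder: 10.1.1.50 stands for a local admin host on net1, 192.0.2.10 for the remote admin host on net2 that reaches pix7 through the tunnel from pix6.

```cisco
! Added example, not from the thread: restricted management access on a PIX 7.0.
! All names and addresses below are constructed placeholders.
hostname pix7
domain-name example.com
!
! SSH needs an RSA key pair. This is the 7.0 syntax; "ca generate rsa key" and
! "ca save all" quoted earlier in the thread are the 6.3 forms.
crypto key generate rsa modulus 1024
!
! Authenticate management logins against a local account instead of relying
! on the enable/telnet password alone.
username admin password <set-a-strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
!
! Let traffic that arrives through the VPN terminate on the inside interface
! address. This is what allows a peer on the far side of the tunnel to
! "telnet inside" rather than hitting the outside interface.
management-access inside
!
! Telnet is only permitted on non-outside interfaces (the thread's point).
! Restrict it to specific hosts rather than 0.0.0.0 0.0.0.0.
telnet 10.1.1.50 255.255.255.255 inside
telnet 192.0.2.10 255.255.255.255 inside
telnet timeout 5
!
! SSH, limited to one host per interface, SSHv2 only, short idle timeout.
ssh 10.1.1.50 255.255.255.255 inside
ssh 192.0.2.10 255.255.255.255 outside
ssh version 2
ssh timeout 5
!
! Persist the configuration (replaces "ca save all" from 6.3).
write memory
```

For the remote admin host to reach the inside interface over the tunnel, the crypto ACL on the pix6 side must treat traffic from that host to pix7's inside interface address as interesting traffic, and the mirror entry must exist on pix7; otherwise the packets arrive in the clear and produce the same "Rec'd packet not an IPSEC packet" message quoted at the top of the thread. Once SSH is confirmed working from both management hosts, the two telnet lines can be removed.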
