VPN tunnel is up but cannot ping or access anything

assalihin
Level 1

I have a VPN tunnel between our PIX 515E and an ASA box at a remote location.

The VPN client says we are connected, but I cannot ping or access anything at the remote location.

When I check my ipconfig, I see that I got an IP from the ASA box at the remote location.

Funny thing is that we can ping and access the remote computers when we establish the VPN tunnel from our sister company.

Our subnet IP scheme is the same at the 3 locations.

Thanks for your time.


acomiskey
Level 10

Could you clarify what type of VPN you are trying to establish? You mention a tunnel between a PIX and ASA, but you also mention the VPN client. Is this LAN-to-LAN or remote access?

Remote Access

Farrukh Haroon
VIP Alumni

The VPN client is connecting to which server, ASA or PIX? What is the version of PIX/ASA?

Have you enabled NAT-T? (You might need to enable it in the client as well, in the Transport tab... it's enabled by default though on the client and disabled on ASA/PIX 7.x)

isakmp nat-traversal is the command to enable it on the PIX/ASA.

Regards

Farrukh

Farrukh is right on here. If it's not NAT-T, then look at your NAT exemption config. In 7.2 and greater the command is now

crypto isakmp nat-traversal

I checked my config on my PIX and I have the "isakmp nat-traversal" command in there.

This is what I am trying to do:

User--->PIX--->ASA---RDP to any machine in the network protected by the ASA.

Thanks for your time

So on what port is the VPN connection established? 500 and ESP (Prot 50) or on port 4500? You can verify this by 'show conn' and by the 'show crypto isakmp/ipsec sa det' command.

Regards

Farrukh

On which device should I run this command?

On the PIX (client) or on the ASA (server)?

The first suggestion (to enable NAT-T) is on the client. It's on the 'Transport' tab in the VPN client GUI. It's on by default, but just double check.

The second set of commands are on the firewall (Server).

Regards

Farrukh
