No return traffic through IPSEC tunnel

ciscosom
Level 1

Hello,

We have configured an IPsec tunnel between a PIX and a Checkpoint peer on the other end

(206.201.227.92). The tunnel comes up fine (phase 1 & 2). But when the other end tries to FTP to our server 209.216.213.149 (or for that matter any traffic), I see packets coming through the tunnel and hitting our server (tcpdump); however, none of the traffic goes back from the server into the tunnel to the other end. To confirm the issue, I cleared the SAs and generated traffic from the FTP server to the client's end. My PIX doesn't even try to negotiate ISAKMP; crypto isakmp/ipsec is blank. Do you see anything wrong with my configuration?

Any help will be appreciated

8 Replies

Marwan ALshawi
VIP Alumni

I can't see the attachment.

Anyway,

first check if you have made the NAT exemption, AKA nat 0!

If your LAN is 192.168.1.0/24

and the remote LAN is 172.16.1.0/24,

do the following:

access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

then

nat (inside) 0 access-list 100

assuming that your inside network (the one where the FTP server is located) is named inside; maybe it is DMZ, whatever, just change the name based on your config.

good luck

Please rate if helpful.

Another thing to check is proper routing:

- Proper route on the FTP server to send the traffic towards the FW.

- Route on the firewall towards the Outside interface for the remote LAN subnet.

Dhananjoy,

Thanks for your response. Yes, the other end is receiving packets when initiated from our FTP server, BUT the traffic is clear text and NOT through the IPsec tunnel. Any idea what is going on?

Marwanshawi,

Thanks a ton for your response. I don't know why you are not able to view the attachment. I can send you the config to your e-mail ID, if you wish.

Yes, NAT 0 and the access-list are already in place. Since the client has a policy of accepting only routable IPs, we had to NAT our FTP server using

static (inside,outside) <NAT IP> <real IP of FTP server>. I don't know why even then none of the traffic is going through the tunnel.

Hi,

Your crypto ACLs and NAT 0 statements are all host to host; check whether the FTP server IP is included or not.

Yes, I think I already have the ACL and NAT 0 for the server:

access-list outside_cryptomap_150 permit ip host 209.216.213.149 host 206.201.227.240

access-list inside_outbound_nat0_acl permit ip host 209.216.213.149 host 206.201.227.240

.149 being our FTP server.

You can't NAT exempt an address which is already NAT'd. You don't need to NAT exempt 209.216.213.149. Also, if you do NAT exempt it, your crypto access list should not contain the 209 address, as it won't be 209 when it goes over the tunnel.

The issue is resolved now. Actually the issue was that my Linux box had dual NICs; one was connected to the PIX and the other was connected to a different network altogether. So basically traffic was entering through the IPsec tunnel and reaching our FTP server, but the return traffic was going out through the second NIC (different network), so two-way communication was not happening even though the tunnel was up. I added a route manually with the route add command on the Linux FTP server and forced it to take the route via the PIX for traffic going to the other end.

One thing is for sure: I can't thank you all enough for your inputs, without which I would not have resolved this issue.
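The asymmetric-return-path problem in the resolution above can be checked on the host side before touching the firewall: do a longest-prefix lookup for the remote peer in the server's routing table and compare the egress NIC with the NIC the request arrived on. The script below is an added example, not from this thread or from Cisco; the routing table, interface names and gateway addresses are constructed to model the dual-NIC FTP server, and only the 209.216.213.149 / 206.201.227.x addresses come from the thread.

```python
import ipaddress

# Constructed routing table modelled on the resolution: the FTP server
# (209.216.213.149) has two NICs. eth0 faces the PIX; eth1 faces a different
# network and holds the default route. Names and gateways are assumed.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "10.20.0.1", "eth1"),        # default route out the second NIC
    ("209.216.213.128/25", None, "eth0"),      # directly connected, PIX side
    ("10.20.0.0/24", None, "eth1"),            # directly connected, second network
]

# The kind of route the poster added by hand to force traffic for the remote
# end back towards the PIX. Prefix length and PIX inside address are assumed.
PIX_ROUTE = ("206.201.227.0/24", "209.216.213.129", "eth0")


def lookup(routes, dst):
    """Longest-prefix match: return (iface, gateway) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    return best[2], best[1]


def return_path_is_asymmetric(routes, ingress_iface, remote_host):
    """True when replies to remote_host would leave on a different NIC than
    the one the request came in on, i.e. they bypass the IPsec gateway."""
    egress = lookup(routes, remote_host)
    return egress is None or egress[0] != ingress_iface


if __name__ == "__main__":
    remote = "206.201.227.240"  # remote host from the crypto ACL in the thread
    # Without the manual route replies leak out eth1 in clear text.
    print(return_path_is_asymmetric(SAMPLE_ROUTES, "eth0", remote))
    # With the route added, replies go back via eth0 towards the PIX.
    print(return_path_is_asymmetric(SAMPLE_ROUTES + [PIX_ROUTE], "eth0", remote))
```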
