New Member

No return traffic through IPSEC tunnel

Hello ,

We have configured an IPsec tunnel between a PIX and a Checkpoint peer on the other end (206.201.227.92). The tunnel comes up fine (phase 1 & 2). But when the other end tries to FTP to our server 209.216.213.149 (or send any traffic, for that matter), I see packets coming through the tunnel and hitting our server (tcpdump); however, none of the traffic goes back from the server into the tunnel to the other end. To confirm the issue, I cleared the SAs and generated traffic from the FTP server to the client's end. My PIX doesn't even try to negotiate ISAKMP; crypto isakmp/ipsec is blank. Do you see anything wrong with my configuration?

Any help will be appreciated

8 REPLIES

Re: No return traffic through IPSEC tunnel

I can't see the attachment.

Anyway,

first check if you have made the NAT exemption, AKA nat 0!

If your LAN is 192.168.1.0/24

if ur LAN is 192.168.1.0 /24

and the remote LAN is 172.16.1.0/24,

do the following:

access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

then

nat (inside) 0 access-list 100

assuming that your inside network (where the FTP server is located) is named inside; maybe it is DMZ, whatever, just change the name based on your config.

Good luck.

Please rate if helpful.

Re: No return traffic through IPSEC tunnel

Another thing to check is proper routing:

- Proper route on the FTP server to send the traffic towards the FW.

- Route on the firewall towards the Outside interface for the remote LAN subnet.

New Member

Re: No return traffic through IPSEC tunnel

Dhananjoy,

Thanks for your response. Yes, the other end is receiving packets when initiated from our FTP server, BUT the traffic is clear text and NOT through the IPsec tunnel. Any idea what is going on?

New Member

Re: No return traffic through IPSEC tunnel

Marwanshawi,

Thanks a ton for your response. I don't know why you are not able to view the attachment. I can send you the config to your e-mail ID, if you wish.

Yes, NAT 0 and the access-list are already in place. Since the client has a policy of accepting only routable IPs, we had to NAT our FTP server using

static (inside,outside) NAT IP, real IP of FTP server. Even then, I don't know why none of the traffic is going through the tunnel.

Re: No return traffic through IPSEC tunnel

Hi,

Your crypto ACLs and NAT 0 statements are all host to host; check whether the FTP server IP is included or not.

New Member

Re: No return traffic through IPSEC tunnel

Yes, I think I already have the ACL and NAT 0 for the server:

access-list outside_cryptomap_150 permit ip host 209.216.213.149 host 206.201.227.240

access-list inside_outbound_nat0_acl permit ip host 209.216.213.149 host 206.201.227.240

.149 being our FTP server.

Green

Re: No return traffic through IPSEC tunnel

You can't NAT exempt an address which is already NAT'd. You don't need to NAT exempt 209.216.213.149. Also, if you do NAT exempt it, your crypto access list should not contain the 209 address, as it won't be 209 when it goes over the tunnel.
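The NAT-order reasoning in this reply, as an added illustration (not code from the thread, from Cisco, or from any poster): a small Python checker that parses a constructed PIX 6.x-style fragment with placeholder documentation addresses, applies nat 0 exemption before statics to work out the source address a flow carries on the wire, and reports whether the crypto ACL still matches that post-NAT flow and whether nat 0 exempts a static's mapped address instead of a real inside host.

```python
import ipaddress

# Constructed PIX 6.x-style fragment with placeholder addresses (not the thread's config):
# 192.0.2.10 = FTP server's real inside address, 198.51.100.10 = its static-NAT mapped
# address, 203.0.113.5 = host behind the remote peer.
CONFIG = """
static (inside,outside) 198.51.100.10 192.0.2.10 netmask 255.255.255.255
access-list inside_outbound_nat0_acl permit ip host 198.51.100.10 host 203.0.113.5
access-list outside_cryptomap_150 permit ip host 198.51.100.10 host 203.0.113.5
nat (inside) 0 access-list inside_outbound_nat0_acl
""".strip().splitlines()

def _addr(tokens):
    # One ACL address spec, either "host A" or "A MASK"; returns (network, remaining tokens)
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse(lines):
    """Collect statics (real -> mapped), named ACL entries and the nat 0 ACL name."""
    cfg = {"statics": {}, "acls": {}, "nat0": None}
    for line in lines:
        w = line.split()
        if w[0] == "static":                       # static (in,out) MAPPED REAL ...
            cfg["statics"][w[3]] = w[2]
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            src, rest = _addr(w[4:])
            dst, _ = _addr(rest)
            cfg["acls"].setdefault(w[1], []).append((src, dst))
        elif w[:3] == ["nat", "(inside)", "0"]:    # nat (inside) 0 access-list NAME
            cfg["nat0"] = w[4]
    return cfg

def acl_matches(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)

def check(lines, real_src, dst, crypto_acl):
    """Findings for the flow real_src -> dst: bogus nat 0 entries and crypto ACL mismatch."""
    cfg = parse(lines)
    src, dst = ipaddress.ip_address(real_src), ipaddress.ip_address(dst)
    mapped = set(cfg["statics"].values())
    findings = [f"nat 0 exempts {s.network_address}, a static's mapped address, not a real inside host"
                for s, _ in cfg["acls"].get(cfg["nat0"], [])
                if s.prefixlen == 32 and str(s.network_address) in mapped]
    # NAT exemption is evaluated before statics, so an exempt flow keeps its real address
    exempt = acl_matches(cfg["acls"].get(cfg["nat0"], []), src, dst)
    wire = src if exempt else ipaddress.ip_address(cfg["statics"].get(str(src), str(src)))
    if not acl_matches(cfg["acls"].get(crypto_acl, []), wire, dst):
        findings.append(f"{crypto_acl} misses post-NAT flow {wire} -> {dst}: traffic leaves in the clear")
    return findings
```

Running `check(CONFIG, "192.0.2.10", "203.0.113.5", "outside_cryptomap_150")` flags only the nat 0 entry, since the static still sends the mapped address into a matching crypto ACL; swapping the nat 0 entry to the real address while the crypto ACL keeps the mapped one produces the clear-text case described above.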

New Member

Re: No return traffic through IPSEC tunnel

The issue is resolved now. Actually, the issue was that my Linux box had dual NICs: one was connected to the PIX and the other was connected to a different network altogether. So basically traffic was entering through the IPsec tunnel and reaching our FTP server, but return traffic was going out through the second NIC (different network), so two-way communication was not happening even though the tunnel was up. I added a route manually (route add) on the Linux FTP server and forced traffic going to the other end to take the route via the PIX.

One thing is for sure: I can't thank you all enough for your inputs, without which I would not have resolved this issue.
