Cisco Support Community
Community Member

Cisco vpn 3005 to PIX 501(6.3(3)) lan-to-lan ipsec problem

Hi all,

I'm trying to configure a LAN-to-LAN IPsec tunnel between a Cisco VPN 3005 (work) and a PIX 501 (home).

Both of the peers have public IPs. The host on the Cisco VPN side is behind the PIX, which is in parallel with the Cisco VPN, and gets a public IP through the static translation at the PIX.

On the PIX 501 I have a host which translates to a public IP.

The tunnel is set up without any problem. On the Cisco VPN side I see the transmitted and received packets, and there are no errors.

When I try to ping from either end, the packet gets lost at the PIX 501. It's coming from the host at the Cisco VPN side to the PIX 501, but it's not being untranslated to the private address. I don't assume it's a routing issue, as it can reach the PIX.

I have followed the Cisco document for Cisco VPN to PIX configuration in every detail.

Debugging at the PIX 501 I see that the IPsec packets don't get decrypted.

I've included some debugging info:

interface: outside
Crypto map tag: ktmap, local addr. <pix_peer_ip>
local ident (addr/mask/prot/port): (<pix_side_host>/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (<cisco_vpn_side_host>/255.255.255.255/0/0)
current_peer: <cisco_vpn_peer_ip>:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 72, #pkts encrypt: 72, #pkts digest 72
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0
local crypto endpt.: <pix_peer_ip>, remote crypto endpt.: <cisco_vpn_peer_ip>
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 76b257dc
inbound esp sas:
spi: 0xeccc6bb7(3972819895)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: ktmap
sa timing: remaining key lifetime (k/sec): (4608000/23335)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x76b257dc(1991399388)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: ktmap
sa timing: remaining key lifetime (k/sec): (4607997/23137)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

237: ICMP echo-request from inside:<pix_inside_host_privateip> to <cisco_vpn_side_host> ID=41000 seq=1 length=64
238: ICMP echo-request: translating inside:<pix_inside_host_privateip> to outside:<pix_inside_host_publicip>
239: ICMP echo-reply from outside:<cisco_vpn_side_host> to <pix_inside_host_publicip> ID=41000 seq=1 length=64

Please let me know if you need more information. Appreciate any help. Thanks.
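The counters in that output are the useful part: "encaps 72 / decaps 0" with both ESP SAs present is the signature of a tunnel that negotiated fine but carries traffic in one direction only, so the fault is in the data path (crypto ACL, NAT order, return route) rather than in IKE. The following added example, which is not part of the original post and is not a Cisco tool, parses the `show crypto ipsec sa` counters and the `debug icmp trace` lines and reports what they imply. The sample text is constructed from the post, trimmed, with the poster's placeholders replaced by RFC 5737 documentation addresses and 192.168.1.10 standing in for the private inside host; those addresses and the function names are assumptions of this example.

```python
"""Triage a LAN-to-LAN IPsec tunnel that negotiates but passes traffic one way.

Added example, not code from the original thread or from Cisco. It parses the
counters a PIX 6.x prints in `show crypto ipsec sa` and lines from
`debug icmp trace`. The sample text is constructed from the post, trimmed,
with placeholders replaced by RFC 5737 addresses (an assumption here).
"""
import re
from dataclasses import dataclass

SAMPLE_SA_OUTPUT = """\
interface: outside
Crypto map tag: ktmap, local addr. 198.51.100.1
local ident (addr/mask/prot/port): (198.51.100.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (203.0.113.10/255.255.255.255/0/0)
current_peer: 203.0.113.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 72, #pkts encrypt: 72, #pkts digest 72
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 3, #recv errors 0
current outbound spi: 76b257dc
inbound esp sas:
spi: 0xeccc6bb7(3972819895)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
inbound ah sas:
outbound esp sas:
spi: 0x76b257dc(1991399388)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
outbound ah sas:
"""

# 192.168.1.10 stands in for the private inside host, 198.51.100.10 for its static.
SAMPLE_ICMP_DEBUG = """\
237: ICMP echo-request from inside:192.168.1.10 to 203.0.113.10 ID=41000 seq=1 length=64
238: ICMP echo-request: translating inside:192.168.1.10 to outside:198.51.100.10
239: ICMP echo-reply from outside:203.0.113.10 to 198.51.100.10 ID=41000 seq=1 length=64
"""


@dataclass
class SaSummary:
    local_ident: str   # proxy identity this side protects, addr/mask/prot/port
    remote_ident: str
    peer: str
    counters: dict     # "encaps", "decaps", "send errors", ...
    spis: dict         # "inbound"/"outbound" -> (spi_hex, transform)


def parse_crypto_sa(text: str) -> SaSummary:
    """Pull proxy identities, counters and ESP SAs out of one crypto-map entry."""
    # "#pkts digest 72" is printed without a colon, so the colon is optional
    counters = {name.strip(): int(n)
                for name, n in re.findall(r"#pkts ([a-z][a-z. ]*?):? (\d+)", text)}
    counters.update({f"{d} errors": int(n)
                     for d, n in re.findall(r"#(send|recv) errors (\d+)", text)})
    spis = {d: (spi, xf.strip()) for d, spi, xf in re.findall(
        r"(inbound|outbound) esp sas:\s*spi: (0x[0-9a-f]+)\(\d+\)\s*transform: ([^,]+),", text)}
    ident = lambda which: re.search(
        rf"{which} ident \(addr/mask/prot/port\): \(([^)]+)\)", text).group(1)
    peer = re.search(r"current_peer: (\S+)", text).group(1)
    return SaSummary(ident("local"), ident("remote"), peer, counters, spis)


def diagnose(sa: SaSummary) -> list:
    """Turn the counters into plain-language findings, most useful first."""
    c, findings = sa.counters, []
    if "inbound" in sa.spis and "outbound" in sa.spis:
        findings.append("phase 2 complete: both ESP SAs exist, so IKE and the proxy "
                        "identities agree; look at the data path, not the negotiation")
    enc, dec = c.get("encaps", 0), c.get("decaps", 0)
    if enc and not dec:
        findings.append(f"one-way: {enc} packets encapsulated towards {sa.remote_ident}, "
                        f"0 decapsulated; the peer never sends ESP for {sa.local_ident}")
    elif dec and not enc:
        findings.append(f"one-way: {dec} packets decapsulated, 0 encapsulated; this side "
                        f"is not selecting traffic to {sa.remote_ident} into the crypto map")
    if c.get("send errors"):
        findings.append(f"{c['send errors']} send errors: packets matched the map but "
                        "could not be sent (typically before the SA was up)")
    for transform in {xf for _, xf in sa.spis.values()}:
        if "3des" in transform or "esp-des" in transform:
            findings.append(f"transform {transform}: 64-bit block cipher, legacy; "
                            "move to AES when both peers support it")
    return findings


def reply_arrived_in_clear(sa: SaSummary, icmp_debug: str) -> bool:
    """True when an echo-reply from the remote encryption domain was logged on the
    outside interface while decaps is still 0: nothing was decapsulated, so that
    reply cannot have come through the tunnel. Only meaningful when the counters
    and the debug lines were captured in the same window."""
    remote_host = sa.remote_ident.split("/")[0]
    seen = re.search(rf"ICMP echo-reply from outside:{re.escape(remote_host)} ", icmp_debug)
    return bool(seen) and sa.counters.get("decaps", 0) == 0


if __name__ == "__main__":
    summary = parse_crypto_sa(SAMPLE_SA_OUTPUT)
    for line in diagnose(summary):
        print("-", line)
    print("reply seen outside the tunnel:", reply_arrived_in_clear(summary, SAMPLE_ICMP_DEBUG))
```

Run it against a fresh `show crypto ipsec sa` and `debug icmp trace` capture taken in the same minute; the "one-way" finding tells you which peer to look at, and a reply logged on the outside interface with decaps still at 0 means the far side answered outside the tunnel, which points at its encryption domain or NAT order rather than at this PIX.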

2 REPLIES

Re: Cisco vpn 3005 to PIX 501(6.3(3)) lan-to-lan ipsec problem

Just to get the scenario right: you have a VPN between a PIX and a VPN 3000. There is a host behind the VPN, through another PIX firewall. The packet leaves the source PIX, comes to the VPN 3005 through IPsec and is then routed to the PC through another PIX... is that right?

host ---- internal PIX ---- VPN ---- VPN PIX --- host

Please confirm this. I hope you have configured the PIX and VPN as per the document below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#conf

Raj

Community Member

Re: Cisco vpn 3005 to PIX 501(6.3(3)) lan-to-lan ipsec problem

Hi Raj,

Yeah, that's the scenario. I'm using the translated public IP at both ends. Yeah, I did configure it according to the document.

Hoping to hear from you again.

Thanks
