08-14-2006 04:34 AM - edited 02-21-2020 02:34 PM
Hello,
I have previously posted a message in the "Security / Firewalling" forum, but I had few responses... If someone here can help me, it would be very nice! Here is the content of my post:
I have a PIX 501 with an IPsec tunnel to a Linux host (Openswan, net-to-net). The tunnel works fine; the ISAKMP and IPsec SAs are created and working. The problem is that I cannot start a connection from the Linux side (outside interface on the PIX) without first initiating a connection from the PIX side...
I disabled NAT with these commands:
access-list nonat permit ip 0 0 0 0
nat (inside) 0 access-list nonat
nat (outside) 0 access-list nonat
I also tried this (IPs masked...), without result:
static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
nat (inside) 0 0 0
Is there another solution?
Thank you!
Replied by: m.sir - Aug 11, 2006, 7:33am PST
Can you check what the ISAKMP lifetime is... When the initiating side has a shorter lifetime than the peer, the tunnel is not established... When its lifetime is longer than the peer's lifetime, the tunnel is established.
M.
Replied by: sebastien.leclerc - Aug 11, 2006, 7:59am PST
I changed the IKE lifetime (both 3600 s, and PIX = 3600 s / Linux = 4800 s), but I still can't connect without first initiating a connection from the PIX side...
Thanks for your help!
A small clarification:
Other connections initiated from outside the PIX, but not through the IPsec tunnel, are OK; I don't need to connect from the inside first.
Is there something in the PIX that prevents inbound connections from IPsec tunnels?
Another note: I don't use "sysopt connection permit-ipsec", I use access-list entries.
Thank you!
08-14-2006 11:47 AM
Hi Sebastien,
From what I see there might be 2 ways to solve your problem.
First:
You may wish to check and modify this command on pix:
crypto map map-name client configuration address initiate | respond
Second: (This is a long shot but may work)
Remove PFS for this crypto map
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/c.htm#wp1034654
Mike
08-15-2006 06:38 AM
Hi,
Thanks for your response
For PFS, there is no problem; it is not activated.
I may be wrong, but as far as I know, the other command is for giving IP addresses to VPN clients, but I use a LAN-to-LAN configuration...
Thank you!
08-15-2006 09:16 AM
Seb, instead of using nat 0 (inside) 0 0, could you just do nat 0 with only your internal network, e.g. 10.10.10.0/24, and give it a try?
You've mentioned that the remote network cannot establish a connection to your internal network. Could you check for any syslog message related to this event?
08-15-2006 11:08 AM
I already tried this solution, without success...
There isn't any syslog message; it's as if no packet reaches the destination, except that on the Linux side they are actually transmitted.
I opened a case with the TAC; I hope they will resolve the problem.
Thank you very much for your help!
08-16-2006 05:32 AM
Did you also check the access-lists for traffic encryption? Are they mirrored?
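The two checks suggested in this thread (nat 0 scoped to the internal network only, and crypto ACLs that are exact mirrors of each other) as an added configuration example; this is not the poster's config. The remote network 192.168.50.0/24, both peer addresses and the pre-shared key are constructed placeholders; the outside access-list is there because the poster does not use "sysopt connection permit-ipsec".

```text
: --- PIX 501 (6.3) side: constructed example, not the poster's configuration ---
: Bypass NAT only for the LAN-to-LAN pair, instead of "permit ip 0 0 0 0"
access-list nonat permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
: Crypto ACL: local net -> remote net; the Openswan conn must be its exact mirror
access-list l2l permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
: Without sysopt connection permit-ipsec, decrypted inbound traffic still has
: to be permitted by the ACL applied on the outside interface
access-list outside_in permit ip 192.168.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-group outside_in in interface outside
isakmp enable outside
isakmp key PLACEHOLDER_PSK address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
crypto ipsec transform-set l2lset esp-3des esp-sha-hmac
crypto map l2lmap 10 ipsec-isakmp
crypto map l2lmap 10 match address l2l
crypto map l2lmap 10 set peer 203.0.113.2
crypto map l2lmap 10 set transform-set l2lset
crypto map l2lmap interface outside

# --- Openswan side (/etc/ipsec.conf): mirror of the PIX crypto ACL ---
conn pix-l2l
    left=203.0.113.2              # Linux public address (placeholder)
    leftsubnet=192.168.50.0/24    # = destination of the PIX crypto ACL
    right=198.51.100.1            # PIX outside address (placeholder)
    rightsubnet=10.10.10.0/24     # = source of the PIX crypto ACL
    authby=secret
    ike=3des-sha1-modp1024        # matches isakmp policy 10
    ikelifetime=1h                # matches "isakmp policy 10 lifetime 3600"
    esp=3des-sha1                 # matches transform-set l2lset
    pfs=no                        # PFS is off on the PIX side in this thread
    auto=start
```

If the two subnet pairs do not line up exactly (for example a wider range on one side), the Linux-initiated SA can be rejected or matched to a different proxy ID, which produces exactly the one-way behaviour described above without any PIX syslog message.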
08-22-2006 04:09 AM
Hi,
I think you have to add the global outside address of the PIX into the crypto ACL on the UNIX box. I faced this scenario using the ISA server with PIX.