Attempting to setup a site to site vpn between a pix 515e and ASA 5505. The tunnel comes up on both ends but passes no traffic. The nat weirdness is happening on the internet router on the asa side, the serial link to the internet is privately addressed. The ethernet port has a public address, but is a nat inside interface. Would appreciate comments suggestions.
Thanks, as you can see on the output, your ASA receives and sends back the packets encrypts and decrypts are almost even, however your pix is not receiving any packets at all, this indicates a blocking issue infront of the pix check for the router infront of it and make sure that protocol 50 ESP is opened (note protocol not port) and also udp 500 and 4500.
No, if that was the case then who would not be seeing packets will be the ASA, unless of course those packets leaving the ASA are getting stuck on that serial interface, however if that private segment knows how to route traffic and so this is not the problem.
That is my point exactly. I'm wondering if the pix is not seeing the packets because of the router on the ASA side. Here is a copy of the current router config that manages the internet connection for the ASA side. I will work on getting the config for the pix side as well.
I guess I didn't think of that since the acl's are not applied to anything. I added them anyway. The tunnel still passes no traffic, even after logout and reestablishing.
So phase 1 establishes.. which is udp 500 SA completes which is ESP but traffic does not go back yet the ASA shows packets sent and received and PIX only shows sent but not received packets.. are you aware of any NAT on the path for these devices? can you check if nat-t is enabled on both sides? if it was not enabled, can you please enable it and restart the tunnel?
Sorry, I have been on other things for the past couple days. Nat-t is enabled on the asa side. The only place I could find it in the pix was under the ike policy and it is enabled.