Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

cco
New Member

'trigger ping' needed to get VPN going

Dear friends,

I have a PIX515 between me IntraLAN and the Internet. VPN access is configured (crypto map and isakmp with a pre shared key) for remote access to the IntraLAN. My WinXP laptop has some IPsec policy's set and the remote access works fine.. accept, before my laptop can reach hostA on the LAN hostA on the LAN must send a ping to the laptop to get the traffic going. (very inconvenient as you might imagine.)

Once hostA triggers the vpn, the Laptop can make every connection to hostA. Communicating from the laptop to hostB fails until hostB sends a ping (I have not tried other types of packets) through the tunnel.

The PIX forgets the triggered tunnel after some time. During this time a VPN disconnect and reconnect does not require the ‘trigger ping’.

How sheds light for me over this dark problem?

Al responses are greatly appreciated,

Bart

5 REPLIES
Bronze

Re: 'trigger ping' needed to get VPN going

To make sure that we understand your scenario... you are not connecting to the PIX with the Cisco VPN client, but with the Microsoft IPSEC client? If with the VPN client, you should not have to generate a ping any ip traffic destined to your internal lan should count as a "trigger" for the phase 2 SAs to come up after you have established the IKE negotiation with the VPN client.

If you are using the microsoft client we will not be able to shed any lights without looking at your configuration and IPSEC debugs from your PIX.

cco
New Member

Re: 'trigger ping' needed to get VPN going

Hello omsantos,

I'm not connecting using the Cisco VPN client. And I’m not quite sure what you mean with the Microsoft Client. I’m using the IPsec support built in Windows XP Professional. (Using Linux with Freeswan shows the exact same problem). Phase 2 SA after IKE negotiation is not the problem, works perfectly, but getting the packets flowing requires a, as I call it, trigger from the LAN to the remote. NAT is not the issue here. After the trigger from the LAN to the remote everything works fine. Everything is in me first message and I’ll be happy to share my PIX config with you:

PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dialin security40

nameif ethernet3 ent security30

enable password ***** encrypted

passwd ***** encrypted

hostname FW-KCB-BOR-01

domain-name p3he.nl

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no names

access-list outside2pix permit tcp any host 212.115.200.139 eq smtp

access-list outside2pix deny ip any any

access-list dialin2pix permit ip 172.17.64.0 255.255.240.0 any

access-list dialin2pix permit icmp any any

access-list dialin2pix deny ip any any

access-list ent2pix permit ip any host 172.17.1.2

access-list ent2pix permit ip host 145.46.203.238 host 172.17.1.0

access-list ent2pix permit ip host 145.46.203.238 host 172.17.1.1

access-list ent2pix permit icmp any any

access-list ent2pix deny ip any any

access-list inside2pix permit ip 172.17.0.0 255.255.252.0 host 145.46.203.238

access-list inside2pix permit ip 172.17.0.0 255.255.252.0 host 145.46.203.239

access-list inside2pix permit ip 172.17.0.0 255.255.252.0 host 145.46.203.134

access-list inside2pix permit udp host 172.17.1.20 any eq domain

access-list inside2pix permit tcp host 172.17.1.20 any eq domain

access-list inside2pix permit tcp host 172.17.1.20 any eq ftp

access-list inside2pix permit tcp host 172.17.1.20 any eq www

access-list inside2pix permit tcp host 172.17.1.20 any eq 443

access-list inside2pix permit udp host 172.17.1.20 any eq ntp

access-list inside2pix permit tcp host 172.17.98.2 any eq smtp

access-list inside2pix permit tcp host 172.17.98.2 any eq ftp

access-list inside2pix permit tcp host 172.17.98.2 any eq www

access-list inside2pix permit tcp 172.17.0.0 255.255.252.0 any eq telnet

access-list inside2pix permit tcp host 172.17.1.29 any eq lpd

access-list inside2pix permit tcp host 172.17.1.44 any eq lpd

access-list inside2pix permit esp host 172.17.0.2 any

access-list inside2pix permit ip host 172.17.2.51 any

access-list inside2pix permit udp host 172.17.1.23 any eq bootps

access-list inside2pix permit icmp any any

access-list inside2pix deny ip any any

access-list wtunnel permit ip host 212.115.200.142 192.168.100.0 255.255.255.0

pager lines 33

logging on

logging console emergencies

logging monitor critical

logging buffered critical

interface ethernet0 10baset

interface ethernet1 10baset

interface ethernet2 10baset

interface ethernet3 10baset

mtu outside 1500

mtu inside 1500

mtu dialin 1500

mtu ent 1500

ip address outside 132.15.22.128 255.255.255.248

ip address inside 172.17.98.1 255.255.255.0

ip address dialin 172.17.79.1 255.255.255.252

ip address ent 135.46.22.84 255.255.252.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address dialin 0.0.0.0

failover ip address ent 0.0.0.0

pdm history enable

arp timeout 14400

global (outside) 55551 212.115.200.142

global (ent) 55551 interface

nat (inside) 55551 172.17.1.20 255.255.255.255 0 0

nat (inside) 55551 172.17.2.51 255.255.255.255 0 0

nat (inside) 0 172.17.0.0 255.255.252.0 0 0

nat (dialin) 0 172.17.64.0 255.255.240.0 0 0

static (inside,ent) 172.17.1.2 172.17.1.2 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.20 172.17.1.20 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.0 172.17.1.0 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.23 172.17.1.23 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.26 172.17.1.26 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.27 172.17.1.27 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.28 172.17.1.28 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.29 172.17.1.29 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.30 172.17.1.30 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.31 172.17.1.31 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.34 172.17.1.34 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.33 172.17.1.33 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.35 172.17.1.35 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.61 172.17.1.61 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.62 172.17.1.62 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.63 172.17.1.63 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.64 172.17.1.64 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.65 172.17.1.65 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.66 172.17.1.66 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.67 172.17.1.67 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.68 172.17.1.68 netmask 255.255.255.255 0 0

static (inside,outside) 212.115.200.139 172.17.98.2 netmask 255.255.255.255 0 0

static (inside,ent) 172.17.1.0 172.17.1.0 netmask 255.255.255.255 0 0

static (inside,ent) 172.17.1.1 172.17.1.1 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.50 172.17.1.50 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.44 172.17.1.44 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.101 172.17.1.101 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.0.2 172.17.0.2 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.45 172.17.1.45 netmask 255.255.255.255 0 0

static (inside,dialin) 172.17.1.11 172.17.1.11 netmask 255.255.255.255 0 0

access-group outside2pix in interface outside

access-group inside2pix in interface inside

access-group dialin2pix in interface dialin

access-group ent2pix in interface ent

route outside 0.0.0.0 0.0.0.0 212.115.200.137 1

route ent 135.45.0.0 255.255.0.0 135.45.22.245 1

route inside 172.17.0.0 255.255.252.0 172.17.98.2 1

route dialin 172.17.64.0 255.255.240.0 172.17.79.2 1

route dialin 172.19.0.0 255.255.0.0 172.17.79.2 1

route dialin 192.168.170.0 255.255.255.0 172.17.79.2 1

timeout xlate 24:00:00

timeout conn 24:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 172.17.0.0 255.255.252.0 inside

http 172.17.98.0 255.255.255.0 inside

snmp-server location ****

snmp-server contact ****

snmp-server community ***

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set strength1 esp-des esp-md5-hmac

crypto dynamic-map DYNMAP 5 set transform-set strength1

crypto map outsidemap 10 ipsec-isakmp

crypto map outsidemap 10 match address wtunnel

crypto map outsidemap 10 set peer 205.152.199.36

crypto map outsidemap 10 set transform-set strength1

crypto map outsidemap 90 ipsec-isakmp dynamic DYNMAP

crypto map outsidemap interface outside

isakmp enable outside

isakmp key ************ address 52.12.19.3 netmask 255.255.255.255

isakmp key ************ address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 28800

telnet 172.17.0.0 255.255.252.0 inside

telnet 172.17.98.0 255.255.255.0 inside

telnet timeout 30

ssh timeout 5

terminal width 80

Cryptochecksum:*****************************

: end

If you still need the IPsec debug could you be a little more specific about what you would need to see, what the debug command is and the circumstances?

Thanks for your interest,

Bart

Bronze

Re: 'trigger ping' needed to get VPN going

This sounds like an issue with dynamic translations in the PIX. I notice you're not assigning addresses to the remote client from an address pool, and that you have a "nat (inside) 0" command for your 172.17.0-3 subnets. Ordinarily one would disable NAT for VPN traffic by using the "nat 0 access-list" command and specify the client pool as the destination in the access-list. One side effect of this version of the "nat" command is that it bypasses the need for static translations for incoming traffic, but the regular "nat 0" command doesn't have this feature. This is an important feature because dynamic translations are only created for outbound traffic, not inbound, which I think matches the symptoms of your problem.

So, I suspect that if you created an access-list like "access-list NO_NAT permit ip 172.17.0.0 255.255.252.0 any" and changed your existing "nat (inside) 0" command to be something like "nat (inside) 0 access-list NO_NAT" then that will fix your problem.

HTH - Good luck!

cco
New Member

Re: 'trigger ping' needed to get VPN going

Dear ddawson,

Exactly the right tip. Thank you very much. Your worthy of your CCIE status.

Grtz,

Bart

cco
New Member

Re: 'trigger ping' needed to get VPN going

To all readers of this coversation,

ddawson replied a few days ago. This reply solved my dark problem (thanks again ddawson!) but I forgot to login before rating the post. I missed the opportunity to put a red checkmark. So, please consider this converstion as solved and next time I'll login before rating the posts..

Bart

470
Views
6
Helpful
5
Replies
CreatePlease login to create content