10-08-2007 12:30 AM
Hi all,
Can someone help me, please?
An inside server (192.168.92.6) needs to access a remote network, 192.168.31.0.
A site-to-site VPN is established between the PIX outside interface (192.168.111.6) and a Multitech firewall (192.168.111.200).
Now my inside server should connect to the remote network with the IP 172.20.20.6, so I have to NAT my inside server's IP (192.168.92.6) to 172.20.20.6.
The remote network should connect to the inside network via 172.20.20.6.
My problem is that I can establish a connection to my inside network from the remote network, but I cannot establish a TCP connection from my inside network to the remote network.
The weird thing is that the two networks can ping each other.
Here is my config:
access-list Outside_1_cryptomap extended permit ip 172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list Inside_nat_static extended permit ip host 192.168.92.6 192.168.31.0 255.255.255.0
static (Inside,Outside) Ip_172.20.20.6 access-list Inside_nat_static dns
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 192.168.111.200
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
service-policy global_policy global
tunnel-group 192.168.111.200 type ipsec-l2l
tunnel-group 192.168.111.200 ipsec-attributes
pre-shared-key *
Thanks for any answers.
10-08-2007 03:39 AM
Hi fallkaired,
I would say that if you change your NAT to:
static (inside,outside) 172.20.20.6 192.168.92.6 netmask 255.255.255.255
things should work.
Good luck!
Peter
10-08-2007 05:57 AM
Thanks for your answer, but it is still not working. I have the same problem.
10-11-2007 01:01 AM
OK, the first thing to check here is your crypto ACL on the remote site. Is it an exact mirror of the ACL on the local site?
Do you have ACLs on the remote site possibly blocking your TCP traffic?
Then, what kind of messages do you get when trying to connect to the outside?
At least you should see a packet coming in from 192.168.92.6, and you should see messages like "building xlate entry for..." pointing to the fact that translation occurs.
After that you should see the tunnel being built (terminal monitor): you should get ISAKMP SAs and after that IPsec SAs.
When that is all going as expected, you should be able to see your packets getting encrypted, i.e. being transferred through the tunnel (show crypto ipsec sa).
If your connection gets this far, the remote site should be reviewed.
Peter
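The two checks Peter lists first (is the remote crypto ACL an exact mirror of the local one, and does the translated address really fall inside the local crypto ACL) can be scripted against the config lines posted in the thread. The block below is an added example, not code from the thread or from Cisco: it parses PIX/ASA-style "access-list NAME extended permit ip ..." and one-to-one "static (in,out) MAPPED REAL netmask ..." lines. The Multitech side in the thread has its own syntax, so the REMOTE_* lines are constructed in ASA notation purely to demonstrate the mirror check; the "bad" variant shows a remote ACL mistakenly written against the real (pre-NAT) subnet, which is a hypothetical fault, not the one the thread ended up finding.

```python
"""Sanity checks for a NAT + site-to-site VPN setup (added example, not from the thread).

Checks: (1) remote crypto ACL mirrors the local one exactly; (2) the post-NAT
(mapped) host address is matched by the local crypto ACL, while the real
address is not (PIX/ASA 7.x translates before the crypto map is evaluated on
outbound traffic, so the crypto ACL must reference the mapped address).
"""
import ipaddress
import re

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")
STATIC_RE = re.compile(
    r"^static\s+\(\S+,\S+\)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+(\S+)"
)


def _endpoint(tokens):
    """Consume one ACE endpoint ('host A', 'any', or 'NET MASK'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return [(acl_name, src_net, dst_net), ...] for every 'permit ip' ACE in text."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        src, rest = _endpoint(m.group(2).split())
        dst, _ = _endpoint(rest)
        entries.append((m.group(1), src, dst))
    return entries


def mirror_mismatches(local, remote):
    """Return (missing_on_remote, extra_on_remote) as sets of (src, dst) in local orientation.
    Both sets empty means the remote crypto ACL is an exact mirror of the local one."""
    local_pairs = {(s, d) for _, s, d in local}
    remote_pairs = {(d, s) for _, s, d in remote}  # flip remote into local orientation
    return local_pairs - remote_pairs, remote_pairs - local_pairs


def is_exact_mirror(local, remote):
    missing, extra = mirror_mismatches(local, remote)
    return not missing and not extra


def parse_static(line):
    """Return (mapped_ip, real_ip) from 'static (in,out) MAPPED REAL netmask 255.255.255.255'."""
    m = STATIC_RE.match(line.strip())
    if not m or m.group(3) != "255.255.255.255":
        raise ValueError("only one-to-one host statics are handled here")
    return m.group(1), m.group(2)


def crypto_acl_matches(src_ip, dst_net, entries):
    """True if some ACE covers traffic from src_ip to the whole of dst_net."""
    ip = ipaddress.ip_address(src_ip)
    net = ipaddress.ip_network(dst_net)
    return any(ip in s and net.subnet_of(d) for _, s, d in entries)


# Local lines are those posted in the thread (NAT as Peter suggested); REMOTE_* are constructed.
LOCAL_CRYPTO_ACL = (
    "access-list Outside_1_cryptomap extended permit ip "
    "172.20.20.0 255.255.255.0 192.168.31.0 255.255.255.0"
)
LOCAL_STATIC = "static (inside,outside) 172.20.20.6 192.168.92.6 netmask 255.255.255.255"
REMOTE_CRYPTO_ACL_OK = (
    "access-list Remote_cryptomap extended permit ip "
    "192.168.31.0 255.255.255.0 172.20.20.0 255.255.255.0"
)
# Constructed mistake: remote side written against the real (pre-NAT) subnet.
REMOTE_CRYPTO_ACL_BAD = (
    "access-list Remote_cryptomap extended permit ip "
    "192.168.31.0 255.255.255.0 192.168.92.0 255.255.255.0"
)


def run_checks(local_acl=LOCAL_CRYPTO_ACL, remote_acl=REMOTE_CRYPTO_ACL_OK, static=LOCAL_STATIC):
    """Run both checks on the given config fragments and return the results as a dict."""
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    mapped, real = parse_static(static)
    return {
        "mirror_ok": is_exact_mirror(local, remote),
        "mapped_in_crypto_acl": crypto_acl_matches(mapped, "192.168.31.0/24", local),
        "real_in_crypto_acl": crypto_acl_matches(real, "192.168.31.0/24", local),
    }


if __name__ == "__main__":
    for label, remote in (("ok", REMOTE_CRYPTO_ACL_OK), ("bad", REMOTE_CRYPTO_ACL_BAD)):
        print(label, run_checks(remote_acl=remote))
```

Note what the script cannot tell you: a passing mirror check only means Phase 2 proxy identities agree. Whether the remote box then permits TCP from 172.20.20.6 through its own interface ACLs (the thread's actual culprit) is a separate policy check on that device.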
10-11-2007 04:06 AM
It's working fine now. You're right, the TCP traffic was not permitted on the remote site.
Thanks for your help.
10-11-2007 05:49 AM
cool :)
You're welcome