I have a big problem with a Pix config.
Tunnel between a Cisco PIX 515 and a Lancom 3850 UMTS. The tunnel comes up correctly. I can ping and use all ports and services from the PIX network (22.214.171.124/24) to the Lancom network (126.96.36.199/24), but not from the Lancom to the PIX.
The goal is to use all ports and services from both devices.
Here is the PIX config snippet for the connection. I hope someone can help me...
access-list alist-vc10127-cmap permit ip 188.8.131.52 255.255.255.0 184.108.40.206 255.255.255.0
access-list alist-nat permit ip 220.127.116.11 255.255.255.0 18.104.22.168 255.255.255.0
crypto map cmap 127 ipsec-isakmp
crypto map cmap 127 match address alist-vc10127-cmap
crypto map cmap 127 set peer 22.214.171.124
crypto map cmap 127 set transform-set tset1
crypto map cmap 127 set pfs group2
isakmp key pskey address 126.96.36.199 netmask 255.255.255.255
access-list alist-inside-in permit ip 188.8.131.52 255.255.255.0 184.108.40.206 255.255.255.0
access-list alist-inside-in permit ip 220.127.116.11 255.255.255.0 18.104.22.168 255.255.255.0
Based on the PIX configuration, it should already support bidirectional traffic, i.e. from PIX to Lancom and vice versa. You might want to check the configuration on the Lancom end (check whether there is an access-list that might be blocking the traffic initiated from the Lancom end).
Thank you for the answer.
We have many other tunnels with the same config and other VPN devices. Here it is desired that it works only in one direction.
Maybe a hint: if I type an IP address from the VPN into a browser, I get an HTTP Authentication prompt (IDxxxx).
I tried Internet Explorer from pc1 with IP 22.214.171.124 (Lancom LAN) to a computer with IP 126.96.36.199 (Cisco LAN). No matter what address you take, I get an HTTP login. I get this from all the other VPN tunnels that are configured on the Cisco PIX as well. No matter what address you take, that login always comes.
Please do the following:
no isakmp key pskey address 188.8.131.52 netmask 255.255.255.255
isakmp key pskey address 184.108.40.206 netmask 255.255.255.255 no-xauth
Let me know if that resolves the issue.
In your initial statement you mentioned "the pix network ( 220.127.116.11/24) to the lancom network (18.104.22.168/24)", but in this post you say the opposite. Which network belongs to which device?
Please post the full sanitized config of pix side. There may be some http intercept configuration in place.
Sorry, my mistake. I corrected my post; the correct networks are shown now.
The config of the device is very small; we use it only as a site-to-site VPN device.
I found the following in the config:
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
aaa authentication include udp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
Can this be my problem?
Might the following help me:
aaa authentication exclude tcp/0 outside 22.214.171.124 255.255.255.0 126.96.36.199 255.255.255.0 LOCAL
aaa authentication exclude udp/0 outside 188.8.131.52 255.255.255.0 184.108.40.206 255.255.255.0 LOCAL
From 1xxxx to 2xxxx already works, so it must be something like
aaa authentication exclude tcp/0 outside 220.127.116.11 255.255.255.0 18.104.22.168 255.255.255.0 LOCAL
If you like, first disable all HTTP authentication, check if it works, then try filtering and excluding.
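The include/exclude pairing discussed in the last two posts, written out as one constructed PIX 6.x fragment. This is an added example, not the poster's configuration: the networks 10.1.1.0/24 and 10.2.2.0/24 are placeholders, and the local/foreign order of the address pairs is my reading of the `aaa authentication include|exclude` syntax, so check it against the command reference for your PIX version before relying on it.

```cisco
! Constructed example (not the poster's config). Placeholder networks:
!   10.1.1.0/24 = LAN behind the PIX (inside)
!   10.2.2.0/24 = LAN behind the Lancom, reached through the tunnel on outside
!
! Catch-all cut-through proxy rules of the kind found in the posted config.
! They apply to every TCP/UDP connection arriving on outside, which includes
! traffic that has just been decrypted from the IPsec tunnel, so a browser
! on the Lancom side gets the PIX authentication prompt instead of the host.
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
aaa authentication include udp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
!
! Exceptions for the tunnel traffic. Assumption: in the include/exclude form
! the first address/mask pair is the local (inside) side and the second pair
! the foreign (outside) side of the connection as the PIX sees it.
aaa authentication exclude tcp/0 outside 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 LOCAL
aaa authentication exclude udp/0 outside 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 LOCAL
!
! Quick test suggested in the thread: remove the catch-all entirely first,
! confirm the Lancom side can reach the PIX LAN, then put the narrower
! include/exclude pair back.
no aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
no aaa authentication include udp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
!
! Verification: show the effective aaa rules and any cached authenticated
! users; clear the cache so a stale authentication does not mask a change.
show aaa
show uauth
clear uauth
```

After each change, repeat the browser test from the Lancom LAN: the authentication prompt disappearing (rather than a timeout) is the sign that the cut-through proxy, not the tunnel or the interface ACL, was the blocker.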