New Member

VPN works only in one direction

Hello,

I have a big problem with a PIX config.

Situation is:

Tunnel between a Cisco PIX 515 and a Lancom 3850 UMTS. The tunnel comes up correctly. I can ping and use all ports and services from the PIX network (1.1.1.0/24) to the Lancom network (2.2.2.0/24), but not from the Lancom to the PIX.

The goal is to use all ports and services from both devices.

Here is the PIX config snippet for the connection. I hope someone can help me...

access-list alist-vc10127-cmap permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

access-list alist-nat permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

crypto map cmap 127 ipsec-isakmp

crypto map cmap 127 match address alist-vc10127-cmap
crypto map cmap 127 set peer 90.0.0.0
crypto map cmap 127 set transform-set tset1
crypto map cmap 127 set pfs group2


isakmp key pskey address 90.0.0.0 netmask 255.255.255.255

access-list alist-inside-in permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list alist-inside-in permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0

Thank you.

Greetings

10 REPLIES
Super Bronze

Re: VPN works only in one direction

Based on the PIX configuration, it should already support bidirectional traffic, i.e. from PIX to Lancom and vice versa. You might want to check the configuration on the Lancom end (check whether there is any access-list that might be blocking the traffic initiated from the Lancom end).

New Member

Re: VPN works only in one direction

Hello,

thank you for the answer.

We have many other tunnels with the same config and other VPN devices. Here it is desired that it works only in one direction.

Maybe a hint: if I type an IP address from the VPN into a browser, I get an HTTP authentication prompt (IDxxxx).

Greetings

Super Bronze

Re: VPN works only in one direction

What do you mean by HTTP authentication? Which IP address are you putting in the browser?

New Member

Re: VPN works only in one direction

Hi,

I tried Internet Explorer from PC1 with IP 2.2.2.1 (Lancom LAN) to a computer with IP 1.1.1.1 (Cisco LAN), and I got an HTTP login. I get this from all other VPN tunnels that are configured on the Cisco PIX as well. No matter what address you take, that login always comes.

Greetings

Bronze

Re: VPN works only in one direction

Hi Sven,

Please do the following:

no isakmp key pskey address 90.0.0.0 netmask 255.255.255.255

isakmp key pskey address 90.0.0.0 netmask 255.255.255.255 no-xauth

Let me know if that resolves the issue.

Cheers,


Nash.

New Member

Re: VPN works only in one direction

Hi,

With this parameter the VPN tunnel did not come up.

Greetings

Re: VPN works only in one direction

In your initial statement you mentioned "the PIX network (1.1.1.0/24) to the Lancom network (2.2.2.0/24)", but in this post you say the opposite. Which network belongs to which device?

Please post the full sanitized config of the PIX side. There may be some HTTP intercept configuration in place.

New Member

Re: VPN works only in one direction

Hi,

Sorry, my mistake; I corrected my post. The correct networks are shown now.

The config of the device is very small; we use it only as a site-to-site VPN device.

I found the following in the config:

aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
aaa authentication include udp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

Can this be my problem?

Edit:

Maybe the following will help me:

aaa authentication exclude tcp/0 outside 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 LOCAL
aaa authentication exclude udp/0 outside 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 LOCAL

Bronze

Re: VPN works only in one direction

From 1xxxx to 2xxxx already works, so it must be something like

aaa authentication exclude tcp/0 outside 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0  LOCAL

If you like, first disable all HTTP authentication, check if it works, then try filtering and excluding.
