Cisco VPN Traffic stats show data coming in, but no data being sent

Posted on 2006-06-14
Medium Priority
Last Modified: 2013-11-16
Wanted to ask you a quick question. I have been doing some work for a client on a Pix506 FW, and I have been working on installing and getting the VPN portion up and running. I have been able to connect the VPN client (4.6) to the FW; however, in the stats you can see that data is being received but nothing is being sent. I have included the config below; any help would be appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security 100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname ExhibitPix
domain-name domain.net
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol s
fixup protocol tftp 69
access-list outside_access_in remark Rule For SMTP
access-list outside_access_in permit tcp any host eq smtp
access-list outside_access_in remark Rule For POP3
access-list outside_access_in permit tcp any host eq pop3
access-list outside_access_in remark Rules For Handling ICMP Traffic
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark Traffic For FTP
access-list outside_access_in permit tcp any host 72.242.
access-list outside_access_in remark Rules For WWW
access-list outside_access_in permit tcp any host eq www
access-list 101 permit ip
access-list 101 remark Rule For IP Address For VPN Client
access-list 102 permit ip
access-list 102 remark Additional Rule For VPN Pool
no pager
logging on
logging timestamp
logging trap informational
logging history warnings
logging host inside
mtu outside 1500
mtu inside 1500
ip address outside 72.242.110.xxx
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool
pdm location inside
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.
static (inside,outside) tcp 72.242.110.xxx smtp smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.242.110.xxx pop3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.242.110.xxx www www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
conduit permit icmp any any
route outside 72.242.110.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http inside
snmp-server location Tampa, Florida
snmp-server contact Mecca Media
snmp-server community
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map IRE 10 set transform-set CLIENT
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup exhibitnet address-pool ippool
vpngroup exhibitnet dns-server
vpngroup exhibitnet wins-server
vpngroup exhibitnet default-domain exhibitservices.net
vpngroup exhibitnet idle-time 1800
vpngroup exhibitnet password ********
vpngroup default-domain idle-time 1800
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by:blakmoon91
LVL 32

Assisted Solution

rsivanandan earned 600 total points
ID: 16903776
Add these:

access-list split permit ip

vpngroup exhibitnet split-tunnel split


Author Comment

ID: 16903958
Thanks so much for the quick reply, I just had a follow-up question. I am testing the VPN and now under route details I see a route being translated instead of, so I think that is good. I also noticed, though, on my computer that when I establish a connection and do an ipconfig /all, I do have an IP address of 2.1 and it does see the DNS and WINS servers correctly; however, there is no default gateway listed. Also, I am not receiving any packets. Is this because we have specified the default-domain as exhibitservices, and my computer is on a different domain? Is there a way to disable this so that I can test this out? Your thoughts? Thanks again!!!
LVL 32

Expert Comment

ID: 16904495
Hmm. I'm not quite sure about that; how about removing it and trying whether it works?


Accepted Solution

stressedout2004 earned 600 total points
ID: 16904875
>>>>Is this because we have specified the default-domain as exhibitservices, and my computer is on a different domain? Is there a way to disable this so that I can test this out? Your thoughts? Thanks again!!!

No, the default domain has nothing to do with it. Just add the following on the PIX:

isakmp nat-t

Then try the connection again.

If it still doesn't work, turn on the following debug on the PIX:

debug icmp trace
term mon

Then try to ping any host behind the PIX from the PC connected to the VPN. Check if the PIX is getting any packets.


Author Comment

ID: 16906856
Guys, thanks so much for the help, both of you. I thought splitting the points would be fair. Stressed, if you could explain, just for my own knowledge, what the nat-t switch does in conjunction with isakmp, I would appreciate it.

Expert Comment

ID: 16907055
It has something to do with allowing encrypted traffic to pass through UDP 4500 instead of protocol ESP to get around the PAT restriction. When a VPN Client user's public IP is a PAT IP (port address translation), meaning a shared public IP, and the traffic is passing over the tunnel using ESP, the traffic gets dropped because the PAT device has no way of mapping ESP, because it is portless. So the common symptom is that you can connect with the VPN Client but cannot pass any traffic. To get around that, UDP NAT transparency was introduced to allow traffic from a VPN that is PATted to use UDP 4500 instead of ESP when passing traffic over the tunnel. Since UDP has ports, the PAT device will have no problem mapping the traffic.
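The following is an added illustration, not code from this thread or from Cisco, of the mechanism the answer above describes. It models a PAT device that keys its translation table on (protocol, inside address, inside port) and therefore cannot map raw ESP (IP protocol 50, which has no ports) but maps UDP/4500 NAT-T traffic without trouble. It also shows how an observer can tell what a UDP/4500 datagram carries using the RFC 3948 framing (a four-byte zero "non-ESP marker" for IKE, a single 0xFF byte for a NAT keepalive, otherwise a UDP-encapsulated ESP packet starting with its SPI). All addresses, SPIs and port numbers are constructed for the example; the simplified PAT behaviour follows the answer's description rather than any specific vendor implementation.

```python
"""Toy model: why raw ESP fails through PAT while NAT-T (UDP 4500) passes."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import struct

PROTO_UDP = 17
PROTO_ESP = 50          # IP protocol number for ESP; it has no transport-layer ports
NATT_PORT = 4500        # UDP port used for IKE/ESP NAT traversal (RFC 3948)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int]    # None for portless protocols such as ESP
    dport: Optional[int]
    payload: bytes = b""


class PatDevice:
    """Models the PAT behaviour described in the answer: many inside hosts share one
    public IP, and each outbound flow is keyed on (protocol, inside IP, inside port).
    A protocol that carries no port gives the device nothing to build a mapping on."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table: Dict[Tuple[int, str, int], int] = {}
        self.in_table: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            raise ValueError(f"IP protocol {pkt.proto} carries no port; PAT cannot map it")
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_table:
            public_port = self.next_port
            self.next_port += 1
            self.out_table[key] = public_port
            self.in_table[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst,
                      self.out_table[key], pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Packet:
        """Return traffic is demultiplexed by the public port it was mapped to."""
        inside_ip, inside_port = self.in_table[(pkt.proto, pkt.dport)]
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port, pkt.payload)


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """Minimal ESP header (SPI, sequence number) followed by the encrypted body."""
    return struct.pack("!II", spi, seq) + body


def classify_natt_payload(payload: bytes) -> str:
    """Identify what rides inside a UDP/4500 datagram, per RFC 3948: IKE is prefixed
    with a four-byte zero non-ESP marker, a NAT keepalive is a single 0xFF byte, and
    anything else begins with a non-zero SPI, i.e. UDP-encapsulated ESP."""
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(payload) >= 8:
        return "esp"
    return "unknown"


def simulate(use_natt: bool) -> List[Tuple[str, Optional[int]]]:
    """Two VPN clients behind the same PAT device each send their first tunnel packet
    towards the PIX. Returns ('ok', public port) or ('dropped', None) per client."""
    pat = PatDevice("203.0.113.1")                        # constructed public IP
    pix_outside = "198.51.100.5"                          # constructed PIX address
    results: List[Tuple[str, Optional[int]]] = []
    for inside_ip in ("192.168.1.10", "192.168.1.11"):    # constructed client addresses
        esp = build_esp(spi=0x1000, seq=1, body=b"\x00" * 16)
        if use_natt:
            pkt = Packet(PROTO_UDP, inside_ip, pix_outside, NATT_PORT, NATT_PORT, esp)
        else:
            pkt = Packet(PROTO_ESP, inside_ip, pix_outside, None, None, esp)
        try:
            out = pat.outbound(pkt)
            results.append(("ok", out.sport))
        except ValueError:
            results.append(("dropped", None))
    return results


if __name__ == "__main__":
    print("raw ESP through PAT:", simulate(False))
    print("NAT-T through PAT:  ", simulate(True))
```

Running the script shows both clients dropped with raw ESP and both mapped to distinct public ports with NAT-T, which is exactly the "connects but passes no traffic" symptom the answer describes. The classifier is the kind of check a monitoring or IDS rule would apply to UDP/4500 traffic when confirming that a client really did negotiate NAT-T.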

Question has a verified solution.