Cisco VPN Traffic stats show data coming in, but no data being sent

Posted on 2006-06-14
Last Modified: 2013-11-16
I wanted to ask a quick question. I have been doing some work for a client on a Pix506 FW, and I have been working on installing and getting the VPN portion up and running. I have been able to connect the VPN client (4.6) to the FW; however, in the stats you can see that data is being received but nothing is being sent. I have included the config below; any help would be appreciated.

PIX Version 6.3(5)                  
interface ethernet0 auto                        
interface ethernet1 auto                        
nameif ethernet0 outside security0                                  
nameif ethernet1 inside security 100                        
enable password 2KFQnbNIdI.2KYOU encrypted                                          
passwd 2KFQnbNIdI.2KYOU encrypted                                
hostname ExhibitPix                  
clock timezone EST -5                    
clock summer-time EDT recurring                              
fixup protocol dns maximum-length 512                                    
fixup protocol ftp 21                    
fixup protocol h323 h225 1720                            
fixup protocol h323 ras 1718-1719                                
fixup protocol http 80                      
fixup protocol ils 389                      
fixup protocol rsh 514                      
fixup protocol rtsp 554                      
fixup protocol sip 5060                      
fixup protocol sip udp 5060                          
fixup protocol skinny 2000                          
no fixup protocol smtp 25                        
fixup protocol s              
fixup protocol tftp 69                      
access-list outside_access_in remark Rule For SMTP                                                  
access-list outside_access_in permit tcp any host eq smtp                                                                        
access-list outside_access_in remark Rule For POP3                                                  
access-list outside_access_in permit tcp any host eq pop3                                                                        
access-list outside_access_in remark Rules For Handling ICMP Traffic                                                                    
access-list outside_access_in permit icmp any any echo-reply                                                            
access-list outside_access_in remark Traffic For FTP                                                    
access-list outside_access_in permit tcp any host 72.242.                                                      
access-list outside_access_in remark Rules For WWW                                                  
access-list outside_access_in permit tcp any host eq www                                                                      
access-list 101 permit ip                                                                            
access-list 101 remark Rule For IP Address For VPN Client                                                        
access-list 102 permit ip                                                                            
access-list 102 remark Additional Rule For VPN Pool                                                  
no pager        
logging on          
logging timestamp                
logging trap informational                          
logging history warnings                        
logging host inside                              
mtu outside 1500                
mtu inside 1500              
ip address outside                                                
ip address inside                                          
ip verify reverse-path interface outside                                        
ip audit info action alarm                          
ip audit attack action alarm                            
ip local pool ippool                                            
pdm location inside                                            
pdm location inside                                              
pdm logging informational 100                            
pdm history enable                  
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list 101                              
nat (inside) 1 0.0.0.                          
static (inside,outside) tcp smtp smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp pop3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp www www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside                                                  
conduit permit icmp any any                          
route outside 1                                              
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00                                                                            
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00                                                              
timeout sip-disconnect 0:02:00 sip-invite 0:03:00                                                
timeout uauth 0:05:00 absolute                              
aaa-server TACACS+ protocol tacacs+                                  
aaa-server TACACS+ max-failed-attempts 3                                        
aaa-server TACACS+ deadtime 10                              
aaa-server RADIUS protocol radius                                
aaa-server RADIUS max-failed-attempts 3                                      
aaa-server RADIUS deadtime 10                            
aaa-server LOCAL protocol local                              
http server enable                  
http inside                                      
http inside                          
snmp-server location Tampa, Florida                                  
snmp-server contact Mecca Media                              
snmp-server community                            
snmp-server enable traps                        
floodguard enable                
sysopt connection permit-ipsec                              
crypto ipsec transform-set myset esp-des esp-md5-hmac                                                    
crypto dynamic-map IRE 10 set transform-set CLIENT                                                  
crypto dynamic-map dynmap 10 set transform-set myset                                                    
crypto map mymap 10 ipsec-isakmp dynamic dynmap                                              
crypto map mymap client configuration address initiate                          
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup exhibitnet address-pool ippool
vpngroup exhibitnet dns-server
vpngroup exhibitnet wins-server
vpngroup exhibitnet default-domain
vpngroup exhibitnet idle-time 1800
vpngroup exhibitnet password ********
vpngroup default-domain idle-time 1800
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by:blakmoon91

Assisted Solution

rsivanandan earned 150 total points
ID: 16903776
Add these;

access-list split permit ip

vpngroup exhibitnet split-tunnel split


Author Comment

ID: 16903958
Thanks so much for the quick reply, I just had a follow-up question. I am testing the VPN and now under route details I see a route being translated instead of, so I think that is good. I also noticed, though, on my computer that when I establish a connection and run ipconfig /all, I do have an IP address of 2.1 and it does see the DNS and WINS servers correctly; however, there is no default gateway listed. Also, I am not receiving any packets. Is this because we have specified the default-domain as exhibitservices, and my computer is on a different domain? Is there a way to disable this so that I can test this out? Your thoughts? Thanks again!!!

Expert Comment

ID: 16904495
Hmm. I'm not quite sure about that; how about removing it and trying whether it works?


Accepted Solution

stressedout2004 earned 150 total points
ID: 16904875
>>>>Is this because we have specified the default-domain as exhibitservices, and my computer is on a different domain? Is there a way to disable this so that I can test this out? Your thoughts? Thanks again!!!

No, the default domain has nothing to do with it. Just add the following on the PIX:

isakmp nat-t

Then try the connection again.

If it still doesn't work, turn on the following debug on the PIX:

debug icmp trace
term mon

Then try to ping any host behind the PIX from the PC connected to the VPN. Check if the PIX is getting any packets.

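The two answers above amount to three checks on a PIX 6.3 config: a NAT 0 exemption ACL that covers the VPN pool, a split-tunnel ACL on the vpngroup, and NAT-T enabled. The script below is an added example (not from either expert, and not a Cisco tool) that lints a saved config for exactly those three points. The config text, pool and networks are constructed from the documentation ranges; the vpngroup and ACL names mirror the thread, and `isakmp nat-t` is matched as a prefix so it also covers the full `nat-traversal` keyword.

```python
"""Lint a PIX 6.3-style config for the remote-access VPN settings raised in
the thread: NAT 0 exemption, split-tunnel ACL and NAT-T.  Added example;
the config below is constructed (RFC 5737 addresses), not the poster's."""
import ipaddress

# Constructed config modelled on the thread, with nat-t deliberately absent.
SAMPLE_CONFIG = """\
ip local pool ippool 192.0.2.1-192.0.2.50
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list split permit ip 10.0.0.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
isakmp enable outside
vpngroup exhibitnet address-pool ippool
vpngroup exhibitnet split-tunnel split
"""


def _net(tokens, i):
    """Consume one ACL address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull out only the statements the checks need; everything else is ignored."""
    cfg = {"acls": {}, "pools": {}, "nat0": None, "vpngroups": {}, "nat_t": False}
    for raw in text.splitlines():
        t = raw.split()
        if not t or raw.startswith(":"):
            continue
        if t[0] == "access-list" and len(t) >= 6 and t[2:4] == ["permit", "ip"]:
            try:
                src, i = _net(t, 4)
                dst, _ = _net(t, i)
            except (ValueError, IndexError):
                continue  # unsupported syntax; remarks never reach here
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"] and len(t) == 5:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"] = t[4]
        elif t[0] == "vpngroup" and len(t) >= 4:
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = t[3]
        elif t[:2] in (["isakmp", "nat-t"], ["isakmp", "nat-traversal"]):
            cfg["nat_t"] = True
    return cfg


def check_config(text):
    """Return a list of findings; an empty list means all three points are in place."""
    cfg = parse_config(text)
    findings = []
    if not cfg["nat_t"]:
        findings.append("isakmp nat-t not enabled: ESP from clients behind PAT will be dropped")
    for name, group in cfg["vpngroups"].items():
        pool = cfg["pools"].get(group.get("address-pool"))
        if pool is None:
            findings.append(f"vpngroup {name}: address-pool missing or undefined")
            continue
        start, end = pool
        for role, acl_name in (("nat 0 exemption", cfg["nat0"]),
                               ("split-tunnel", group.get("split-tunnel"))):
            if acl_name is None:
                findings.append(f"vpngroup {name}: no {role} access-list configured")
                continue
            entries = cfg["acls"].get(acl_name, [])
            # The pool must sit inside the destination side of at least one entry,
            # otherwise return traffic is NATted (or not sent through the tunnel).
            if not any(start in dst and end in dst for _, dst in entries):
                findings.append(
                    f"vpngroup {name}: {role} access-list {acl_name} does not cover pool {start}-{end}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a `show run` capture to get the same three findings the thread works through; on the constructed config it reports only the missing `isakmp nat-t`.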

Author Comment

ID: 16906856
Guys, thanks so much for the help, both of you. I thought splitting the points would be fair. Stressed, if you could explain, just for my own knowledge, what the nat-t switch does in conjunction with the isakmp I would appreciate it.

Expert Comment

ID: 16907055
It has something to do with allowing encrypted traffic to pass through UDP 4500 instead of protocol ESP to get around the PAT restriction. When a VPN Client user's public IP is a PAT IP (port address translation), meaning a shared public IP, and the traffic is passing over the tunnel using ESP, the traffic gets dropped because the PAT device has no way of mapping ESP because it is portless. So the common symptom is that you can connect with the VPN Client but cannot pass any traffic. To get around that, UDP NAT transparency was introduced to allow traffic from VPN that is PATted to use UDP 4500 instead of ESP when passing traffic over the tunnel. Since UDP has ports, the PAT device will have no problem mapping the traffic.
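The explanation above can be made concrete with a toy PAT device. The following is an added example (not part of the thread) that models a port-overloading NAT whose translation table is keyed on protocol and port: bare ESP carries no port, so the device has nothing to key a reverse mapping on and the reply never reaches the inside host, while the same exchange wrapped in UDP/4500 maps cleanly and two inside hosts get distinct public ports. It assumes a PAT device with no ESP-specific passthrough logic (some real gateways add SPI tracking, which is outside what the thread describes); all addresses are constructed.

```python
"""Toy PAT device showing why NAT-T (UDP/4500) survives port overloading and
bare ESP does not.  Added example; packets and addresses are constructed."""
from dataclasses import dataclass, replace
from typing import Optional

PIX_OUTSIDE = "203.0.113.10"   # constructed: the PIX outside address


@dataclass(frozen=True)
class Packet:
    proto: str                   # "esp" (IP protocol 50) or "udp"
    src: str
    dst: str
    sport: Optional[int] = None  # ESP has no port fields, so these stay None
    dport: Optional[int] = None


class PatDevice:
    """All inside hosts share one public IP; state is keyed on (proto, public_port)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            # No port to overload on and no field to key the reverse mapping on:
            # a plain PAT device drops the packet.  This is the ESP failure.
            return None
        for (proto, pub_port), inside in self.table.items():
            if proto == pkt.proto and inside == (pkt.src, pkt.sport):
                break  # existing binding for this inside host/port
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.table.get((pkt.proto, pkt.dport))
        if inside is None:
            return None  # unsolicited or unmappable: dropped
        inside_ip, inside_port = inside
        return replace(pkt, dst=inside_ip, dport=inside_port)


def client_packet(inside_ip: str, nat_t: bool) -> Packet:
    """First tunnel data packet from the VPN client, with or without NAT-T encapsulation."""
    if nat_t:
        return Packet("udp", inside_ip, PIX_OUTSIDE, 4500, 4500)
    return Packet("esp", inside_ip, PIX_OUTSIDE)


def tunnel_round_trip(inside_ip: str, nat_t: bool, pat: PatDevice) -> bool:
    """True if the PIX's reply makes it back through the PAT device to the client."""
    out = pat.outbound(client_packet(inside_ip, nat_t))
    if out is None:
        return False
    # The PIX answers to whatever source it saw after translation.
    reply = Packet(out.proto, out.dst, out.src, out.dport, out.sport)
    back = pat.inbound(reply)
    return back is not None and back.dst == inside_ip


def demo() -> dict:
    pat = PatDevice("198.51.100.1")  # constructed shared public IP
    return {
        "esp": tunnel_round_trip("192.168.1.20", False, pat),
        "nat_t": tunnel_round_trip("192.168.1.20", True, pat),
        "nat_t_second_host": tunnel_round_trip("192.168.1.21", True, pat),
        "bindings": len(pat.table),
    }


if __name__ == "__main__":
    print(demo())
```

The `esp` case is the symptom in the thread (tunnel up, no traffic); the two `nat_t` cases show why the accepted fix works and why it also scales to several clients behind the same address.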
