sumandan
asked on
Cisco PIX-to-PIX VPN seems to work fine, but it doesn't
Hi,
I created a site-to-site VPN tunnel between two Cisco PIX 515Es. When I initiate a ping from one side to the other, the tunnel comes up and I see "echo-request" and "echo-reply" on both PIXes. I also see the encaps and decaps increasing. BUT, on the hosts on each side of the ping, I see only "request timed out". I have seen a similar problem on this forum, but with a VPN client... and it got resolved by adding "isakmp nat-traversal 20". I already have this command on both ends, but still have this problem. Can anyone help?
ASKER
Here are the sa's at both ends.
FW-1
local ident (addr/mask/prot/port): (172.16.103.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.128.0/255.255.255.0/0/0)
current_peer: C1-FW:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19645, #pkts encrypt: 19645, #pkts digest 19645
#pkts decaps: 18901, #pkts decrypt: 18901, #pkts verify 18901
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: BCVHS-PIXFW01, remote crypto endpt.: C1-FW
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: c86f4cb0
inbound esp sas:
spi: 0xbebbcf97(3199979415)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 19, crypto map: c1
sa timing: remaining key lifetime (k/sec): (4607980/25448)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xc86f4cb0(3362737328)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 20, crypto map: c1
sa timing: remaining key lifetime (k/sec): (4607999/25439)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
FW-2
local ident (addr/mask/prot/port): (172.16.128.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.103.0/255.255.255.0/0/0)
current_peer: BC-FW:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18911, #pkts encrypt: 18911, #pkts digest 18911
#pkts decaps: 18222, #pkts decrypt: 18222, #pkts verify 18222
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed:
#send errors 4, #recv errors 0
local crypto endpt.: 203.197.156.162, remote crypto endpt.: BC-FW
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: bebbcf97
inbound esp sas:
spi: 0xc86f4cb0(3362737328)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: c1
sa timing: remaining key lifetime (k/sec): (4607999/25239)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xbebbcf97(3199979415)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: c1
sa timing: remaining key lifetime (k/sec): (4607987/25230)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
I'm pinging between actual hosts on both sides.
I checked to make sure "sysopt connection permit-ipsec" is there in the config. I also double-checked to confirm there is no firewall enabled on either host. I see the "echo-request" and "echo-reply" on both firewalls when I do a "debug icmp trace" on them.
ASKER
Oops... sorry, I just checked the configs again and found that one side did not have "sysopt connection permit-ipsec"... it had "permit-pptp" for another purpose (used for PPTP) but not for IPsec.
Thanks so much guys... and especially Cyclops3590.
not to be rude, but was there another piece of this solution? Just trying to understand why a grade of 'B' was given when it appears what I gave was exactly what you needed. Thx
Hi Suman,
I believe Cyclops is correct. The grading of a question shows how clear and to the point the answer was.
Charanjeet
Are you pinging an actual host on one side from a host on the other side? Does the host that you are pinging perhaps have a firewall on it? Even something that you don't think about like Cisco VPN client?
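The thread's diagnostic path, as an added example that is not part of the original posts: parse the "show crypto ipsec sa" excerpts from both peers, confirm the SPIs pair up and the encaps/decaps counters move in both directions (which rules out the IPsec layer), and then check each config for the "sysopt connection permit-ipsec" bypass that turned out to be missing. The SA excerpts and config fragments below are constructed samples in the shape of the output quoted above; the function names are my own.

```python
import re

# Constructed excerpts in the shape of the "show crypto ipsec sa" output quoted
# in the thread (sample counters and SPIs, not the poster's exact figures).
FW1_SA = """#pkts encaps: 19645, #pkts encrypt: 19645, #pkts digest 19645
#pkts decaps: 18901, #pkts decrypt: 18901, #pkts verify 18901
inbound esp sas:
spi: 0xbebbcf97(3199979415)
outbound esp sas:
spi: 0xc86f4cb0(3362737328)"""
FW2_SA = """#pkts encaps: 18911, #pkts encrypt: 18911, #pkts digest 18911
#pkts decaps: 18222, #pkts decrypt: 18222, #pkts verify 18222
inbound esp sas:
spi: 0xc86f4cb0(3362737328)
outbound esp sas:
spi: 0xbebbcf97(3199979415)"""
# Constructed config fragments: FW-2 has the pptp bypass but not the ipsec one.
FW1_CFG = "sysopt connection permit-ipsec\n"
FW2_CFG = "sysopt connection permit-pptp\n"

def parse_sa(text):
    """Extract encaps/decaps counters and the inbound/outbound ESP SPIs."""
    sa = {"encaps": 0, "decaps": 0, "inbound_spi": None, "outbound_spi": None}
    direction = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            sa[m.group(1)] = int(m.group(2))
        elif line.startswith("inbound esp sas"):
            direction = "inbound_spi"
        elif line.startswith("outbound esp sas"):
            direction = "outbound_spi"
        elif direction and (m := re.match(r"spi: (0x[0-9a-f]+)", line)):
            sa[direction] = m.group(1)
    return sa

def diagnose(sa1, sa2, cfg1, cfg2):
    """Return findings for a peer pair; an empty list means nothing obvious."""
    findings = []
    # A working tunnel has each side's outbound SPI as the other side's inbound SPI.
    if (sa1["outbound_spi"], sa2["outbound_spi"]) != (sa2["inbound_spi"], sa1["inbound_spi"]):
        findings.append("SPI mismatch: the peers are not using the same SA pair")
    # Packets encapsulated on one side should be decapsulated on the other.
    if min(sa1["encaps"], sa1["decaps"], sa2["encaps"], sa2["decaps"]) == 0:
        findings.append("a direction never decapsulates: traffic is dropped before IPsec")
    # Counters rising on both sides while hosts time out points past IPsec to the
    # interface ACL, which decrypted traffic still has to pass without the bypass.
    for name, cfg in (("FW-1", cfg1), ("FW-2", cfg2)):
        if "sysopt connection permit-ipsec" not in cfg:
            findings.append(f"{name}: missing 'sysopt connection permit-ipsec'")
    return findings
```

On the constructed input the SA checks pass and the only finding is the missing bypass on FW-2, which matches the outcome of the thread.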