Cisco PIX-to-PIX VPN seems to work fine, but it doesn't

Hi,
I created a site-to-site VPN tunnel between two Cisco PIX 515Es. When I initiate a ping from one side to the other, the tunnel comes up and I see "echo-request" and "echo-reply" on both PIXes. I also see the encaps and decaps increasing. BUT, on the hosts on each side of the ping, I see only "request timed out". I have seen a similar problem on this forum but with a VPN client, and it got resolved by adding "isakmp nat-traversal 20". I already have this command on both ends, but still have this problem. Can anyone help?
Asked by: sumandan

lrmoore commented:
Can you post result of "show cry ip sa" from both ends?
Are you pinging an actual host on one side from a host on the other side? Does the host that you are pinging perhaps have a firewall on it? Even something that you don't think about like Cisco VPN client?
Cyclops3590 commented:
My first thought was that you needed this at one of your sites, as the return packet is probably being blocked after it's decapsulated:
sysopt connection permit-ipsec

However, where are you seeing the "echo-request" and "echo-reply"? Are you doing a capture on each inside port? Because if you are seeing the request and reply on each PIX, then it must be a firewall on the client.
sumandan (author) commented:
Here are the sa's at both ends.

FW-1

   local  ident (addr/mask/prot/port): (172.16.103.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.128.0/255.255.255.0/0/0)
   current_peer: C1-FW:500
   dynamic allocated peer ip: 0.0.0.0

     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 19645, #pkts encrypt: 19645, #pkts digest 19645
    #pkts decaps: 18901, #pkts decrypt: 18901, #pkts verify 18901
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: BCVHS-PIXFW01, remote crypto endpt.: C1-FW
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: c86f4cb0

     inbound esp sas:
      spi: 0xbebbcf97(3199979415)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 19, crypto map: c1
        sa timing: remaining key lifetime (k/sec): (4607980/25448)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xc86f4cb0(3362737328)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 20, crypto map: c1
        sa timing: remaining key lifetime (k/sec): (4607999/25439)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



FW-2

  local  ident (addr/mask/prot/port): (172.16.128.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.16.103.0/255.255.255.0/0/0)
  current_peer: BC-FW:500
  dynamic allocated peer ip: 0.0.0.0

    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 18911, #pkts encrypt: 18911, #pkts digest 18911
   #pkts decaps: 18222, #pkts decrypt: 18222, #pkts verify 18222
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed:
   #send errors 4, #recv errors 0

    local crypto endpt.: 203.197.156.162, remote crypto endpt.: BC-FW
    path mtu 1500, ipsec overhead 56, media mtu 1500
    current outbound spi: bebbcf97

    inbound esp sas:
     spi: 0xc86f4cb0(3362737328)
       transform: esp-3des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 4, crypto map: c1
       sa timing: remaining key lifetime (k/sec): (4607999/25239)
       IV size: 8 bytes
       replay detection support: Y


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:
     spi: 0xbebbcf97(3199979415)
       transform: esp-3des esp-md5-hmac ,
       in use settings ={Tunnel, }
       slot: 0, conn id: 3, crypto map: c1
       sa timing: remaining key lifetime (k/sec): (4607987/25230)
       IV size: 8 bytes
       replay detection support: Y


    outbound ah sas:


    outbound pcp sas:

I'm pinging between actual hosts on both sides.
I checked to make sure "sysopt connection permit-ipsec" is there in the config. I also double-checked to confirm there is no firewall enabled on either host. I see the "echo-request" and "echo-reply" on both firewalls when I do a "debug icmp trace" on them.

sumandan (author) commented:
Oops, sorry. I just checked the configs again and found that one side did not have sysopt connection permit-ipsec; it had permit-pptp for another purpose (used for PPTP) but not for IPsec.

Thanks so much guys, and especially Cyclops3590.
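The two checks this thread turns on, as an added example (not code from the thread or from Cisco): the encaps/decaps counters from both ends' "show crypto ipsec sa" output are compared to confirm traffic really crosses the tunnel in both directions (so any drop happens after decapsulation), and a PIX config is scanned for a crypto map bound to an interface without a matching "sysopt connection permit-ipsec". The counter values are the ones posted above; the config fragment is constructed to mirror the side that only had permit-pptp.

```python
import re

# Constructed sample: trimmed PIX config for the end that, as the thread found,
# had 'sysopt connection permit-pptp' but not the IPsec equivalent.
PIX_CONFIG = """\
sysopt connection permit-pptp
crypto map c1 10 ipsec-isakmp
crypto map c1 10 match address 101
crypto map c1 interface outside
isakmp enable outside
isakmp nat-traversal 20
"""
# Counter lines taken from the two 'show crypto ipsec sa' outputs in the thread.
FW1_SA = "#pkts encaps: 19645, #pkts encrypt: 19645\n#pkts decaps: 18901, #pkts decrypt: 18901\n"
FW2_SA = "#pkts encaps: 18911, #pkts encrypt: 18911\n#pkts decaps: 18222, #pkts decrypt: 18222\n"

def ipsec_in_use(config):
    """A crypto map bound to an interface means the PIX will decapsulate tunnel traffic."""
    return re.search(r"^crypto map \S+ interface \S+", config, re.M) is not None

def sysopt_permits(config):
    """Protocols exempted from the interface ACL by 'sysopt connection permit-<proto>'."""
    return set(re.findall(r"^sysopt connection permit-(\S+)", config, re.M))

def check_ipsec_bypass(config):
    """Findings list; empty means decrypted IPsec packets are not subject to the outside ACL."""
    if ipsec_in_use(config) and "ipsec" not in sysopt_permits(config):
        return ["crypto map is bound to an interface but 'sysopt connection permit-ipsec' "
                "is missing (permit-pptp does not cover IPsec)"]
    return []

def sa_counters(sa_text):
    """(#pkts encaps, #pkts decaps) from 'show crypto ipsec sa' output."""
    enc = int(re.search(r"#pkts encaps: (\d+)", sa_text).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", sa_text).group(1))
    return enc, dec

def tunnel_is_bidirectional(local_sa, remote_sa, tolerance=0.1):
    """True when each end's encaps roughly match the peer's decaps, i.e. traffic
    crosses the tunnel both ways and any drop must happen after decapsulation."""
    l_enc, l_dec = sa_counters(local_sa)
    r_enc, r_dec = sa_counters(remote_sa)
    close = lambda a, b: a > 0 and b > 0 and abs(a - b) <= tolerance * max(a, b)
    return close(l_enc, r_dec) and close(l_dec, r_enc)

if __name__ == "__main__":
    print("tunnel carries traffic both ways:", tunnel_is_bidirectional(FW1_SA, FW2_SA))
    for finding in check_ipsec_bypass(PIX_CONFIG):
        print("finding:", finding)
```

With the posted counters the tunnel check passes while the config check fires, which is exactly the combination the thread ended on.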
Cyclops3590 commented:
not to be rude, but was there another piece of this solution?  Just trying to understand why a grade of 'B' was given when it appears what I gave was exactly what you needed.  Thx
charan_jeetsingh commented:
Hi Suman,

I believe what Cyclops says is true. The grading of the question shows how clear and to the point the answer was.

Charanjeet