Solved

Site to Site tunnel. Tunnel established, can't communicate

Posted on 2009-04-16
Last Modified: 2012-05-06
I have a L2L ipsec tunnel between my house and work

192.168.3.0/24----------internet------------------172.16.0.0/24 (work)

When I do a sh isa or show ipsec sa, the tunnel is up. However, I cannot ping anything on either side. I have static routes entered on both sides. Below is the sh run of my home PIX. This pretty much mirrors the other side.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xIsrlcAkUmuvQSHs encrypted
passwd xIsrlcAkUmuvQSHs encrypted
hostname fwall
domain-name chpk.cpk.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside-to-inside permit icmp any any
pager lines 24
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside-to-inside in interface outside
route outside 0.0.0.0 0.0.0.0 71.200.32.1 1
route outside 172.16.0.0 255.255.0.0 71.200.32.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer 75.140.145.225
crypto map mymap 88 set transform-set aesmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 75.140.145.225 netmask 255.255.255.255 no-xauth
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 10
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:e0394f664e7d8c552e2b84ff8a3b886c
: end

Question by:dissolved
5 Comments
LVL 43

Expert Comment

by:JFrederick29
ID: 24156997
Add this:

conf t
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

Author Comment

by:dissolved
ID: 24157827
thanks, I will try that now. What does that command do?
LVL 43

Accepted Solution

by:JFrederick29 (earned 2000 total points)
ID: 24157864
The nat0 command disables NAT for the VPN traffic (required).

The sysopt command allows the VPN traffic from the remote site without being checked by the outside access-list.

The other end of the tunnel will need the same config in place.
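An added example, not from the thread: a small Python audit that reads a PIX 6.x running config and reports the two conditions the accepted answer fixes, namely interesting traffic still covered only by the "nat (inside) 1" rules (no "nat 0 access-list" covering the crypto ACL flows) and a missing "sysopt connection permit-ipsec". The sample config is a constructed excerpt of the question's sh run; matching nonat entries to crypto-ACL entries by exact text is a simplification of this example.

```python
import re

# Constructed excerpt of the home PIX config posted in the question,
# reduced to the NAT and crypto lines the audit looks at.
PIX_CONFIG = """\
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer 75.140.145.225
crypto map mymap interface outside
"""

# The two lines the accepted answer adds.
FIX = "nat (inside) 0 access-list nonat\nsysopt connection permit-ipsec\n"


def audit_l2l(config: str) -> list[str]:
    """Explain why a PIX 6.x L2L tunnel can be up yet pass no traffic:
    the interesting traffic is still translated by the 'nat (inside) 1'
    rules, or the decrypted packets are dropped by the outside ACL."""
    # access-list name -> set of 'permit ...' entries
    acls: dict[str, set[str]] = {}
    for m in re.finditer(r"^access-list (\S+) (permit .*)$", config, re.M):
        acls.setdefault(m.group(1), set()).add(m.group(2))

    # Flows exempt from NAT: entries of every ACL referenced by 'nat (...) 0'.
    exempt: set[str] = set()
    for name in re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M):
        exempt |= acls.get(name, set())

    findings = []
    crypto_acls = re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)
    for name in crypto_acls:
        # Simplification: a crypto entry counts as exempt only if a nat 0 ACL
        # has a textually identical entry (no subnet containment check).
        for flow in sorted(acls.get(name, set()) - exempt):
            findings.append(f"'{flow}' in crypto ACL {name} is not NAT-exempt (missing nat 0)")
    if not re.search(r"^sysopt connection permit-ipsec$", config, re.M):
        findings.append("sysopt connection permit-ipsec missing: decrypted VPN "
                        "traffic is filtered by the outside access-group")
    return findings
```

Running audit_l2l(PIX_CONFIG) reports two non-exempt flows plus the missing sysopt; audit_l2l(PIX_CONFIG + FIX) returns no findings.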

Author Comment

by:dissolved
ID: 24157918
You're my hero. I hope one day to know this $hit as well as you.
LVL 43

Expert Comment

by:JFrederick29
ID: 24157942
Thanks <8-]