Site to Site tunnel. Tunnel established, can't communicate

Posted on 2009-04-16
Last Modified: 2012-05-06
I have an L2L IPsec tunnel between my house and work (work).

When I do a sh isa or show ipsec sa, the tunnel is up. However, I cannot ping anything on either side. I have static routes entered on both sides. Below is the sh run of my home PIX. This pretty much mirrors the other side.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xIsrlcAkUmuvQSHs encrypted
passwd xIsrlcAkUmuvQSHs encrypted
hostname fwall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list ipsec permit ip
access-list ipsec permit ip
access-list nonat permit ip
access-list nonat permit ip
access-list outside-to-inside permit icmp any any
pager lines 24
logging buffered informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
nat (inside) 1 0 0
access-group outside-to-inside in interface outside
route outside 1
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer
crypto map mymap 88 set transform-set aesmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
telnet timeout 5
ssh outside
ssh inside
ssh timeout 10
management-access inside
console timeout 0
terminal width 80
: end

Question by: dissolved

    Expert Comment

    Add this:

    conf t
    nat (inside) 0 access-list nonat
    sysopt connection permit-ipsec

    Author Comment

    thanks, I will try that now. What does that command do?

    Accepted Solution

    The nat 0 command disables NAT for the VPN traffic (required).

    The sysopt command allows the VPN traffic from the remote site without being checked by the outside access-list.

    The other end of the tunnel will need the same config in place.
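The accepted answer applied to the posted config, with both ends and the verification steps shown, as an added example that is not part of the original thread. The subnets (192.168.1.0/24 at home, 10.1.1.0/24 at work) and the work peer address 203.0.113.2 are assumptions chosen for illustration, not values from the question; the posted config has its addresses stripped, so substitute the real ones. Note that the posted config already defines access-list nonat but nothing references it: the two lines from the answer are what binds it.

```text
! ---- home PIX (fwall), PIX 6.3 ------------------------------------------
! Assumed addressing (not from the thread): home LAN 192.168.1.0/24,
! work LAN 10.1.1.0/24, work outside address 203.0.113.2.
access-list ipsec permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
!
! NAT exemption. nat 0 with an access-list is evaluated before every other
! nat statement, so traffic to 10.1.1.0/24 keeps its private source address.
! Without it the PAT rule below rewrites the source to the outside address,
! the packet no longer matches access-list ipsec, and it leaves in clear text
! while "show isakmp sa" still reports the tunnel as up.
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
global (outside) 1 interface
!
! Let decrypted tunnel traffic bypass access-group outside-to-inside.
sysopt connection permit-ipsec
!
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer 203.0.113.2
crypto map mymap 88 set transform-set aesmap
crypto map mymap interface outside

! ---- work PIX: mirror image of the home side ----------------------------
! Source and destination are swapped in both ACLs. The proxy IDs offered in
! quick mode must match the peer's exactly; a superset or subset on one side
! means some flows never match the SA.
access-list ipsec permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer <home outside address>

! ---- verification, run on either box ------------------------------------
clear xlate             ! drop PAT entries built before nat 0 was added
show xlate              ! ping 10.1.1.x from home: no translation should appear
show crypto ipsec sa    ! #pkts encaps and #pkts decaps should both climb;
                        ! encaps rising with decaps at 0 points at the other end
```

Two caveats worth keeping in mind. First, an existing xlate survives the config change, so a host that was already talking through the PAT rule keeps being translated until `clear xlate` runs or the entry times out; this is a common reason the fix appears not to work. Second, `sysopt connection permit-ipsec` exempts everything arriving through any IPsec tunnel from the outside interface ACL, so the work LAN gets unfiltered access to the home LAN; if that is not wanted, leave the sysopt off and add explicit permits for the work subnet to access-list outside-to-inside instead. Separately, the posted config carries `snmp-server community public` with traps enabled and `ssh outside`; neither is related to the tunnel problem, but both are worth revisiting on a box with a public address.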

    Author Comment

    You're my hero. I hope one day to know this $hit as well as you

    Expert Comment

    Thanks <8-]
