Solved

No traffic across IPSEC Tunnel

Posted on 2009-04-30
Last Modified: 2012-05-06
I'm trying to build an IPSEC tunnel between 2 PIX boxes.  Both are running 6.3(5).  
Pings from the device on PixA's inside network to the device on PixB's inside network say "Reply from #.#.#.#: TTL expired in transit."  
Pings from the device on PixB's inside network to the device on PixA's inside network say "Request timed out"

In both cases the tunnel seems to be formed.  When I issue the command "show crypto isakmp sa" I see the tunnel is formed and is in the state QM-IDLE on both PIXes.

I've never used PPPoE on a PIX before.  PIXB's outside interface is configured for PPPoE.  I don't believe this Pix is the problem though.  I have successfully configured a VPN tunnel between PixB and AsaC.

The addresses in the attached file have been changed to keep privacy.  Hopefully I changed them consistently.

Thanks for your help!


PIXVPNProb.txt
Question by:labdunn
13 Comments
 
LVL 6

Expert Comment

by:ricks_v
ID: 24275382
try dropping this at both end of the pix.

sysopt connection permit-ipsec

This will bypass acl and nat for only vpn traffic.

This way we can narrow down if it's acl related or not.
LVL 43

Expert Comment

by:JFrederick29
ID: 24275907
The PIX configs look good.

Is the SiteA PIX (10.24.135.254) the default gateway for the 10.24.135.7 host?

Is the SiteB PIX (192.168.32.1) the default gateway for the 192.168.32.150 host?
LVL 15

Expert Comment

by:bignewf
ID: 24275973
Agree completely with ricks v on the sysopt command, as one of the main causes of traffic not passing is issues with the acl's.

Your acl's for passing your interesting traffic across the tunnel look correct, and you are following good security protocol by narrowing them down to particular hosts, but for testing purposes I would try to allow a broader access list such as:

access-list nonat permit ip 192.168.32.0 255.255.255.0 10.0.0.0 255.255.255.0  (this defines the interesting traffic being protected by the tunnel)

Also, please send the output of the show crypto ipsec sa, so we can see packets getting encrypted and the errors (if any)

show crypto isakmp sa will show the current state of the IKE sa's but not the traffic getting encrypted.
LVL 43

Expert Comment

by:JFrederick29
ID: 24276018
The "sysopt" command is already applied to both PIX's.
LVL 1

Author Comment

by:labdunn
ID: 24276255
Hi guys.  Thanks for all the ideas.  I verified the sysopt connection permit-ipsec is in both boxes.
I expanded both ACLs on both PIXes to the entire class C net.
I still get the same symptoms on both boxes.  When I ping a box behind PIX B from a box behind PIX A I get the TTL expired in transit message.  When I ping a box behind PIX A from a box behind PIX B I get Request timed out.

Attached are the results of the show crypto ipsec sa from both Pixes.  I see send errors on both Pixes but no explanation of these errors.

Thanks once more for your help.

Bill

pixa-show-crypto-isakmkp-sa.TXT
pixB-show-crypto-isakmkp-sa.TXT
LVL 43

Expert Comment

by:JFrederick29
ID: 24278305
Looks like the sides are out of sync now.  Expand site A to /24's to match.

conf t
access-list Galisteo permit ip 10.24.135.0 255.255.255.0 192.168.32.0 255.255.255.0
no access-list Galisteo permit ip host 10.24.135.7 host 192.168.32.150

Then run a continuous ping between hosts and post a new "show cry ipsec sa" from both PIX's.
LVL 1

Author Comment

by:labdunn
ID: 24278592
I changed the access-list statements for both nonat and Galisteo - Good catch!  The access list statements on PIXA now look like below.  I also noticed that a machine behind PIXA is NOT able to initiate the tunnel.  Only machines behind PIXB are able to initiate the tunnel.

With the tunnel up and continuous pings from both sides, the results of show crypto isakmp sa from both Pixes are attached.

Thanks again for your help.

From PixA
access-list nonat permit ip 10.24.135.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list Galisteo permit ip 10.24.135.0 255.255.255.0 192.168.32.0 255.255.255.0


crypto map VPN 67 ipsec-isakmp
crypto map VPN 67 match address Galisteo
crypto map VPN 67 set peer 72.216.245.22
crypto map VPN 67 set transform-set 3desmd5

pixa-show-crypto-isakmkp-sa.TXT
pixB-show-crypto-isakmkp-sa.TXT
LVL 43

Expert Comment

by:JFrederick29
ID: 24278615
The "show crypto" appears to still be the same.  Can you post the now current configurations?
LVL 1

Author Comment

by:labdunn
ID: 24278717
My mistake on the earlier update.  I think I posted the files from the wrong location.  Here's the right files along with the latest and greatest PIX configs.

Thanks again.


PixA-Config.TXT
PixB-config.TXT
PixA-show-cry-ipsec-sa.TXT
PixB-show-cry-ipsec-sa.TXT
LVL 43

Expert Comment

by:JFrederick29
ID: 24278752
Okay, so the tunnel looks good.  Based on the show commands, it looks like a PC in Site B is pinging a PC in Site A, correct?  Based on the output, the PC in site A isn't responding to the ping perhaps because it doesn't have a return route.  What is the default gateway of the PC in site A?  Is it 10.24.135.254? or something else?
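The reasoning in the comment above, reading "packets decrypted on site A, nothing encrypted back" as a return-route problem, can be automated. The following is an added example, not part of this thread and not Cisco tooling: it pulls the `#pkts encaps` / `#pkts decaps` / `#send errors` counters and the local/remote proxy identities out of `show crypto ipsec sa` text, classifies each side, and checks that the two peers' identities mirror each other. The two sample outputs are constructed in the shape of PIX 6.3 output, with counters chosen to reproduce this thread's symptom and documentation-range peer addresses (203.0.113.10, 198.51.100.20) standing in for the real outside addresses.

```python
import re
from typing import Dict

# Constructed sample outputs (not from the attachments in this thread). Site B's
# host is pinging; site A decrypts the requests but never encrypts a reply.
SITE_A_SA = """\
local ident (addr/mask/prot/port): (10.24.135.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.32.0/255.255.255.0/0/0)
current_peer: 203.0.113.10:500
  PERMIT, flags={origin_is_acl,}
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
 #pkts decaps: 57, #pkts decrypt: 57, #pkts verify 57
 #send errors 3, #recv errors 0
"""
SITE_B_SA = """\
local ident (addr/mask/prot/port): (192.168.32.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.24.135.0/255.255.255.0/0/0)
current_peer: 198.51.100.20:500
  PERMIT, flags={origin_is_acl,}
 #pkts encaps: 57, #pkts encrypt: 57, #pkts digest 57
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
 #send errors 0, #recv errors 0
"""

COUNTER_PATTERNS = {
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors\s*(\d+)"),
}
# "local ident (addr/mask/prot/port): (10.24.135.0/255.255.255.0/0/0)" -> addr/mask
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([^/]+/[^/]+)/")

EXPLANATIONS = {
    "no_interesting_traffic": "nothing matched the crypto ACL in either direction; "
                              "check the crypto ACL and the nonat ACL",
    "receive_only": "peer traffic is decrypted here but nothing is encrypted back: "
                    "the replying host's return path does not reach this PIX "
                    "(check the host's default gateway or the inside router's route)",
    "send_only": "this side encrypts but receives nothing: the remote side is not "
                 "returning traffic, so diagnose the remote peer next",
    "bidirectional": "the tunnel carries traffic both ways; look at host filters "
                     "or inside routing rather than the VPN",
}


def parse_ipsec_sa(text: str) -> Dict[str, object]:
    """Extract per-SA packet counters and proxy identities from the output."""
    sa: Dict[str, object] = {}
    for key, pat in COUNTER_PATTERNS.items():
        m = pat.search(text)
        sa[key] = int(m.group(1)) if m else 0
    for m in IDENT_RE.finditer(text):
        sa[m.group(1)] = m.group(2)
    return sa


def diagnose(sa: Dict[str, object]) -> str:
    """Classify one side from its encaps/decaps counters."""
    enc, dec = int(sa["encaps"]), int(sa["decaps"])
    if enc == 0 and dec == 0:
        return "no_interesting_traffic"
    if dec > 0 and enc == 0:
        return "receive_only"
    if enc > 0 and dec == 0:
        return "send_only"
    return "bidirectional"


def idents_mirrored(sa_a: Dict[str, object], sa_b: Dict[str, object]) -> bool:
    """True when A's local/remote identities are B's remote/local identities."""
    return sa_a.get("local") == sa_b.get("remote") and sa_a.get("remote") == sa_b.get("local")


def report(label: str, sa: Dict[str, object]) -> str:
    verdict = diagnose(sa)
    line = f"{label}: {verdict} - {EXPLANATIONS[verdict]}"
    if int(sa["send_errors"]) > 0:
        line += f" ({sa['send_errors']} send errors: packets the PIX could not transmit)"
    return line


if __name__ == "__main__":
    a, b = parse_ipsec_sa(SITE_A_SA), parse_ipsec_sa(SITE_B_SA)
    print(report("site A", a))
    print(report("site B", b))
    print("proxy identities mirrored:", idents_mirrored(a, b))
```

With a continuous ping running, take the output from both peers at the same moment; a receive-only side paired with a send-only side points at the receiving side's inside routing, which is exactly where this thread ends up.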
LVL 1

Author Comment

by:labdunn
ID: 24278802
You are right.  The gateway for the PC behind PIX A is 10.24.135.11, not the Pix' 10.24.135.254.  There are several VLANs behind PIXA and 10.24.135.11 is the core switch that serves as the router for all of them.

LVL 43

Accepted Solution

by:JFrederick29 (earned 2000 total points)
ID: 24278824
Okay, so on the 10.24.135.11 router, does it have a default route via 10.24.135.254? or something else?

If something else, add a route to the core switch:

ip route 192.168.32.0 255.255.255.0 10.24.135.254
LVL 1

Author Closing Comment

by:labdunn
ID: 31576691
Thanks JFrederick29.  Got my pings!