I need help tracking down where packets are being dropped.

I'm looking for a way to see traffic that is being dumped on a PIX VPN connection. I have syslog set up to log all incoming packets and denies, and that is working, though it does not seem to be logging the packets that the VPN does not care about.

I have a VPN between 2 PIXes and both sides have other subnets behind them

10.3.x.y / 10.1.x.y -- PIX -- Internet -- PIX -- 10.2.x.y / 10.6.x.y

10.2 can see everything
10.6 can only see 10.2
10.1 can see 10.2, 10.3
10.3 can see 10.2, 10.1

Can I set up a capture or something in the syslog to help me figure out where the issue in my config is?

Thanks, Scott

Scott Townsend

You have many cookbooks regarding VPN scenarios on Cisco.com.

You can see dropped packets with "sh log | inc ..." and open connections with "show conn", so try to troubleshoot your connection that way. Also check your routing and the ACL which defines which traffic should be encrypted, and which traffic should be involved in NAT (if you have one).

H.

Havoc 25

Thank you for your suggestions.

Though I do not see the traffic I'm looking for.

I have a continuous ping set up from one side to the other. Doing a sh log | inc returns nothing.

So maybe I should do this more by example.

So on my ACLs I have the following:

access-list extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list extended permit ip 10.1.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list extended permit ip 10.2.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list extended permit ip 10.6.0.0 255.255.0.0 10.2.0.0 255.255.0.0

So I have 5 sets of the above ACL, where the ACL name is one of the following: inside_nat, cryptomap_20, cryptomap_40, nat0_inbound, nat0_outbound

nat (outside) 0 access-list nat0_inbound outside
nat (inside) 0 access-list inside_nat

group-policy PIXB internal
group-policy PIXB attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cryptomap_40

crypto map olivet-dyn-map 20 match address cryptomap_20
crypto map olivet-dyn-map 20 set peer
crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
crypto map olivet-dyn-map interface outside

So am I missing something? Does the order of the entries in the ACLs make a difference?

Thanks

Scott Townsend

So I've tried re-creating all the ACLs using object groups.

Now I've managed:

10.3.x.y 10.11.x.y router 10.1.x.y PIX H Router O w/ FW -> PIX A Internet PIX S 10.2.x.y router 10.6.x.y

10.1 can't see anything at PIX B

10.11 can see all subnets at PIX B
10.3 can see 10.2

object-group network NETWORK-OLIVET-ALL
 network-object 10.11.0.0 255.255.0.0
object-group network NETWORK-SF-VPN
 network-object 10.2.0.0 255.255.0.0
 network-object 10.6.0.0 255.255.0.0
object-group network NETWORK-HBG-VPN
 network-object 10.1.0.0 255.255.0.0
 network-object 10.3.0.0 255.255.0.0

From each site I have ACLs in the format:

PIX H
access-list extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-OLIVET-VPN

PIX S
access-list extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
access-list extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-VPN

I think I need to be a member of the Hair Club for Men. I don't have much left.

Thanks, Scott

Scott Townsend
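The pattern in this thread (some subnet pairs reach each other through the tunnel, others silently don't, and nothing shows up in the log) is what you get when the crypto-map ACL on one PIX is not the exact mirror of the peer's, or simply lacks an entry for a subnet pair, so that traffic is never treated as "interesting" and goes out the outside interface in the clear or gets NATed. The script below is an added example for this thread; it is not the poster's config and not Cisco code. It parses PIX-style `access-list NAME extended permit ip ...` lines together with `object-group network` definitions, then reports (a) entries on one peer whose `dst -> src` twin is missing on the other and (b) expected subnet pairs that no entry covers. The ACL and object-group names, the addresses, and the two config fragments are constructed to resemble the topology in the thread, not copied from it; the syntax it understands is limited to `permit` entries with `addr mask`, `host`, `any` and `object-group` operands.

```python
"""Check that two PIX peers' crypto-map ACLs mirror each other and that every
subnet pair expected in the tunnel is actually matched.

Added example for this thread; not Cisco code and not the poster's config.
Assumes PIX-style 'access-list NAME extended permit ip SRC MASK DST MASK'
lines plus 'object-group network' definitions. The ACL names, group names
and addresses below are constructed to resemble the thread's topology.
"""
import ipaddress
from itertools import product


def net(addr, mask=None):
    """Build an IPv4Network from 'addr mask' (or 'addr/prefix')."""
    spec = addr if mask is None else f"{addr}/{mask}"
    return ipaddress.IPv4Network(spec, strict=False)


def _operand(tokens, groups):
    """Consume one address operand; return (networks, remaining tokens)."""
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    if tokens[0] == "host":
        return [net(tokens[1], "255.255.255.255")], tokens[2:]
    if tokens[0] == "any":
        return [net("0.0.0.0/0")], tokens[1:]
    return [net(tokens[0], tokens[1])], tokens[2:]      # 'addr mask' form


def parse_config(text):
    """Return {acl_name: {(src_net, dst_net), ...}} from a PIX config fragment."""
    groups, acls, group = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["object-group", "network"]:
            group = groups.setdefault(t[2], [])
        elif t[0] == "network-object" and group is not None:
            group.extend(_operand(t[1:], groups)[0])
        elif t[0] == "access-list" and "permit" in t:
            group = None
            rest = t[t.index("permit") + 2:]            # drop 'permit <proto>'
            srcs, rest = _operand(rest, groups)
            dsts, _ = _operand(rest, groups)
            acls.setdefault(t[1], set()).update(product(srcs, dsts))
    return acls


def mirror_gaps(local, remote):
    """Local (src, dst) entries that have no (dst, src) twin on the peer.
    A LAN-to-LAN crypto ACL must be the exact mirror of the peer's."""
    return sorted((s, d) for s, d in local if (d, s) not in remote)


def mesh_gaps(acl, local_subnets, remote_subnets):
    """(local, remote) subnet pairs no entry covers: that traffic is never
    'interesting' to the crypto map and is routed/NATed in the clear."""
    return [(a, b) for a, b in product(local_subnets, remote_subnets)
            if not any(a.subnet_of(s) and b.subnet_of(d) for s, d in acl)]


# Constructed configs: PIX H fronts 10.1/16 and 10.3/16; PIX S fronts 10.2/16
# and 10.6/16. H forgot 10.3 -> 10.6, and S forgot 10.3 in its object-group.
PIX_H = """
access-list cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.3.0.0 255.255.0.0 10.2.0.0 255.255.0.0
"""
PIX_S = """
object-group network NETWORK-SF-VPN
 network-object 10.2.0.0 255.255.0.0
 network-object 10.6.0.0 255.255.0.0
object-group network NETWORK-HBG-VPN
 network-object 10.1.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
"""


def run_checks():
    """Run both checks on the constructed configs; returns {check: [(a, b), ...]}."""
    h = parse_config(PIX_H)["cryptomap_20"]
    s = parse_config(PIX_S)["cryptomap_20"]
    return {
        "h_not_mirrored_on_s": mirror_gaps(h, s),
        "s_not_mirrored_on_h": mirror_gaps(s, h),
        "h_mesh_gaps": mesh_gaps(h, [net("10.1.0.0/16"), net("10.3.0.0/16")],
                                 [net("10.2.0.0/16"), net("10.6.0.0/16")]),
    }


if __name__ == "__main__":
    for check, pairs in run_checks().items():
        print(check, [f"{a} -> {b}" for a, b in pairs] or "OK")
```

Paste the real crypto ACL from each PIX into the two strings (with the object-groups they reference) and run it; every pair it prints is a subnet combination that will never enter the tunnel. The same parser works for the `nat 0` ACL: `acls["cryptomap_20"] - acls["nat0_outbound"]` lists tunnel traffic that will still be NATed before encryption, which is the other common reason a ping crosses the tunnel in one direction only.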
