ipsec tunnel established but no pinging

maybe icmp is forbidden troughout pix

psychogenic ha scritto:

or, try enabling debug mode and see what happens,

cheers, Zuhair Al Zubaidi

Thanks all. I turned on debugging by doing "debug ip icmp" and I'm just getting alot of garbage. I don't think it's catching any of the pings I am sending across. For example I tried pinging a known good network across a good vpn tunnel and the logs don't show anything at all. Is there a different command?

Also I'm thinking the issue might be with the remote PIX. I noticed at their end there are no routes on the routing table. It's a PIX501 running 6.3.5 IOS and I am assuming that a default route to the outside interface is not assumed automatically by the device. And so if my pings even do reach the remote machine the echo-reply wouldn't come back since there is no default route? Does this make any sense? :)

Thanks.

Zuhair Al-Zubaidi wrote:

Please show from your config:

NAT Statements ACL's regarding your crypto map IPSEC and ISAKMP config

I would also assume that if you set your logging level to 7 and sent traffic across the tunnel your syslog would shoot some messages at you in regards to no translation for traffic x.x.x.x to y.y.y.y Where x.x.x.x is your local subnet and y.y.y.y would be the remote subnet?

If so you need to exclude those subnets from performing NAT.

Google for NAT 0 and, also in another reply to this post I listed some items from your config to post.

HTH

Yes, I exlcuded both subnets from NAT. I don't believe its a NAT issue but I guess strangers things have happened. Here is the config for the remote PIX:

Local Site Network: 10.1.1.0/24 Remomte Site Network: 20.1.1.0/24

Remote Site PIX:

interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname pix domain-name clock timezone JST 9 fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 object-group service Citrix-Service tcp port-object eq echo port-object eq citrix-ica port-object eq www port-object eq https access-list outside_access_in permit icmp any any log 0 access-list outside_access_in permit ip 10.1.1.0 255.255.248.0 20.1.1.0

255.255.255.0 access-list inside_access_in permit icmp any any log 0 access-list inside_access_in permit ip any any access-list inside_outbound_nat0_acl permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.248.0 access-list outside_cryptomap_20 permit ip 20.1.1.0 255.255.255.0 10.1.1.0 255.255.248.0 access-list outside_inbound_nat0_acl permit ip 10.1.1.0 255.255.248.0 20.1.1.0 255.255.255.0 pager lines 24 logging on logging timestamp logging trap informational logging host inside syslog icmp permit host syslog outside icmp permit any outside icmp permit host syslog inside icmp permit host RTX-1000 inside mtu outside 1500 mtu inside 1500 ip address outside pppoe setroute ip address inside 20.1.1.1 255.255.255.0 ip verify reverse-path interface outside ip audit info action alarm ip audit attack action alarm arp timeout 14400 global (outside) 1 interface nat (outside) 0 access-list outside_inbound_nat0_acl outside nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 0.0.0.0 0.0.0.0 0 0 access-group outside_access_in in interface outside access-group inside_access_in in interface inside timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout sip-disconnect 0:02:00 sip-invite 0:03:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server TACACS+ max-failed-attempts 3 aaa-server TACACS+ deadtime 10 aaa-server RADIUS protocol radius aaa-server RADIUS max-failed-attempts 3 aaa-server RADIUS deadtime 10 aaa-server LOCAL protocol local no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer 192.168.0.150 crypto map outside_map 20 set transform-set ESP-3DES-MD5 crypto map outside_map interface outside isakmp enable outside isakmp key ******** address 192.168.0.150 netmask 255.255.255.255 no-xauth no-config-mode isakmp identity address isakmp keepalive 10 4 isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash md5 isakmp policy 20 group 2 isakmp policy 20 lifetime 86400

Chad Mah> > I have a site-to-site vpn tunnel established between a 2600 router and

Just a thought, but how about adding isakmp nat-traversal in the configs? I know this is the command for the PIX, but not sure about the router.

Cheers

psychogenic wrote:

snip

I believe that you do not need the above outside entry in your access-list as you have permitted

This feature allows your VPN traffic to bypass the access-list on the outside interface.

I am also unsure why you have this:

access-list outside_inbound_nat0_acl permit ip 10.1.1.0 255.255.248.0

20.1.1.0 255.255.255.0

I have only had a quick look at the config but assuming that you wanted to exempt this from nat on your remote router, don't you need to do the No NAT on the router.

So on the PIX you will have:

An access-list permitting traffic from the PIX (LAN) to the remote router (LAN) - Your Crypto Access-List A no nat statement for the same

+

On the router you will have:

An access-list permitting traffic from the Router (LAN) to the remote PIX (LAN) - Your Crypto Access-List A no nat statement for the same

Could be wrong but maybe someone else could confirm / deny.

HTH.

Regards

Darren

These were created from the vpn site to site wizard on both router and firewall. I'm assuming the outside_access_in rule was created to define which traffic needs to be encrypted and the other rule to have no NAT between the two networks. I have the same rules applied on a different firewall connected to the same router and it works perfectly fine. The only difference between these two tunnels is that the working one's endpoint is my outside interface of the local router and the non working is on a loopback interface i created. :(

Darren Green wrote:

It's fixed now. What I did was change the local endpoint to my outside interface and changed the routes to go there. I don't know why this doesn't work with a logical interface...

psychogenic wrote: