PIX 501

Hi, I have a problem getting a 2nd VPN tunnel from my PIX to work. See info: I get the tunnel "online" and I can see that it uses the right access-list and so on, but I can't see any traffic through the tunnel. The problem is between PIX 1 and PIX 2.

They run ver 6.3.1

PIX 1

----------------------------------------------

   local  ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
   remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
   current_peer: 10.10.10.10 (pix2 outside IP):500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 334, #pkts encrypt: 334, #pkts digest 334
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 4873, #recv errors 0

     local crypto endpt.: 20.20.20.20 (pix1 outside IP), remote crypto endpt.: 10.10.10.10 (pix2 outside IP)
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: 24933583

     inbound esp sas:
      spi: 0x5aedf9c5(1525545413)
        transform: esp-aes-256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 6, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/28420)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x24933583(613627267)
        transform: esp-aes-256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607980/28418)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

sh cry isa sa
Total     : 2
Embryonic : 0
        dst                             src                             state     pending   created
    20.20.20.20 (pix1 outside IP)   10.10.10.10 (pix2 outside IP)   QM_IDLE      0         1
    30.30.30.30 (pix3 outside IP)   20.20.20.20 (pix1 outside IP)   QM_IDLE      0         2

PIX 2

--------------------------------------------

   local  ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
   current_peer: 20.20.20.20 (pix1 outside IP):500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6082, #pkts encrypt: 6082, #pkts digest 6082
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 10.10.10.10 (pix2 outside IP), remote crypto endpt.: 20.20.20.20 (pix1 outside IP)
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: 5aedf9c5

     inbound esp sas:
      spi: 0x24933583(613627267)
        transform: esp-aes-256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/28494)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5aedf9c5(1525545413)
        transform: esp-aes-256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607988/28490)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

sh cry isa sa
Total     : 3
Embryonic : 0
        dst                             src                             state     pending   created
    30.30.30.30 (pix3 outside IP)   10.10.10.10 (pix2 outside IP)   QM_IDLE      0         1
    20.20.20.20 (pix1 outside IP)   10.10.10.10 (pix2 outside IP)   QM_IDLE      0         1
    40.40.40.40 (pix4 outside IP)   10.10.10.10 (pix2 outside IP)   QM_IDLE      0         1

Reply to
Fredrik
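Reading the posted counters, as an added example that is not part of the thread: the script below parses both peers' show crypto ipsec sa excerpts (the poster's output with the "pixN outside IP" annotations removed) and cross-checks them. It relies on what the fields mean on a PIX: #pkts encaps is packets this side encrypted and sent, #pkts decaps is packets it received and decrypted, the two proxy identities must mirror each other, and each peer's outbound SPI must be the other peer's inbound SPI. The field names it extracts are PIX output; the finding texts and the check logic are my own.

```python
"""Read two peers' PIX 6.x 'show crypto ipsec sa' output and explain the counters.

Added example for this thread, not the poster's or Cisco's code. The two
excerpts below are the poster's output with the 'pixN outside IP' annotations
removed, embedded so the script runs offline on exactly the data in the post.
"""
import re

PIX1 = """\
local ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
current_peer: 10.10.10.10:500
 #pkts encaps: 334, #pkts encrypt: 334, #pkts digest 334
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
 #send errors 4873, #recv errors 0
 local crypto endpt.: 20.20.20.20, remote crypto endpt.: 10.10.10.10
 inbound esp sas:
  spi: 0x5aedf9c5(1525545413)
   transform: esp-aes-256 esp-sha-hmac ,
 outbound esp sas:
  spi: 0x24933583(613627267)
   transform: esp-aes-256 esp-sha-hmac ,
"""

PIX2 = """\
local ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
current_peer: 20.20.20.20:500
 #pkts encaps: 6082, #pkts encrypt: 6082, #pkts digest 6082
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
 #send errors 4, #recv errors 0
 local crypto endpt.: 10.10.10.10, remote crypto endpt.: 20.20.20.20
 inbound esp sas:
  spi: 0x24933583(613627267)
   transform: esp-aes-256 esp-sha-hmac ,
 outbound esp sas:
  spi: 0x5aedf9c5(1525545413)
   transform: esp-aes-256 esp-sha-hmac ,
"""


def _field(pattern, text, conv=str):
    """Return the first capture group of pattern in text, converted with conv."""
    m = re.search(pattern, text, re.S)
    if m is None:
        raise ValueError("field not found: %s" % pattern)
    return conv(m.group(1))


def parse_ipsec_sa(text):
    """Extract proxy identities, traffic counters and ESP SPIs from one peer's output."""
    return {
        "local_ident":  _field(r"local ident[^:]*:\s*\(([^)]*)\)", text),
        "remote_ident": _field(r"remote ident[^:]*:\s*\(([^)]*)\)", text),
        "peer":         _field(r"current_peer:\s*([0-9.]+)", text),
        "encaps":       _field(r"#pkts encaps:\s*(\d+)", text, int),
        "decaps":       _field(r"#pkts decaps:\s*(\d+)", text, int),
        "send_errors":  _field(r"#send errors\s*(\d+)", text, int),
        "inbound_spi":  _field(r"inbound esp sas:\s*spi:\s*0x([0-9a-fA-F]+)", text).lower(),
        "outbound_spi": _field(r"outbound esp sas:\s*spi:\s*0x([0-9a-fA-F]+)", text).lower(),
    }


def diagnose(a, b):
    """Cross-check two peers' parsed output; return a list of findings (empty = healthy)."""
    findings = []
    # The crypto ACLs must mirror: A's local ident is B's remote ident and vice versa.
    mirrored = a["local_ident"] == b["remote_ident"] and a["remote_ident"] == b["local_ident"]
    # Each peer's outbound ESP SPI must be the other peer's inbound SPI.
    spis_agree = a["outbound_spi"] == b["inbound_spi"] and b["outbound_spi"] == a["inbound_spi"]
    if not mirrored:
        findings.append("proxy identities do not mirror each other: crypto ACLs disagree")
    if not spis_agree:
        findings.append("SPIs do not match crosswise: the peers hold different SAs")
    for name, side in (("A", a), ("B", b)):
        # encaps = packets this side encrypted and sent; decaps = received and decrypted.
        if side["encaps"] > 0 and side["decaps"] == 0:
            findings.append("%s sends %d ESP packets but receives none" % (name, side["encaps"]))
        if side["send_errors"]:
            findings.append("%s reports %d send errors" % (name, side["send_errors"]))
    if mirrored and spis_agree and a["encaps"] and b["encaps"] and not a["decaps"] and not b["decaps"]:
        findings.append("both sides send, neither receives, SPIs agree: "
                        "ESP is dropped in transit or on arrival, not mis-negotiated")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(PIX1), parse_ipsec_sa(PIX2)):
        print("-", line)
```

On the posted data it reports that both peers encrypt but neither decrypts while the proxy identities and SPIs agree, plus the 4873 send errors on PIX 1. That pattern says the SAs negotiated correctly and the ESP packets are being dropped in transit or on arrival, which narrows where to look next.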

In article , Fredrik wrote:
:I have problem to get a 2nd vpn tunnel from my pix to work.
:se info:
:I get the tunnel "online" and I can see that it uses the right
:access-list and so on, but I can't see any traffic through the tunnel.

Have you done a clear ipsec sa since you last modified the crypto map or the ACL that controls the tunnel? PIX 6.3 doesn't put tunnels fully into effect until you do the clear, even though it will *look* like it did (e.g., by forming security associations).

:the run ver 6.3.1

You should update that to 6.3(4)110 to avoid the known security problems. The update from 6.3(1) is free even if you have no support contract: search the Cisco web site for "PIX Security Advisories" for details.

Reply to
Walter Roberson

I have a client that has a PIX 501. Whenever I try to log on to the PIX from the web page I get nothing. Is there some secret to this firewall that I don't know?

Reply to
cptkirkh

Have you tried telnet?

Reply to
Jonathan Roberts

You haven't been clear on whether you are trying from inside or outside, and you haven't given any information about whether pdm was installed on the 501, whether the http server has been enabled, whether an RSA key has been generated for the 501 (and saved), nor about which Java release you are using.

Reply to
Walter Roberson
