VPN Not able to pass traffic.

I am configuring a VPN site 2 site tunnel.

my internal host----->cisco3550switch------>cisco 6506 switch------>cisco 3640 router------>My Pix 515e

------>internet------->Cisco Access Concentrator at remote vendor site.

I have configured the tunnel as such

isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400

isakmp key S3argent address 212.159.204.78 netmask 255.255.255.255

access-list to-phillips permit ip host local host ip remote host ip 255.255.252.0
access-list to-phillips permit ip host local host ip remote host ip 255.255.252.0
access-list to-phillips permit ip host local host ip remote host ip 255.255.252.0

crypto ipsec transform-set Phillips esp-3des esp-md5-hmac

crypto map partner-map 1 ipsec-isakmp
crypto map partner-map 1 match address to-phillips
crypto map partner-map 1 set peer 212.159.204.78
crypto map partner-map 1 set transform-set Phillips

crypto map partner-map interface outside

I have also added a route statement in the 3640: ip route 192.68.48.0 255.255.252 the local address to my pix. The 3640 knows that in order to get to the remote site it has to go through the pix.

From the pix I can ping the 3 machines on my LAN that the remote site is trying to get to.

The tunnel comes up but no data passes through it. I can not ping them and they cannot ping me.

For testing purposes I did add the line access-list to-phillips permit icmp any any, and we were unable to get it to pass traffic.

Do I need to add any kind of route statement in my pix to tell it that any traffic destined to the remote site needs to go through the VPN tunnel? How do I do that if I need to?

What am I missing? Help

Steven Johnson, Network Administrator, Brooks Memorial Hospital

Reply to
Newbie72
[CUT]

this route is not needed if the 3640 has a default to the PIX.

The rule above belongs to the ACL that specifies which kind of traffic must be encrypted. As you specified the IP protocol for the tunnel, the icmp is already included. You need to "move" that rule (changing the syntax accordingly) to the outside interface of the PIX, as if the remote LANs were connected directly to that interface.

Obviously icmp traffic permission must be enabled on the other side.

If you received traffic from that LAN and needed a specific route statement you would see a specific message ("No route to host") in your syslog messages.

Try to increase your level of encryption and hash as soon as you can.

Let us know if you are successful.

HTH, Alex.

Reply to
AM
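The posted crypto map, and Alex's advice to raise the cipher and hash, are the kind of thing a quick config audit catches before a conference call. The following script is an added example, not code from the thread or from Cisco: it parses PIX-style crypto-map lines, checks that the map's interesting-traffic ACL, the pre-shared key for the peer and the transform set are all defined and that the map is bound to an interface, and flags DES and MD5. The sample config is constructed, modelled on the one posted above; the host addresses in the ACL are placeholders.

```python
from collections import defaultdict

# Constructed sample, modelled on the thread's config (peer address as posted,
# local/remote hosts are placeholders).
SAMPLE_CONFIG = """
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 lifetime 86400
isakmp key S3argent address 212.159.204.78 netmask 255.255.255.255
access-list to-phillips permit ip host 10.0.0.5 192.68.48.0 255.255.252.0
crypto ipsec transform-set Phillips esp-3des esp-md5-hmac
crypto map partner-map 1 ipsec-isakmp
crypto map partner-map 1 match address to-phillips
crypto map partner-map 1 set peer 212.159.204.78
crypto map partner-map 1 set transform-set Phillips
crypto map partner-map interface outside
"""

WEAK = {"des", "md5", "esp-des", "esp-md5-hmac"}  # single DES and MD5 are obsolete

def audit_crypto_map(config):
    # Returns a list of findings; an empty list means the map is consistent.
    acls, tsets, keys, bound = set(), {}, set(), set()
    maps, findings = defaultdict(dict), []
    for line in config.strip().splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "access-list":
            acls.add(w[1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = w[4:]                 # name -> list of algorithms
        elif w[:2] == ["isakmp", "key"]:
            keys.add(w[4])                      # peer address the PSK is bound to
        elif w[:2] == ["isakmp", "policy"]:
            findings += [f"weak isakmp policy {w[2]}: {a}" for a in w[3:] if a in WEAK]
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            bound.add(w[2])
        elif w[:2] == ["crypto", "map"] and w[4] in ("match", "set"):
            maps[(w[2], w[3])][w[5]] = w[6]     # address / peer / transform-set -> value
    for (name, seq), e in maps.items():
        tag = f"{name} {seq}"
        if e.get("address") not in acls:
            findings.append(f"{tag}: interesting-traffic ACL {e.get('address')} not defined")
        if e.get("peer") not in keys:
            findings.append(f"{tag}: no isakmp key for peer {e.get('peer')}")
        ts = e.get("transform-set")
        if ts not in tsets:
            findings.append(f"{tag}: transform-set {ts} not defined")
        else:
            findings += [f"weak transform-set {ts}: {a}" for a in tsets[ts] if a in WEAK]
        if name not in bound:
            findings.append(f"{tag}: crypto map {name} not applied to an interface")
    return findings
```

On the posted config the only findings are the DES and MD5 choices; a mistyped ACL name, peer address or transform-set name shows up as its own line.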

> this route is not needed if the 3640 has a default to the PIX

There is a default route to the PIX in the 3640. I will clear that up.... Thanks.

> Try to increase your level of encryption and hash as soon as you can.

3des and md5 is not sufficient? What level of encryption should I be using?

ACL 80 appears to be the ACL that is defining interesting traffic in my config. I have added the statements and am awaiting to reschedule a con call with the vendor to see if we can get this thing up and running before I go out on vacation next week.

I will let you know Thank You.

Reply to
Newbie72

Issue resolved. Testing yesterday showed data flowing through the tunnel.

Reply to
Newbie72
