VPN - site to site

Here is my debug and config... it appears as if the tunnel is being set up but I cannot access the remote LAN. Any suggestions? TIA.

: Saved
:
PIX Version 6.3(5)
fixup protocol tftp 69
names
access-list 102 permit tcp any any eq www
access-list 102 permit icmp any any
access-list 102 permit icmp any any echo-reply
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.252.0
access-list 101 permit icmp any any
access-list NoNAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.252.0
ip address outside 1.1.1.1 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
global (outside) 1 1.1.4
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.123 1
sysopt connection permit-ipsec
crypto ipsec transform-set abcd1 esp-des esp-md5-hmac
crypto map map1 1 ipsec-isakmp
crypto map map1 1 match address 101
crypto map map1 1 set peer 4.4.4.4
crypto map map1 1 set transform-set abcd1
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 4.4.4.4 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
: end
pixfirewall(config)#
**********************************
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:4.4.4.4, dest:1.1.1.1 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:4.4.4.4, dest:1.1.1.1 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
  next-payload : 8
  type : 1
  protocol : 17
  port : 500
  length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:4.4.4.4, dest:1.1.1.1 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1581513484:a1bc04f4
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xa29c75de(2728162782) for SA from 4.4.4.4 to 1.1.1.1 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:4.4.4.4/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:4.4.4.4/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:4.4.4.4, dest:1.1.1.1 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
  spi 2728162782, message ID = 2387642870
ISAKMP (0): deleting spi 3732249762 message ID = 2713453812
return status is IKMP_NO_ERR_NO_TRANS
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 1.1.1.1, remote= 4.4.4.4,
  local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
  remote_proxy= 192.168.1.0/255.255.252.0/0/0 (type=4)

ISAKMP (0): beginning Quick Mode exchange, M-ID of 261357499:f93ffbb
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xb32cc8cf(3006056655) for SA from 4.4.4.4 to 1.1.1.1 for prot 3

crypto_isakmp_process_block:src:4.4.4.4, dest:1.1.1.1 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
  spi 3006056655, message ID = 776872853
ISAKMP (0): deleting spi 3486002355 message ID = 261357499
return status is IKMP_NO_ERR_NO_TRANS
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 1.1.1.1, remote= 4.4.4.4,
  local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
  remote_proxy= 192.168.1.0/255.255.252.0/0/0 (type=4)

pixfirewall(config)# show crypto isakmp sa
Total : 1
Embryonic : 0
        dst          src        state     pending   created
    4.4.4.4      1.1.1.1      QM_IDLE           0         0
pixfirewall(config)# show crypto isakmp sa
ISADB: reaper checking SA 0x34e025c, conn_ipsec sa

interface: outside
    Crypto map tag: map1, local addr. 1.1.1.1

   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
   current_peer: 4.4.4.4:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 4.4.4.4
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.252.0/0/0)
   current_peer: 4.4.4.4:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 4.4.4.4
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

**************************
Reply to
Ned

NAT-T !

(isakmp nat-t)

HTH Martin

Reply to
Martin Bilgrav
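
An added example, not part of the original thread: a Python script that reads PIX ISAKMP/IPsec debug text like that in the first post and reports how far the IKE negotiation got. The function name `triage`, the `SAMPLE` constant and the verdict strings are assumptions of this example; the notify type names come from RFC 2408 and RFC 2407.

```python
import re

# Notify message types: RFC 2408 sec. 3.14.1 and RFC 2407 sec. 4.6.3.
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
                24576: "RESPONDER-LIFETIME", 24578: "INITIAL-CONTACT"}
PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP"}   # IPsec DOI protocol IDs
RX_NOTIFY = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")

# Lines taken from the debug output in the first post, line-wrap breaks repaired.
SAMPLE = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1581513484:a1bc04f4
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 14 protocol 3
IPSEC(key_engine): request timer fired: count = 1,
ISAKMP (0): beginning Quick Mode exchange, M-ID of 261357499:f93ffbb
ISAKMP (0): processing NOTIFY payload 14 protocol 3
IPSEC(key_engine): request timer fired: count = 2,
"""

def triage(debug_text):
    """Report how far an IKEv1 negotiation got in PIX ISAKMP/IPsec debug text."""
    phase1_ok, qm_attempts, retries, errors = False, 0, 0, []
    for line in debug_text.splitlines():
        if "SA has been authenticated" in line:
            phase1_ok = True
        elif "beginning Quick Mode exchange" in line:
            qm_attempts += 1
        elif "request timer fired" in line:
            retries += 1
        m = RX_NOTIFY.search(line)
        if m:
            ntype, proto = int(m.group(1)), int(m.group(2))
            if ntype < 16384:  # below 16384 = error notify; 16384 and up = status
                errors.append((NOTIFY_NAMES.get(ntype, f"type-{ntype}"),
                               PROTOCOLS.get(proto, f"proto-{proto}")))
    if not phase1_ok:
        verdict = "phase 1 (Main Mode) did not complete"
    elif errors:
        name, proto = errors[-1]
        verdict = f"phase 1 OK; peer rejected phase 2 (Quick Mode): {name} for {proto}"
    elif qm_attempts:
        verdict = "phase 1 OK; no error notify received for phase 2"
    else:
        verdict = "phase 1 OK; Quick Mode not started"
    return {"phase1_ok": phase1_ok, "qm_attempts": qm_attempts,
            "retries": retries, "peer_errors": errors, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample it reports that Main Mode authenticated and that the peer answered both Quick Mode attempts with NO-PROPOSAL-CHOSEN for ESP, which is the point at which to compare the phase 2 settings (transform set and crypto ACL) configured on the two peers.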
