RE: [fw-wiz] Cisco Concentrator - pix515 Lan-to-Lan

From: Paul Melson (psmelson_at_comcast.net)
Date: 02/14/05

  • Next message: Mathew Want: "RE: [fw-wiz] PIX 501 inbound NAT problem"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 14 Feb 2005 16:10:44 -0500
    
    

    Two things come to mind right away. The first is that there is some sort of
    routing problem. Make sure that all necessary routers and hosts have a
    route that points 10.50.0.0/24 to the inside interface of the concentrator.
    The second is that - and this is something most people learn the hard way -
    the interface and tunnel filters on the VPN 3000 series are *NOT* stateful.
    If you want traffic to flow, it must be explicitly defined for both
    directions in all applicable filters.

    Also, if neither of these solve your problem, do you see any errors in the
    VPN 3000's log?

    PaulM

    -----Original Message-----
    Subject: [fw-wiz] Cisco Concentrator - pix515 Lan-to-Lan

    Hi list,

    I have a problem with configuring Lan-to-Lan on a VPN concentrator 3000 series
    on one side and a pix 515 on the other.

    Here it is:

    On central side there is network 10.50.0.0/24.
    There is one Lan-to-Lan that is working great with network 10.50.1.0/24. I
    copied the pix conf from this site (changed isakmp key, access-list, ...). The
    VPN tunnel can be established from either end. The SAs are established.

    If I ping from the central site (behind the concentrator) to my network behind
    the pix (10.50.5.0/24) I can see echo and echo-reply packets on my pix (debug
    icmp trace), and the number of packets encrypted and decrypted on the pix is
    incremented (sh crypto ipsec sa). So I guess that packets are coming from the
    tunnel and going back in?!

    But on the concentrator, if I go to Monitoring-Sessions, the session is
    established but there are only TX packets. RX packets is 0!

    What could be wrong? There are no error messages in the pix or concentrator
    log.

    Thanks for your help, Bye

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
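The filter behaviour Paul describes above, as an added example that is not part of the original thread or of any Cisco code: a tiny model of a stateless filter (the VPN 3000 interface/tunnel filter, where every direction must be listed explicitly) next to a stateful one, both run over a constructed ICMP echo / echo-reply exchange between a host behind the concentrator (10.50.0.10) and a host behind the PIX (10.50.5.10). The host addresses, rule names and the direction convention ("outbound" = into the tunnel from the concentrator's side, "inbound" = arriving from the tunnel) are assumptions of this example.

```python
"""Stateless vs. stateful filtering of a LAN-to-LAN ping exchange.

Added example, not code from the thread. It models why a VPN 3000
tunnel filter that only permits the outbound echo silently loses the
inbound echo-reply, and what a stateful filter would have done with
the same single rule. Addresses and rule layout are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "icmp", "tcp", "udp"
    kind: str        # "echo", "echo-reply", ... (informational only)
    direction: str   # "outbound" (into the tunnel) or "inbound" (from the tunnel)


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str       # protocol name or "any"
    direction: str   # a filter rule applies to exactly one direction
    action: str      # "forward" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction == pkt.direction
            and self.proto in (pkt.proto, "any")
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
        )


class StatelessFilter:
    """First matching rule wins; a packet matching no rule is dropped."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "drop"


class StatefulFilter(StatelessFilter):
    """Same rule set, but a forwarded packet opens a flow entry and the
    reverse-direction traffic of that flow is forwarded without a rule."""

    def __init__(self, rules):
        super().__init__(rules)
        self.flows = set()   # (src, dst, proto) of flows that were allowed

    def decide(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.src, pkt.proto) in self.flows:   # return traffic
            return "forward"
        action = super().decide(pkt)
        if action == "forward":
            self.flows.add((pkt.src, pkt.dst, pkt.proto))
        return action


def run_ping(filt: StatelessFilter) -> tuple:
    """Push one echo and its reply through filt; return both decisions."""
    echo = Packet("10.50.0.10", "10.50.5.10", "icmp", "echo", "outbound")
    reply = Packet("10.50.5.10", "10.50.0.10", "icmp", "echo-reply", "inbound")
    return filt.decide(echo), filt.decide(reply)


# Only the outbound echo is permitted: the mistake Paul says people learn the hard way.
ONE_WAY = [Rule("10.50.0.0/24", "10.50.5.0/24", "icmp", "outbound", "forward")]

# Both directions listed explicitly, which is what a non-stateful filter needs.
BOTH_WAYS = ONE_WAY + [Rule("10.50.5.0/24", "10.50.0.0/24", "icmp", "inbound", "forward")]

if __name__ == "__main__":
    print("stateless, outbound rule only:", run_ping(StatelessFilter(ONE_WAY)))
    print("stateless, both directions   :", run_ping(StatelessFilter(BOTH_WAYS)))
    print("stateful,  outbound rule only:", run_ping(StatefulFilter(ONE_WAY)))
```

With only the outbound rule, the stateless filter forwards the echo and drops the reply, which is exactly what an RX counter stuck at 0 on the concentrator side looks like while the far end still shows the reply leaving; adding the explicit inbound rule, or a stateful filter, forwards both.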

