PIX VPN problem!

Similar Questions

• ping for the pix vpn problem

  Hello

  I got a pix 501 (6.3 - 4) on a local network and try to use Cisco VPN Client (4.0.2-D) on a remote pc.

  I can open a vpn session.

  I can't ping from the remote pc to the LAN

  I can ping from any station on the LAN to the remote pc

  After that I did a ping of a station on the LAN to the remote pc, I ping the remote computer to the local network.

  I am so newb, trying for 2 days changing ACLs, no way.

  I must say that I am in dynamic ip wan on the local network and the remote pc.

  Any idea about this problem?

  Any help is welcome.

  Here is the configuration of my pix:

  6.3 (4) version PIX

  interface ethernet0 10baset

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  activate the password * encrypted

  passwd * encrypted

  pixfirewall hostname

  domain ciscopix.com

  clock timezone THATS 1

  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  correction... /...

  fixup protocol tftp 69

  names of

  name 192.168.42.0 Dmi

  inside_access_in ip access list allow a whole

  inside_outbound_nat0_acl ip access list allow any 192.168.229.0 255.255.255.0

  outside_cryptomap_dyn_20 ip access list Dmi 255.255.255.0 allow 192.168.229.32 255.255.255.224

  access-list outside_cryptomap_dyn_20 allow icmp a whole

  pager lines 24

  opening of session

  logging trap information

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside the 209.x.x.x.255.255.224

  IP address inside 192.168.42.40 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool dmivpndhcp 192.168.229.1 - 192.168.229.254

  location of PDM 192.168.229.1 255.255.255.255 outside

  209.165.x.x.x.255.255 PDM location inside

  209.x.x.x.255.255.255 PDM location outdoors

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) 0-list of access inside_outbound_nat0_acl

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Route outside 0.0.0.0 0.0.0.0 209.165.200.225 1

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  Dmi 255.255.255.0 inside http

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  TFTP server inside the 192.168.42.100.

  enable floodguard

  Permitted connection ipsec sysopt

  AUTH-prompt quick pass

  AUTH-guest accept good

  AUTH-prompt bad rejection

  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

  Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA

  Dynamic crypto map dynmap 20 match address outside_cryptomap_dyn_20

  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 20

  ISAKMP policy 20 3des encryption

  ISAKMP policy 20 chopping sha

  20 2 ISAKMP policy group

  ISAKMP duration strategy of life 20 86400

  vpngroup address dmivpndhcp pool dmivpn

  vpngroup dns 192.168.42.20 Server dmivpn

  vpngroup dmivpn wins server - 192.168.42.20

  vpngroup dmivpn by default-field defi.local

  vpngroup idle 1800 dmivpn-time

  vpngroup password dmivpn *.

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN username vpnuser password *.

  VPDN allow outside

  VPDN allow inside

  dhcpd address 192.168.42.41 - 192.168.42.72 inside

  dhcpd lease 3600

  dhcpd ping_timeout 750

  Terminal width 80

  Cryptochecksum: *.

  Noelle,

  Add the command: (in config mode): isakmp nat-traversal

  Let me know if it helps.

  Jay

• Site to Site PIX VPN problems

  Hi, I currently have a site to site vpn upward and running and it works fine. I try to put the other two online and just cannot make them work. I used the same configuration of one operation but I cannot get the next tunnel. I saw several errors when debugging isakmp and ipsec and they are at the end of my configs. Anyone have any ideas? Thank you

  Main site - a vpn clients connecting too it and pt to pt vpn to 3 endpoints

  Cisco PIX Firewall Version 6.3 (3)

  * Main Site Config *.

  client_vpn 10.10.0.0 ip access list allow 255.255.0.0 192.168.0.0 255.255.255.0

  VPN_to_Site2 10.10.0.0 ip access list allow 255.255.0.0 192.168.0.0 255.255.255.0

  NAT (inside) 0-list of access client_vpn

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp-3des esp-md5-hmac fws_encry_set

  outside_map 60 ipsec-isakmp crypto map

  address for correspondence card crypto outside_map 60 VPN_to_Site2

  crypto outside_map 60 peer 64.X.X.19 card game

  card crypto outside_map 60 transform-set fws_encry_set

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address 64.X.X.19 netmask 255.255.255.255 No.-xauth-no-config-mode

  ISAKMP identity address

  ISAKMP nat-traversal 20

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 3des encryption

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  Site 2 config

  * only because the pt to pt does not work I have it set up to allow vpn clients to cross to connect to the main site.

  Cisco PIX Firewall Version 6.3 (5) *.

  permit access ip 192.168.0.0 list VPN_to_Main 255.255.255.0 10.10.0.0 255.255.0.0

  NAT (inside) 0-list of access VPN_to_Main

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp-3des esp-md5-hmac fws_encry_set

  outside_map 10 ipsec-isakmp crypto map

  outside_map card crypto 10 corresponds to the address VPN_to_Main

  crypto outside_map 10 peer 207.X.X.13 card game

  card crypto outside_map 10 transform-set fws_encry_set

  outside_map interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address 207.X.X.13 netmask 255.255.255.255 No.-xauth-no-config-mode

  ISAKMP identity address

  ISAKMP nat-traversal 20

  part of pre authentication ISAKMP policy 10

  ISAKMP policy 10 3des encryption

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  Errors

  PIX (config) # IPSEC (sa_initiate): ACL = deny; No its created

  authenticator is HMAC-MD5IPSEC (validate_proposal): invalid local address

  I have a link that works very well. I have copied the config from there, changed the ip info and it does not work. The only differences in the configs are no sysopt route dnat and it's on Version 6.2 (2)

  IPSec (sa_initiate): ACL = deny; No its created

  I think that you have configured a VPN tunnel without removing the cryptographic card of the external interface. The message above is the error we get in such situation.

  I suggest the following solution:

  -remove the external interface (the two pix) cryptographic card

  -Cree claire isa his and trendy clear ipsec his (the two pix)

  -Reapply the card encryption on external interfaces.

  If this doesn't solve the problem, restart the equipment.

  Kind regards

  Ajit

• Simple PIX PIX VPN issues

  I'm trying to implement a simple PIX PIX VPN using the simple PIX - PIX VPN documentation for the sample config page. I have a lot of VPN tunnels with other very happy other PIX devices so it's quite annoying. Anyway, on the source PIX config is as follows:-

  access-list 101 permit ip 172.18.138.0 255.255.255.0 172.18.133.0 255.255.255.0

  access-list 101 permit ip 172.18.133.0 255.255.255.0 172.18.138.0 255.255.255.0

  NAT (phoenix_private) 0-access list 101

  Permitted connection ipsec sysopt

  No sysopt route dnat

  Crypto ipsec transform-set esp - esp-md5-hmac chevelle

  ntlink 1 ipsec-isakmp crypto map

  1 ipsec-isakmp crypto map TransAm

  correspondence address 1 card crypto transam 101

  card crypto transam 1 set peer 172.18.126.233

  card crypto transam 1 transform-set chevelle

  interface inside crypto map transam

  ISAKMP allows inside

  ISAKMP key * address 172.18.126.233 netmask 255.255.255.255

  ISAKMP identity address

  part of pre authentication ISAKMP policy 1

  of ISAKMP policy 1 encryption

  ISAKMP policy 1 md5 hash

  1 1 ISAKMP policy group

  ISAKMP policy 1 lifetime 1000

  and if I generate the traffic logs show this: -.

  9 August 18:40:15 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

  9 August 18:40:17 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

  9 August 18:40:18 10.60.6.247% PIX-3-305005: no group of translation not found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

  9 August 18:40:18 10.60.6.247% PIX-3-305005: no translation not found for icmp src phoenix_private:172.18.138.111 dst domestic group: 172.18.133.51 (type 8, code 0)

  9 August 18:40:19 10.60.6.247% PIX-3-305005: no group of translation not found for udp src phoenix_private:172.18.138.111/3832 dst inside:172.18.133.51/53

  No isakmp and ipsec debugging message appears, but you who wait that the PIX does not even link the traffic with the access list or a NAT.

  I do something obviously stupid, can someone tell me what it is, thank you.

  Jon.

  Hello

  1. you create a second access as list:

  outside_cryptomap ip 172.18.138.0 access list allow 255.255.255.0 172.18.133.0 255.255.255.0

  and

  2. instead of

  correspondence address 1 card crypto transam 101

  You must configure

  card crypto transam 1 match address outside_cryptomap

  the problem is that you configure an ACL for nat and crypto - that does not work

  concerning

  Alex

• With PAT on Cisco PIX VPN client

  Dear all,

  I have a PIX 515 to the main site with the IPSec security is enabled. Homepage user using 3.x VPN client connects to the PIX for VPN access. When user Home use real IP, I can ping to the local network of the main site. However, when the Home user using a router with PAT, the VPN can be established.

  Is there a setting I should put on PIX, VPN client or router?

  Thank you.

  Doug

  And if you still have problems, upgrade your pix, 6.3 and usage:

  ISAKMP nat-traversal

  But the first thing would be to check the IPSEC passthrough as Ade suggested. If the device is a linksys check the version of the firmware as well.

  Kind regards

• Cisco VPN problems after installing the 506e

  My apologies if this makes no sense, because it is my 1st install of a PIX.

  I distance support external sites and had a Cisco VPN 4.6.00.49 connection through our Linksys router for access, company which worked a treat. We asked to have VPN access to our society, so I replaced the Linksys with a 506th PIX. I ran the Wizards(Yes I heard the gasps from 90% of you then) GUI access Internet out worked, came from e-mail in Exchange server and external users could vpn in our internal network. Great, I thought!

  BUT NOW

  I have a problem with coming out through the 506th pix VPN.

  My client connects to the external site. Authenticates the Logni & assigns a valid IP address. Unfortunately I couldn't make a ping, rdp or anything with the remote network.

  Thanks in advance

  Paul

  Paul

  Sorry, I wasn't clear on my post - that the order was necessary on the remote device. In any case I'm glad to hear his work.

• On Pix VPN tunnel to the same subnet

  I have a customer who want to set up a the PIX VPN tunnel located on each site. For some reason, each side has the same subnet number, for example. 10.10.10.x/32. I'm sure we must run NAT, but is it possible.

  This can help

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00800949f1.shtml

• VPN clients cannot access remote sites - PIX, routing problem?

  I have a problem with routing to remote from our company websites when users connect via their VPN client remotely (i.e. for home workers)

  Our headquarters contains a PIX 515E firewall. A number of remote sites to connect (via ADSL) to head office using IPSEC tunnels, ending the PIX.

  Behind the PIX is a router 7206 with connections to the seat of LANs and connections to a number of ISDN connected remote sites. The default route on 7206 points to the PIX from traffic firewall which sits to ADSL connected remote sites through the PIX. Internal traffic for LAN and ISDN connected sites is done via the 7206.

  Very good and works very well.

  When a user connects remotely using their VPN client (connection is interrupted on the PIX) so that they get an IP address from the pool configured on the PIX and they can access resources located on local networks to the office with no problems.

  However, the problem arises when a remote user wants access to a server located in one of the remote sites ADSL connected - it is impossible to access all these sites.

  On the remote site routers, I configured the access lists to allow access from the pool of IP addresses used by the PIX. But it made no difference. I think that the problem may be the routes configured on the PIX itself, but I don't know what is necessary to solve this problem.

  Does anyone have suggestions on what needs to be done to allow access to remote sites for users connected remotely via VPN?

  (Note: I suggested a workaround, users can use a server on LAN headquarters as a "jump point" to connect to remote servers from there)

  with pix v6, no traffic is allowed to redirect to the same interface.

  for example, a remote user initiates an rdp session for one of the barns adsl. PIX decrypts the packet coming from the external interface and looks at the destination. because the destination is one of adsl sites, pix will have to return traffic to the external interface. Unfortunately, pix v6.x has a limitation that would force the pix to drop the packet.

  with the v7, this restriction has been removed with the "same-security-traffic control intra-interface permits".

  http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

• pix 501 vpn problem

  Can connect, I see not all network resources.

  The Vpn Client, worm: 5.0.01, is running on an xp machine.

  It connects to the network is behind a 6.3 (5) pix501-worm.

  When the connection is established the remote client gets an address assigned to the pool 192.168.2.10 vpn - 192.168.2.25:

  The vpn client log shows:

  Line: 45 18:07:27.898 12/08/09 Sev = Info/4 CM / 0 x 63100034

  The virtual card has been activated:

  IP=192.168.2.10/255.255.255.0

  DNS = 0.0.0.0 0.0.0.0

  WINS = 0.0.0.0 0.0.0.0

  Area =

  Split = DNS names

  It is followed by these lines:

  46 18:07:27.968 12/08/09 Sev = WARNING/2 CVPND/0xE3400013

  AddRoute cannot add a route: code 87

  Destination 192.168.1.255

  Subnet mask 255.255.255.255

  Gateway 192.168.2.1

  Interface 192.168.2.10

  47 18:07:27.968 12/08/09 Sev = WARNING/2 CM/0xA3100024

  Failed to add the route. Network: c0a801ff, subnet mask: ffffffff, Interface: c0a8020a Gateway: c0a80201.

  48 18:07:28.178 12/08/09 Sev = Info/4 CM / 0 x 63100038

  Were saved successfully road to file changes.

  49 18:07:28.198 12/08/09 Sev = Info/6 CM / 0 x 63100036

  The routing table has been updated for the virtual card

  50 18:07:29.760 12/08/09 Sev = Info/4 CM/0x6310001A

  A secure connection established

  * ...

  I can ping the remote client, on an inside ip behind the same pix

  When I get the 'route add failure' above, but I cannot ping the computer name.

  I activated traversal of NAT using the PDM, but when I connect with this option, I get the error that the "remote endpoint is NOT behind a NAT device this end is behind a NAT device" and ping fails.

  Behind the pix are a few computers with no central server, so I'm failed a WINS server for remote clients.

  I created the vpn with the wizard.

  The configuration file is attached.

  Any suggestion would be appreciated.

  Kind regards

  Hugh

  Hugh, sure you can classify based on the whole conversation, but you don't have to do but be certainly provide assessments.

  To sum up the shrinking global problems, the main objective was to ensure configuration VPN RA on the PIX501 has been corrected.

  1. we have enabled NAT - T on the firewall - even if it wasn't the question, but need it either it should you RA other places - travseral NAT VPN sensitizes the firewall on the other ends NAT devices - here is some good information on NAT - T for reference in the future

  http://www.Microsoft.com/technet/community/columns/cableguy/cg0802.mspx

  2. we fixed the VPN-POOL/28 network as well as the access list and acl to be coherent crypto sheep.

  Here is a link for future reference with many PIX configuration scenarios

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/prod_configuration_examples_list.html

  Finally, your only question remaining, we can say is purely isolated with the customer software vpn and MAC machine.

  You could maybe try a different version of the client in the MAC, or also look at the release notes for the open caveats to avoid cisco cleint managing versions and MAC versions if there are problems.

  http://www.Cisco.com/en/us/products/sw/secursw/ps2308/prod_release_notes_list.html

  Concerning

• Cisco Pix 515 VPN problems

  Hi all

  Here's my problem, I have 2 PIX 515 firewall...

  I'm trying to implement a VPN site-to site between 2 of our websites...

  Two of these firewalls currently run another site to site VPN so I know who works...

  I can't do the second site to the site to launch the VPN... when looking on the syslogs I get refused packages...

  Protected networks are:

  172.16.48.0/24 and 172.16.4.0/22

  If I try to ping from the Cisco (172.16.48.4) to 172.16.4.5, I get the following syslog:

  2 sep 02 2008 08:59:47 106001 172.16.48.4 172.16.4.5 incoming TCP connection doesn't deny from 172.16.48.4/1231 to 172.16.4.5/135 SYN flags on the interface inside

  It seems that the tunnel is trying to initiate, but something is blocking the internal traffic to penetrate through the VPN.

  Don't know what that might be, the other VPN are working properly.

  Any help would be great...

  I enclose a copy of one of the configs...

  Let me know if you need another...

  no road inside 172.16.4.0 255.255.252.0 172.16.48.1 1

  Remove this path should you get. Please rate if it does. Similarly, if you have a road similar to the other end, it should be deleted as well.

• VPN to PIX access problem.

  I set up PPTP VPN on PIX 515 access with unrestricted license for Windows-based computers. I can connect but I'm unable to access all the resources on the network. I suspect this has something to access the list, but I don't know where to start. Here's the relevant part of the PIX config:

  access-list all-traffic ip to allow a whole

  access-list 100 permit icmp any any echo response

  access-list 100 permit icmp any one time exceed

  access-list 100 permit everything all unreachable icmp

  .

  IP address outside x.x.x.130 255.255.255.252

  IP address inside 192.168.254.1 255.255.255.0

  IP address x.x.x.97 255.255.255.224 DMZ1

  address IP DMZ2 192.168.251.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool vpnpool 192.168.254.201 - 192.168.254.254

  .

  Global (outside) 1 x.x.x.65 - x.x.x.93 netmask 255.255.255.224

  Global (outside) 1 x.x.x.94 netmask 255.255.255.224

  NAT (inside) 1 access-list all-traffic 0 0

  (DMZ1) 1 access-list all-traffic NAT 0 0

  Access-group 100 in external interface

  Route outside 0.0.0.0 0.0.0.0 x.x.x.129 1

  .

  Sysopt connection permit-pptp

  Telnet 192.168.254.0 255.255.255.0 inside

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  VPDN Group 1 accept dialin pptp

  PAP VPDN Group 1 ppp authentication

  VPDN Group 1 chap for ppp authentication

  VPDN Group 1 ppp authentication mschap

  VPDN group ppp 1 encryption mppe auto

  VPDN Group 1 client configuration address local vpnpool

  VPDN Group 1 pptp echo 60

  VPDN Group 1 client authentication local

  VPDN username * password *.

  VPDN allow outside

  dhcpd address 192.168.254.100 - 192.168.254.200 inside

  dhcpd dns x.x.x.131 x.x.x.200

  dhcpd rental 86400

  dhcpd ping_timeout 750

  dhcpd allow inside

  Looks like you forgot to add a "nat 0" defines that there are no PAT beween your local inside network and the PPTP DHCP pool.

  PPTP pool must be different from the inside pool otherwise it is not routable correctly.

  no ip local pool vpnpool 192.168.254.201 - 192.168.254.254

  # Choose a new network PPTP pool that is not in use

  example of dansMon # is 192.168.1.0/24

  IP local pool vpnpool 192.168.1.1 - 192.168.1.254

  access-list 101 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0

  (Inside) NAT 0-list of access 101

  See this site for more information:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080143a5d.shtml

  http://www.Cisco.com/pcgi-bin/support/browse/psp_view.pl?p=hardware:PIX & s = Software_Configuration

  see PPTP

  sincerely

  Patrick

• VPN connection between two pix firewall problems

  Hi, trying to create a VPN between the firewall two pix a 501 and a 506e.

  currently on the 506th pdm shows 1 IKE tunnel in the stats, but it displays then return to zero. The two hosts of pix can access the web and ping each other gateways.

  I posted the 506th config but the 501 config is the same.

  outside IP for pix 506th = a.a.a.a

  outside IP for pix 501 = b.b.b.b

  Internet service provider ip of the gateway to 506th = x.x.x.x

  Thank you

  Alex

  Hi Alex

  See the configuration on the other side (PIX501) it will be difficult to solve, you'll need to be sure when it is a phase failure 1 or phase 2.

  Please note between the two PIX IPSec negotiation fails if both of the phases SAs IKE do not match on the peers.

  Cordially MJ

• VPN problem persists

  Hi, I implemented a project some time back which went something like this: a Headquarters site where a PIX515E is installed with a public static IP on its external interface. Three remote sites, each with connecting to the internet through 837 routers ADSL with a dynamic public IP address. I configured the firewall and routers for EzVPN (router is configured in client mode) and the VPN tunnel rises and it works fine. Of course, when there is no interesting traffic through the tunnel and the idle timer on the PIX expires, the tunnel down. It is also very good. The problem is once the tunnel breaks down, it is again automatically when interesting traffic passes through the router (which is assumed). I use the console and ran the debugging on one of the routers and noticed that once the tunnel descends and the router tries to bring it up again, it gives the message:

  "Key pair for this"XXX. " XX. XX. Mask XX/XX"already exists." Then, when I give the command "clear crypto isakmp his ', the tunnel rises immediately. I already posted this question before (link:http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd6e4b2). Maybe she has something to do with the Dead Peer Detection on the PIX and the router system. In any case, I have configured the following command on the router and PIX:

  ISAKMP crypto keepalive 2 10

  but still it does not solve the problem. The router's IOS version 12.3 (2) XC2 and the PIX OS version 6.3 a (3). Also im attaching the PIX and router config for this post. What else can be done to solve the problem?

  I replied to your last message.

  As I said, you must at least 12.3.7 so that it works correctly.

  "You must at least 12.3 (7) T for Dead Peer Detection work and send KeepAlive interval you want.

  ISAKMP crypto keepalive [interval] [dry til counted dead] periodical

  for example,.

  "isakmp crypto 15 5 keepalive periodicals.

  the key word is "periodic" is not available until 12.3.7 or later.

  ISAKMP crypto keepalive 2 10

  without periodic does nothing, you need periodic KeepAlive.

  ISAKMP crypto keepalive 2 10 periodicals

  will maintain the tunnel and head of network device know if/when it falls. It should be applied to the router and the PIX in your situation.

  I worked through this issue before with IOS EzVPN (12.3 (11) T) to PIX (6.3 (3)) and IOS EzVPN hub VPN3000 (4.1) of the basic VPN

  also... http://www.Cisco.com/en/us/products/SW/iosswrel/ps5207/products_feature_guide09186a00801ee19a.html

• IP Sec VPN problem

  All, Hy

  I have a problem with IPSec VPN established between a PIX 515e and a Nortel contivity 1010. I do the configuration of the tunnel on both sides and it works correctly, but I can't do the communication between the two LANs.

  In the PIX log, I show this:

  2010-03-18 08:57:52 Local7.info 172.17.1.250 : 18 Mar 08:57:52 WEST: % PIX-6-602302: SA deletion, (his) sa_dest = 62.48.238.3, sa_prot = 50, sa_spi = 0x3fcc692a (1070360874) sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 4

  2010-03-18 08:57:52 Local7.info 172.17.1.250 : 18 Mar 08:57:52 WEST: % PIX-6-602302: SA deletion, (his) sa_dest = 213.223.214.52, sa_prot = 50, sa_spi = 0x1f7f65 (2064229), esp-3des esp-sha-hmac = sa_trans, sa_conn_id = 3

  This line is delivered every 2 minutes... Is it possible that it may be causing my problem? and what is that message?

  I show you my pix configuration:

  For me, this configuration is fine, but it's not work very well!

  Can you help me please?

  Kind regards

  In fact, it corresponds to the following:

  local ident (addr, mask, prot, port): (AENOR_ALL/255.255.0.0/0/0)

  Remote ident (addr, mask, prot, port): (192.168.9.0/255.255.255.0/0/0)

  current_peer: 213.223.214.52:500

  LICENCE, flags is {origin_is_acl},

  #pkts program: 0, #pkts encrypt: 0, #pkts 0 digest

  #pkts decaps: 60, #pkts decrypt: 60, #pkts check 60

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0, #pkts decompress failed: 0

  Errors #send 0, #recv 0 errors

  So the packets are received and décapsulés, however, no response to be encapsulated.

  Please set 'error fixup protocol icmp' for the icmp inspection.

  Please check on the 172.17.1.7 the host itself to see if the default gateway is configured to be 172.17.1.250, and the host has no other specific channels configured. If it is a windows host, you can check "route print" at the DOS prompt.

  Please also check if it allows the incoming RDP session? Are you able to RDP from in-house?

  Are you able to Telnet on port 3389, from the DOS command prompt (telnet 172.17.1.7 3389)? What have you found?

• ASA at PIX VPN - routing

  Hi all, I built a site 2 site between an ASA 5510 and a PIX IPsec tunnel.  The tunnel is up, and most of the time the traffic flow between source and destination LANs as planned. The problem is that we need the ASA to send syslog messages in the VPN tunnel to a syslog on PIX site server.  If I get a router on the ASA website, I ping the site of PIX syslog server.   The following statement is in the ASA:

  Route out of pix.net.addr sub.net.mask next.hop

  But in the journal of the ASA, I see messages "Routing failed" for the traffic of the SAA on the syslog server.

  April 8, 2010 08:32:01 ASA5510: % ASA-6-110003: routing could not locate the next hop for icmp NP identity Ifc:10.xx.x.xx/0 to inside:172.xx.x.xx/0

  Any thoughts?

  Thank you

  Robert

  Hello

  Public IP address of the ASA must be in interesting for this tunnel traffic (since it's the INVESTIGATION period where newspapers are going to be sent from).

  Also, the IP address of the syslog server must be in the interesting traffic.

  In other words, you should be able to PING from the ASA to syslog (through the tunnel) server.

  Federico.