VPN between a PIX and a VPN 3000

I'm trying to set up a VPN between PIX and a VPN 3000. All configurations are complete, but the tunnel has not been established. On the PIX, to 'see the crypto engine' and ' show isakmp his ' orders, I do not see the tunnel. Of "show ipsec his ' command, I can see the mistakes"#send"continues to increase when I try to connect to the remote network. Here is the copy - paste command:

Tag crypto map: myvpnmap, local addr. 10.70.24.2

local ident (addr, mask, prot, port): (10.70.24.128/255.255.255.128/0/0)

Remote ident (addr, mask, prot, port): (10.96.0.0/255.224.0.0/0/0)

current_peer: 10.70.16.5:0

LICENCE, flags is {origin_is_acl},

#pkts program: encrypt 0, #pkts: 0, #pkts 0 digest

#pkts decaps: 0, #pkts decrypt: 0, #pkts check 0

compressed #pkts: 0, unzipped #pkts: 0

#pkts uncompressed: 0, #pkts compr. has failed: 0, #pkts decompress failed:

#send 12, #recv errors 0

local crypto endpt. : 10.70.24.2, remote Start crypto. : 10.70.16.5

Path mtu 1500, fresh ipsec generals 0, media, mtu 1500

current outbound SPI: 0

SAS of the esp on arrival:

the arrival ah sas:

SAS of the CFP on arrival:

outgoing esp sas:

outgoing ah sas:

outgoing CFP sas:

Obviously, the PIX identifies protected traffic but failed to establish the tunnel. I was wondering what could be the reason for these kind of mistakes? That means them growing '#send errors?

Thank you very much!

Sending error mean simply the PIX is grateful to encrypt this traffic, but there is no built tunnel and so it must drop the package.

you will need to look at why the tunnel is not under construction however, "sending error" are just a byproduct of some other configuration issue. On the PIX, it looks like you would have something like:

Crypto ip 10.70.24.128 access list allow 255.255.255.128 10.96.0.0 255.224.0.0

On the 3000 under the L2L section and the Local and remote network, you need the exact opposite of the latter, then it would be:

/ Local network mask = 10.96.0.0/0.31.255.255

/ Remote network mask = 10.70.24.128/0.0.0.127

If you have something else the tunnel will fail to come. Otherwise, we see that the Cryptography debugs the PIX and the trunk of the 3000 when the tunnel is built.

Tags: Cisco Security

Similar Questions

  • break the link between the pix and sound

    Ugh I still don't know how to break the link between the pix and the sound in the timeline then of

    the sound and image are together. I know it of easy but have not yet found the way.

    Thank you everyone.

    Right-click on the clip and click 'Remove link' If you just want do temporarily, ALT click on the clip.

  • Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

    Hi all!

    Have a strange problem with one of our tunnel ipsec for one of our customers, we can open the tunnel of the customers of the site, but not from our site, don't understand what's wrong, if it would be a configuration problem should can we not all up the tunnel.

    On our side as initiator:

    Jan 14 13:53:26 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (initiator), 2.2.2.2/500 remotely, authentication = pre-action, encryption = 3DES-CBC, hash = SHA, group = 2, life = 86400 s)

    Jan 14 13:53:26 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254% PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:26 172.27.1.254% PIX-6-602203: ISAKMP disconnected session (local 1.1.1.1 (initiator), remote 2.2.2.2)

    Jan 14 13:53:56 172.27.1.254% PIX-7-702303: sa_request, CBC (MSG key in English) = 1.1.1.1, dest = 2.2.2.2, src_proxy = 172.27.1.10/255.255.255.255/0/0 (type = 1), dest_proxy = 192.168.100.18/255.255.255.255/0/0 (type = 1), Protocol is ESP transform = lifedur hmac-sha-esp, esp-3des 28800 = s and 4608000 Ko, spi = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 4004

    The site of the customer like an answering machine:

    14 jan 11:58:23 172.27.1.254% PIX-7-702208: ISAKMP Phase 1 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

    14 jan 11:58:23 172.27.1.254% PIX-7-702210: Exchange of ISAKMP Phase 1 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

    14 jan 11:58:23 172.27.1.254% 6-PIX-602202: ISAKMP connected session (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

    14 jan 11:58:23 172.27.1.254% PIX-6-602201: Phase 1 ISAKMP Security Association created (local 1.1.1.1/500 (answering machine), distance 2.2.2.2/500, authentication = pre-action, encryption = 3DES-CBC, hash = MD5, group = 1, life = 86400 s)

    14 jan 11:58:23 172.27.1.254% PIX-7-702209: ISAKMP Phase 2 Exchange started (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

    14 jan 11:58:23 172.27.1.254% PIX-6-602301: its created, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645) sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 116

    14 jan 11:58:23 172.27.1.254% PIX-7-702211: Exchange of ISAKMP Phase 2 is complete (local 1.1.1.1 (answering machine), 2.2.2.2 remote)

    Jan 14 12:28:54 172.27.1.254% PIX-6-602302: SA deletion, (his) sa_dest = 2.2.2.2, sa_prot = 50, sa_spi = 0x9de820bd (2649235645), sa_trans = esp-3desesp-sha-hmac, sa_conn_id = 116

    Kind regards

    Johan

    From my experience when a tunnel is launched on one side, but it is not on the other hand, that the problem is with an inconsistency of the isakmp and ipsec policies, mainly as ipsec policies change sets and corresponding address with ASA platform when a tunnel is not a statically defined encryption card he sometimes use the dynamic tag to allocate this vpn connection. To check if this is the case go ahead and make a "crypto ipsec to show his" when the tunnel is active on both sides, see on the SAA if the corresponding tunnel is the static encryption card set or if it presents the dynamic encryption card.

    I advise you to go to the settings on both sides and ensure that they are both in the opposite direction.

  • PIX and ASA static, dynamic and RA VPN does not

    Hello

    I am facing a very interesting problem between a PIX 515 and an ASA 5510.

    The PIX is in HQ and has several dynamic VPN connections (around 130) and IPsec vpn remote works very well. I had to add a PIX to ASA L2L VPN static and it does not work as it is supposed to be. The ASA 5510, at the remote end, connects and rest for a small period of time, however, all other VPN connections stop working.

    The most interesting thing is that ASA is associated with the dynamic map and not the static map that I created (check by sh crypto ipsec his counterpart x.x.x.x). However, if I make any changes in the ACL 'ACL-Remote' it affects the tunnel between the PIX and ASA.

    Someone saw something like that?

    Here is more detailed information:

    HQ - IOS 8.0 (3) - PIX 515

    ASA 5510 - IOS 7.2 (3) - remote provider

    Several Huawei and Cisco routers dynamically connected via ADSL

    Several users remote access IPsec

    A VPN site-to site static between PIX and ASA - does not.

    Here is the config on the PIX:

    Crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac

    Dyn - VPN game 100 Dynamics-card crypto transform-set ESP-3DES-ESP-SHA-HMAC-IPSec

    Crypto dynamic-map Dyn - VPN 100 the value reverse-road

    VPN - card 30 crypto card matches the ACL address / remote

    card crypto VPN-card 30 peers set 20 x. XX. XX. XX

    card crypto VPN-card 30 the transform-set ESP-3DES-ESP-SHA-HMAC-IPSec value

    VPN crypto card - 100 - isakmp dynamic Dyn - VPN ipsec

    interface card crypto VPN-card outside

    crypto ISAKMP allow outside

    crypto ISAKMP policy 10

    preshared authentication

    3des encryption

    md5 hash

    Group 2

    life 86400

    crypto ISAKMP policy 65535

    preshared authentication

    3des encryption

    sha hash

    Group 2

    life 86400

    access list ACL-remote ext ip 10.0.0.0 allow 255.255.255.0 192.168.1.0 255.255.255.0

    Thank you.

    Marcelo Pinheiro

    The problem is that the ASA has a crypto acl defined between host and network, while the remote end has to the network.

    Make sure that the acl is reversed.

  • Problems with VPN between Cisco PIX 6.3.3 and VPN 3000 Concentrator

    Hi guys,.

    I hope this is the right place and that someone has encountered this before I don't have much hair left to offset - I'm trying to set up a tunnel between our Pix 6.3.3 performer and a customer using a VPN3000.

    The customer wants us to be able to do checkups on a device without allowing anything to of our range of addresses network side private, just one public IP address.  We currently run a VPN to our recovery site to allow off-site replication, but the ACL on the other end of this VPN * does * allow the configuration that we had for our private network side, so traffic was not useful at that.  Here is a screenshot of what I tried:

    ethernet0 nameif outside security0
    nameif ethernet1 inside the security100
    nameif ethernet2 dmz1 security50

    name 172.16.1.48 Cust_DVR1

    permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 255.255.255.255 Cust_DVR1

    permit 192.168.1.0 ip access list outside_cryptomap_30 255.255.255.0 255.255.255.255 Cust_DVR1

    IP outside X.Y.Z.227 255.255.255.224
    IP address inside 192.168.1.1 255.255.255.0

    location of PDM Cust_DVR1 255.255.255.255 outside

    Global 1 X.Y.Z.230 (outside)
    Global (dmz1) 1 interface
    NAT (inside) 0-list of access inside_outbound_nat0_acl
    NAT (inside) 1 192.168.1.0 255.255.255.0 0 0

    Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

    outside_map 30 ipsec-isakmp crypto map

    outside_map 30 peer A.B.C.D crypto card game<--- (public="" ip="" of="" customer="">

    card crypto outside_map 30 match address centura_map_30

    card crypto outside_map 30 the transform-set ESP-3DES-MD5 value

    outside_map interface card crypto outside

    ISAKMP key * A.B.C.D netmask 255.255.255.255 No.-xauth No. config-mode

    part of pre authentication ISAKMP policy 30

    ISAKMP policy 30 3des encryption

    ISAKMP policy 30 md5 hash

    30 2 ISAKMP policy group

    ISAKMP duration strategy of life 30 86400

    My hope is that anything on the 192.168.1.0/24 would be able to get out of the external interface as our only our public IP addresses (i.e. X.Y.Z.230), but the traffic they see on the other end is coming from the 192.168.1.0 network.  I tried to remove the line inside_outbound_nat0_acl think she would use then the world but still do not have a bit of luck and the only difference I see on Kiwi Syslogd is that the src_proxy changes to 0.0.0.0 where is shows the IP address of my private side (for the purposes of the config above let's call it 192.168.1.135).

    THANKS MUCH FOR ANY HELP!

    -Mario

    Hello

    For example, you can NAT your internal via the tunnel network traffic when you go to this customer.

    In this way, they will see your unique internal network as an IP address.

    Let's say, rather than them seeing your internal 192.168.1.0/24, eelle will see your traffic like X.Y.Z.227

    Is this what you need?

    Federico.

  • LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

    Hello

    I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).

    When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.

    However, I would like to Turn off encryption for some time getting the speed improvements, so I changed

    Encryption = null esp (in 1721) and to "null" in VPN-3000.

    Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721

    % C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

    Has anyone seen this behavior?

    All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?

    Thanx------Naman

    Naman,

    Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.

    Kurtis Durrett

  • L2l IPSec VPN 3000 and PIX 501

    Hello

    I have a remote site that has a broadband internet connection and uses a PIX 501.  We wanted to connect them with our main office using our VPN 3000 via VPN site-to-site.

    I followed the following documentation:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml#tshoot

    However the L2L session does not appear on the hub when I check the active sessions.

    The network diagram, as well as the PIX config and the screenshots of the VPN configuration for the IPSec-L2L tunnel is attached.

    Any help or advice are appreciated.

    I just noticed that the PIX firewall, the phase 1 paramateres are not configured. You must configure the same PASE 1 and phase 2 settings on both ends of the tunnel.

    For example, on CVPN 3000, you have configured settings Phase 1 as 3DES, pre-shared key etc... We have the same configuration on the PIX firewall too.

    Here is an example of sample config

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

    I hope this helps!

  • Site to Site VPN between PIX and Linksys RV042

    I am trying to create a tunnel between a 506th PIX and a Linksys RV042 vpn .  I configured the Phase 1 and Phase 2 as well as the transformation defined and interested traffic and connected to the external interface, but it will not create the tunnel.  Configurations are as follows:

    506th PIX running IOS 6.3

    part of pre authentication ISAKMP policy 40
    ISAKMP policy 40 cryptographic 3des
    ISAKMP policy 40 sha hash
    40 2 ISAKMP policy group
    ISAKMP duration strategy of life 40 86400
    ISAKMP key * address 96.10.xxx.xxx netmask 255.255.255.255
    access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0crypto map Columbia_to_Office 10 ipsec-isakmp
    crypto Columbia_to_Office 10 card matches the address 101
    card crypto Columbia_to_Office 10 set peer 96.10.xxx.xxx
    10 Columbia_to_Office transform-set ESP-3DES-SHA crypto card game
    Columbia_to_Office interface card crypto outside

    Linksys RV042

    Configuration of local groups
    IP only
         IP address: 96.10.xxx.xxx
    Type of local Security group: subnet
    IP address: 192.168.1.0
    Subnet mask: 255.255.255.0

    Configuration of the remote control groups
    IP only
    IP address: 66.192.xxx.xxx
    Security remote control unit Type: subnet
    IP address: 192.168.21.0
    Subnet mask: 255.255.255.0

    IPSec configuration
    Input mode: IKE with preshared key
    Group Diffie-Hellman phase 1: group2
    Phase 1 encryption: 3DES
    Authentication of the phase 1: SHA1
    Life of ITS phase 1: 86400
       
    Phase2 encryption: 3DES
    Phase2 authentication: SHA1
    Phase2 life expectancy: 3600 seconds
    Pre-shared key *.

    I'm a novice on the VPN. Thanks in advance for your expertise.

    Yes, version PIX 6.3 does not support HS running nat or sh run crypto.

    Please please post the complete config if you don't mind.

    Please also try to send traffic between subnets 2 and get the output of:

    See the isa scream his

    See the ipsec scream his

  • VPN site to Site between 6.3 (3) PIX and PIX 7.0 (1)

    Hi all

    I am configuring a VPN site-to site between my office and a new site. This is my first time doing a real VPN site to site, in the past we have always just used MS PPTP VPN.

    My office firewall is a 6.3 (3) 506th PIX running, and unfortunately this can not be upgraded to 7.0.

    My new site has a pair of PIX 525 in a failover configuration, running version 7.0 (1).

    The only documentation that I could find on this subject is a http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml, which corresponds to an even earlier version of the software firewall (although orders seemed to be valid on the 6.3 software).

    I ran through the VPN Wizard in the ASDM on the new firewall of sites, and the output produced in the firewall rules is not really what I expected. Commands like 'ISAKMP key' have been depreciated and replaced by "tunnel-group.

    What I'm really after a pointer in the right direction for certain documents which covers this type of scenario, I can't be the only one trying the link between the different versions of PIX.

    Hi M8,

    In quick words, more of the config is always the same (sets of transform, ISAKMP policy, Crypto Maps and Crypto ACL).

    The only thing that changes is the:

    ISAKMP key * address x.x.x.x

    and it is replaced by the tunnel-group command:

    tunnel-group x.x.x.x type ipsec-l2l

    tunnel-group ipsec-attributes x.x.x.x

    pre-shared-key *.

    you put the IP peer under the name of tunnel and as you can see, you will write the key in ipsec-attributes sub-mode.

    I see straight forward and I think that you will find it easy once you get used to the question of the tunnel-group.

    Hope that helps.

    Salem.

  • Cisco ACS 5.4 and VPN 3000

    Hello

    I'm trying to use CIsco ACS 5.4 for RADIUS authentication for VPN by using VPN concentrator 3000 users.

    I added the VPN 3000 on ACS and added GBA on VPN group with a shared secret authentication server. When I do a test on the authentication server using the local account that I created on ACS it happens as no response was received from the server so that I can see the RAIDUS AAuth in green.

    Any help would be much appreciated.

    Concerning

    AR

    Hey,.

    What is the report on GBA?

    "RAIDUS AAuth in green"

    If so, a pcap help between the two.

    Concerning

    Ed

  • 506th PIX and VPN client - multiple connections connections

    I have a PIX of the 506th (6.2) w/3DES license and 3.6.3 VPN client software. I'm only using group user name and password to authenticate. The first user login works fine. When the second user connects, the first is finished and the second works very well. The product turned on States I should be able to have 25 simultaneous connections or site to site or customer.

    Any help will be greatly appreciated, Kyle

    Are these two users on the same site, behind a device that makes PAT? If so, then this device is causing the problem, not the PIX. The device is unable to correctly translate the IPsec packets. Unfortunately nothing you can do about it on the PIX, although the next version of the software (6.3 to your calendar of March) will have NAT - T support (which the client currently supports). Once that support NAT - T both ends, they'll be able to say that there's a PAT instrument between the two and they will automatically encapsulate everything in the UDP packets, which your PAT instrument will be able to translate correctly.

  • VPN site-to-site between two PIX 501 with Client VPN access

    Site A and site B are connected with VPN Site to Site between two PIX 501.

    Also, site A is configured for remote access VPN client. If a remote client connects to Site A, it can only get access to the LAN of Site A, it cannot access anything whatsoever behind PIX on Site B.

    How is that possible for a VPN client connected to Site A to Site B?

    Thank you very much.

    Alex

    Bad and worse news:

    Bad: Not running the 7.0 series PIX cannot route traffic on the same interface, the traffic is recived. Version 7.0 solves this ipsec traffic.

    Even worse: PIX 501 can not be upgraded to 7.0...

    A couple of things to think about would be the upgrade to hardware that can run the new IOS or allowing a VPN R.A. on site B.

    HTH Please assess whether this is the case.

    Thank you

  • VPN 3000 and wildcard peer IKE

    The order PIX (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312) reference:

    ISAKMP key address

    To configure a preshared authentication key and associate the key with a host name or the IPSec peer address, use the address isakmp key command. Use the address no. isakmp key command to remove a preshared authentication key and its associated IPSec peer address.

    A 0.0.0.0 netmask. may be entered as a wildcard indicating that any peer IPSec with a preshared key valid given is a valid counterpart.

    Question: Is it possible to do the same thing on the VPN 3000? I have a bunch of PIX firewall, they use DSL w / DHCP. I need them to operate in the Mode of Extension of network, but unlike PIX, I can't seem to get the VPN 3000 to accept the '0.0.0.0' as you can do it with PIX. Anyone has any idea if this is possible or another way to achieve the goal? Any ideas would be greatly appreciated.

    Yep, it's possible, even if it's not too obvious how you do :-) The following configuration example shows how do:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00801dd672.shtml

    The key option is the "Default pre-shared key" under the core group.

  • Router vpn site to site PIX and vpn client

    I have two on one interface on the pix vpn connections that terminate VPN. client vpn and VPN site-to-site have passed phase one and two and decrypt and encrypt the packets. However as in another post I can not ping through the l2l vpn. I checked this isn't a nat problem a nd two NAT 0 on the pix and the NAT on the router access lists work correctly.

    ISAKMP crypto RTR #show its
    IPv4 Crypto ISAKMP Security Association
    status of DST CBC State conn-id slot
    66.x.x.x 89.x.x.x QM_IDLE 2001 0 ACTIVE

    IPv6 Crypto ISAKMP Security Association

    local ident (addr, mask, prot, port): (192.168.2.0/255.255.255.0/0/0)
    Remote ident (addr, mask, prot, port): (192.168.10.0/255.255.255.0/0/0)
    current_peer 66.x.x.x port 500
    LICENCE, flags is {origin_is_acl},
    #pkts program: 23583, #pkts encrypt: 23583 #pkts digest: 23583
    #pkts decaps: 18236, #pkts decrypt: 18236, #pkts check: 18236
    compressed #pkts: 0, unzipped #pkts: 0
    #pkts uncompressed: 0, #pkts compr. has failed: 0
    #pkts not unpacked: 0, #pkts decompress failed: 0
    #send 40, #recv errors 0

    local crypto endpt. : 89.x.x.x, remote Start crypto. : 66.x.x.x
    Path mtu 1380, ip mtu 1380, ip mtu BID Dialer0
    current outbound SPI: 0xC4BAC5E (206285918)

    SAS of the esp on arrival:
    SPI: 0xD7848FB (225986811)
    transform: aes - esp esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 3, flow_id: Motorola SEC 1.0:3, card crypto: PIX_MAP
    calendar of his: service life remaining (k/s) key: (4573083/78319)
    Size IV: 16 bytes
    support for replay detection: Y
    Status: ACTIVE

    the arrival ah sas:

    SAS of the CFP on arrival:

    outgoing esp sas:
    SPI: 0xC4BAC5E (206285918)
    transform: aes - esp esp-sha-hmac.
    running parameters = {Tunnel}
    Conn ID: 4, flow_id: Motorola SEC 1.0:4, card crypto: PIX_MAP
    calendar of his: service life remaining (k/s) key: (4572001/78319)
    Size IV: 16 bytes
    support for replay detection: Y
    Status: ACTIVE

    outgoing ah sas:

    outgoing CFP sas:

    Expand the IP NAT access list
    10 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21396 matches)
    20 permit ip 192.168.2.0 0.0.0.255 everything (362 matches)
    Expand the IP VPN_ACCESS access list
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 (39724 matches)

    I looked on the internet and that it points to a routing error when packets are being encrypted and decrypted, but you can't do a ping on the binding. However when I test the connection I did not enter any of the static routes that networks are connected directly on each side of the pix and the router. any help would be a preciated as I think there's maybe something is blocking the ping to reach the internal network at the end of pix with a configured access list.

    is ping failure of the only thing between the site to site VPN? and assuming that all other traffic works fine since it decrypts and encrypts the packets.

    If it's just ping, then activate pls what follows on the PIX:

    If it is version 6.3 and below: fixup protocol icmp

    If it is version 7.0 and higher: select "inspect icmp" under your political map of the world.

    Config complete hand and on the other could help determine if it's a configuration problem or another problem.

  • Setting up a VPN between a WRVS4400N and ASA device

    I'm a newbie when it comes to Cisco devices and I have a problem setting a VPN between a local and a seat some distance away.

    Here, our local office, we have a device Cisco WRVS4400N Small Business.

    At Headquarters, they have a feature of Cisco ASA.

    We must set up a point to point VPN and I have no idea how to proceed with these devices.

    To compound things, resources, I'm at the other end in an unknown entity that also does not seem to have a lot of experience with this.

    Is there any type of step by step guide for such a configuration?

    If not, can someone please help with this?

    Hello William,.

    I would call 1866-606-1866 Support Center for assistance on the side the tunnel then the entire side of the ASA WRVS has to do is match the settings. If the side ASA needs support with which we can transfer more TAC.

    Cisco Small Business Support Center

    Randy Manthey

    CCNA, CCNA - security

Maybe you are looking for

  • receive emails in my own e mail junk

    Hello I get e-mails in my own e-mail junk, but actually the r junk and spam... When I like to block its said, U cannot BLOCK U SELF... WHT to do? OT: Help me please

  • Installer of Modules of Windows has stopped working and was closed

    HelloI have a laptop Toshiba Satellite (running Vista Home Premium) that I bought about two months ago.  When he tries to run updates, he routinely gets through a few and then up pops the message "Windows Modules Installer has stopped working and was

  • White haze on tiles

    How can I stop my from thumbnail view in Windows Explorer with a white haze on them?  I use Windows XP Pro

  • How can I make images display in "Windows Help and Support"?

    I am problems in the display of images in "Windows Help and Support". Images are not displayed properly and help is also not formatted well as it should. Previously everything was fine, but I don't know what went wrong and resulted in such errors in

  • photos of mail

    Equipped with Vista. I want to add pictures to the text of the emails, but Vista will only send photos as attachments. How can I add pictures of text?