02-01-2007 05:18 AM - edited 03-11-2019 02:27 AM
I'm trying to configure a site to site VPN connection with PIX5153 6.3(5) on my end and Checkpoint at the other end.
host (172.30.10.x)--->PIX 515e---------Checkpoint<---host.
The problem is when communications are initiated from the 172.30.10.x host, I can see the PIX encrypt packets leaving my PIX and decrypt packets coming back in (using PDM VPN Ipsec monitoring), but it appears that the packets aren't making it through the PIX back to the host.
I have also captured this traffic at the PIX and see only the outgoing packets:
03:40:56.187154 172.30.10.x.3453 > y.y.y.y.699: S 242989206:242989206(0) win 16384 <mss 1460,nop,nop,sackOK>
Host 172.30.10.x is NAT'd to 65.125.108.x at the PIX. I have a local Cisco tech working on this as well as a TAC case open. No one seems to be able to determine what is going on. Is there a bug in 6.3(5) that prevents NATing over a Site-to-Site VPN configuration like this?
TIA,
Ken
02-01-2007 05:30 AM
Ken
Can you send a sanitised version of the config ?
Jon
02-01-2007 06:07 AM
02-01-2007 06:45 AM
Ken
Sorry, it's a bit too sanitised. Usually people just get rid of public IP addresses from the config + passwords etc.
It's difficult to tell anything without some of the addressing.
Jon
02-01-2007 07:59 AM