
Pix501 to VPN3030 troubles

avmabe (Level 3)

Hello,

I have successfully created a L2L IPSEC tunnel between a PIX501 and a VPN3030. The problem I have is I can only send traffic from the 501 --> 3030; the 3030 does not transmit any packets back across the tunnel. I have played around with many static route configurations with no luck.

I have a continuous ping going from 192.168.1.4 to 10.101.101.1, and the IP ACL on the PIX is incrementing and the received counters are incrementing on the 3030, but no replies!!!

192.168.1.0/24
      |
     PIX
      |
69.14.28.x (PIX outside addr)
      |
   Interweb
      |
12.109.17.x (3030 public)
      |
    3030
      |
10.101.101.0/24 (private)

Routes on the 3030 are as follows:

0.0.0.0/0.0.0.0 12.109.17.x (default)

10.101.101.0/255.255.0.0 10.101.101.1 static

That's it. I'm stumped.

3 Replies

grant.maynard (Level 4, accepted solution)

VPN3030 shows packets received but none transmitted (Administration - Administer Sessions - LAN-to-LAN)?

No filters on VPN3030 (on L2L connection or interface)?

What are you trying to ping on 10.101.101.0/24?

How about sticking a PC there with Ethereal and using that to see if the packets are getting there and whether it's replying.

No filters.

Here's what I did find... My packets were going from the PIX through the tunnel into the 3030 and out the private interface as 192.168.1.4 (the remote PC).

Needless to say, the local lan didn't know what to do with 192.168.1.x packets on the 10.101.101.x network.

Not sure what everyone else does, but we really want to have a split tunnel where only (LAN and Cisco 7960 phone traffic) goes across the tunnel. Any ideas?

Some people will tunnel everything from a remote site to a central site, some will tunnel only certain subnets (as you have). It's up to you.
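The two mechanics behind this thread, modelled in a small script: why a host on the 3030's private LAN sends its echo replies to the wrong next hop when it has no route for 192.168.1.0/24 (the asymmetric-routing failure the poster found), and how the PIX's crypto ACL decides which flows are "interesting" enough to enter the tunnel (the split-tunnel question). This is an added example, not code from the original post or from Cisco; the LAN's default gateway 10.101.101.254 and the voice subnet 10.101.102.0/24 are assumptions, the other addresses come from the thread.

```python
"""Return-path and split-tunnel decisions for the PIX501 <-> VPN3030 tunnel.

Added example, not from the original post. Assumed values: the 10.101.101.0/24
LAN's default gateway (10.101.101.254) and a voice VLAN (10.101.102.0/24).
"""
import ipaddress
from typing import List, Optional, Tuple

# A route: destination prefix and next hop (None = directly connected).
Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match. Returns the next-hop address used to reach dst,
    'connected' when dst is on an attached network, or None with no route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, gw in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw)
    if best is None:
        return None
    return "connected" if best[1] is None else str(best[1])


# Constructed routing table of a host on the 3030's private LAN as the thread
# describes it: it knows its own subnet and a default route, nothing else.
LAN_HOST_BEFORE: List[Route] = [
    (ipaddress.ip_network("10.101.101.0/24"), None),
    # assumed default gateway, which is NOT the VPN concentrator
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("10.101.101.254")),
]

# The same host once the remote LAN is routed at the 3030's private
# interface (10.101.101.1 in the thread). In practice this route lives on the
# hosts, or better on their default gateway, so replies reach the concentrator.
LAN_HOST_AFTER: List[Route] = LAN_HOST_BEFORE + [
    (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_address("10.101.101.1")),
]


def reply_path(table: List[Route], pinger: str, concentrator: str) -> str:
    """Where an echo reply addressed to `pinger` actually goes: back to the
    concentrator (tunnel works) or to some other hop (asymmetric routing)."""
    hop = next_hop(table, pinger)
    if hop == concentrator:
        return "returns via tunnel"
    return f"leaks to {hop}"


# The PIX crypto ACL ("interesting traffic"): only flows matching an entry are
# encrypted into the tunnel; everything else leaves in the clear. Listing just
# the LAN and the assumed phone subnet is what a split tunnel looks like.
CryptoAce = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]
CRYPTO_ACL: List[CryptoAce] = [
    (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.101.101.0/24")),
    (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.101.102.0/24")),
]


def is_interesting(acl: List[CryptoAce], src: str, dst: str) -> bool:
    """True if the flow src->dst matches the crypto ACL and will be tunnelled."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in acl)


if __name__ == "__main__":
    for name, table in (("before", LAN_HOST_BEFORE), ("after", LAN_HOST_AFTER)):
        print(name, "->", reply_path(table, "192.168.1.4", "10.101.101.1"))
    for dst in ("10.101.101.1", "10.101.102.20", "8.8.8.8"):
        print("192.168.1.4 ->", dst, "tunnelled:", is_interesting(CRYPTO_ACL, "192.168.1.4", dst))
```

The "before" table reproduces the symptom in the thread: the echo request arrives, but the reply's longest match is the default route, so it goes to the LAN's ordinary gateway and never reaches the 3030 for encryption. The PIX side of the same check is the `match address` ACL on the crypto map together with `nat (inside) 0` for the same ACL, so that tunnelled flows keep their private source address and non-matching flows are NATed to the outside address.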