10-22-2003 11:50 AM - last edited on 03-25-2019 05:01 PM by ciscomoderator
I am using a PIX 6.2(2) creating an IPSEC tunnel. I have several access-lists set up to allow subnets on the tunnel; however, any traffic destined for the 192.168.10.0/24 network is being decrypted on the way to the PIX, but then the PIX is not encrypting the traffic outbound... Here is the config:
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 146.225.0.0 255.255.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 host 172.21.16.32
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 172.25.0.0 255.255.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 146.225.0.0 255.255.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
access-list nonat permit ip 192.168.230.0 255.255.255.0 host 172.21.16.32
access-list nonat permit ip 192.168.230.0 255.255.255.0 172.25.0.0 255.255.0.0
show ipsec sa:
local ident (addr/mask/prot/port): (192.168.230.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 198.182.40.11
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4068, #pkts encrypt: 4068, #pkts digest 4068
#pkts decaps: 4226, #pkts decrypt: 4226, #pkts verify 4226
****************************************************
local ident (addr/mask/prot/port): (192.168.230.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 198.182.40.11
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
10-22-2003 03:56 PM
Is 192.168.230.0 a directly connected network to the PIX? If so, then run the following debug on the PIX and see if the responses are even making it back to the PIX. After enabling the debug, run a ping from the remote site to the 192.168.230.0 network.
debug packet inside src <192.168.230.0_NW_IP_that_you_are_pinging> dst
(to turn it off: "no debug packet inside")
Run the ping. See if the replies are showing up on the console. If they are not, then it is a local LAN issue. If they show up, then check the ACL for these networks in ACL nonat and see if the hitcount is incrementing. If yes, then check the ACL line in the TONORTEL ACL for these networks and see if the hitcount is incrementing. If yes, then clear the ipsec and isakmp SAs and run a ping again.
Hope this helps.
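Added example (not from either poster): a small triage script that automates two of the checks above. It parses the `show ipsec sa` counters from the question to flag SAs that decrypt inbound traffic but never encrypt outbound, and compares the crypto ACL against the nonat ACL to find destinations with no NAT exemption. The ACL sample is a constructed variant of the post's config with the nonat line for 192.168.10.0/24 deliberately omitted so the check has something to report; the post's real config does contain that line.

```python
import re

# Constructed sample: the two SA entries from the post above (counters only).
SHOW_SA = """\
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
#pkts encaps: 4068, #pkts encrypt: 4068, #pkts digest 4068
#pkts decaps: 4226, #pkts decrypt: 4226, #pkts verify 4226
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
"""

# Constructed variant of the post's ACLs: the nonat line for 192.168.10.0/24 is left out on purpose.
ACLS = """\
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
access-list nonat permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
"""

def parse_sas(text):
    """One dict per SA: remote proxy identity plus its encaps/decaps counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*remote ident.*?\(([\d.]+)/([\d.]+)/", line)
        if m:
            cur = {"remote": f"{m.group(1)}/{m.group(2)}", "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        m = re.match(r"\s*#pkts (encaps|decaps): (\d+)", line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas

def one_way_sas(text):
    """Remote subnets whose SA decrypts inbound packets but never encrypts outbound ones."""
    return [s["remote"] for s in parse_sas(text) if s["decaps"] > 0 and s["encaps"] == 0]

def acl_dests(text, name):
    """Destination addr/mask of each 'permit ip' line in the named ACL (host X -> X/255.255.255.255)."""
    dests = set()
    for line in text.splitlines():
        m = re.match(rf"access-list {name} permit ip \S+ \S+ (?:host (\S+)|(\S+) (\S+))", line)
        if m:
            dests.add(f"{m.group(1)}/255.255.255.255" if m.group(1) else f"{m.group(2)}/{m.group(3)}")
    return dests

def missing_nonat(text, crypto_acl="TONORTEL", nonat_acl="nonat"):
    """Crypto-ACL destinations with no nonat counterpart: replies get NATed before the crypto map sees them."""
    return sorted(acl_dests(text, crypto_acl) - acl_dests(text, nonat_acl))
```

Run `one_way_sas(SHOW_SA)` and `missing_nonat(ACLS)` against output pasted from your own PIX; a subnet that appears in the first list but not the second points at routing or the local LAN rather than NAT exemption.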