Traffic is being decrypted but not Encrypted

cadams
Level 1

I am using a PIX 6.2(2) to create an IPsec tunnel. I have several access-lists set up to allow subnets on the tunnel; however, any traffic destined for the 192.168.10.0/24 network is being decrypted on the way to the PIX, but then the PIX is not encrypting the traffic outbound. Here is the config:

access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 146.225.0.0 255.255.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 host 172.21.16.32
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 172.25.0.0 255.255.0.0

access-list nonat permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 146.225.0.0 255.255.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
access-list nonat permit ip 192.168.230.0 255.255.255.0 host 172.21.16.32
access-list nonat permit ip 192.168.230.0 255.255.255.0 172.25.0.0 255.255.0.0

show ipsec sa:

local ident (addr/mask/prot/port): (192.168.230.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 198.182.40.11
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4068, #pkts encrypt: 4068, #pkts digest 4068
#pkts decaps: 4226, #pkts decrypt: 4226, #pkts verify 4226

****************************************************

local ident (addr/mask/prot/port): (192.168.230.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 198.182.40.11
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16

1 Reply

pkapoor
Level 3

Is 192.168.230.0 a directly connected network to the PIX? If so, then run the following debug on the PIX and see if the responses are even making it back to the PIX. After enabling the debug, run a ping from the remote site to the 192.168.230.0 network.

debug packet inside src <192.168.230.0_NW_IP_that_you_are_pinging> proto icmp

(to turn off: no debug packet inside)

Run the ping. See if the replies are showing up on the console. If they are not, then it is a local LAN issue. If they show up, then check the ACL lines for these networks in the nonat ACL and see if the hit count is incrementing. If yes, then check the ACL line in the TONORTEL ACL for these networks and see if the hit count is incrementing. If yes, then clear the IPsec and ISAKMP SAs and run a ping again.

Hope this helps.
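The two checks in the reply above (every crypto-ACL entry needs a matching nonat entry, and an SA that only ever decaps is a one-way tunnel) are easy to script so they can be run against a saved config and a pasted `show crypto ipsec sa` before touching the box. The following is an added example, not code from the thread or from Cisco: the sample text it parses is constructed from the post, abridged, and the nonat line for 192.168.10.0/24 is deliberately left out so the mismatch check has something to report. Matching is by exact address/mask pair, which is an assumption; a nonat line that covers the crypto entry with a wider mask would be flagged even though it is fine.

```python
"""Flag crypto-ACL entries with no nonat twin and IPsec SAs that only decap.

Added example for the PIX 6.x troubleshooting thread; input text below is
constructed from the post (abridged), not captured from a live device.
"""
import re

# Constructed sample config: the nonat line for 192.168.10.0/24 is omitted on
# purpose so crypto_without_nonat() has something to report.
CONFIG = """
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list TONORTEL permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
access-list nonat permit ip 192.168.230.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat permit ip 192.168.230.0 255.255.255.0 host 172.21.16.14
"""

# Constructed sample of `show crypto ipsec sa`, abridged from the post.
SA_OUTPUT = """
local ident (addr/mask/prot/port): (192.168.230.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer: 198.182.40.11
#pkts encaps: 4068, #pkts encrypt: 4068, #pkts digest 4068
#pkts decaps: 4226, #pkts decrypt: 4226, #pkts verify 4226
local ident (addr/mask/prot/port): (192.168.230.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 198.182.40.11
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
"""


def _addr(tokens, i):
    """Read one ACL address spec starting at tokens[i].

    Both forms the PIX uses here ('host A.B.C.D' and 'net mask') are two
    tokens wide; 'host' is normalised to a /32 mask so pairs compare equal.
    """
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/255.255.255.255", i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_acls(config):
    """Map ACL name -> ordered list of (src, dst) for 'permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 8 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue  # not a 'permit ip' entry; other lines are out of scope
        src, i = _addr(t, 4)
        dst, _ = _addr(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def crypto_without_nonat(config, crypto="TONORTEL", nonat="nonat"):
    """Crypto-ACL pairs that have no identical entry in the nonat ACL.

    Such traffic is translated before crypto-map evaluation, so it no longer
    matches the crypto ACL and leaves in the clear (or is dropped).
    """
    acls = parse_acls(config)
    covered = set(acls.get(nonat, []))
    return [pair for pair in acls.get(crypto, []) if pair not in covered]


def parse_sas(text):
    """Turn `show crypto ipsec sa` text into a list of per-SA dicts."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"local ident .*?\(([\d.]+)/([\d.]+)/", line)
        if m:
            cur = {"local": f"{m[1]}/{m[2]}", "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"remote ident .*?\(([\d.]+)/([\d.]+)/", line)
        if m:
            cur["remote"] = f"{m[1]}/{m[2]}"
            continue
        m = re.match(r"current_peer: ([\d.]+)", line)
        if m:
            cur["peer"] = m[1]
            continue
        m = re.match(r"#pkts (encaps|decaps): (\d+)", line)
        if m:
            cur[m[1]] = int(m[2])
    return sas


def one_way_sas(sas):
    """(local, remote) of SAs that received traffic but never sent any."""
    return [(s["local"], s["remote"]) for s in sas
            if s["decaps"] > 0 and s["encaps"] == 0]


if __name__ == "__main__":
    for src, dst in crypto_without_nonat(CONFIG):
        print(f"crypto ACL entry without nonat twin: {src} -> {dst}")
    for local, remote in one_way_sas(parse_sas(SA_OUTPUT)):
        print(f"one-way SA (decaps only): {local} <-> {remote}")
```

Run it against a real `show running-config` and `show crypto ipsec sa` by replacing the two constants; an entry reported by both checks is almost always the nonat gap, while an SA reported only by `one_way_sas()` points at the routing or LAN question the reply starts with.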
