Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1286
Views
0
Helpful
0
Comments

Unable to pass VPN traffic between a PIX Firewall and a router with a CBAC configuration

TCC_2
Level 10
Level 10

‎06-22-2009 06:05 PM - edited ‎03-08-2019 06:26 PM

Core issue

This problem occurs on routers that run code prior to Cisco Release 12.3(8)T.


The routers perform a double Access Control List (ACL) check on the inbound packets; once on the encrypted packet and then again on the just-decrypted clear-text packet. Packets drop during the double-check, if interesting traffic is not defined in the Context Based Access Control (CBAC) configuration.


Resolution

As a workaround, allow the remote VPN subnet through the CBAC configuration.

Refer to Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static for additional help on the configuration

Note: On routers that run code 12.3(8)T or later, the Crypto Access Check on Clear-Text Packets feature removes the clear-text packet check that goes through the IPSec tunnel just prior to encryption, or just after decryption.


Refer to the How ACL Access Checking Worked Prior to This Feature section of Crypto Access Check on Clear-Text Packets for additional help on how ACL checks worked prior to this new feature.

Refer to the Prerequisites for Crypto Access Check on Clear-Text Packets section of Crypto Access Check on Clear-Text Packets for this feature if there is a plan to upgrade the router to version 12.3(8)T.

Problem Type

Troubleshoot software feature

Product Family

Firewall - PIX 500 series

Routers

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents