VPN works only in one direction

riedwetter (Level 1)

Hello,

I have a big problem with a PIX config.

The situation is:

The tunnel is between a Cisco PIX 515 and a LANCOM 3850 UMTS. The tunnel comes up correctly. I can ping and use all ports and services from the PIX network (1.1.1.0/24) to the LANCOM network (2.2.2.0/24), but not from the LANCOM to the PIX.

The goal is to use all ports and services from both sides.

Here is the PIX config snippet for the connection. I hope someone can help me...

access-list alist-vc10127-cmap permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list alist-nat permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

crypto map cmap 127 ipsec-isakmp
crypto map cmap 127 match address alist-vc10127-cmap
crypto map cmap 127 set peer 90.0.0.0
crypto map cmap 127 set transform-set tset1
crypto map cmap 127 set pfs group2

isakmp key pskey address 90.0.0.0 netmask 255.255.255.255

access-list alist-inside-in permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list alist-inside-in permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0

Thank you.

Greetings

10 Replies

Jennifer Halim (Cisco Employee)

Based on the PIX configuration, it should already support bidirectional traffic, i.e. from PIX to LANCOM and vice versa. You might want to check the configuration on the LANCOM end (check whether there is an access-list that might be blocking the traffic initiated from the LANCOM end).

Hello,

thank you for the answer.

We have many other tunnels with the same config and other VPN devices. There it is desired that it works only in one direction.

Maybe a hint: if I type an IP address from the VPN into a browser, I get an HTTP authentication prompt (IDxxxx).

Greetings

What do you mean by HTTP authentication? Which ip address are you putting in the browser?

Hi,

I tried Internet Explorer from pc1 with IP 2.2.2.1 (LANCOM LAN) to a computer with IP 1.1.1.1 (Cisco LAN). No matter what address you use, I get an HTTP login.

I get this from all other VPN tunnels that are configured on the Cisco PIX as well; no matter what address you use, that login always comes.

Greetings

apothula (Level 1)

Hi Sven,

Please do the following:

no isakmp key pskey address 90.0.0.0 netmask 255.255.255.255

isakmp key pskey address 90.0.0.0 netmask 255.255.255.255 no-xauth

Let me know if that resolves the issue.

Cheers,


Nash.

Hi,

With this parameter the VPN tunnel did not come up.

Greetings

husycisco (Level 7)

In your initial statement you mentioned "the pix network ( 1.1.1.0/24) to the lancom network (2.2.2.0/24)", but in this post you say the opposite. Which network belongs to which device?

Please post the full sanitized config of pix side. There may be some http intercept configuration in place.

Hi,

Sorry, my mistake; I corrected my post. The correct networks are shown now.

The config of the device is very small; we use it only as a site-to-site VPN device.

I found the following in the config:

aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
aaa authentication include udp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL

Can this be my problem?

Edit:

Might the following help me:

aaa authentication exclude tcp/0 outside 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 LOCAL
aaa authentication exclude udp/0 outside 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 LOCAL

From 1xxxx to 2xxxx already works, so it must be something like

aaa authentication exclude tcp/0 outside 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0  LOCAL

If you like, first disable all HTTP authentication, check if it works, then try filtering and excluding.
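The two `aaa authentication include tcp/0 outside ...` / `udp/0 outside ...` lines found above are PIX cut-through proxy rules: every TCP and UDP connection through the outside interface must be authenticated first, and the PIX can only prompt for that on HTTP, HTTPS, FTP and Telnet. Decrypted IPsec traffic from the LANCOM side arrives on the outside interface, so an HTTP login prompt on every address and silently dropped non-web traffic is exactly what such a rule produces, while inside-to-outside traffic is untouched. The script below is an added example (not from this thread or from Cisco) that scans a PIX 6.x-style config for crypto ACL networks still matched by an `include` rule on the tunnel interface without a matching `exclude`. The sample config is constructed from the lines posted above; the `crypto map cmap interface outside` binding and the two `exclude` lines in the second sample are assumptions, and the script assumes the PIX convention that `local` is the higher-security (inside) side and `foreign` the peer side, and that an `exclude` only cancels an `include` for the identical service string.

```python
"""Find site-to-site tunnel networks still subject to PIX cut-through proxy.

Added example. Parses a PIX 6.x-style config (constructed sample below) and
reports crypto ACL entries on the crypto-map interface that an
'aaa authentication include' rule matches and no 'exclude' rule for the same
service covers.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample built from the lines posted in the thread; the
# 'crypto map cmap interface outside' binding is an assumption.
SAMPLE_CONFIG = """\
access-list alist-vc10127-cmap permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
crypto map cmap 127 ipsec-isakmp
crypto map cmap 127 match address alist-vc10127-cmap
crypto map cmap 127 set peer 90.0.0.0
crypto map cmap interface outside
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
aaa authentication include udp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
"""

# Assumed remediation: exclude the tunnel networks (local = inside side,
# foreign = peer side) from the cut-through proxy for the same services.
SAMPLE_CONFIG_EXCLUDED = SAMPLE_CONFIG + """\
aaa authentication exclude tcp/0 outside 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 LOCAL
aaa authentication exclude udp/0 outside 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 LOCAL
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)$")
CMAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
# action, service, interface, local, local_mask, foreign, foreign_mask, server tag (ignored)
AAA_RE = re.compile(
    r"^aaa authentication (include|exclude) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) \S+$"
)


def covers(rule_net, rule_mask, net, mask):
    """True if net/mask lies entirely inside rule_net/rule_mask (0.0.0.0 0.0.0.0 covers all)."""
    rn, rm, n, nm = (int(ipaddress.IPv4Address(x)) for x in (rule_net, rule_mask, net, mask))
    return (n & rm) == (rn & rm) and (rm & nm) == rm


def parse(config):
    acls = defaultdict(list)       # acl name -> [(src, smask, dst, dmask)]
    cmap_acls = defaultdict(set)   # crypto map name -> {acl names used as match address}
    cmap_if = {}                   # crypto map name -> interface it is applied to
    aaa = []                       # (action, service, ifname, local, lmask, foreign, fmask)
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(m.groups()[1:])
        elif m := MATCH_RE.match(line):
            cmap_acls[m.group(1)].add(m.group(2))
        elif m := CMAP_IF_RE.match(line):
            cmap_if[m.group(1)] = m.group(2)
        elif m := AAA_RE.match(line):
            aaa.append(m.groups())
    return acls, cmap_acls, cmap_if, aaa


def services(aaa, action, ifname, src, smask, dst, dmask):
    """Service strings of all aaa rules with this action that match the flow on ifname."""
    return {
        svc for act, svc, rif, lo, lm, fo, fm in aaa
        if act == action and rif == ifname
        and covers(lo, lm, src, smask) and covers(fo, fm, dst, dmask)
    }


def find_intercepted(config):
    """Return (interface, service, local_net, remote_net) for each crypto ACL
    entry that an 'include' rule matches and no same-service 'exclude' covers."""
    acls, cmap_acls, cmap_if, aaa = parse(config)
    hits = []
    for cmap, ifname in cmap_if.items():
        for acl in cmap_acls.get(cmap, ()):
            for src, smask, dst, dmask in acls.get(acl, ()):
                included = services(aaa, "include", ifname, src, smask, dst, dmask)
                excluded = services(aaa, "exclude", ifname, src, smask, dst, dmask)
                for svc in sorted(included - excluded):
                    hits.append((
                        ifname, svc,
                        ipaddress.IPv4Network((src, smask), strict=False).with_prefixlen,
                        ipaddress.IPv4Network((dst, dmask), strict=False).with_prefixlen,
                    ))
    return hits


if __name__ == "__main__":
    for hit in find_intercepted(SAMPLE_CONFIG):
        print("cut-through proxy still applies to tunnel traffic:", hit)
    print("after exclude rules:", find_intercepted(SAMPLE_CONFIG_EXCLUDED))
```

Run against the first sample it reports both `tcp/0` and `udp/0` for 1.1.1.0/24 to 2.2.2.0/24 on `outside`; with the two assumed `exclude` lines added it reports nothing. Disabling the `include` rules entirely, as suggested above, is the quicker way to confirm the diagnosis before narrowing it down with `exclude` statements.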
