10-26-2006 01:12 AM - edited 02-21-2020 02:41 PM
Dear all,
I am in trouble regarding the VPN.
I am using Cisco PIX 501 on both sides.
The VPN tunnel has been established, but I am not able to ping the remote inside hosts.
Below is the command output of sh crypto ipsec:
inbound esp sas:
spi: 0x918bdc56(2441862230)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4608000/28375)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x69b6dd53(1773591891)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607999/28357)
IV size: 8 bytes
replay detection support: Y
sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
10.1.1.162 10.1.1.164 QM_IDLE 0 1
Also attached below are the config files for both firewalls.
Could anyone please help me in resolving this issue?
10-26-2006 04:13 AM
I think you have the correct configuration.
According to the config, you are able to ping from Branch inside PC to HO inside PC. But you are not able to ping from Branch inside PC to Branch outside interface, HO outside interface and HO inside interface.
If you add command
conduit permit icmp any any
You are able to ping from Branch inside pc to HO outside interface.
10-26-2006 05:53 AM
Thanks for the reply, but I am not able to ping from HO to branch office inside PCs, and also not from branch office inside PCs to HO inside office PCs.
I think conduit permit icmp any any will not have an effect, as we allowed all the IPsec traffic using the sysopt command.
Now the question is: if my config is correct, then why am I not able to access the resources through the IPsec tunnel??
Please help me.
10-26-2006 11:48 PM
I have done a similar experiment several times. I think you have the correct configuration. Through the commands
show crypto isakmp sa
show crypto ipsec sa
both results indicate the IPsec tunnel is set up successfully. Try to
clear crypto isakmp sa
and retry to set up the tunnel.
If all things are still right, try to check your PC.
10-27-2006 07:29 AM
Imran,
After configuring the VPN tunnel, did you do "clear xlate" before trying to ping the hosts?
Also, what are the source and destination of your ping packets?
Also, what is the default gateway of the hosts that you are trying to ping? Do the IP addresses that you are trying to access route to the PIX for the tunnel destination traffic?
Let me know when you get a chance.
Regards,
Arul
** Please rate all helpful posts **