global-gossip
Beginner

Cannot reach destination of one IPSec tunnel via another IPSec tunnel

Hi all,

I have a PIX-515E version 8.0(2).

I have two remote sites connected to this PIX via IPSec tunnels.

Each remote site can reach the local networks behind the PIX but I cannot reach remoteSiteA from remoteSiteB.

So,

10.30.8.254 SiteA <----- IPSec -----> PIX1 <----------------> SiteX 10.0.8.1

10.138.34.21 SiteB <----- IPSec -----> PIX1 <----------------> SiteX 10.0.8.1

SiteA can ping SiteX

SiteB can ping SiteX

SiteA can't ping SiteB

SiteB can't ping SiteA

If I do show crypto isakmp ipsec sa I can see appropriate subnets:

Crypto map tag: CRYPTO-MAP, seq num: 4, local addr: 203.166.1.1

      access-list ACLVPN-TO_SITEA permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254

      local ident (addr/mask/prot/port): (10.138.34.16/255.255.255.240/0/0)

      remote ident (addr/mask/prot/port): (10.30.8.254/255.255.255.255/0/0)

      current_peer: 104.86.2.4

Crypto map tag: CRYPTO-MAP, seq num: 5, local addr: 203.166.1.1

      access-list ACLVPN-TO_SITEB permit ip host 10.30.8.254 10.138.34.16 255.255.255.240

      local ident (addr/mask/prot/port): (10.30.8.254/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (10.138.34.16/255.255.255.240/0/0)

      current_peer: 216.178.200.200

Some log messages that seem to point to the problem...

Apr 18 2013 13:27:35: %PIX-4-402116: IPSEC: Received an ESP packet (SPI= 0xD51BB13A, sequence number= 0x21A) from 104.86.2.4 (user= 104.86.2.4) to 203.166.1.1.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.138.34.21, its source as 10.30.8.254, and its protocol as 6.  The SA specifies its local proxy as 10.0.8.0/255.255.255.0/0/0 and its remote_proxy as 10.30.8.254/255.255.255.255/0/0

My question is really do I need to do anything funky to allow the traffic to pass between the two tunnels?

Accepted Solution
Jouni Forss
Mentor

Hi,

This might be a lot easier if we saw the actual configurations.

But here are some things to confirm in the configurations (some of it you have mentioned above but I will still mention again)

  • Make sure that on each firewall you define the appropriate L2L VPN ACLs
  • Make sure that you have configured NAT0 on the central PIX "outside" interface for the Site A and Site B
  • Make sure that the Central PIX has "same-security-traffic permit intra-interface" configured. This will allow the Site A traffic to enter the Central PIX "outside" interface and head back out that same interface towards Site B. And vice versa.

To show some actual configurations that might be needed provided everything else is ok. (I presume all used devices are Cisco)

Central PIX

same-security-traffic permit intra-interface

Site A connection

access-list SITE-A-CRYPTOMAP permit ip 10.0.8.0 255.255.255.0 host 10.30.8.254

access-list SITE-A-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254

Site B connection

access-list SITE-B-CRYPTOMAP permit ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240

access-list SITE-B-CRYPTOMAP permit ip host 10.30.8.254 10.138.34.16 255.255.255.240

NAT0

access-list INSIDE-NAT0 permit ip 10.0.8.0 255.255.255.0 host 10.30.8.254

access-list INSIDE-NAT0 permit ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240

nat (inside) 0 access-list INSIDE-NAT0

access-list OUTSIDE-NAT0 permit ip host 10.30.8.254 10.138.34.16 255.255.255.240

access-list OUTSIDE-NAT0 permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254

nat (outside) 0 access-list OUTSIDE-NAT0

Site A

access-list CENTRAL-SITE-CRYPTOMAP permit ip host 10.30.8.254 10.0.8.0 255.255.255.0

access-list CENTRAL-SITE-CRYPTOMAP permit ip host 10.30.8.254 10.138.34.16 255.255.255.240

access-list INSIDE-NAT0 permit ip host 10.30.8.254 10.0.8.0 255.255.255.0

access-list INSIDE-NAT0 permit ip host 10.30.8.254 10.138.34.16 255.255.255.240

nat (inside) 0 access-list INSIDE-NAT0

Site B

access-list CENTRAL-SITE-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 10.0.8.0 255.255.255.0

access-list CENTRAL-SITE-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254

access-list INSIDE-NAT0 permit ip 10.138.34.16 255.255.255.240 10.0.8.0 255.255.255.0

access-list INSIDE-NAT0 permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254

nat (inside) 0 access-list INSIDE-NAT0

Hope this helps

- Jouni
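As an added example (not code from the thread, from Jouni, or from Cisco), the following Python script applies the three checks listed in the answer to the configurations given there, and also reproduces the proxy-identity test behind the %PIX-4-402116 message quoted in the question. It understands only the `access-list NAME permit ip SRC DST` form used in this thread; the function names, the ACL names it takes as parameters and the `run_checks` scenarios are assumptions made for the example.

```python
"""Checker for the hub-and-spoke IPsec 'hairpin' discussed above.
Added example, not code from the thread or from Cisco.  It understands only
the 'access-list NAME permit ip SRC DST' form used in the thread (SRC/DST as
'host X' or 'NETWORK MASK') and ignores every other configuration line."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (source, destination) as written in the ACL

_ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+ip\s+"
    r"(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)$"
)


def _endpoint(token: str) -> Net:
    """'host 10.30.8.254' -> 10.30.8.254/32; '10.0.8.0 255.255.255.0' -> 10.0.8.0/24."""
    parts = token.split()
    if parts[0] == "host":
        return Net(parts[1] + "/32")
    return Net(f"{parts[0]}/{parts[1]}")  # ipaddress accepts a dotted netmask


def parse_acls(config: str) -> Dict[str, List[Pair]]:
    """Map ACL name -> list of (src, dst) networks, in configuration order."""
    acls: Dict[str, List[Pair]] = {}
    for line in config.splitlines():
        m = _ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(
                (_endpoint(m.group(2)), _endpoint(m.group(3))))
    return acls


def mirror_mismatch(hub: List[Pair], spoke: List[Pair]) -> Set[Pair]:
    """Crypto ACLs must be exact mirrors: every hub (src, dst) must appear on the
    spoke as (dst, src).  Returns the offending pairs in the hub's orientation."""
    return set(hub) ^ {(d, s) for s, d in spoke}


def inner_packet_matches_sa(local_proxy: str, remote_proxy: str, src: str, dst: str) -> bool:
    """The test behind %PIX-4-402116: after decapsulation, an inbound packet's source
    must fall inside the SA's remote proxy and its destination inside the local proxy."""
    return (ipaddress.IPv4Address(src) in Net(remote_proxy)
            and ipaddress.IPv4Address(dst) in Net(local_proxy))


def check_hairpin(hub_cfg: str, hub_acl_a: str, hub_acl_b: str,
                  spoke_a_cfg: str, spoke_b_cfg: str, spoke_acl: str,
                  a_net: str, b_net: str) -> List[str]:
    """Apply the three checks from the answer; an empty list means the A<->B
    hairpin through the hub is permitted by the crypto and NAT configuration."""
    problems: List[str] = []
    a, b = Net(a_net), Net(b_net)
    hub = parse_acls(hub_cfg)
    # 1. traffic must be allowed to enter and leave the same (outside) interface
    if "same-security-traffic permit intra-interface" not in hub_cfg:
        problems.append("hub: 'same-security-traffic permit intra-interface' is missing")
    # 2. hub and spoke crypto ACLs must mirror each other for both tunnels
    for acl_name, spoke_cfg, label in ((hub_acl_a, spoke_a_cfg, "A"), (hub_acl_b, spoke_b_cfg, "B")):
        spoke = parse_acls(spoke_cfg).get(spoke_acl, [])
        for s, d in sorted(mirror_mismatch(hub.get(acl_name, []), spoke), key=str):
            problems.append(f"site {label}: crypto ACL entry {s} -> {d} has no mirror on the other peer")
    # 3. the hub must exempt the spoke-to-spoke flow from NAT on its outside interface
    m = re.search(r"nat \(outside\) 0 access-list (\S+)", hub_cfg)
    exempt = set(hub.get(m.group(1), [])) if m else set()
    for s, d in ((a, b), (b, a)):
        if (s, d) not in exempt:
            problems.append(f"hub: outside NAT0 does not exempt {s} -> {d}")
    return problems


# The configurations from the answer above (central PIX, Site A, Site B).
HUB_CFG = """
same-security-traffic permit intra-interface
access-list SITE-A-CRYPTOMAP permit ip 10.0.8.0 255.255.255.0 host 10.30.8.254
access-list SITE-A-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
access-list SITE-B-CRYPTOMAP permit ip 10.0.8.0 255.255.255.0 10.138.34.16 255.255.255.240
access-list SITE-B-CRYPTOMAP permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
access-list OUTSIDE-NAT0 permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
access-list OUTSIDE-NAT0 permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
nat (outside) 0 access-list OUTSIDE-NAT0
"""
SITE_A_CFG = """
access-list CENTRAL-SITE-CRYPTOMAP permit ip host 10.30.8.254 10.0.8.0 255.255.255.0
access-list CENTRAL-SITE-CRYPTOMAP permit ip host 10.30.8.254 10.138.34.16 255.255.255.240
"""
SITE_B_CFG = """
access-list CENTRAL-SITE-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 10.0.8.0 255.255.255.0
access-list CENTRAL-SITE-CRYPTOMAP permit ip 10.138.34.16 255.255.255.240 host 10.30.8.254
"""


def run_checks() -> dict:
    """Run the checker on the answer's configs, on the same hub without the
    intra-interface command, and on the inner packet from the log in the question."""
    args = ("SITE-A-CRYPTOMAP", "SITE-B-CRYPTOMAP", SITE_A_CFG, SITE_B_CFG,
            "CENTRAL-SITE-CRYPTOMAP", "10.30.8.254/32", "10.138.34.16/28")
    no_hairpin = HUB_CFG.replace("same-security-traffic permit intra-interface\n", "")
    return {
        "as_posted": check_hairpin(HUB_CFG, *args),
        "without_intra_interface": check_hairpin(no_hairpin, *args),
        # the log: SA proxies 10.0.8.0/24 <-> 10.30.8.254/32, inner packet 10.30.8.254 -> 10.138.34.21
        "logged_packet_on_sitex_sa": inner_packet_matches_sa(
            "10.0.8.0/24", "10.30.8.254/32", "10.30.8.254", "10.138.34.21"),
        "logged_packet_on_siteb_sa": inner_packet_matches_sa(
            "10.138.34.16/28", "10.30.8.254/32", "10.30.8.254", "10.138.34.21"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The mirror check is the one most often missed: a crypto ACL entry on the hub without its reversed twin on the spoke means the spoke will send the Site B traffic through whatever SA it already has (in the question, the one negotiated for 10.0.8.0/24), and the hub drops it with exactly the proxy mismatch shown in the log.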

Perfect.

same-security-traffic permit intra-interface

was the command required.

Thanks
