Hi,
We want to establish a remote access connection from a Microsoft Windows 2000 client to a PIX515. We have an access router in front of the PIX. This router is doing static NAT. When the remote client connects to the PIX directly, it establishes the IPsec connection and we are able to transmit ICMP packets and PPTP.
When we connect to the PIX going through the Cisco 2600, it establishes the security association but we can transmit neither ICMP nor PPTP packets to the remote client. The PIX decrypts packets but it doesn't encrypt any.
When I do a show crypto sa, I get the following:
local ident (addr/mask/prot/port): (195.53.117.57/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.87.222.149/255.255.255.255/0/0)
current_peer: 212.87.222.149:500
dynamic allocated peer ip: 0.0.0.0
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify 64
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.120.2, remote crypto endpt.: 212.87.222.149
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 78249b94
inbound esp sas:
spi: 0x9f4713ab(2672235435)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607993/28642)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x78249b94(2015665044)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4608000/28642)
IV size: 8 bytes
replay detection support: Y
Why don't I get any answer when I establish the IPsec connection through the router doing NAT, though the IPsec SA is created?
Any ideas?
Thanks in advance,
Regards,
Nuria
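
Added example (not part of the original post): a small Python parser for the `show crypto sa` text quoted above that pulls out the packet counters and the ident/endpoint addresses and reports what they show. The function names and the wording of the notes are this example's own; the sample is an excerpt of the posted output, and the notes are observations, not a diagnosis.

```python
import re

# Excerpt of the `show crypto sa` output quoted in the post above.
SAMPLE = """\
local ident (addr/mask/prot/port): (195.53.117.57/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (212.87.222.149/255.255.255.255/0/0)
current_peer: 212.87.222.149:500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 64, #pkts decrypt: 64, #pkts verify 64
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.120.2, remote crypto endpt.: 212.87.222.149
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Counters appear both as "#pkts encaps: 0" and as "#pkts digest 0" (no colon).
COUNTER = re.compile(r"#(pkts [a-z. ]+?|send errors|recv errors):? (\d+)")
IDENT = re.compile(r"^(local|remote) ident .*?: \(" + IP + "/", re.M)
ENDPT = re.compile(r"(local|remote) crypto endpt\.: " + IP)


def parse_sa(text):
    """Return counters, proxy identities and crypto endpoints from one SA block."""
    return {
        "counters": {name: int(val) for name, val in COUNTER.findall(text)},
        "ident": dict(IDENT.findall(text)),
        "endpt": dict(ENDPT.findall(text)),
    }


def observations(sa):
    """List what the counters and addresses show, without guessing a cause."""
    c, notes = sa["counters"], []
    if c.get("pkts decaps", 0) > 0 and c.get("pkts encaps", 0) == 0:
        notes.append("one-way SA: packets decapsulated inbound, none encapsulated outbound")
    for side in ("local", "remote"):
        ident, endpt = sa["ident"].get(side), sa["endpt"].get(side)
        if ident and endpt and ident != endpt:
            notes.append(f"{side} ident {ident} differs from {side} crypto endpt {endpt}")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        notes.append("send/recv errors are non-zero")
    return notes


if __name__ == "__main__":
    for note in observations(parse_sa(SAMPLE)):
        print(note)
```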