08-19-2008 03:45 PM
Hello,
We have configured an IPsec tunnel between a PIX and a Check Point peer on the other end (206.201.227.92). The tunnel comes up fine (phase 1 & 2). But when the other end tries to FTP to our server 209.216.213.149 (for that matter, any traffic), I see packets coming through the tunnel and hitting our server (tcpdump); however, none of the traffic goes back from the server into the tunnel to the other end. To confirm the issue, I cleared the SAs and generated traffic from the FTP server to the client's end; my PIX doesn't even try to negotiate ISAKMP, and "show crypto isakmp sa" / "show crypto ipsec sa" are blank. Do you see anything wrong with my configuration?
Any help will be appreciated.
08-19-2008 10:25 PM
I can't see the attachment.
Anyway,
first check if you have made the NAT exemption, AKA nat 0!
If your LAN is 192.168.1.0/24
and the remote LAN is 172.16.1.0/24,
do the following:
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
then
nat (inside) 0 access-list 100
assuming that your inside network (the source where the FTP server is located) is named inside; maybe it is DMZ, whatever, just change the name based on your config.
Good luck.
Please rate if helpful.
08-20-2008 01:08 AM
Another thing to check is proper routing:
- A proper route on the FTP server to send the traffic towards the FW.
- A route on the firewall towards the outside interface for the remote LAN subnet.
08-20-2008 05:44 AM
Dhananjoy,
Thanks for your response. Yes, the other end is receiving packets when initiated from our FTP server, BUT the traffic is clear text and NOT through the IPsec tunnel. Any idea what is going on?
08-20-2008 05:42 AM
Marwanshawi,
Thanks a ton for your response. I don't know why you are not able to view the attachment. I can send you the config to your e-mail ID, if you wish.
Yes, nat 0 and the access-list are already in place. Since the client has a policy of accepting only routable IPs, we had to NAT our FTP server using
static (inside,outside) NAT_IP REAL_IP_of_FTP_server. I don't know why even then none of the traffic is going through the tunnel.
08-20-2008 08:12 AM
Hi,
Your crypto ACLs and nat 0 statements are all host to host; check whether the FTP server IP is included or not.
08-20-2008 08:18 AM
Yes, I think I already have the ACL and nat 0 for the server:
access-list outside_cryptomap_150 permit ip host 209.216.213.149 host 206.201.227.240
access-list inside_outbound_nat0_acl permit ip host 209.216.213.149 host 206.201.227.240
.149 being our FTP server.
08-20-2008 12:23 PM
You can't nat exempt an address which is already nat'd. You don't need to nat exempt 209.216.213.149. Also, if you do nat exempt it, your crypto access list should not contain the 209 address, as it won't be 209 when it goes over the tunnel.
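The point raised in the reply above (an exempted host keeps its real address, so the crypto ACL must match the real address, while a host that is only statically translated is seen by the crypto map under its mapped address) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the host-to-host `static`, `access-list`, `nat 0` and `crypto map ... match address` lines in the PIX 6.x syntax used in this thread, assumes the PIX/ASA NAT order of operations in which nat 0 exemption is evaluated ahead of static translation, and reports whether any crypto ACL matches the address the traffic actually carries. The addresses are constructed RFC 5737 documentation values, not the addresses from the thread.

```python
"""Consistency check between PIX 'nat 0' exemption, static NAT and crypto ACLs.

Added example (not from the thread or from Cisco). Only the host-to-host
'access-list NAME permit ip host A host B' form is parsed. Assumption: nat 0
exemption takes precedence over a static translation for the same real host.
"""
import re
from collections import defaultdict

# Constructed sample (RFC 5737 addresses): the FTP server's real address is
# 192.0.2.10, it is statically translated to 203.0.113.149, and the remote peer
# host is 198.51.100.240. The crypto ACL references the mapped address while the
# nat 0 ACL exempts the real one, which is the mismatch described in the reply.
BROKEN_CONFIG = """\
static (inside,outside) 203.0.113.149 192.0.2.10 netmask 255.255.255.255
access-list inside_outbound_nat0_acl permit ip host 192.0.2.10 host 198.51.100.240
access-list outside_cryptomap_150 permit ip host 203.0.113.149 host 198.51.100.240
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 150 match address outside_cryptomap_150
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)")


def parse_pix(text):
    """Return (statics real->mapped, acls name->[(src, dst)], nat0 ACL name, crypto ACL names)."""
    statics, acls, nat0, crypto = {}, defaultdict(list), None, []
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            # static (real_if,mapped_if) MAPPED REAL: the real address is the 4th token
            statics[m.group(4)] = m.group(3)
        elif m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(2)
        elif m := CRYPTO_RE.match(line):
            crypto.append(m.group(1))
    return statics, dict(acls), nat0, crypto


def check_host(text, real_ip, peer_ip):
    """Work out the source address that traffic from real_ip carries into the
    crypto map and whether any crypto ACL matches it. Returns a result dict."""
    statics, acls, nat0, crypto = parse_pix(text)
    exempted = nat0 is not None and (real_ip, peer_ip) in acls.get(nat0, [])
    # An exempted host keeps its real address; otherwise the static mapped
    # address (if any) is what the crypto ACL is evaluated against.
    on_wire = real_ip if exempted else statics.get(real_ip, real_ip)
    crypto_ok = any((on_wire, peer_ip) in acls.get(name, []) for name in crypto)
    findings = []
    if exempted and real_ip in statics:
        findings.append(f"{real_ip} is both nat-0 exempted and statically "
                        f"translated to {statics[real_ip]}; the exemption wins")
    if not crypto_ok:
        findings.append(f"no crypto ACL matches {on_wire} -> {peer_ip}; "
                        "this traffic would leave in the clear, not via the tunnel")
    return {"exempted": exempted, "on_wire": on_wire,
            "crypto_ok": crypto_ok, "findings": findings}


# Corrected variant: the crypto ACL references the real (exempted) address.
FIXED_CONFIG = BROKEN_CONFIG.replace("permit ip host 203.0.113.149",
                                     "permit ip host 192.0.2.10")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        result = check_host(cfg, "192.0.2.10", "198.51.100.240")
        print(label, result)
```

Running it against the broken sample reports that the host is exempted, that the on-wire address is the real one, and that no crypto ACL matches it; against the corrected variant the crypto check passes, leaving only the warning that both an exemption and a static exist for the same host.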
08-20-2008 01:58 PM
The issue is resolved now. Actually, the issue was that my Linux box had dual NICs: one was connected to the PIX and the other was connected to a different network altogether. So basically traffic was entering through the IPsec tunnel and reaching our FTP server, but return traffic was going out through the second NIC (different network), so two-way communication was not happening even though the tunnel was up. I added a route manually with the route add command on the Linux FTP server and forced the traffic going to the other end to take the route via the PIX.
One thing is for sure: I can't thank you all enough for your inputs, without which I would not have resolved this issue.
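The root cause in the final post, a dual-homed server whose return traffic follows the default route out of the other NIC, is easy to spot by asking which route the host would pick for the remote peer and comparing it with the interface that faces the firewall. The following is an added example, not code from the thread: it parses the text form of `ip route show` output (a constructed sample, with made-up interface names and RFC 5737 / RFC 1918 addresses) and resolves a destination by longest-prefix match, the same selection the kernel performs. The `fix_command` helper is an assumption that the fix the author applied with `route add` corresponds to a host route via the firewall's inside address, written here in iproute2 syntax.

```python
"""Detect asymmetric return routing on a dual-homed Linux host.

Added example (not from the thread). Parses 'ip route show' text and picks the
route the kernel would use for a destination by longest-prefix match.
"""
import ipaddress
import re

# Constructed routing table: eth0 faces the firewall (gateway 192.0.2.1), eth1
# is a second network whose gateway 10.20.0.1 holds the default route, so any
# destination not covered by a more specific route leaves via eth1.
SAMPLE_ROUTES = """\
default via 10.20.0.1 dev eth1
10.20.0.0/16 dev eth1 proto kernel scope link src 10.20.0.5
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
"""

# Matches "default via GW dev IF", "PREFIX via GW dev IF" and "PREFIX dev IF ..."
ROUTE_RE = re.compile(r"^(default|\S+)(?: via (\S+))? dev (\S+)")


def parse_routes(text):
    """Return a list of (network, gateway-or-None, interface) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
        # A bare host entry such as "198.51.100.240 via ..." becomes a /32.
        net = ipaddress.ip_network(prefix, strict=False)
        routes.append((net, m.group(2), m.group(3)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns (gateway or None, interface), or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def return_path_ok(route_text, peer_ip, firewall_if):
    """True when traffic to peer_ip would leave through the firewall-facing NIC."""
    chosen = lookup(parse_routes(route_text), peer_ip)
    return chosen is not None and chosen[1] == firewall_if


def fix_command(peer_ip, firewall_gw):
    """Host route forcing the peer's traffic back through the firewall
    (assumed equivalent of the author's manual 'route add', in iproute2 form)."""
    return f"ip route add {peer_ip}/32 via {firewall_gw}"


if __name__ == "__main__":
    peer = "198.51.100.240"   # constructed remote peer host
    if not return_path_ok(SAMPLE_ROUTES, peer, "eth0"):
        print("return traffic to", peer, "bypasses the firewall:",
              lookup(parse_routes(SAMPLE_ROUTES), peer))
        print("suggested fix:", fix_command(peer, "192.0.2.1"))
```

With the sample table the peer resolves to the default route on eth1, which is exactly the symptom in the thread: packets arrive through the tunnel but replies never reach the PIX. Appending the host route that `fix_command` prints makes the lookup select eth0 via 192.0.2.1.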