PIX to PIX IPSec - traffic not passed through

troyorr
Level 1

I've been struggling with getting a site to site VPN established using PIX 501s and IPSec. The tunnel seems to be established - I can ping one PIX from the other's console, but I can't ping from a local host to the remote PIX (or beyond). One PIX is attached to a cable modem and is required to use DHCP client on the outside interface to acquire a reserved IP (configuration attached). The other is attached to a Netopia DSL modem / router which has had NAT disabled and uses a static IP. Both sites have no problems accessing the Internet. The results of "show crypto isakmp sa" showed the destination and source addresses reversed from what I expected, but I'm not sure that's actually a problem. What am I overlooking?

6 Replies

jmia
Level 7

Troy,

Your IPSec phase 1 & 2 look good; in situations like this it would be good to see the debug output for crypto ipsec and crypto isakmp.

Troubleshooting Commands:

Note: The clear commands must be performed in configuration mode.

clear crypto ipsec sa – Resets the IPSec associations after failed attempts to negotiate a VPN tunnel.

clear crypto isakmp sa – Resets the ISAKMP security associations after failed attempts to negotiate a VPN tunnel.

Now in config mode:

debug crypto ipsec – Shows if a client is negotiating the IPSec portion of the VPN connection.

debug crypto isakmp – Shows if the peers are negotiating the ISAKMP portion of the VPN connection.

Ping from an internal host to an internal peer host and see what shows up.

You can either post the results here or, if you like, post to me at jmia@ohgroup.co.uk and I'll take a look.

Please make sure to take out any sensitive info, and also, if you have a busy network, I'd suggest you perform the debugs out of hours.

Jay.

Attached are the debug results - still looks OK to me. I'm wondering if I need to add an "icmp permit" statement to my config, but I don't want to open up icmp traffic to the world.

Troy,

I agree, the debug looks good, no issues. Mmmm, can you post up both PIX configs please (take out sensitive info)? You shouldn't need ICMP enabling to test the VPN, as you mentioned previously that you can ping from PIX to PIX.

Let me know.

Jay

Jay,

First off, thank you for your quick responses.

Attached are the two configs. The debug and diagnostic files were generated on PIX1.

Troy, forgot to add, have a read of the following document and see if this helps.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

Jay

Jay,

Thanks for the reference, but it doesn't seem applicable. Though the one PIX uses DHCP to acquire its reserved IP, it's always the same IP and can be configured on the other PIX as though it were static. When I do a "show int" the address and mask are reported as they would be if statically assigned, so I ASSUME (always a potential for failure) that the fact it's acquired via DHCP isn't a factor.

Also, traffic over the VPN needs to be bidirectional, so NAT/PAT needs to be excluded from the equation. E.g., hosts on segment 1 need to see the printer on segment 2 and vice versa.

And by the by, this is a test configuration for ultimately connecting some 20 satellite offices to the central office. But let's not go there just yet.
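The symptom in this thread (tunnel up, PIX-to-PIX ping works, host-to-host traffic does not) is the one a practitioner checks against the two things Troy's last post touches on: the crypto "interesting traffic" ACL has to mirror the peer's, and that same traffic has to be exempted from NAT/PAT with a `nat (inside) 0 access-list` entry, because a ping sourced from the PIX's own outside interface never passes through NAT while a host's ping does. Neither attached config is on the page, so the script below is an added example, not code from the thread or from Cisco: it parses constructed PIX 6.x-style config fragments (assumed, labelled as such) with simple regexes that only understand the `access-list NAME permit ip NET MASK NET MASK`, `nat (IF) 0 access-list NAME` and `crypto map NAME SEQ match address NAME` forms, and reports any crypto-ACL entry that is not mirrored on the peer or not covered by a nat 0 exemption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configs for illustration only (the thread's real attachments
# are not on the page). PIX2 deliberately lacks the nat 0 exemption.
PIX1_CFG = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn
crypto map mymap 10 set peer 203.0.113.2
crypto map mymap interface outside
"""

PIX2_CFG = """\
access-list vpn permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn
crypto map mymap 10 set peer 203.0.113.1
crypto map mymap interface outside
"""

# Same as PIX2_CFG with the NAT exemption added (the corrected form).
PIX2_FIXED_CFG = (
    "access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0\n"
    "nat (inside) 0 access-list nonat\n" + PIX2_CFG
)

# Only the simple 'permit ip' network/mask form is parsed (assumption of this example).
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

Pair = Tuple[str, str, str, str]  # (src_net, src_mask, dst_net, dst_mask)


def parse_acls(cfg: str) -> Dict[str, List[Pair]]:
    """Collect the (src, mask, dst, mask) entries of every named access-list."""
    acls: Dict[str, List[Pair]] = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2, 3, 4, 5))
    return acls


def crypto_acl_pairs(cfg: str) -> List[Pair]:
    """Entries of every ACL referenced by a 'crypto map ... match address'."""
    acls = parse_acls(cfg)
    pairs: List[Pair] = []
    for line in cfg.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            pairs.extend(acls.get(m.group(3), []))
    return pairs


def nat0_pairs(cfg: str) -> List[Pair]:
    """Entries of every ACL referenced by a 'nat (iface) 0 access-list' exemption."""
    acls = parse_acls(cfg)
    pairs: List[Pair] = []
    for line in cfg.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            pairs.extend(acls.get(m.group(2), []))
    return pairs


def mirror(p: Pair) -> Pair:
    """The entry the peer must carry: source and destination swapped."""
    return (p[2], p[3], p[0], p[1])


def check_site_to_site(cfg_a: str, cfg_b: str) -> List[str]:
    """Return findings (empty list means both checks pass on both sides)."""
    findings: List[str] = []
    crypto_a, crypto_b = crypto_acl_pairs(cfg_a), crypto_acl_pairs(cfg_b)
    nat_a, nat_b = nat0_pairs(cfg_a), nat0_pairs(cfg_b)
    for name, crypto, nat in (("PIX1", crypto_a, nat_a), ("PIX2", crypto_b, nat_b)):
        if not crypto:
            findings.append(f"{name}: no crypto map 'match address' ACL found")
        for p in crypto:
            if p not in nat:
                findings.append(
                    f"{name}: interesting traffic {p[0]}->{p[2]} is not exempted from NAT (nat 0)"
                )
    for p in crypto_a:
        if mirror(p) not in crypto_b:
            findings.append(f"crypto ACL mismatch: PIX1 {p[0]}->{p[2]} has no mirror on PIX2")
    for p in crypto_b:
        if mirror(p) not in crypto_a:
            findings.append(f"crypto ACL mismatch: PIX2 {p[0]}->{p[2]} has no mirror on PIX1")
    return findings


if __name__ == "__main__":
    for f in check_site_to_site(PIX1_CFG, PIX2_CFG) or ["no findings"]:
        print(f)
```

Run against the constructed pair it reports only that PIX2 is sending the 192.168.2.0 to 192.168.1.0 traffic through NAT; with `PIX2_FIXED_CFG` it reports nothing. The mirror test is deliberately strict (exact network and mask), since a crypto ACL that is wider on one side than the other is itself a common reason for phase 2 to negotiate for one direction only.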