
PIX-to-PIX VPN problem

james.watson
Level 1

Hello -

Has anyone had problems like this before?

Simple site-to-site VPN with two PIX 515E's. Code 6.3(3).

The tunnel can be established from either direction (i.e. it shows as QM_IDLE). However, no traffic will pass until the hosts on each end have tried to communicate.

So, for example:

A pings B

Tunnel establishes.

A pings B again - no response.

B pings A - ping response ok.

A pings B - ping response ok.

Any ideas?

Thanks.

James

3 Replies

Patrick Iseli
Level 7

Check whether these two access-lists are identical on both PIXes:

PIX(config)# access-list NONAT permit ip Internalnet ISubnet Externalnet Esubnet
PIX(config)# nat (inside) 0 access-list NONAT
PIX(config)# access-list VPN permit ip Internalnet ISubnet Externalnet ESubnet
PIX(config)# crypto map REMOTE 10 match address VPN

Sincerely,

Patrick
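A small checker for the comparison Patrick asks for, added here as an example (it is not code from this thread or from Cisco). It assumes the ACL names NONAT and VPN from his reply, the PIX 6.x network-mask syntax, and two constructed sample configs for the peers; the nat 0 check is only meaningful when nat 0 references an ACL.

```python
import ipaddress
import re
# Constructed configs for two PIX 515E peers (sample data, not from the thread).
PIX_A = """
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
access-list VPN permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map REMOTE 10 match address VPN
"""
PIX_B = """
access-list NONAT permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
access-list VPN permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map REMOTE 10 match address VPN
"""
ACE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")

def _nets(tokens):
    """Yield networks from 'host A' or 'A MASK' tokens (PIX 6.x uses a netmask, not a wildcard)."""
    while tokens:
        a, b, tokens = tokens[0], tokens[1], tokens[2:]
        yield ipaddress.ip_network(b + "/32" if a == "host" else f"{a}/{b}", strict=False)

def parse_acl(config, name):
    """Return the (src, dst) network pairs of the named permit-ip ACL."""
    entries = []
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == name:
            src, dst = _nets(m.group(2).split())
            entries.append((src, dst))
    return entries

def is_mirror(acl_local, acl_peer):
    """The peer's crypto ACL must be the exact mirror image (src and dst swapped)."""
    return set(acl_local) == {(d, s) for s, d in acl_peer}

def nonat_covers(nonat, vpn):
    """Every VPN (src, dst) pair must sit inside some entry of the nat 0 ACL."""
    return all(any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)
               for s, d in vpn)

def check_peers(cfg_a, cfg_b):
    vpn_a, vpn_b = parse_acl(cfg_a, "VPN"), parse_acl(cfg_b, "VPN")
    return {"vpn_mirrored": is_mirror(vpn_a, vpn_b),
            "nonat_a_ok": nonat_covers(parse_acl(cfg_a, "NONAT"), vpn_a),
            "nonat_b_ok": nonat_covers(parse_acl(cfg_b, "NONAT"), vpn_b)}
```

A crypto ACL on one peer that covers a different subnet than its mirror on the other is the classic cause of one-directional traffic after Phase 1 completes.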

Patrick -

Thanks for the reply.

NAT is disabled with nat (inside) 0 0.0.0.0 0.0.0.0 rather than defining an ACL for encrypted traffic. Would that be the problem?

Thanks,

James

No, the VPN access-list defines which traffic is encrypted. If no VPN access-list is defined, all traffic will be sent, NAT 0, through the VPN tunnel.

Is the IPSEC part OK, or is just ISAKMP "Phase I" working?