Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4015
Views
0
Helpful
5
Replies

rec'd packet not an ipsec packet !

fzaynoun
Level 1
Level 1

‎02-08-2009 03:53 PM - edited ‎02-21-2020 04:09 PM

I am just trying to ping the outside interface after i made a vpn connection on my PIX515E. Ping works before applying the crypto map, but after, if i enable logging, the packet dropped and this is logged by :

pixfirewall(config)# 402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= xx.xxx.xxx.58, src_addr= xxx.xxx.xxx.59, prot= icmp

Here is my config:

**********************************************

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password T/t63Bt/WwztM4UV encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pixfirewall

domain-name starcall.com.sa

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1433

fixup protocol sqlnet 1521

access-list VPN permit ip host 10.1.2.118 host 10.1.1.15

access-list VPN permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list laptop permit ip host 10.1.2.118 host 10.1.1.15

access-list inbound permit tcp any host 10.1.2.118 eq www

access-list acl_site permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0

pager lines 24

logging on

logging console notifications

mtu outside 1500

mtu inside 1500

ip address outside xxx.xxx.xxx.58 255.255.255.248

ip address inside 192.168.10.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list VPN

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group inbound_ping in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.57 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

crypto ipsec transform-set myts esp-des esp-md5-hmac

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address acl_site

crypto map mymap 10 set transform-set myts

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address xxx.xxx.xxx.42 netmask 255.255.255.255

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:92e3874b367d5c1f699625c9697f77c4

: end

**********************************************

What is strange is that access list for crypto-map seems fine, i can't see what happening. Any help please.

Thanks

Labels:
0 Helpful
5 Replies 5

celiocarreto
Level 1
Level 1

‎02-09-2009 12:48 AM

Hi,

without the config from the other side we cannot help you.

Post the ipsec config from the other side.

Regards, Celio

0 Helpful

fzaynoun
Level 1
Level 1
In response to celiocarreto

‎02-09-2009 08:39 AM

There is no problem in VPN, in fact i didn't even tried VPN yet, the only thing i did is to connect my laptop to the outside interface and ping that interface. So you understand it is not a problem in VPN, just in ping the outside interface, i am not even trying to ping the inside from outside, just the outside interface from a PC attaced to it, and it doesn't work, strange. Any help is appreciated

0 Helpful

RAMACHANDRA R
Level 1
Level 1
In response to fzaynoun

‎02-09-2009 11:50 PM

Hi,

I Suggest you to Disable firewall in your PC/Laptop and Force Ethernet speed to Auto on both side, then you should be able to ping.

i have encounter the same problem with one of our customer PIX.

Regards

Rama

0 Helpful

fzaynoun
Level 1
Level 1
In response to RAMACHANDRA R

‎02-10-2009 07:22 AM

I'll give it a try, but it makes no sense :)

The problem seems like the firewall is getting the packet right on the outside interface; right src, dest, because it log it right, however, it looks like my firewall expect everything to be encrypted or something. My access-list is right, and a ping doesn't come under this access-list, so why it is flagged so as shown in the logging. this doesn't look complicated matter, also it is easy to repeat same as me, make a VPN map on a firewall, ping the outside interface, and here we are, ping fail !

0 Helpful

RAMACHANDRA R
Level 1
Level 1
In response to fzaynoun

‎02-11-2009 10:52 PM

Hi

The question what u have asked is to ping directly connecting your PC to Outside Interface of the PIX, ( provided your PC should be same segment IP address of Outside Interface)if your Firewall expecting traffic needs to be ipsec . then it is something to be done with ACL which you have applied on Outside interface

Please share your ACL details which you have applied to outside interface.

Regards

Rama

0 Helpful
Customers Also Viewed These Support Documents