cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2527
Views
0
Helpful
10
Replies

Site-to-Site VPN Cisco PIX with Cisco Router

fadi4alpha
Level 1
Level 1

Dear All

We are trying to establish VPN tunnel between UAE(PIX) and Egypt(IOS) but we are facing the following problem when we ping from UAE(Internal Network) to Egypt (Internal Network)

Note: In this phase the tunnel is up for both Phase1 and Phase2

  1. The UAE Firewall encrypt the Packet and send it to Egypt IOS Router
  2. Egypt IOS router de-crypt the packet and send it to end host
  3. Egypt End host receive the packet from UAE end host
  4. Egypt End host send the reply packet to UAE end host
  5. Egypt IOS router encrypt the reply packet and after that we don't know what will happen to this packet but it did't reach to UAE firewall.

so please advice us since we are troubleshooting this issue from one week ago.

Thanks in Advance

10 Replies 10

Hi,

So, we know the PIX encrypts the traffic and the IOS receive those packets.

Also, the IOS encrypts the packets, but the PIX don't receive them.

What happens if you do the following test:

1. Clear the tunnel on both ends

2. Initiate traffic from the IOS LAN

3. You will see the tunnel established and packets being sent by the IOS and packets being received by the PIX?

4. Please post the status of the ''sh cry ips sa'' at this point on both sides.

Federico.

Dear Federico

We did that and when we initiate the tunnel from IOS router the tunnel is established.

and in "show crypto ipsec sa" output it show the following if we send 4 ICMP from IOS Router Side:

Show crypto ipsec sa - IOS router

it will show 4 packet encrypted

Show crypto ipsec sa - Firewall

It will show 0 packet decrepted

                 0 packet encrypt

Please let me know if you want any more information ?

So the IOS is sending the VPN packets, but those packets are not reaching the PIX.

What behavior do you get if you again clear the tunnel, but this time initiate the tunnel from the PIX LAN, and check the ''sh cry ips sa''

It sounds like something is blocking ESP from reaching the PIX, but please post the results of the above test.

Federico.

If I initiate the tunnel from the pix LAN (4 ICMP packet)I will see 4 packet encrypted and i will not see any thing decrepted.

but I am wondering if something is blocking ESP so how the tunnel is established.

Thanks Federico for your help and I am waiting for your reply.

The tunnel gets established using ISAKMP UDP port 500.
So the tunnel will get established even if ESP is being blocked.


The consequences of ESP being blocked is that traffic is not going to flow properly through the tunnel.

The weird thing is this:
The tunnel does get established.
But the encrypted packets from one end, does not reach the other end.


If you initiate the tunnel from any side, the other side does not show decrypted packets.

Have you checked the routing properly?

Federico.

Dear Federico

after the tunnel get established PIX LAN can send the ICMP Echo Request packet but he can't receive so I think the ESP is not blocked

we enabled the revers route for this tunnel and we can see the the route in IOS routing table for PIX LAN and pointing to the PIX IP address so I think that the routing is fine as well.

Is this a regular IPsec Site-to-Site configuration between the PIX and the IOS or some sort of EzVPN?

The interesting thing is why the ESP packets don't reach the PIX or router (when initiated from the other side).

If  you can I would suggest the following test:

Configure an IPsec VPN client connection to both the PIX and the IOS and check if it can connect and pass traffic. This will let us know that there are no restrictions on receiving ESP packets on either end.

You can also enable an ACL that permits ESP packets applied inbound on the VPN interface of the IOS.

Check if that ACL is incrementing the hitcounts when packets are being sent from the PIX.

If nothing from the above works, or if you get other results, can you please post the ''sh run'' from both ends?

Federico.

Dear Federico

PIX firewall is configured already with other L2L VPN,EZY VPN and remote access VPN and all of them are working fine.

I will configure the access-list and i will inform you about the results but I want to confirm that the packet is going from one way only (from PIX LAN to IOS LAN but not in the opposite direction)

Thanks a lot for your help

Ok, traffic is flowing from the PIX to the router.

But on a previous post you said:

''We did that and when we initiate the tunnel from IOS router the tunnel is established.

and in "show crypto ipsec sa" output it show the following if we send 4 ICMP from IOS Router Side:

Show crypto ipsec sa - IOS router

it will show 4 packet encrypted''

So, I thought that when you send traffic from the IOS side, you saw packets encrypted on the IOS side (but now you mentioned that's not the case)

No packets are encrypted when initiated traffic from the IOS LAN then?

If this is so, the problem is on the IOS device.

Could you post the configuration?

Federico.

Dear Federico

Yes, I saw packets encrypted on the IOS side but it didn't reach to PIX

Today we are off in Dubai so I will send you the config soon.

Thanks