08-03-2008 10:27 PM
Hi,
My site-to-site VPN is not working..
I'm not able to ping the remote network, but remote people are able to ping my network. The VPN comes up when remote users initiate the session.
The network setup is as given below.
My local network is PATed to 1.1.1.5.
VPN traffic is between 1.1.1.5 & the remote segment.
Can someone help me on this...
regards
Rajesh P
08-03-2008 11:13 PM
You are missing the NAT exemption
nat 0
Also, access-list 12
should be sourced from your LAN to the remote LAN,
not from the PIX IP address itself.
For NAT exemption,
make an ACL from your LAN to the remote LAN.
Let's say
access-list 100 permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
nat (inside) 0 access-list 100
Also use the same form of this ACL instead of the ACL 12 you have.
In the above example 10.1.1.0/24 is your local LAN
and 20.1.1.0/24 the remote LAN.
Good luck
Please rate if helpful
08-03-2008 11:24 PM
Hi team,
It's a PIX firewall and not a router..
Moreover, 1.1.1.5 is the PAT IP...
Please find the below....
nat (intf5) 2 access-list 95 0 0
global (outside) 2 1.1.1.5
The client wants to include NATed traffic to pass through the VPN tunnel.
Hence we cannot use
ACL ID permit ip local_net remote_net
Please help...
08-03-2008 11:26 PM
Client wants to hide the below networks...
access-list 95 permit ip 192.168.27.0 255.255.255.0 2.6.4.0 255.255.255.0
access-list 95 permit ip 192.168.29.0 255.255.255.0 2.6.4.0 255.255.255.0
access-list 95 permit ip 192.168.28.0 255.255.255.0 2.6.4.0 255.255.255.0
access-list 95 permit ip 192.168.27.0 255.255.255.0 2.7.4.0 255.255.255.0
access-list 95 permit ip 192.168.29.0 255.255.255.0 2.7.4.0 255.255.255.0
access-list 95 permit ip 192.168.28.0 255.255.255.0 2.7.4.0 255.255.255.0
access-list 95 permit ip 192.168.27.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list 95 permit ip 192.168.29.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list 95 permit ip 192.168.28.0 255.255.255.0 192.168.13.0 255.255.255.0
Hence they are doing the below..
access-list 12 permit ip host 1.1.1.5 2.6.4.0 255.255.255.0
access-list 12 permit ip host 1.1.1.5 2.7.4.0 255.255.255.0
access-list 12 permit ip host 1.1.1.5 192.168.13.0 255.255.255.0
Where,
nat (intf5) 2 access-list 95 0 0
global (outside) 2 1.1.1.5
Please help..
08-03-2008 11:31 PM
The above config makes the IP address 1.1.1.5 appear as the source of any traffic included in ACL 95 going from inside to outside!!!
08-04-2008 03:04 AM
Yes... source as 1.1.1.5..
But why can't I ping the remote IPs, or why does the VPN not come up.. Any idea??
08-04-2008 03:41 AM
As it's doing PAT, the remote side will be able to ping only my PAT IP, whereas from my side I should be able to ping the remote network (like 2.6.4.0 etc..), which is not happening..
The remote side will not be able to ping my network.. It's hidden by PAT.
I want to know why my VPN phase 1 itself does not come up...
Where do you suspect the problem?
Any good suggestions are appreciated..
regards
Rajesh P
08-04-2008 05:52 AM
08-05-2008 10:29 AM
Hi,
Thanks for the configuration attached!!
I have resolved this issue on my own..
I have re-configured the VPN with a different ID and now the VPN is working fine..
I will explain this to all....
There was a configuration in the firewall used for another VPN... (crypto map ID is 20)
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer 7.7.7.7
crypto map outside_map 20 set transform-set ESP-3DES-MD5
Our faulty VPN config is as below....
crypto map igsl 20 ipsec-isakmp
crypto map igsl 20 match address 12
crypto map igsl 20 set peer 5.5.5.5
crypto map igsl 20 set transform-set my_company
----x----
So, what I did is, I changed the config as below...
crypto map igsl 14 ipsec-isakmp
crypto map igsl 14 match address 12
crypto map igsl 14 set peer 5.5.5.5
crypto map igsl 14 set transform-set iGATE-OC
---xx--x--
We are not supposed to use nat zero here, as the client does not want this side's network to be exposed to the other side's network.. Only this side can access the remote side's network.. vice versa should not happen..
Now everything is working fine...
The issue has been resolved by myself.
Thanks to all who have participated in this session....
regards
Rajesh P
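As an added example (not from this thread, the poster's config or Cisco), a small Python lint that pulls `crypto map` entries out of a PIX config and reports the two things the fix above hinged on: an entry missing its match address, peer or transform-set, and a sequence number that appears under two crypto map names. The sample config is constructed from the lines posted in this thread; the shared-sequence finding goes away once the igsl entry is moved to sequence 14, as the post describes.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines posted above: two crypto maps both use sequence 20.
SAMPLE_CONFIG = """\
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set peer 7.7.7.7
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map igsl 20 ipsec-isakmp
crypto map igsl 20 match address 12
crypto map igsl 20 set peer 5.5.5.5
crypto map igsl 20 set transform-set my_company
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")

def parse_crypto_maps(config):
    """Return {(map_name, seq): {field: value}} for every crypto map entry."""
    entries = defaultdict(dict)
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        entry = entries[(name, seq)]  # created even for the bare "ipsec-isakmp" line
        if rest[:2] == ["match", "address"]:
            entry["acl"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry["peer"] = rest[2]
        elif rest[:2] == ["set", "transform-set"]:
            entry["transform"] = rest[2]
    return dict(entries)

def lint_crypto_maps(entries):
    """Flag entries missing a crypto ACL, peer or transform-set, and a
    sequence number that appears under more than one crypto map name."""
    findings = []
    for (name, seq), entry in sorted(entries.items()):
        for field in ("acl", "peer", "transform"):
            if field not in entry:
                findings.append(f"{name} {seq}: missing {field}")
    maps_by_seq = defaultdict(set)
    for name, seq in entries:
        maps_by_seq[seq].add(name)
    for seq, names in sorted(maps_by_seq.items()):
        if len(names) > 1:
            findings.append(f"sequence {seq} used by maps {', '.join(sorted(names))}")
    return findings
```

Run `lint_crypto_maps(parse_crypto_maps(open("pix.cfg").read()))` against a saved `show run` to get the list of findings.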