Traffic only going 1 way?

documart2606
Level 1

I have a site-to-site VPN between a Cisco 1941 Router and a Watchguard XTM22 Router.

The tunnel is up, and from the side with the Watchguard Router, I have full access to the LAN on the Cisco 1941 side.

However, I cannot access any of the devices on the LAN on the Watchguard side.

If you had to guess, which router would you say is causing the problem? I really don't know where to start looking.

Your help is greatly appreciated.

Keith



raga.fusionet
Level 4

Keith,

If the tunnel is up then you are most likely facing a routing issue. What is the default gateway for the Watchguard site, and for the Cisco site?

Also, you might want to check if the Cisco Router is encrypting packets when you initiate traffic from that side to the Watchguard side. In order to do this you can clear the SA counters with a "clear crypto sa counters" (you can also clear not only the counters but the whole tunnel with a "clear crypto ipsec sa") and then issue a "show crypto ipsec sa". If you see packets being encrypted but not decrypted then the problem is on the other side (likely a routing problem). If you don't see packets being encrypted then the problem is on the Cisco side.

I hope this helps. Let us know how it goes.

Regards

Luis Raga

The command to clear the whole tunnel would be "clear crypto sa". Sorry.
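The encaps/decaps check Luis describes, as an added example that is not part of the original thread and not Cisco's code: a small Python script that pulls the per-SA counters out of a captured "show crypto ipsec sa" and applies his rule (encrypted but never decrypted points at the far side, nothing encrypted points at the Cisco side, both counters rising means the tunnel carries traffic and the problem is past IPsec). The procedure assumed is the one in the post: clear the counters, send test traffic from the LAN, then capture the show command. The sample output, peer addresses, crypto map name and counter values are constructed for the example, not taken from Keith's router.

```python
"""Classify one-way site-to-site IPsec traffic from IOS "show crypto ipsec sa" counters.

Added example for the troubleshooting steps in the thread; not code from the
original post or from Cisco. SAMPLE_OUTPUT is constructed to resemble IOS output
for the thread's subnets; the peers, map name and counter values are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: two SAs, one that only sends (42/0) and one that sends and receives (17/17).
SAMPLE_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 203.0.113.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.12.0/255.255.255.0/0/0)
   current_peer 198.51.100.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
    #send errors 0, #recv errors 0
"""

# One IPsec SA block: the two proxy identities followed by the two counters that matter here.
SA_RE = re.compile(
    r"local\s+ident\s*\(addr/mask/prot/port\):\s*\((?P<local>[\d.]+/[\d.]+)/\d+/\d+\)"
    r".*?remote\s+ident\s*\(addr/mask/prot/port\):\s*\((?P<remote>[\d.]+/[\d.]+)/\d+/\d+\)"
    r".*?#pkts encaps:\s*(?P<encaps>\d+)"
    r".*?#pkts decaps:\s*(?P<decaps>\d+)",
    re.DOTALL,
)


@dataclass
class SaCounters:
    local: str    # local proxy identity, e.g. "10.10.10.0/255.255.255.0"
    remote: str   # remote proxy identity
    encaps: int   # packets this router encrypted and sent into the tunnel
    decaps: int   # packets this router received from the tunnel and decrypted


def parse_sa_counters(show_output: str) -> list[SaCounters]:
    """Extract (local, remote, encaps, decaps) for every SA in the command output."""
    return [
        SaCounters(m["local"], m["remote"], int(m["encaps"]), int(m["decaps"]))
        for m in SA_RE.finditer(show_output)
    ]


def diagnose(sa: SaCounters) -> str:
    """Apply the encaps/decaps heuristic from the thread to one SA.

    Assumes the counters were cleared ("clear crypto sa counters") right before
    the test traffic was sent, so they reflect only that traffic.
    """
    if sa.encaps == 0 and sa.decaps == 0:
        return "local"          # nothing encrypted: traffic never hit the crypto map on this router
    if sa.encaps > 0 and sa.decaps == 0:
        return "remote"         # we encrypt, nothing comes back: routing/policy on the far side
    if sa.encaps == 0 and sa.decaps > 0:
        return "local-return"   # far side sends, we never answer: local routing/NAT for the return path
    return "beyond-tunnel"      # both directions counted: the tunnel works, look at the end hosts


def report(show_output: str) -> dict[str, str]:
    """Map each remote proxy identity to its diagnosis."""
    return {sa.remote: diagnose(sa) for sa in parse_sa_counters(show_output)}


if __name__ == "__main__":
    for sa in parse_sa_counters(SAMPLE_OUTPUT):
        print(f"{sa.local} -> {sa.remote}: encaps={sa.encaps} decaps={sa.decaps} => {diagnose(sa)}")
```

In practice you paste the real command output into a file and feed it to parse_sa_counters instead of SAMPLE_OUTPUT. Keith's case (equal encaps and decaps) lands in the "beyond-tunnel" bucket, which is why the next step in the thread moves from the routers to the hosts.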

Luis,

Thank you for attempting to help me with this issue.

I cleared the whole tunnel, then sent traffic and it encrypted and decrypted the exact same number of packets.

Could there be something wrong with the access lists?

I have mapped server drives located on the Cisco side onto workstations on the Watchguard side with no problem. However, I am having no luck getting onto the LAN on the Watchguard side.

Here is what I think pertains to that tunnel from the Cisco running config.

access-list 104 deny   ip 10.10.10.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 117 remark CCP_ACL Category=0
access-list 117 permit ip 10.10.12.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 119 remark CCP_ACL Category=4
access-list 119 remark IPSec Rule
access-list 119 permit ip 10.10.10.0 0.0.0.255 10.10.12.0 0.0.0.255
access-list 120 remark CCP_ACL Category=0
access-list 120 permit ip 10.10.12.0 0.0.0.255 10.10.10.0 0.0.0.255

Keith,

Packets encrypted and decrypted usually means that the traffic is making it through the tunnel, so I don't think you have an ACL issue. In any case you forgot to mention where you are applying each ACL. I assume one of them is for the crypto map and the other one is for NAT, but I can't tell about the other two.

Now, when you say that you are having no luck getting onto the LAN on the Watchguard side, what exactly are you trying to do? Mapping a drive? Pinging a host?

Also, from the Cisco LAN can you ping the inside interface of the WatchGuard? Can you ping any other host on that LAN?

Thanks,

Luis

Luis,

I think you are right that there isn't a problem with the tunnel or the ACLs.

I was trying to map a drive so that we can back up our point-of-sale software off-site.

I can ping the inside interface of the Watchguard from the Cisco LAN.

I realized that I cannot ping the host I am trying to reach from the Watchguard.

I shut down the Windows firewall, but that hasn't helped either. I have to go back over to that office today and see if there is anything else installed on that workstation. It appears to be a problem with the Windows Vista machine over there, as I was able to ping a Macintosh laptop on the wireless LAN.

Thanks for the assistance!

It looks like you said the magic words "Windows Vista".

I'm glad I was able to help.

Have fun!