Velocity Reviews - Computer Hardware Reviews

PIX doesn't recognize interesting traffic.

professorguy, 09-18-2006
I have an isakmp shared secret:

isakmp key ******* address 27.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode

I have a 1 line access list:

access-list outside_cryptomap_20 permit ip host 192.168.111.111 host 27.2.2.2

I have this crypto map:

crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set peer 207.1.1.1
crypto map mymap 20 set transform-set BLAHBLAH

I then go to my local system 192.168.111.111 and try to telnet to 27.2.2.2. It doesn't work. The hit count of outside_cryptomap_20 sits at 0.

I understand that mismatches with the map or the isakmp stuff (e.g., wrong key) will result in the debug crypto stuff dumping all kinds of bad negotiation stuff. BUT I GET NOTHING. Obviously, the PIX doesn't see my telnet as 'interesting' and doesn't even attempt to setup the VPN. But why not?

Here are some other interesting nuggets of info:
This PIX has many site-to-site VPNs set up on it, several of which use my local 192.168.111.111 system as a source.
This PIX has client (remote session) VPNs set up (with several dozen up at any given moment).
This PIX is at the internet edge, it routes one hop inside to an edge router.


Any ideas?
swapnendu, 09-18-2006
You'll also have to add an entry "permit ip host 192.168.111.111 host 27.2.2.2" in the NO NAT access-list; that'll do the job for you. According to the current config, your traffic to 27.2.2.2 would be undergoing a NAT translation, and hence the PIX is not finding this traffic interesting.
professorguy, 09-18-2006
Sorry. Forgot to mention these 2 lines:

access-list 101 permit ip host 192.168.111.111 host 27.2.2.2

and

nat (inside) 0 access-list 101

And, of course, I have

access-list acl_egress permit ip host 192.168.111.111 host 27.2.2.2

which is applied inbound on the inside interface.

However, the PIX doesn't seem to see this traffic. In fact, the hit counts on the access lists above stay at 0 after the telnet attempt.
swapnendu, 09-19-2006
Your route to 27.2.2.2 from 192.168.111.111 should point to the PIX; I hope this is configured properly. Since 27.2.2.2 is a public IP address, check that your routing is OK and points to the PIX.

Is the "crypto map mymap interface outside" command configured? Can you post the config for us? Does "debug crypto isakmp" really have no output? What does "show crypto isakmp sa detail" say? Can you reach 207.1.1.1 from the PIX?
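The replies above boil down to a checklist of things that have to line up before the PIX treats a flow as interesting: a crypto ACL, a NAT-exempt (nat 0) ACL covering the same hosts, a peer with a matching isakmp key, a transform set, and the crypto map bound to an interface with ISAKMP enabled. The following is an added example, not code from the thread or from Cisco: a small static checker that parses those PIX 6.x commands and reports which dependency is missing. The sample config is constructed from the fragments posted in the thread; the key value, `isakmp enable outside` and the completed `set transform-set` line are assumptions, and the mismatch between the `isakmp key` address 27.1.1.1 and `set peer 207.1.1.1` is reproduced exactly as posted. The checker cannot see routing or live negotiation state, so the questions about the inside route and `debug crypto isakmp` still apply.

```python
"""Static consistency check for PIX 6.x site-to-site VPN fragments.

Added example, not code from the thread. Parses the commands the thread
discusses (isakmp key, access-list, nat 0, crypto map) and reports the
dependencies that must line up before a flow is treated as 'interesting'.
"""
import ipaddress
from collections import defaultdict

# Constructed from the fragments posted in the thread. Assumed: the key value,
# 'isakmp enable outside', and the transform-set line completed to full syntax.
# The 27.1.1.1 vs 207.1.1.1 mismatch is as posted; the 'crypto map mymap
# interface outside' binding the thread asks about is deliberately absent.
POSTED_CONFIG = """
isakmp enable outside
isakmp key SECRET address 27.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
access-list outside_cryptomap_20 permit ip host 192.168.111.111 host 27.2.2.2
access-list 101 permit ip host 192.168.111.111 host 27.2.2.2
nat (inside) 0 access-list 101
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set peer 207.1.1.1
crypto map mymap 20 set transform-set BLAHBLAH
"""

# Same config with the key bound to the peer actually used and the map applied.
FIXED_CONFIG = POSTED_CONFIG.replace("address 27.1.1.1", "address 207.1.1.1") + \
    "crypto map mymap interface outside\n"


def _addr(t, i):
    """Parse an ACL address at t[i] (any | host A | NET MASK); return (net, next)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse(config):
    """Collect keys, ACLs, nat 0 bindings, crypto map entries and bindings."""
    cfg = {"keys": {}, "acls": defaultdict(list), "nat0": {},
           "maps": defaultdict(dict), "map_iface": {}, "isakmp_ifaces": set()}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:2] == ["isakmp", "enable"]:
            cfg["isakmp_ifaces"].add(t[2])
        elif t[:2] == ["isakmp", "key"]:
            # isakmp key <key> address <peer> [netmask <mask>] ...
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            cfg["keys"][ipaddress.ip_network(f"{t[4]}/{mask}", strict=False)] = t[2]
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acls"][t[1]].append((t[2], t[3], src, dst))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["map_iface"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():
            e = cfg["maps"][t[2]].setdefault(int(t[3]), {})
            if t[4:6] == ["match", "address"]:
                e["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                e["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                e["transform"] = t[6:]
    return cfg


def check(cfg):
    """Return a list of findings; an empty list means the pieces line up."""
    out = []
    nat_exempt = [x for acl in cfg["nat0"].values() for x in cfg["acls"].get(acl, [])]
    for name, entries in cfg["maps"].items():
        iface = cfg["map_iface"].get(name)
        if iface is None:
            out.append(f"crypto map {name}: not applied to any interface")
        elif iface not in cfg["isakmp_ifaces"]:
            out.append(f"crypto map {name}: isakmp not enabled on {iface}")
        for seq, e in sorted(entries.items()):
            tag = f"crypto map {name} {seq}"
            peer = e.get("peer")
            if peer is None:
                out.append(f"{tag}: no peer set")
            elif not any(ipaddress.ip_address(peer) in net for net in cfg["keys"]):
                out.append(f"{tag}: peer {peer} has no matching isakmp key entry")
            if "transform" not in e:
                out.append(f"{tag}: no transform-set")
            acl = cfg["acls"].get(e.get("acl"))
            if not acl:
                out.append(f"{tag}: match address ACL {e.get('acl')} missing or empty")
                continue
            # Every permitted crypto-ACL pair must also be covered by a nat 0 ACL.
            for action, _proto, src, dst in acl:
                if action == "permit" and not any(
                        a == "permit" and src.subnet_of(s) and dst.subnet_of(d)
                        for a, _p, s, d in nat_exempt):
                    out.append(f"{tag}: {src} -> {dst} is not NAT-exempt (nat 0)")
    return out


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(parse(text)) or ["ok"])
```

Run against the posted fragments the checker reports two findings, the missing interface binding and the peer without a key; with the key moved to 207.1.1.1 and `crypto map mymap interface outside` added it reports none. Dropping the `nat (inside) 0` line from the fixed config reproduces the NAT-exemption gap described in the first reply.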