Velocity Reviews - Computer Hardware Reviews

PIX 501

 
 
Fredrik
      05-24-2005
Hi
I have a problem getting a 2nd VPN tunnel from my PIX to work.
See info:
I get the tunnel "online" and I can see that it uses the right
access-list and so on, but I can't see any traffic through the tunnel.
The problem is between PIX 1 and PIX 2.

They run ver 6.3.1


PIX 1
----------------------------------------------

local ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
current_peer: 10.10.10.10 pix2 outside IP :500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 334, #pkts encrypt: 334, #pkts digest 334
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 4873, #recv errors 0

local crypto endpt.: 20.20.20.20 (pix1 outside IP), remote crypto endpt.: 10.10.10.10 (pix2 outside IP)
path mtu 1500, ipsec overhead 64, media mtu 1500
current outbound spi: 24933583

inbound esp sas:
spi: 0x5aedf9c5(1525545413)
transform: esp-aes-256 esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4608000/28420)
IV size: 16 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x24933583(613627267)
transform: esp-aes-256 esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607980/2841
IV size: 16 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:



sh cry isa sa
Total : 2
Embryonic : 0
dst                            src                            state    pending  created
20.20.20.20 (pix1 outside IP)  10.10.10.10 (pix2 outside IP)  QM_IDLE  0        1
30.30.30.30 (pix3 outside IP)  20.20.20.20 (pix1 outside IP)  QM_IDLE  0        2




PIX 2
--------------------------------------------

local ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
current_peer:20.20.20.20 pix1 outside IP :500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 6082, #pkts encrypt: 6082, #pkts digest 6082
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0

local crypto endpt.: 10.10.10.10 (pix2 outside IP), remote crypto endpt.: 20.20.20.20 (pix1 outside IP)
path mtu 1500, ipsec overhead 64, media mtu 1500
current outbound spi: 5aedf9c5

inbound esp sas:
spi: 0x24933583(613627267)
transform: esp-aes-256 esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4608000/28494)
IV size: 16 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x5aedf9c5(1525545413)
transform: esp-aes-256 esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607988/28490)
IV size: 16 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:






sh cry isa sa
Total : 3
Embryonic : 0
dst                            src                            state    pending  created
30.30.30.30 (pix3 outside IP)  10.10.10.10 (pix2 outside IP)  QM_IDLE  0        1
20.20.20.20 (pix1 outside IP)  10.10.10.10 (pix2 outside IP)  QM_IDLE  0        1
40.40.40.40 (pix4 outside IP)  10.10.10.10 (pix2 outside IP)  QM_IDLE  0        1
 
Walter Roberson
      05-24-2005
In article <(E-Mail Removed) >,
Fredrik <(E-Mail Removed)> wrote:
:I have a problem getting a 2nd VPN tunnel from my PIX to work.
:See info:
:I get the tunnel "online" and I can see that it uses the right
:access-list and so on, but I can't see any traffic through the tunnel.

Have you done a clear ipsec sa since you last modified the
crypto map or the ACL that controls the tunnel? PIX 6.3 doesn't
put tunnels fully into effect until you do the clear, even though
it will *look* like it did (e.g., by forming security associations).

:They run ver 6.3.1

You should update that to 6.3(4)110 to avoid the known security
problems. The update from 6.3(1) is free even if you have no support
contract: search the Cisco web site for "PIX Security Advisories"
for details.
--
Are we *there* yet??
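The counter pattern in Fredrik's output (encaps climbing on both peers while decaps stays at 0, plus thousands of send errors on PIX 1) is what to compare before and after the clear ipsec sa Walter suggests. Below is an added example, not code from either poster, that parses the relevant fields of a PIX 6.3 "show crypto ipsec sa" listing from both peers and reports the mismatches; the sample text is constructed from the numbers in this thread.

```python
import re
# Constructed samples modelled on the counters posted in this thread (not live captures).
PIX1_SA = """\
local ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
#pkts encaps: 334, #pkts encrypt: 334, #pkts digest 334
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 4873, #recv errors 0
current outbound spi: 24933583
inbound esp sas:
spi: 0x5aedf9c5(1525545413)
"""
PIX2_SA = """\
local ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
#pkts encaps: 6082, #pkts encrypt: 6082, #pkts digest 6082
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 4, #recv errors 0
current outbound spi: 5aedf9c5
inbound esp sas:
spi: 0x24933583(613627267)
"""
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors)[: ]+(\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\):\s*\(([^)]+)\)")

def parse_sa(text):
    """Extract the fields needed to compare two peers from one peer's 'show crypto ipsec sa'."""
    sa = {n.replace("pkts ", "").replace(" ", "_"): int(v) for n, v in COUNTER_RE.findall(text)}
    sa.update({side + "_ident": ident for side, ident in IDENT_RE.findall(text)})
    sa["out_spi"] = int(re.search(r"current outbound spi: ([0-9a-fA-F]+)", text).group(1), 16)
    sa["in_spi"] = int(re.search(r"inbound esp sas:\s*spi: 0x([0-9a-fA-F]+)", text).group(1), 16)
    return sa

def diagnose(a, b):
    """Compare peer A's SA view with peer B's; returns findings (empty means the pair looks healthy)."""
    findings = []
    # Proxy identities must mirror each other, or the traffic is matching a different SA.
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append("proxy identities do not mirror each other")
    # Each side's outbound SPI has to be the other side's inbound SPI.
    if a["out_spi"] != b["in_spi"] or b["out_spi"] != a["in_spi"]:
        findings.append("SPI mismatch: the two peers hold different SA pairs")
    # Encaps rising on one side with decaps stuck at 0 on the other: ESP never arrives or is dropped.
    for x, y, lbl in ((a, b, "A->B"), (b, a, "B->A")):
        if x["encaps"] > 0 and y["decaps"] == 0:
            findings.append(f"{lbl}: sender encapsulates but receiver never decapsulates")
    for name, peer in (("A", a), ("B", b)):
        if peer["send_errors"] > 0:
            findings.append(f"{name}: {peer['send_errors']} send errors on the SA")
    return findings
```

Calling diagnose(parse_sa(PIX1_SA), parse_sa(PIX2_SA)) on these samples reports both directions as one-way plus the send-error counts, while the identities and SPIs check out, which is exactly the shape of the thread's problem: the SAs match, but nothing that is encrypted is ever decrypted on the far side.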
 