PIX 501

Discussion in 'Cisco' started by Fredrik, May 24, 2005.

  1. Fredrik (Guest)

    Hi,
    I have a problem getting a 2nd VPN tunnel from my PIX to work.
    See info:
    I get the tunnel "online" and I can see that it uses the right
    access-list and so on, but I can't see any traffic through the tunnel.
    The problem is between PIX 1 and PIX 2.

    They run ver 6.3.1.


    PIX 1
    ----------------------------------------------

    local ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
    remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
    current_peer: 10.10.10.10 (pix2 outside IP):500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 334, #pkts encrypt: 334, #pkts digest 334
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 4873, #recv errors 0

    local crypto endpt.: 20.20.20.20 (pix1 outside IP), remote crypto endpt.: 10.10.10.10 (pix2 outside IP)
    path mtu 1500, ipsec overhead 64, media mtu 1500
    current outbound spi: 24933583

    inbound esp sas:
    spi: 0x5aedf9c5(1525545413)
    transform: esp-aes-256 esp-sha-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 6, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4608000/28420)
    IV size: 16 bytes
    replay detection support: Y


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:
    spi: 0x24933583(613627267)
    transform: esp-aes-256 esp-sha-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 5, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4607980/28418)
    IV size: 16 bytes
    replay detection support: Y


    outbound ah sas:


    outbound pcp sas:



    sh cry isa sa
    Total : 2
    Embryonic : 0
    dst                            src                            state    pending  created
    20.20.20.20 (pix1 outside IP)  10.10.10.10 (pix2 outside IP)  QM_IDLE  0        1
    30.30.30.30 (pix3 outside IP)  20.20.20.20 (pix1 outside IP)  QM_IDLE  0        2




    PIX 2
    --------------------------------------------

    local ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
    current_peer: 20.20.20.20 (pix1 outside IP):500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6082, #pkts encrypt: 6082, #pkts digest 6082
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

    local crypto endpt.: 10.10.10.10 (pix2 outside IP), remote crypto endpt.: 20.20.20.20 (pix1 outside IP)
    path mtu 1500, ipsec overhead 64, media mtu 1500
    current outbound spi: 5aedf9c5

    inbound esp sas:
    spi: 0x24933583(613627267)
    transform: esp-aes-256 esp-sha-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 1, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4608000/28494)
    IV size: 16 bytes
    replay detection support: Y


    inbound ah sas:


    inbound pcp sas:


    outbound esp sas:
    spi: 0x5aedf9c5(1525545413)
    transform: esp-aes-256 esp-sha-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 2, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4607988/28490)
    IV size: 16 bytes
    replay detection support: Y


    outbound ah sas:


    outbound pcp sas:


    sh cry isa sa
    Total : 3
    Embryonic : 0
    dst                            src                            state    pending  created
    30.30.30.30 (pix3 outside IP)  10.10.10.10 (pix2 outside IP)  QM_IDLE  0        1
    20.20.20.20 (pix1 outside IP)  10.10.10.10 (pix2 outside IP)  QM_IDLE  0        1
    40.40.40.40 (pix4 outside IP)  10.10.10.10 (pix2 outside IP)  QM_IDLE  0        1
    Fredrik, May 24, 2005
    #1

  2. In article <>,
    Fredrik <> wrote:
    :I have a problem getting a 2nd VPN tunnel from my PIX to work.
    :See info:
    :I get the tunnel "online" and I can see that it uses the right
    :access-list and so on, but I can't see any traffic through the tunnel.

    Have you done a clear ipsec sa since you last modified the
    crypto map or the ACL that controls the tunnel? PIX 6.3 doesn't
    put tunnels fully into effect until you do the clear, even though
    it will *look* like it did (e.g., by forming security associations.)

    :the run ver 6.3.1

    You should update that to 6.3(4)110 to avoid the known security
    problems. The update from 6.3(1) is free even if you have no support
    contract: search the Cisco web site for "PIX Security Advisories"
    for details.
    --
    Are we *there* yet??
    Walter Roberson, May 24, 2005
    #2
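    The symptom in the original post (both PIX units encapsulating, neither decapsulating, send errors on PIX 1) is something you can check mechanically before touching the crypto map or issuing clear ipsec sa. Below is an added example, not from this thread and not part of the PIX software: a small Python parser for the counters in "show crypto ipsec sa" that compares both ends of one tunnel and reports the one-way pattern, a proxy-identity mismatch, or an SPI that one side sends on but the other side is not listening for. The sample inputs are constructed from the figures posted above with the poster's annotations stripped; the field names and the diagnose() function are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: the two "show crypto ipsec sa" excerpts from the thread,
# trimmed to the lines the parser reads, with the poster's annotations removed.
PIX1_SA = """\
local ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
current_peer: 10.10.10.10:500
#pkts encaps: 334, #pkts encrypt: 334, #pkts digest 334
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 4873, #recv errors 0
current outbound spi: 24933583
inbound esp sas:
spi: 0x5aedf9c5(1525545413)
outbound esp sas:
spi: 0x24933583(613627267)
"""

PIX2_SA = """\
local ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.120/255.255.255.248/0/0)
current_peer: 20.20.20.20:500
#pkts encaps: 6082, #pkts encrypt: 6082, #pkts digest 6082
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 4, #recv errors 0
current outbound spi: 5aedf9c5
inbound esp sas:
spi: 0x24933583(613627267)
outbound esp sas:
spi: 0x5aedf9c5(1525545413)
"""


@dataclass
class IpsecSa:
    local: str = ""           # local proxy identity (addr/mask/prot/port)
    remote: str = ""          # remote proxy identity
    peer: str = ""            # address from the current_peer line
    encaps: int = 0           # packets this side encrypted and sent
    decaps: int = 0           # packets this side received and decrypted
    send_errors: int = 0
    recv_errors: int = 0
    outbound_spi: str = ""    # lower-case hex, no 0x prefix
    inbound_spis: list = field(default_factory=list)


def parse_ipsec_sa(text):
    """Extract the fields diagnose() needs from one side's show output."""
    sa = IpsecSa()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("local ident"):
            sa.local = re.search(r"\(([^)]+)\)$", line).group(1)
        elif line.startswith("remote ident"):
            sa.remote = re.search(r"\(([^)]+)\)$", line).group(1)
        elif line.startswith("current_peer"):
            sa.peer = line.split(":")[1].strip()
        elif line.startswith("#pkts encaps"):
            sa.encaps = int(re.search(r"encaps:\s*(\d+)", line).group(1))
        elif line.startswith("#pkts decaps"):
            sa.decaps = int(re.search(r"decaps:\s*(\d+)", line).group(1))
        elif line.startswith("#send errors"):
            sa.send_errors = int(re.search(r"#send errors\s*(\d+)", line).group(1))
            sa.recv_errors = int(re.search(r"#recv errors\s*(\d+)", line).group(1))
        elif line.startswith("current outbound spi"):
            sa.outbound_spi = line.split(":")[1].strip().lower()
        elif line.endswith("sas:"):
            section = line                      # e.g. "inbound esp sas:"
        elif line.startswith("spi:") and section == "inbound esp sas:":
            sa.inbound_spis.append(
                re.search(r"0x([0-9a-fA-F]+)", line).group(1).lower())
    return sa


def tunnel_is_two_way(a, b):
    """True only when each side has both sent and received protected traffic."""
    return a.encaps > 0 and a.decaps > 0 and b.encaps > 0 and b.decaps > 0


def diagnose(a_name, a, b_name, b):
    """Compare both ends of one tunnel and return a list of findings."""
    findings = []
    # The crypto ACLs must be exact mirrors of each other.
    if not (a.local == b.remote and a.remote == b.local):
        findings.append("proxy identities do not mirror: check the crypto ACLs")
    # What one side sends on must be an SPI the other side is listening for;
    # a stale SA after a crypto-map change shows up here.
    if a.outbound_spi not in b.inbound_spis or b.outbound_spi not in a.inbound_spis:
        findings.append("outbound SPI on one side is not an inbound SPI on the other")
    for src_name, src, dst_name, dst in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if src.encaps > 0 and dst.decaps == 0:
            findings.append(
                f"{src_name} encapsulated {src.encaps} packets, {dst_name} decapsulated 0: "
                f"ESP from {src_name} is not reaching or not accepted by {dst_name}")
        if src.send_errors:
            findings.append(f"{src_name} reports {src.send_errors} send errors")
    return findings


if __name__ == "__main__":
    pix1, pix2 = parse_ipsec_sa(PIX1_SA), parse_ipsec_sa(PIX2_SA)
    print("two-way:", tunnel_is_two_way(pix1, pix2))
    for finding in diagnose("PIX 1", pix1, "PIX 2", pix2):
        print("-", finding)
```

    On the thread's numbers the proxy identities and SPIs line up, so the parser reports only the traffic pattern: each PIX has encapsulated packets and neither has decapsulated any. That is the case where confirming the SAs really are in effect (the clear ipsec sa step above) comes before any further ACL or NAT investigation.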