PIX doesn't recognize interesting traffic.

Discussion in 'Cisco' started by professorguy, Sep 18, 2006.

  1. professorguy

    professorguy

    Joined:
    Sep 15, 2006
    Messages:
    39
I have an isakmp shared secret:

    isakmp key ******* address 27.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode

    I have a 1 line access list:

    access-list outside_cryptomap_20 permit ip host 192.168.111.111 host 27.2.2.2

    I have this crypto map:

    crypto map mymap 20 ipsec-isakmp
    crypto map mymap 20 match address outside_cryptomap_20
    crypto map mymap 20 set peer 207.1.1.1
crypto map mymap 20 set transform-set BLAHBLAH

    I then go to my local system 192.168.111.111 and try to telnet 27.2.2.2. It doesn't work. The hitcount of outside_cryptomap_20 sits at 0.

I understand that mismatches with the map or the isakmp stuff (e.g., wrong key) will result in the debug crypto stuff dumping all kinds of bad negotiation stuff. BUT I GET NOTHING. Obviously, the PIX doesn't see my telnet as 'interesting' and doesn't even attempt to set up the VPN. But why not?

    Here are some other interesting nuggets of info:
This PIX has many site-to-site VPNs set up on it, several of which use my local 192.168.111.111 system as a source.
This PIX has client (remote session) VPNs set up (with several dozen up at any given moment).
This PIX is at the internet edge; it routes one hop inside to an edge router.


    Any ideas?
    professorguy, Sep 18, 2006
    #1

  2. swapnendu

    swapnendu

    Joined:
    Sep 13, 2006
    Messages:
    57
You'll also have to add an entry "permit ip host 192.168.111.111 host 27.2.2.2" in the NO NAT access-list; that'll do the job for you. According to the current config, your traffic to 27.2.2.2 would be undergoing a NAT translation and hence the PIX is not finding this traffic interesting.
    swapnendu, Sep 18, 2006
    #2

  3. professorguy

    professorguy

    Joined:
    Sep 15, 2006
    Messages:
    39
Already no-NATted

    Sorry. Forgot to mention these 2 lines:

    access-list 101 permit ip host 192.168.111.111 host 27.2.2.2

    and

    nat (inside) 0 access-list 101

    And, of course, I have

    access-list acl_egress permit ip host 192.168.111.111 host 27.2.2.2

which is applied inbound on the inside interface.

    However, the PIX doesn't seem to see this traffic. In fact the hitcounts on the access-lists above stay at 0 after the telnet attempt.
    professorguy, Sep 18, 2006
    #3
  4. swapnendu

    swapnendu

    Joined:
    Sep 13, 2006
    Messages:
    57
Your route to 27.2.2.2 from 192.168.111.111 should be pointed at the PIX; hope this is configured properly. Since 27.2.2.2 is a public IP address, check that your routing is OK and points to the PIX.

Is the crypto map mymap interface outside command configured? Can you post us the config? Does debug crypto isakmp really have no output? And what does show crypto isakmp sa detail say? Can you reach 207.1.1.1 from the PIX?
    swapnendu, Sep 19, 2006
    #4
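    The replies above boil down to a static checklist for a PIX site-to-site entry: the crypto ACL's host pair must also appear in a nat 0 (NAT-exempt) ACL, the crypto map must be applied to an interface, and the peer must have an isakmp key. The checker below is an added example written for this thread, not code from either poster or from Cisco. It parses only the command forms quoted in the thread (a hypothetical, narrow parser, not a general PIX config parser) and takes the thread's own lines as a constructed sample; it assumes those lines are verbatim, and it leaves out the "crypto map mymap interface outside" binding because the thread never shows one. Run against that sample it reports two things a reader can verify from the posts: no interface binding is present, and the isakmp key is defined for 27.1.1.1 while the crypto map peer is 207.1.1.1.

```python
import re

# Constructed sample input: the configuration lines quoted in the thread
# (key hidden by asterisks as on the page). It deliberately omits the
# "crypto map mymap interface outside" binding the last reply asks about.
SAMPLE_CONFIG = """
isakmp key ******* address 27.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
access-list outside_cryptomap_20 permit ip host 192.168.111.111 host 27.2.2.2
access-list 101 permit ip host 192.168.111.111 host 27.2.2.2
nat (inside) 0 access-list 101
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set peer 207.1.1.1
crypto map mymap 20 set transform-set BLAHBLAH
"""

# Only the command forms that appear in the thread are parsed (an assumed,
# deliberately narrow grammar); any other line is ignored.
PATTERNS = {
    "acl": re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)$"),
    "nat0": re.compile(r"^nat \(\S+\) 0 access-list (\S+)$"),
    "key": re.compile(r"^isakmp key \S+ address (\S+)"),
    "bind": re.compile(r"^crypto map (\S+) interface (\S+)$"),
    "match": re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$"),
    "peer": re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$"),
    "tset": re.compile(r"^crypto map (\S+) (\d+) set transform-set (\S+)$"),
}


def parse_config(text):
    """Collect the pieces a static crypto map entry depends on into one dict."""
    cfg = {"acls": {}, "nat0": set(), "keys": set(), "bound": {}, "maps": {}}
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            g = m.groups()
            if kind == "acl":
                cfg["acls"].setdefault(g[0], []).append((g[1], g[2]))
            elif kind == "nat0":
                cfg["nat0"].add(g[0])
            elif kind == "key":
                cfg["keys"].add(g[0])
            elif kind == "bind":
                cfg["bound"][g[0]] = g[1]
            else:  # match / peer / tset all hang off the (map name, sequence) key
                entry = cfg["maps"].setdefault((g[0], int(g[1])), {})
                entry[kind] = g[2]
            break
    return cfg


def check_crypto_map(cfg, map_name, seq):
    """Return the reasons this entry could never bring a tunnel up (empty = looks consistent)."""
    findings = []
    entry = cfg["maps"].get((map_name, seq))
    if entry is None:
        return [f"crypto map {map_name} {seq}: no such entry"]
    acl = entry.get("match")
    if acl is None or acl not in cfg["acls"]:
        return [f"crypto map {map_name} {seq}: match address ACL missing or empty"]
    peer = entry.get("peer")
    if peer is None:
        findings.append(f"crypto map {map_name} {seq}: no peer set")
    elif peer not in cfg["keys"]:
        findings.append(f"no isakmp key for peer {peer} (keys exist for {sorted(cfg['keys'])})")
    if "tset" not in entry:
        findings.append(f"crypto map {map_name} {seq}: no transform-set")
    if map_name not in cfg["bound"]:
        findings.append(f"crypto map {map_name} is not applied to any interface")
    # Every interesting-traffic pair must also be NAT-exempt; otherwise the
    # packet is translated before the crypto ACL ever gets a hit.
    exempt = set()
    for name in cfg["nat0"]:
        exempt.update(cfg["acls"].get(name, []))
    for src, dst in cfg["acls"][acl]:
        if (src, dst) not in exempt:
            findings.append(f"{src} -> {dst} is in {acl} but not in a nat 0 access-list")
    return findings


if __name__ == "__main__":
    for finding in check_crypto_map(parse_config(SAMPLE_CONFIG), "mymap", 20):
        print(finding)
```

    Feed it the output of "show running-config" instead of SAMPLE_CONFIG to run the same three checks on a real box; it only ever reads the config and does not replace the live checks the last reply asks for (debug crypto isakmp, show crypto isakmp sa detail, and reachability of the peer from the PIX).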