ipsec tunnel established but no pinging

Discussion in 'Cisco' started by psychogenic, Dec 27, 2006.

  1. psychogenic

    psychogenic Guest

    I have a site-to-site vpn tunnel established between a 2600 router and
    a Pix501 and both IKE and IPSEC tunnel shows up as established with no
    errors. I can ping the endpoint IPs from both sides but we can not ping
    each other's internal networks. The endpoint on my 2600 router is a
loopback interface I created and I added a route so that any traffic
    destined for that remote site should go through this interface. I don't
    know what the problem is and I can't tell where the ping is failing.
    Anyone shed any light on this? Is it the loopback interface that's
    having the problem? I already have a vpn tunnel terminating to my
    outside interface and want to avoid adding this other one to it as
    psychogenic, Dec 27, 2006

  2. vespiacic

    vespiacic Guest

    maybe icmp is forbidden throughout pix

    psychogenic wrote:
    vespiacic, Dec 28, 2006

  3. Zuhair Al-Zubaidi

    Zuhair Al-Zubaidi Guest

    or, try enabling debug mode and see what happens,

    Zuhair Al Zubaidi
    Zuhair Al-Zubaidi, Dec 28, 2006
  4. psychogenic

    psychogenic Guest

    Thanks all. I turned on debugging by doing "debug ip icmp" and I'm just
    getting a lot of garbage. I don't think it's catching any of the pings I
    am sending across. For example I tried pinging a known good network
    across a good vpn tunnel and the logs don't show anything at all. Is
    there a different command?

    Also I'm thinking the issue might be with the remote PIX. I noticed at
    their end there are no routes on the routing table. It's a PIX501
    running 6.3.5 IOS and I am assuming that a default route to the outside
    interface is not assumed automatically by the device. And so if my
    pings even do reach the remote machine the echo-reply wouldn't come
    back since there is no default route? Does this make any sense? :)

    psychogenic, Dec 28, 2006
  5. Chad Mahoney

    Chad Mahoney Guest

    Please show from your config:

    NAT Statements
    ACL's regarding your crypto map
    IPSEC and ISAKMP config
    Chad Mahoney, Dec 28, 2006
  6. Chad Mahoney

    Chad Mahoney Guest

    I would also assume that if you set your logging level to 7 and sent
    traffic across the tunnel your syslog would shoot some messages at you
    in regards to no translation for traffic x.x.x.x to y.y.y.y
    Where x.x.x.x is your local subnet and y.y.y.y would be the remote subnet?

    If so you need to exclude those subnets from performing NAT.

    Google for NAT 0 and, also in another reply to this post I listed some
    items from your config to post.

    Chad Mahoney, Dec 28, 2006
  7. psychogenic

    psychogenic Guest

    Yes, I excluded both subnets from NAT. I don't believe it's a NAT issue
    but I guess stranger things have happened. Here is the config for the
    remote PIX:

    Local Site Network:
    Remote Site Network:

    Remote Site PIX:

    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pix
    clock timezone JST 9
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    object-group service Citrix-Service tcp
    port-object eq echo
    port-object eq citrix-ica
    port-object eq www
    port-object eq https
    access-list outside_access_in permit icmp any any log 0
    access-list outside_access_in permit ip
    access-list inside_access_in permit icmp any any log 0
    access-list inside_access_in permit ip any any
    access-list inside_outbound_nat0_acl permit ip
    access-list outside_cryptomap_20 permit ip
    access-list outside_inbound_nat0_acl permit ip
    pager lines 24
    logging on
    logging timestamp
    logging trap informational
    logging host inside syslog
    icmp permit host syslog outside
    icmp permit any outside
    icmp permit host syslog inside
    icmp permit host RTX-1000 inside
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (outside) 0 access-list outside_inbound_nat0_acl outside
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    no-xauth no-config-mode
    isakmp identity address
    isakmp keepalive 10 4
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    psychogenic, Dec 28, 2006
  8. James

    James Guest

    Just a thought, but how about adding isakmp nat-traversal in the
    configs? I know this is the command for the PIX, but not sure about the

    James, Dec 28, 2006
  9. Darren Green

    Darren Green Guest

    I believe that you do not need the above outside entry in your access-list
    as you have permitted
    This feature allows your VPN traffic to bypass the access-list on the
    outside interface.

    I am also unsure why you have this:

    access-list outside_inbound_nat0_acl permit ip

    I have only had a quick look at the config, but assuming that you wanted to
    exempt this from NAT on your remote router, don't you need to do the no NAT
    on the router?

    So on the PIX you will have:

    An access-list permitting traffic from the PIX (LAN) to the remote router
    (LAN) - Your Crypto Access-List
    A no nat statement for the same


    On the router you will have:

    An access-list permitting traffic from the Router (LAN) to the remote PIX
    (LAN) - Your Crypto Access-List
    A no nat statement for the same

    Could be wrong but maybe someone else could confirm / deny.



    Darren Green, Dec 28, 2006
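A check for the two conditions described in Chad's and Darren's replies (crypto ACLs that are mirror images on the two peers, and a nat 0 exemption on the PIX that covers the crypto-interesting traffic), added here as example code and not taken from the thread or from Cisco. The config fragments, addresses and ACL names it works on are constructed and assumed, since the posted config had its addresses stripped.

```python
import ipaddress
import re

# Constructed PIX 6.x / IOS fragments with assumed addresses (the thread's config was posted with its addresses stripped).
PIX_CONFIG = """\
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""
ROUTER_CONFIG = """\
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map outside_map 10 ipsec-isakmp
 match address 101
"""
ACL_RE = re.compile(r"^\s*access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)
CRYPTO_ACL = r"match address (\S+)"              # crypto map ... match address NAME
NAT0_ACL = r"nat \(inside\) 0 access-list (\S+)"  # nat (inside) 0 access-list NAME

def to_network(addr, mask, wildcard):
    """PIX ACLs carry netmasks, IOS ACLs carry wildcard masks: invert the latter."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_entries(config, name, wildcard=False):
    """Set of (src_net, dst_net) pairs from the 'permit ip' lines of ACL `name`."""
    return {(to_network(s, sm, wildcard), to_network(d, dm, wildcard))
            for n, s, sm, d, dm in ACL_RE.findall(config) if n == name}

def acl_name(config, pattern):
    m = re.search(pattern, config)
    return m.group(1) if m else None

def is_mirror(local, remote):
    """Crypto ACLs must be exact mirror images or the peers' proxy IDs will not match."""
    return {(d, s) for s, d in local} == set(remote)

def nat_exempt_covers(crypto, nat0):
    """Each crypto pair must sit inside a nat 0 pair, or it is translated to the outside address before the crypto map sees it."""
    return all(any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0) for s, d in crypto)

def check_tunnel(pix_config, router_config):
    """True for each check when the two configs pass it."""
    pix_crypto = acl_entries(pix_config, acl_name(pix_config, CRYPTO_ACL))
    rtr_crypto = acl_entries(router_config, acl_name(router_config, CRYPTO_ACL), wildcard=True)
    pix_nat0 = acl_entries(pix_config, acl_name(pix_config, NAT0_ACL))
    return {"crypto_acls_mirror": is_mirror(pix_crypto, rtr_crypto),
            "pix_nat0_covers_crypto": nat_exempt_covers(pix_crypto, pix_nat0)}
```

Pasting the PIX `show run` and the router's crypto section into the two strings gives a quick answer to the "no translation" and mismatched-ACL cases before turning on debugging.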
  10. psychogenic

    psychogenic Guest

    These were created from the vpn site to site wizard on both router and
    firewall. I'm assuming the outside_access_in rule was created to define
    which traffic needs to be encrypted and the other rule to have no NAT
    between the two networks. I have the same rules applied on a different
    firewall connected to the same router and it works perfectly fine. The
    only difference between these two tunnels is that the working one's
    endpoint is my outside interface of the local router and the non
    working is on a loopback interface I created. :(
    psychogenic, Jan 2, 2007
  11. psychogenic

    psychogenic Guest

    It's fixed now. What I did was change the local endpoint to my outside
    interface and changed the routes to go there. I don't know why this
    doesn't work with a logical interface...
    psychogenic, Jan 8, 2007