PIX lan-to-lan IPSEC comes up...no traffic passes tunnel

Discussion in 'Cisco' started by Arjan, Nov 2, 2005.

    Arjan Guest

    I am looking for some help on this problem.

    I managed to setup a LAN-to-LAN IPSEC tunnel between PIX 515 (IOS 6.3)
    on one end and a back-to-back ISA2004 on the other end.

    I can initiate a tunnel at both ends however the following happens:

    When I initiate a tunnel from the ISA site the tunnel comes up and all
    wanted traffic flows through the tunnel (RDP, HTTP, ICMP, etc.).
    At that same moment I can also create the same traffic from the PIX

    When I initiate a tunnel from the PIX site the tunnel comes up but NO
    traffic is passed through the tunnel.
    Creating traffic on the ISA site causes the creation of another

    My guess is ACL lists not being what they should be. Can anyone tell
    me what I am missing in my PIX config?
    Traffic to LAN /16 should go through the tunnel

    This is my current config (some lines deleted):

    PIX Version 6.3(4)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    name AAADC01
    name AAAFS01
    name AAADZ01
    name zzz.zzz.zzz.17 remote_AAT
    name BBBDMZ
    name BBBFWLAN
    name BBBLAN
    access-list inside_access_in permit ip
    access-list inside_access_in permit ip
    access-list inside_access_in permit udp host AAADC01 any eq domain
    access-list inside_access_in permit ip host
    access-list inside_access_in permit tcp host remote_AAT eq 15948
    access-list outside_cryptomap_dyn_10 permit ip any
    access-list DMZ_access_in permit udp host AAADZ01 any eq domain
    access-list DMZ_access_in permit tcp host AAADZ01 any eq www
    access-list DMZ_access_in permit tcp host AAADZ01 any eq https
    access-list DMZ_access_in permit tcp host AAADZ01 any eq ftp
    access-list DMZ_access_in permit tcp host AAADZ01 any eq ftp-data
    access-list inside_outbound_nat0_acl permit ip BBBLAN
    access-list inside_outbound_nat0_acl permit ip BBBDMZ
    access-list inside_outbound_nat0_acl permit ip any
    access-list inside_outbound_nat0_acl permit ip BBBFWLAN
    access-list outside_cryptomap_20 permit ip
    access-list outside_cryptomap_20 permit ip
    access-list outside_cryptomap_20 permit ip
    pager lines 24
    logging on
    logging standby
    icmp permit any outside
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside yyy.yyy.yyy.194
    ip address inside
    ip address DMZ
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool AAAVPNPOOL mask
    pdm location inside
    pdm location AAADC01 inside
    pdm location AAAFS01 inside
    pdm location outside
    pdm location inside
    pdm location AAADZ01 DMZ
    pdm location inside
    pdm location remote_AAT outside
    pdm location BBBDMZ outside
    pdm location BBBFWLAN outside
    pdm location BBBLAN outside
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0 0
    nat (DMZ) 10 AAADZ01 0 0
    static (inside,DMZ) netmask 0
    access-group inside_access_in in interface inside
    access-group DMZ_access_in in interface DMZ
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server RADIUS (inside) host AAADC01 AAAVPN timeout 5
    aaa-server LOCAL protocol local
    http server enable
    http inside
    http AAADC01 inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 10 match address
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group2
    crypto map outside_map 20 set peer xxx.xxx.xxx.172
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 set security-association lifetime seconds 3600 kilobytes 100000
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ** address xxx.xxx.xxx.172 netmask no-xauth
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption 3des
    isakmp policy 40 hash sha
    isakmp policy 40 group 2
    isakmp policy 40 lifetime 28800
    vpngroup AAAVPN address-pool AAAVPNPOOL
    vpngroup AAAVPN dns-server AAADC01 AAAFS01
    vpngroup AAAVPN wins-server AAADC01 AAAFS01
    vpngroup AAAVPN default-domain PIX.local
    vpngroup AAAVPN idle-time 1800
    vpngroup AAAVPN password ********
    telnet AAADC01 inside
    telnet timeout 5
    ssh inside
    ssh timeout 5
    console timeout 0
    terminal width 80

    : end

    remove no.spam. to send me an e-mail
    Arjan, Nov 2, 2005
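A consistency check for the kind of mismatch suspected above, added here as an example and not part of the original thread or the poster's config: it parses PIX 6.3 `name`, `access-list ... permit ip`, `nat ... 0 access-list` and `crypto map ... match address` lines and reports every crypto-map ACE that no nat 0 ACE fully covers (traffic that would be NATed before it reaches the tunnel). The sample config and its private addresses are constructed; `subnet_of` needs Python 3.7 or later.

```python
import ipaddress
# Constructed sample config for this example (not the poster's); private addresses only.
SAMPLE_CONFIG = """\
name 10.1.0.0 BBBLAN
name 192.168.1.0 LOCALLAN
access-list inside_outbound_nat0_acl permit ip LOCALLAN 255.255.255.0 BBBLAN 255.255.0.0
access-list outside_cryptomap_20 permit ip LOCALLAN 255.255.255.0 BBBLAN 255.255.0.0
access-list outside_cryptomap_20 permit ip host 192.168.1.10 10.2.0.0 255.255.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
"""

def _endpoint(tokens, names):
    """Consume one ACE endpoint: 'any', 'host X', or 'NET MASK' (PIX names resolved)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    net = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{net}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Collect name->IP, permit-ip ACEs per ACL, nat 0 ACL names and crypto-map match ACLs."""
    names, acls, nat0, crypto = {}, {}, [], []
    for line in text.splitlines():
        t = line.split()
        if len(t) == 3 and t[0] == "name":
            names[t[2]] = t[1]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            src, rest = _endpoint(t[4:], names)
            dst, _ = _endpoint(rest, names)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            nat0.append(t[4])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto.append(t[6])
    return names, acls, nat0, crypto

def uncovered_crypto_aces(text):
    """Crypto-map ACEs with no nat 0 ACE covering both their source and destination."""
    _, acls, nat0, crypto = parse_config(text)
    exempt = [ace for n in nat0 for ace in acls.get(n, [])]
    missing = []
    for n in crypto:
        for src, dst in acls.get(n, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                missing.append((n, str(src), str(dst)))
    return missing
```

Run `uncovered_crypto_aces(open("pix.cfg").read())` against a saved config; an empty list means every crypto ACE is NAT-exempt on this side, but the remote peer's proxy IDs must still mirror these ACEs exactly for the tunnel to pass traffic in both directions.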