VPN Not able to pass traffic.

Posted by Newbie72 on January 6, 2006, 11:45 am
I am configuring a VPN site 2 site tunnel.

my internal host----->cisco3550switch------>cisco 6506
switch------>cisco 3640 router------>My Pix 515e
------>internet------->Cisco Access Concentrator at remote vendor site.

I have configured the tunnel as such

isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400


isakmp key S3argent address 212.159.204.78 netmask 255.255.255.255

access-list to-phillips permit ip host local host ip remote host ip
255.255.252.0

access-list to-phillips permit ip host local host ip remote host ip
255.255.252.0

access-list to-phillips permit ip host local host ip remote host ip
255.255.252.0

crypto ipsec transform-set Phillips esp-3des esp-md5-hmac

crypto map partner-map 1 ipsec-isakmp
crypto map partner-map 1 match address to-phillips
crypto map partner-map 1 set peer 212.159.204.78
crypto map partner-map 1 set transform-set Phillips

crypto map partner-map interface outside

I have also added a route statement in the 3640
ip route 192.68.48.0 255.255.252 the local address to my pix.
The 3640 knows that in order to get to the remote site it must go through the pix.

From the pix I can ping the 3 machines on my lan that the remote site
is trying to get to.

The tunnel comes up but no data passes through it.
I can not ping them and they cannot ping me.

For testing purposes I did add the line
access-list to-phillips permit icmp any any and we were unable to get
it to pass traffic

Do I need to add any kind of route statement in my pix to tell it
any traffic destined to the remote site needs to go through the VPN
tunnel? How do I do that if I need to?

What am I missing? Help

Steven Johnson
Network Administrator
Brooks Memorial Hospital


Posted by AM on January 9, 2006, 2:44 am
Newbie72 wrote:

[CUT]

> I have also added a route statement in the 3640
> ip route 192.68.48.0 255.255.252 the local address to my pix.

this route is not needed if the 3640 has a default to the PIX.

> The 3640 knows that in order to get to the remote site it must go through the pix.
>
> From the pix I can ping the 3 machines on my lan that the remote site
> is trying to get to.
>
> The tunnel comes up but no data passes through it.
> I can not ping them and they cannot ping me.
>
> For testing purposes I did add the line
> access-list to-phillips permit icmp any any and we were unable to get
> it to pass traffic

The rule above belongs to the ACL that specifies which kind of traffic must be
encrypted. As you specified the IP protocol for the tunnel, ICMP is already
included. You need to "move" that rule (changing the syntax accordingly) to
the outside interface of the PIX, as if the remote LANs were connected directly
to that interface.

Obviously icmp traffic permission must be enabled on the other side.

> Do I need to add any kind of route statement in the my pix to tell it
> any traffic destined to the remote site needs to go through the VPN
> tunnel? How do i do that if I need to.

If you received traffic from that LAN and needed a specific route statement you
would see a specific message ("No route to host") in your syslog messages.

> What am I missing? Help

Try to increase your level of encryption and hash as soon as you can.

Let us know if you are successful.

HTH, Alex.
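Alex's reply makes two checkable points: the crypto ACL only selects traffic to encrypt (so an ICMP permit there is redundant once "permit ip" is present, and belongs on the interface ACL instead), and DES/MD5 should be raised. The checker below is an added example written for this thread, not code from the poster or from Cisco; it parses a PIX 6.x-style config fragment modelled on the one above and reports those problems plus dangling references between the crypto map, its ACL, its transform-set and the isakmp key. The sample config is constructed: the host and network addresses and the pre-shared key are placeholders, not the poster's values.

```python
from collections import defaultdict

# Algorithms a reviewer would flag in an IKE policy or transform-set.
WEAK_ALGS = {"des", "md5", "esp-des", "esp-md5-hmac"}
LEGACY_ALGS = {"3des", "esp-3des"}

# Constructed sample config (placeholder hosts/network/PSK, peer address from the thread).
SAMPLE_CONFIG = """
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp key PSK-PLACEHOLDER address 212.159.204.78 netmask 255.255.255.255
access-list to-phillips permit ip host 10.0.0.5 192.0.2.0 255.255.252.0
access-list to-phillips permit ip host 10.0.0.6 192.0.2.0 255.255.252.0
access-list to-phillips permit icmp any any
crypto ipsec transform-set Phillips esp-3des esp-md5-hmac
crypto map partner-map 1 ipsec-isakmp
crypto map partner-map 1 match address to-phillips
crypto map partner-map 1 set peer 212.159.204.78
crypto map partner-map 1 set transform-set Phillips
crypto map partner-map interface outside
"""


def parse_config(text):
    """Collect the IKE/IPsec-relevant lines of a PIX 6.x-style config into tables."""
    cfg = {
        "policies": defaultdict(dict),   # policy number -> {attribute: value}
        "keys": {},                      # peer address -> pre-shared key
        "acls": defaultdict(list),       # ACL name -> list of rule token lists
        "transform_sets": {},            # set name -> list of esp-* transforms
        "maps": defaultdict(dict),       # (map name, seq) -> {attribute: value}
    }
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[:2] == ["isakmp", "policy"] and len(tok) >= 5:
            cfg["policies"][tok[2]][tok[3]] = tok[4]
        elif tok[:2] == ["isakmp", "key"] and "address" in tok:
            cfg["keys"][tok[tok.index("address") + 1]] = tok[2]
        elif tok[0] == "access-list" and len(tok) >= 4:
            cfg["acls"][tok[1]].append(tok[2:])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) >= 5:
            cfg["transform_sets"][tok[3]] = tok[4:]
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[3].isdigit():
            entry = cfg["maps"][(tok[2], tok[3])]
            if tok[4] == "ipsec-isakmp":
                entry["type"] = tok[4]
            elif tok[4:6] == ["match", "address"] and len(tok) > 6:
                entry["acl"] = tok[6]
            elif tok[4] == "set" and tok[5] in ("peer", "transform-set") and len(tok) > 6:
                entry[tok[5]] = tok[6]
    return cfg


def check_crypto_acl(name, rules):
    """A crypto ACL selects traffic to encrypt; it does not filter, so judge it as a selector."""
    out = []
    protos = {r[1] for r in rules if r[0] == "permit" and len(r) > 1}
    for r in rules:
        if r[0] != "permit" or len(r) < 2:
            continue
        text = " ".join(r)
        if r[1] == "icmp" and "ip" in protos:
            out.append(f"ACL {name}: '{text}' is redundant, 'permit ip' already covers ICMP; "
                       "filter ICMP on the interface ACL instead")
        if r[2:] == ["any", "any"]:
            out.append(f"ACL {name}: '{text}' matches all traffic, so every packet would be offered to the tunnel")
    return out


def check_config(text):
    """Return a list of human-readable findings for the given config text."""
    cfg = parse_config(text)
    findings = []
    for num, attrs in sorted(cfg["policies"].items()):        # Phase 1 (IKE) algorithms
        for attr in ("encryption", "hash"):
            alg = attrs.get(attr)
            if alg in WEAK_ALGS:
                findings.append(f"isakmp policy {num}: {attr} {alg} is weak")
            elif alg in LEGACY_ALGS:
                findings.append(f"isakmp policy {num}: {attr} {alg} is legacy")
    for name, transforms in cfg["transform_sets"].items():    # Phase 2 (IPsec) algorithms
        for t in transforms:
            if t in WEAK_ALGS:
                findings.append(f"transform-set {name}: {t} is weak")
            elif t in LEGACY_ALGS:
                findings.append(f"transform-set {name}: {t} is legacy")
    for (mname, seq), entry in cfg["maps"].items():           # every map reference must resolve
        acl = entry.get("acl")
        if acl is None:
            findings.append(f"crypto map {mname} {seq}: no 'match address'")
        elif acl not in cfg["acls"]:
            findings.append(f"crypto map {mname} {seq}: ACL {acl} is not defined")
        else:
            findings.extend(check_crypto_acl(acl, cfg["acls"][acl]))
        ts = entry.get("transform-set")
        if ts not in cfg["transform_sets"]:
            findings.append(f"crypto map {mname} {seq}: transform-set {ts} is not defined")
        peer = entry.get("peer")
        if peer is None:
            findings.append(f"crypto map {mname} {seq}: no peer set")
        elif peer not in cfg["keys"]:
            findings.append(f"crypto map {mname} {seq}: no isakmp key for peer {peer}")
    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print(f)
```

Run against the constructed sample it reports six findings: DES and MD5 in the IKE policy, 3DES and MD5-HMAC in the transform-set, and the "permit icmp any any" line both as redundant next to "permit ip" and as an any/any selector. Deleting the isakmp key line instead produces a "no isakmp key for peer" finding, which is the kind of mismatch that keeps a tunnel from negotiating at all rather than the symptom in this thread.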

Posted by Newbie72 on January 9, 2006, 2:40 pm
> this route is not needed if the 3640 has a default to the PIX

There is a default route to the PIX in the 3640. I will clear that up.... Thanks.

> Try to increase your level of encryption and hash as soon as you can.

3des and md5 is not sufficient?
What level of encryption should I be using?

ACL 80 appears to be the ACL that is defining interesting traffic in my
config. I have added the statements and am waiting to reschedule a con
call with the vendor to see if we can get this thing up and running
before I go out on vacation next week.

I will let you know. Thank you.


Posted by Newbie72 on January 10, 2006, 9:37 am
Issue resolved. Testing yesterday showed data flowing through the
tunnel.

