I know this list is not for this type of post, but I figure since I am not
understanding the problem that it may be considered a learning question. And
to be honest my mind is fried and I don't think the problem is with the tunnel
as it worked in the lab before it was deployed....  but I have to admit I do
not know enough to say for certain.... any assistance would be appreciated.

That being said, let me describe the problem.

I am attempting an IPSEC tunnel over the Internet between two pix boxes running
5.1(1).  Let's call the boxes clientpix and colopix; now when these boxes are
out in the field they are making a SA to each other.  From clientpix, I can
both send and receive icmp requests as well as other network traffic.  From
the colopix I cannot ping or access any device on the clean side of clientpix.

My connectivity diagram looks something like this:

(HostA) --- (coloPix) ---(Internet) --- (clientPix) --- (HostB)

I have connectivity between HostA and colopix.
I also have connectivity between hostB and clientpix.
I also have connectivity from the dirty side of colopix to the dirty side of
clientpix.
I have connectivity from the dirty side of clientpix to the dirty side of
colopix.
I have connectivity from the clean side of clientpix to the clean side of
colopix.
I DO NOT have connectivity from the clean side of clientpix to the clean side
of colopix.
I can ping/telnet/whatever from hostB to hostA.
I CANNOT ping/telnet/whatever from hostA to hostB.

First my speculation, then the configs...  It almost seems like there is a
firewall/ACL that is only allowing connections established from one side.

I tested this configuration in a lab environment with 2 hosts and 2 pix boxen
separated by one router just doing default routing and everything worked fine.
Here are the configs from each Pix box.

 // This is the config from coloPix 
 // This is the PIX that cannot initiate a session
---------------------------------------------

: Saved       
:
PIX Version 5.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 90 permit ip 10.101.3.0 255.255.255.0 10.1.1.0 255.255.255.0 
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname colo5
domain-name xxxxxx.xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 100full
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 208.185.141.153 255.255.255.128
ip address inside 10.101.3.1 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 208.185.141.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
snmp-server host inside 10.1.1.10
snmp-server location colo5
snmp-server contact [EMAIL PROTECTED]
snmp-server community xxxxx
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac 
crypto map toScenixCorp 20 ipsec-isakmp
crypto map toScenixCorp 20 match address 90
crypto map toScenixCorp 20 set peer 4.20.168.2 
crypto map toScenixCorp 20 set transform-set strong
crypto map toScenixCorp interface outside
isakmp enable outside
isakmp key xxxxxxx address 4.20.168.2 netmask 255.255.255.255 
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 10.1.1.2 255.255.255.255 inside
telnet timeout 5
terminal width 80
Cryptochecksum:c2c368c7029cbf81a6d6e28a73d4cf74

 // This is the config from Clientpix
 // This PIX can initiate a connection from the clean side and get
 // response

------------------------------------------------------------

: Saved
:
PIX Version 5.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 90 permit ip 10.1.1.0 255.255.255.0 10.101.3.0 255.255.255.0
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
hostname xxxxxxxxx
domain-name xxxxxxx.xxx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 4.20.168.2 255.255.255.0
ip address inside 10.1.1.4 255.255.255.0
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 4.20.168.2 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server location colo5_cage4
snmp-server contact [EMAIL PROTECTED]
snmp-server community xxxxx
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto map toColo5 20 ipsec-isakmp
crypto map toColo5 20 match address 90
crypto map toColo5 20 set peer 208.185.141.153
crypto map toColo5 20 set transform-set strong
crypto map toColo5 interface outside
isakmp enable outside
isakmp key xxxxxxxxx address 208.185.141.153 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet timeout 5
terminal width 80
Cryptochecksum:1318f32ac3f8c9d9fc9e6e0c6b9c1f45

-- Kevin
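Added example (not part of Kevin's post): a small Python consistency check over excerpts of the two configs above. It verifies that each side's `set peer` is the other side's outside address, that the two crypto ACLs are mirror images of each other, and that neither default route's next hop is the box's own outside interface address, then reports which of those it finds on the posted excerpts. The function names and the excerpt strings are mine; the addresses are the ones in the post.

```python
# Constructed excerpts of the two PIX 5.1 configs posted above (only the
# lines this check needs are kept; addresses are the ones in the post).
COLOPIX = """\
ip address outside 208.185.141.153 255.255.255.128
access-list 90 permit ip 10.101.3.0 255.255.255.0 10.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 208.185.141.129 1
crypto map toScenixCorp 20 match address 90
crypto map toScenixCorp 20 set peer 4.20.168.2
"""
CLIENTPIX = """\
ip address outside 4.20.168.2 255.255.255.0
access-list 90 permit ip 10.1.1.0 255.255.255.0 10.101.3.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 4.20.168.2 1
crypto map toColo5 20 match address 90
crypto map toColo5 20 set peer 208.185.141.153
"""

def parse(cfg):
    """Pull outside address, default gateway, crypto ACLs and peer from a config."""
    d = {"acl": {}, "gw": None, "outside": None, "peer": None, "match": None}
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["ip", "address", "outside"]:
            d["outside"] = t[3]
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            d["acl"].setdefault(t[1], []).append(tuple(t[4:8]))  # src mask dst mask
        elif t[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            d["gw"] = t[4]
        elif t[-3:-1] == ["set", "peer"]:
            d["peer"] = t[-1]
        elif t[-3:-1] == ["match", "address"]:
            d["match"] = t[-1]
    return d

def check(cfg_a, cfg_b):
    """Return a list of findings about the pair; empty means nothing to flag."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        findings.append("set peer does not match the other side's outside address")
    # Each side's crypto ACL must be the mirror image of the other's.
    mirror = [(d, dm, s, sm) for (s, sm, d, dm) in b["acl"][b["match"]]]
    if a["acl"][a["match"]] != mirror:
        findings.append("crypto ACLs are not mirror images of each other")
    # A default route whose next hop is the box's own outside address is flagged.
    for name, d in (("first", a), ("second", b)):
        if d["gw"] == d["outside"]:
            findings.append(f"{name} config: default route next hop is its own outside address")
    return findings
```

Run `check(COLOPIX, CLIENTPIX)` to see what the posted pair triggers; `check` returns an empty list when the two excerpts are consistent.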

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]