Firewall Wizards mailing list archives

RE: Cisco Concentrator - pix515 Lan-to-Lan


From: "Paul Melson" <psmelson () comcast net>
Date: Mon, 14 Feb 2005 16:10:44 -0500

Two things come to mind right away.  The first is that there is some sort of
routing problem.  Make sure that all necessary routers and hosts have a
route that points 10.50.0.0/24 to the inside interface of the concentrator.
The second is that - and this is something most people learn the hard way -
the interface and tunnel filters on the VPN 3000 series are *NOT* stateful.
If you want traffic to flow, it must be explicitly defined for both
directions in all applicable filters.

Also, if neither of these solves your problem, do you see any errors in the
VPN 3000's log?

PaulM


-----Original Message-----
Subject: [fw-wiz] Cisco Concentrator - pix515 Lan-to-Lan

Hi list,

I have a problem with configuring Lan-to-Lan on a VPN concentrator 3000 series
on one side and a pix 515 on the other.

Here it is:

On central side there is network 10.50.0.0/24.
There is one Lan-to-Lan that is working great with network 10.50.1.0/24. I
copied the pix conf from this site (changed isakmp key, access-list, ...). The
VPN tunnel can be established from either end. The SA's are established.

If I ping from the central site (behind the concentrator) to my network behind
the pix (10.50.5.0/24) I can see echo and echo-reply packets on my pix (debug
icmp trace), and the number of packets encrypted and decrypted on the pix is
incremented (sh crypto ipsec sa). So I guess that packets are coming from the
tunnel and going back in?!

But on the concentrator, if I go to Monitoring-Sessions, the session is
established but there are only TX packets. RX packets is 0!

What could be wrong? There are no error messages in the pix or concentrator
logs.

Thanks for your help, Bye

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
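A way to check Paul's "both directions" point mechanically, as an added example that is not code from this thread or from Cisco: a small Python audit that models the non-stateful VPN 3000 interface/tunnel filters as one-way permit rules and reports every rule whose mirrored return-direction rule is absent. The Rule model and the constructed rule-set (central 10.50.0.0/24, remote 10.50.5.0/24, the working 10.50.1.0/24 tunnel) are assumptions built from the thread, not a real filter dump.

```python
"""Audit a stateless filter rule-set for missing return-direction rules.

Hypothetical model: each rule permits exactly one direction, so a flow
needs a forward rule AND a mirrored reverse rule or replies are dropped
(which shows up as TX > 0, RX = 0 on the concentrator session).
"""
from ipaddress import ip_network
from typing import NamedTuple


class Rule(NamedTuple):
    src: str                 # source network, CIDR
    dst: str                 # destination network, CIDR
    proto: str               # "icmp", "tcp", "udp" or "any"
    icmp_type: str = "any"   # for icmp: "echo", "echo-reply" or "any"


# Reply direction for the ICMP types modelled; other protocols mirror as-is.
ICMP_REPLY = {"echo": "echo-reply", "echo-reply": "echo", "any": "any"}


def _covers(rule, src, dst, proto, icmp_type):
    """True if `rule` permits a flow src -> dst of proto/icmp_type."""
    return (ip_network(src).subnet_of(ip_network(rule.src))
            and ip_network(dst).subnet_of(ip_network(rule.dst))
            and rule.proto in ("any", proto)
            and (proto != "icmp" or rule.icmp_type in ("any", icmp_type)))


def missing_return_rules(rules):
    """Return the mirrored (reply) rule for every rule that no rule covers."""
    missing = []
    for r in rules:
        reply_type = ICMP_REPLY.get(r.icmp_type, "any")
        if not any(_covers(x, r.dst, r.src, r.proto, reply_type) for x in rules):
            missing.append(Rule(r.dst, r.src, r.proto, reply_type))
    return missing


# Constructed rule-set mirroring the thread: central 10.50.0.0/24 may ping
# remote 10.50.5.0/24, but nobody permitted the echo-reply coming back.
FILTER = [
    Rule("10.50.0.0/24", "10.50.5.0/24", "icmp", "echo"),
    Rule("10.50.0.0/24", "10.50.1.0/24", "tcp"),
    Rule("10.50.1.0/24", "10.50.0.0/24", "tcp"),   # working tunnel: both ways
]

if __name__ == "__main__":
    for m in missing_return_rules(FILTER):
        print(f"no return rule: {m.src} -> {m.dst} {m.proto} {m.icmp_type}")
```

Feed it the rules of every filter the tunnel traffic crosses (interface and tunnel filters alike); a single unmirrored rule in any of them is enough to produce the one-way symptom described.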