Firewall Wizards mailing list archives
RE: Cisco Concentrator - pix515 Lan-to-Lan
From: "Hughes, Chris" <Chris.Hughes () thalescomminc com>
Date: Tue, 15 Feb 2005 12:43:20 -0500
Check the pix static routes as well. If the remote network is a subnet of the existing inside network you may need to put in more explicit routes.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Paul Melson
Sent: Monday, February 14, 2005 4:11 PM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Cisco Concentrator - pix515 Lan-to-Lan

Two things come to mind right away. The first is that there is some sort of routing problem. Make sure that all necessary routers and hosts have a route that points 10.50.0.0/24 to the inside interface of the concentrator.

The second is that - and this is something most people learn the hard way - the interface and tunnel filters on the VPN 3000 series are *NOT* stateful. If you want traffic to flow, it must be explicitly defined for both directions in all applicable filters.

Also, if neither of these solves your problem, do you see any errors in the VPN 3000's log?

PaulM

-----Original Message-----
Subject: [fw-wiz] Cisco Concentrator - pix515 Lan-to-Lan

Hi list,

I have a problem with configuring Lan-to-Lan on a VPN concentrator 3000 series on one side and a pix 515 on the other. Here it is:

On the central side there is network 10.50.0.0/24. There is one Lan-to-Lan that is working great with network 10.50.1.0/24. I copied the pix conf from this site (changed isakmp key, access-list, ...). The VPN tunnel can be established from either end. The SAs are established.

If I ping from the central site (behind the concentrator) to my network behind the pix (10.50.5.0/24), I can see echo and echo-reply packets on my pix (debug icmp trace); the number of packets encrypted and decrypted on the pix is incremented (sh crypto ipsec sa). So I guess that packets are coming from the tunnel and going back in?!

But on the concentrator, if I go to Monitoring-Sessions, the session is established but there are only TX packets; RX packets are 0!

What could be wrong?
There are no error messages in the pix or concentrator log.

Thanks for your help,
By

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
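The routing check both replies point at, as an added example that is not part of the thread: a longest-prefix-match lookup of the remote site's subnet against a hub-side route table, flagging any address that is swallowed by a broader route instead of being sent to the concentrator's inside interface. The subnets are the ones from the thread; the route table and next-hop names are constructed.

```python
"""Hub-side return-path check for a Lan-to-Lan VPN (added example, constructed data)."""
import ipaddress

# Constructed hub core route table: (prefix, next hop). The /16 summary is the
# kind of broader route that silently absorbs a new remote /24 that has no
# explicit entry, so replies never reach the concentrator (RX stays at 0).
HUB_CORE_ROUTES = [
    ("10.50.0.0/24", "vlan-central"),         # central LAN, directly connected
    ("10.50.0.0/16", "core-switch"),          # summary for the 10.50.x.x space
    ("10.50.1.0/24", "concentrator-inside"),  # the working Lan-to-Lan site
]


def lookup(route_table, dst):
    """Return (prefix, next_hop) of the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def check_vpn_return_path(route_table, remote_subnet, vpn_inside_if):
    """List routing problems for the remote subnet; empty list means consistent.

    Probes the first and last usable host so a partially overlapping, more
    specific route elsewhere in the table is also caught.
    """
    net = ipaddress.ip_network(remote_subnet)
    problems = []
    for probe in (net.network_address + 1, net.broadcast_address - 1):
        hit = lookup(route_table, str(probe))
        if hit is None:
            problems.append(f"{probe}: no route")
        elif hit[1] != vpn_inside_if:
            problems.append(f"{probe}: matched {hit[0]} via {hit[1]}, not {vpn_inside_if}")
    return problems


def diagnose(remote_subnet="10.50.5.0/24", vpn_inside_if="concentrator-inside"):
    """Run the check on the table as-is and again with an explicit remote route added."""
    broken = check_vpn_return_path(HUB_CORE_ROUTES, remote_subnet, vpn_inside_if)
    fixed_table = HUB_CORE_ROUTES + [(remote_subnet, vpn_inside_if)]
    fixed = check_vpn_return_path(fixed_table, remote_subnet, vpn_inside_if)
    return broken, fixed


if __name__ == "__main__":
    for line in diagnose()[0]:
        print(line)
```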
Current thread:
- Cisco Concentrator - pix515 Lan-to-Lan tone (Feb 14)
- RE: Cisco Concentrator - pix515 Lan-to-Lan Paul Melson (Feb 14)
- <Possible follow-ups>
- RE: Cisco Concentrator - pix515 Lan-to-Lan Hughes, Chris (Feb 19)