Re: Site to site VPN btw PIX515E and ASA5505 Issue!!!

From: Peter Svidler (doubleccie@yahoo.com)
Date: Fri Jun 29 2007 - 06:43:46 ART


Hi;
Not sure if I'm correct, but you may be having a routing problem.

You may consider using crypto map reverse-route on both sides so the PIX knows about the destination networks over the tunnel.

You may need to change the crypto isakmp key to the tunnel-group as well.

HTH

Joshua <joshualixin@gmail.com> wrote:
Guys, I am building a site-to-site IPsec VPN. One site is running a PIX 515E
and the remote side is running an ASA 5505. I can see the VPN tunnel is up, but I
cannot ping from the internal 10.10.110.0 subnet to the 10.19.76.0 subnet. With "debug
icmp trace" turned on on both boxes, when I ping from 10.10.110.11 to
10.19.76.10 I see the ICMP echo-request on both boxes but do not see the echo-reply.
Below is the related configuration. Please help!!!

=========
PIX 515E:
=========
Cisco PIX Firewall Version 6.3(4)

access-list COQ permit ip 10.110.0.0 255.255.128.0 10.19.76.0 255.255.255.0
!
crypto map mymap 220 match address COQ
crypto map mymap 220 set peer 20.12.28.247
crypto map mymap 220 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
!
isakmp key ******** address 20.12.28.247 netmask 255.255.255.255
!
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 1
isakmp policy 5 lifetime 86400

pixfirewall# sh cry isa sa
Total : 8
Embryonic : 0
dst src state pending created
...
20.12.28.247 204.2.18.8 QM_IDLE 0 1
...

==========
ASA 5505 :
==========
System image file is "disk0:/asa722-k8.bin"

: Saved
:
ASA Version 7.2(2)
!
...
!
interface Vlan1
nameif inside
security-level 100
ip address 10.19.76.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
....
access-list cryptomap extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
access-list nat0 extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
...
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
...
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address cryptomap
crypto map outside_map 20 set peer 204.2.18.8
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp nat-traversal 3600
tunnel-group 204.2.18.8 type ipsec-l2l
tunnel-group 204.2.18.8 ipsec-attributes
pre-shared-key *
...

coq5505# sh cry isa sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 204.2.18.8
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
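A check worth running on the two configurations quoted above, added here as an example and not code from the thread: it parses the crypto-map match ACLs from both peers, verifies that they mirror each other, and tests whether the ping's forward and reply packets actually fall inside the networks those ACLs select for the tunnel. The ACL lines and the addresses are the ones in the post (the wrapped ASA line is joined); the script, its function names and the use of the standard-library ipaddress module are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]

# Constructed sample input: the two crypto-map match ACLs quoted in the
# thread. The PIX 6.3 line has no "extended" keyword; the ASA 7.2 line does
# and was wrapped across two lines in the archive, so it is joined here.
PIX_ACL_LINES = [
    "access-list COQ permit ip 10.110.0.0 255.255.128.0 10.19.76.0 255.255.255.0",
]
ASA_ACL_LINES = [
    "access-list cryptomap extended permit ip 10.19.76.0 255.255.255.0 "
    "10.110.0.0 255.255.128.0",
]


def _take_net(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one address operand ('any', 'host A', or 'A MASK') at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # Dotted-netmask form used by PIX/ASA ACLs; strict=False tolerates host bits.
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list NAME [extended] permit ip SRC DST' lines into
    (src_net, dst_net) pairs. Deny lines and non-IP protocols are skipped,
    since only 'permit ip' entries define interesting traffic for a crypto map."""
    entries: List[Entry] = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        i = 2
        if tokens[i] == "extended":
            i += 1
        if tokens[i] != "permit" or tokens[i + 1] != "ip":
            continue
        i += 2
        src, i = _take_net(tokens, i)
        dst, i = _take_net(tokens, i)
        entries.append((src, dst))
    return entries


def mirror_mismatches(local: List[Entry], remote: List[Entry]) -> List[Entry]:
    """Entries of `local` whose swapped (dst, src) pair is absent from `remote`.
    The two peers' crypto ACLs must be exact mirrors, or proxy-ID negotiation
    and return-path selection will disagree."""
    remote_pairs = {(s, d) for s, d in remote}
    return [(s, d) for s, d in local if (d, s) not in remote_pairs]


def flow_selected(acl: List[Entry], src_ip: str, dst_ip: str) -> bool:
    """True if a src->dst packet matches any entry, i.e. the crypto map would
    send it into the tunnel instead of out in the clear (and through NAT)."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    return any(s in sn and d in dn for sn, dn in acl)


def check_tunnel(pix_lines: List[str], asa_lines: List[str],
                 src_ip: str, dst_ip: str) -> Dict[str, bool]:
    """Three quick checks for a failing ping across an L2L tunnel: the ACLs
    mirror, the echo-request is selected on the PIX side, and the echo-reply
    is selected on the ASA side."""
    pix = parse_crypto_acl(pix_lines)
    asa = parse_crypto_acl(asa_lines)
    return {
        "acls_mirror": not mirror_mismatches(pix, asa) and not mirror_mismatches(asa, pix),
        "forward_selected_on_pix": flow_selected(pix, src_ip, dst_ip),
        "reply_selected_on_asa": flow_selected(asa, dst_ip, src_ip),
    }


if __name__ == "__main__":
    # The ping quoted in the post: 10.10.110.11 -> 10.19.76.10.
    for key, ok in check_tunnel(PIX_ACL_LINES, ASA_ACL_LINES,
                                "10.10.110.11", "10.19.76.10").items():
        print(f"{key}: {ok}")
```

With the values exactly as typed in the post, the two ACLs mirror each other, but the 10.10.110.11 ping source does not fall inside the PIX's 10.110.0.0/17 local network, so neither the echo-request nor the echo-reply would be selected for the tunnel; confirming whether the real inside subnet is 10.10.110.0 or 10.110.0.0 is a cheaper first step than chasing routing or NAT exemption. Substitute an address that is inside 10.110.0.0/17 and all three checks pass.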



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART