What happens if you remove the static route?

route outside 10.180.0.0 255.255.0.0 180.200.200.141

I don't think I've had to put static routes on the VPN device for routes at the other end of the tunnel. The ACL (L2L in this case) should take care of that.

Rogelio Gamino
[EMAIL PROTECTED]
(o) 202-741-5853
(c) 202-716-9965

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Everton Diniz
Sent: Tuesday, July 15, 2008 9:19 AM
To: cisco-nsp
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router

Hi all,

I configured a tunnel between a PIX and a router. The traffic goes to the PIX but does not have a return. I see only encaps on the router and decaps on the PIX. Is anything missing?

Thanks

Router Output and Config

TEHTCVPNRT01#sh cry ip sa

interface: GigabitEthernet0/1
    Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 180.200.200.141, remote crypto endpt.: 200.150.180.62
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xEA23924(245512484)

     inbound esp sas:
      spi: 0x2E3660C5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429641/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEA23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429640/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
crypto isakmp aggressive-mode disable
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto map ra-L2L-vpn 2 ipsec-isakmp
 set peer 200.150.180.62
 set transform-set aessha-pixrtr
 match address 120
 reverse-route
interface GigabitEthernet0/1
 ip address 180.200.200.141 255.255.255.192
 crypto map ra-L2L-vpn
access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255

++++++++++++++++++++++++++++++++++

PIX output and Config:

   local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.150.180.62 , remote crypto endpt.: 180.200.200.141
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 2e3660c5

     inbound esp sas:
      spi: 0xea23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4607999/3478)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2e3660c5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4608000/3478)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

ip address outside 200.150.180.62 255.255.255.224
ip address inside 10.139.1.111 255.255.255.0
access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
nat (inside) 0 access-list L2Lnonat
route outside 10.180.0.0 255.255.0.0 180.200.200.141 1
sysopt connection permit-ipsec
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map L2L 1 ipsec-isakmp
crypto map L2L 1 match address L2L
crypto map L2L 1 set peer 180.200.200.141
crypto map L2L 1 set transform-set aessha-pixrtr
crypto map L2L interface outside
isakmp enable outside
isakmp key L2L address 180.200.200.141 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
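Added example, not part of the thread above: a short Python script that reads the two "show crypto ipsec sa" outputs posted in the thread (trimmed copies embedded as sample input), checks that the proxy identities and ESP SPIs pair up between the peers, and classifies the packet counters per direction. The function and field names (parse_sa, diagnose, direction_status) are my own. Run against the posted counters it reports that the SAs match on both sides, so the crypto negotiation is not the problem, and that the PIX side never selects a reply packet for the tunnel, which narrows the search to how return traffic is forwarded on that side.

```python
import re

# Trimmed copies of the two outputs posted in the thread, used as sample
# input: the router's view first, the PIX's view second.
ROUTER_SA = """\
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0
     current outbound spi: 0xEA23924(245512484)
     inbound esp sas:
      spi: 0x2E3660C5(775315653)
     outbound esp sas:
      spi: 0xEA23924(245512484)
"""

PIX_SA = """\
   local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #send errors 0, #recv errors 0
     current outbound spi: 2e3660c5
     inbound esp sas:
      spi: 0xea23924(245512484)
     outbound esp sas:
      spi: 0x2e3660c5(775315653)
"""


def parse_sa(text):
    """Extract proxy identities, counters and ESP SPIs from one peer's output."""
    sa = {}
    for side in ("local", "remote"):
        m = re.search(rf"{side}\s+ident.*?:\s*\(([^/]+)/([^/]+)/", text)
        sa[side] = (m.group(1), m.group(2))          # (network, mask)
    for key in ("encaps", "decaps"):
        sa[key] = int(re.search(rf"#pkts {key}:\s*(\d+)", text).group(1))
    for key in ("send", "recv"):
        sa[f"{key}_errors"] = int(re.search(rf"#{key} errors\s*(\d+)", text).group(1))
    # First "spi:" after each "... esp sas:" header; parse as int so that
    # 0xEA23924 (IOS, upper case) equals 0xea23924 (PIX, lower case).
    for direction in ("inbound", "outbound"):
        m = re.search(rf"{direction} esp sas:.*?spi:\s*0x([0-9a-fA-F]+)", text, re.S)
        sa[f"{direction}_spi"] = int(m.group(1), 16)
    return sa


def direction_status(sent, received):
    """Classify one direction from the sender's encaps and the receiver's decaps."""
    if sent == 0:
        return "idle"       # nothing was ever selected for the tunnel on the sender
    if received == 0:
        return "lost"       # encrypted and sent, never decrypted: dropped in transit
    if received < sent:
        return "partial"
    return "ok"


def diagnose(a, b):
    """Cross-check peer A's and peer B's SA views and return a verdict."""
    r = {
        "ident_ok": a["local"] == b["remote"] and a["remote"] == b["local"],
        "spi_ok": a["outbound_spi"] == b["inbound_spi"]
        and b["outbound_spi"] == a["inbound_spi"],
        "a_to_b": direction_status(a["encaps"], b["decaps"]),
        "b_to_a": direction_status(b["encaps"], a["decaps"]),
        "send_errors": (a["send_errors"], b["send_errors"]),
    }
    if not r["ident_ok"]:
        r["verdict"] = "proxy identities do not mirror each other: crypto ACLs differ"
    elif not r["spi_ok"]:
        r["verdict"] = "SPIs do not pair up: the peers hold different IPsec SAs"
    elif "lost" in (r["a_to_b"], r["b_to_a"]):
        r["verdict"] = "packets leave encrypted but never arrive: ESP/UDP 500 dropped between peers"
    elif {r["a_to_b"], r["b_to_a"]} == {"ok", "idle"}:
        quiet = "B" if r["b_to_a"] == "idle" else "A"
        r["verdict"] = (f"one-way: crypto is fine, but {quiet} never encrypts a reply; "
                        f"{quiet}'s return traffic is not reaching its crypto map "
                        "(routing, NAT or ACL on that side)")
    elif r["a_to_b"] == "ok" and r["b_to_a"] == "ok":
        r["verdict"] = "tunnel passing traffic both ways"
    else:
        r["verdict"] = "inconclusive; compare counters again after generating traffic"
    return r


if __name__ == "__main__":
    for key, value in diagnose(parse_sa(ROUTER_SA), parse_sa(PIX_SA)).items():
        print(f"{key:>12}: {value}")
```

The SPI pairing is the check worth keeping: the router's outbound SPI must be the PIX's inbound SPI and vice versa, and when that holds while one side's encaps stays at zero, the reply packets are simply never matched by that side's crypto ACL, so the next thing to look at is the PIX's forwarding and NAT for 10.180.0.0/16, not the ISAKMP or transform settings.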
