Nothing happens; I put the static route in for a test. I could not make it work. The PIX was changed for a router and I put in a Tunnel interface, and it works OK.
Thanks to all!!!

On Thu, Sep 25, 2008 at 12:44 PM, Gamino, Rogelio (OCTO-Contractor) <[EMAIL PROTECTED]> wrote:
> What happens if you remove the static route?
>
> route outside 10.180.0.0 255.255.0.0 180.200.200.141
>
> I don't think I've had to put static routes on the VPN device for routes
> at the other end of the tunnel. The ACL (L2L in this case) should take
> care of that.
>
> Rogelio Gamino
> [EMAIL PROTECTED]
> (o) 202-741-5853
> (c) 202-716-9965
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Everton Diniz
> Sent: Tuesday, July 15, 2008 9:19 AM
> To: cisco-nsp
> Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
>
> Hi all,
>
> I configured a tunnel between a PIX and a router. The traffic goes to the PIX but
> does not come back. I see only encaps on the router and decaps on the
> PIX.
> Is anything missing?
>
> Thanks
>
> Router Output and Config
> TEHTCVPNRT01#sh cry ip sa
>
> interface: GigabitEthernet0/1
>     Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141
>
>    protected vrf: (none)
>    local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
>    remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
>    current_peer 200.150.180.62 port 500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
>     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 4, #recv errors 0
>
>      local crypto endpt.: 180.200.200.141, remote crypto endpt.: 200.150.180.62
>      path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
>      current outbound spi: 0xEA23924(245512484)
>
>      inbound esp sas:
>       spi: 0x2E3660C5(775315653)
>         transform: esp-3des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
>         sa timing: remaining key lifetime (k/sec): (4429641/3573)
>         IV size: 8 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0xEA23924(245512484)
>         transform: esp-3des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
>         sa timing: remaining key lifetime (k/sec): (4429640/3573)
>         IV size: 8 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
>
> crypto isakmp policy 11
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 3600
> crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
> crypto isakmp aggressive-mode disable
> crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
>
> crypto map ra-L2L-vpn 2 ipsec-isakmp
>  set peer 200.150.180.62
>  set transform-set aessha-pixrtr
>  match address 120
>  reverse-route
>
> interface GigabitEthernet0/1
>  ip address 180.200.200.141 255.255.255.192
>  crypto map ra-L2L-vpn
>
> access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255
>
>
> ++++++++++++++++++++++++++++++++++
>
>
> PIX output and Config:
>    local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
>    remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
>    current_peer: 180.200.200.141:500
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
>     #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
>     #send errors 0, #recv errors 0
>
>      local crypto endpt.: 200.150.180.62 , remote crypto endpt.: 180.200.200.141
>      path mtu 1500, ipsec overhead 56, media mtu 1500
>      current outbound spi: 2e3660c5
>
>      inbound esp sas:
>       spi: 0xea23924(245512484)
>         transform: esp-3des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         slot: 0, conn id: 4, crypto map: L2L-ons
>         sa timing: remaining key lifetime (k/sec): (4607999/3478)
>         IV size: 8 bytes
>         replay detection support: Y
>
>      inbound ah sas:
>
>      inbound pcp sas:
>
>      outbound esp sas:
>       spi: 0x2e3660c5(775315653)
>         transform: esp-3des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         slot: 0, conn id: 3, crypto map: L2L-ons
>         sa timing: remaining key lifetime (k/sec): (4608000/3478)
>         IV size: 8 bytes
>         replay detection support: Y
>
>      outbound ah sas:
>
>      outbound pcp sas:
>
>
> ip address outside 200.150.180.62 255.255.255.224
> ip address inside 10.139.1.111 255.255.255.0
> access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
> access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
> nat (inside) 0 access-list L2Lnonat
> route outside 10.180.0.0 255.255.0.0 180.200.200.141 1
> sysopt connection permit-ipsec
> crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 3600
> crypto map L2L 1 ipsec-isakmp
> crypto map L2L 1 match address L2L
> crypto map L2L 1 set peer 180.200.200.141
> crypto map L2L 1 set transform-set aessha-pixrtr
> crypto map L2L interface outside
> isakmp enable outside
> isakmp key L2L address 180.200.200.141 netmask 255.255.255.255 no-xauth
> isakmp identity address
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash md5
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 3600
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
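The counters the two peers posted already localize the fault, and that is the check worth automating when a tunnel comes up but traffic only flows one way. The script below is an added example for this thread, not code from the original posts or from Cisco: it parses abridged `show crypto ipsec sa` output from both ends, confirms the ESP SPIs pair up, and compares encaps on one side with decaps on the other. The two sample outputs are constructed copies of the counters shown above; the peer names and the dictionary keys are this example's own.

```python
"""Localize one-way traffic on an IPsec L2L tunnel by correlating the
`show crypto ipsec sa` counters of both peers.  Added example, not code
from the cisco-nsp thread or from Cisco; the samples are constructed."""
import re

# Constructed sample: abridged IOS `show crypto ipsec sa` from the router.
ROUTER_SA = """\
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0
     current outbound spi: 0xEA23924(245512484)
     inbound esp sas:
      spi: 0x2E3660C5(775315653)
     inbound ah sas:
     outbound esp sas:
      spi: 0xEA23924(245512484)
"""

# Constructed sample: abridged PIX `show crypto ipsec sa`.
PIX_SA = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #send errors 0, #recv errors 0
     current outbound spi: 2e3660c5
     inbound esp sas:
      spi: 0xea23924(245512484)
     inbound ah sas:
     outbound esp sas:
      spi: 0x2e3660c5(775315653)
"""

COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
ERRORS = re.compile(r"#(send|recv) errors\s*(\d+)")
SPI = re.compile(r"^spi:\s*0x([0-9a-fA-F]+)")


def parse_sa(text):
    """Extract encaps/decaps counters, error counters and the ESP SPI of
    each direction from one peer's `show crypto ipsec sa` output."""
    sa = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
          "inbound_spi": None, "outbound_spi": None}
    section = None  # set while inside an "inbound/outbound esp sas:" block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("inbound esp sas"):
            section = "inbound_spi"
        elif line.startswith("outbound esp sas"):
            section = "outbound_spi"
        elif line.endswith("sas:"):          # ah / pcp blocks carry no ESP SPI
            section = None
        for m in COUNTER.finditer(line):
            sa[m.group(1)] = int(m.group(2))
        for m in ERRORS.finditer(line):
            sa[m.group(1) + "_errors"] = int(m.group(2))
        m = SPI.match(line)
        if m and section and sa[section] is None:
            sa[section] = int(m.group(1), 16)  # first SPI in the block
    return sa


def diagnose(a_name, a, b_name, b):
    """Compare both peers' views of one SA pair; say which direction works
    and which box to inspect."""
    out = {
        # Each peer's outbound SPI must be the other peer's inbound SPI.
        "spi_match": (a["outbound_spi"] == b["inbound_spi"]
                      and b["outbound_spi"] == a["inbound_spi"]),
        "a_to_b_ok": a["encaps"] > 0 and a["encaps"] == b["decaps"],
        "b_to_a_ok": b["encaps"] > 0 and b["encaps"] == a["decaps"],
        "suspect": None,
    }
    if not out["spi_match"]:
        out["reason"] = "SPIs differ between peers: stale or duplicate phase-2 SAs."
    elif out["a_to_b_ok"] and out["b_to_a_ok"]:
        out["reason"] = "both directions encrypt and decrypt; tunnel is healthy."
    elif out["a_to_b_ok"] and b["encaps"] == 0:
        # b decrypts everything a sends but never encrypts a reply, so the
        # return traffic is not reaching b's crypto map at all: routing, NAT
        # exemption or crypto ACL on b, not IKE/IPsec.
        out["suspect"] = b_name
        out["reason"] = (f"{b_name} decrypts {a_name}'s packets but encrypts "
                         f"nothing back: replies never reach {b_name}'s crypto map.")
    elif out["b_to_a_ok"] and a["encaps"] == 0:
        out["suspect"] = a_name
        out["reason"] = (f"{a_name} decrypts {b_name}'s packets but encrypts "
                         f"nothing back: replies never reach {a_name}'s crypto map.")
    elif a["encaps"] > b["decaps"] or b["encaps"] > a["decaps"]:
        out["reason"] = "a peer encrypts more than the other decrypts: ESP lost in transit."
    else:
        out["reason"] = "pattern not recognized; inspect both peers manually."
    return out


def report():
    """Run the diagnosis on the constructed samples above."""
    return diagnose("router", parse_sa(ROUTER_SA), "PIX", parse_sa(PIX_SA))


if __name__ == "__main__":
    r = report()
    print(f"suspect: {r['suspect']}  reason: {r['reason']}")
```

On the thread's numbers the SPIs pair up and the router's 81 encaps equal the PIX's 81 decaps, while the PIX encaps stay at 0, so the script points at the PIX side before encryption rather than at the SA itself. That is also why a static route on the PIX is not the obvious fix: the return packets never hit the crypto map, which is where the route, the nat 0 exemption and the L2L ACL would have to agree.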
