wilson2468
Technical User
I have exhausted all of my ideas as to why this does not work, any ideas would help:
The rest of the firewall configuration is up and working fine with several other ipsec tunnels and no problems.
I have a PIX 525 on my end,
I have end to end connectivity to the remote site peer. The remote site peer can ping my PIX outside interface, but IPSEC is not the issue.
I am trying to have a host on my end (10.11.150.1) connect to a host on the remote end (10.79.15.3) inside an IPSEC tunnel.
The goal is to have the firewall configured to NAT the inside host address on my end (10.11.150.1) to 10.91.6.2.
I think I have a NAT translation issue in the firewall. All routing from my 10.11.150.1 address to the firewall is OK. The host on my end is a couple of hops away from the PIX on my end.
My end host is supposed to try a connection attempt about every hour.
I can see the attempt to make the connection in the firewall logs, but it times out and never attempts to translate the address or build the tunnel.
I see no hits on the associated access-lists for the NAT translation.
There are no attempts to xlate in the logs.
Debugs of the crypto phase 1 show no attempt to build the tunnel (I don't think it ever gets that far in the process). The tunnel therefore does not exist and never has.
Log output:
sh access-list:
access-list bold; 1 elements
access-list bold line 1 permit ip 10.91.6.0 255.255.255.0 host 10.79.15.3 (hitcnt=0)
access-list translation2; 1 elements
access-list translation2 line 1 permit ip host 10.11.150.1 host 10.79.15.3 (hitcnt=0)
sh log:
302013: Built outbound TCP connection 74840423 for outside:10.79.15.3/5202 (10.79.15.3/5202) to inside:10.11.150.1/2492
302014: Teardown TCP connection 74840766 for outside:10.79.15.3/5202 to inside:10.11.150.1/2496 duration 0:02:01 bytes 0 SYN Timeout
Relevant parts of the config:
crypto map p 30 ipsec-isakmp
crypto map p 30 match address bold
crypto map p 30 set peer 6.19.8.7
crypto map p 30 set transform-set 3dessha
access-list bold permit ip 10.11.150.0 255.255.255.0 10.79.15.3 255.255.255.255
static (inside,outside) 10.91.6.2 access-list translation2 0 0
access-list translation2 permit ip host 10.11.150.1 10.79.15.3 255.255.255.255
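Added example (not part of wilson2468's post): a small Python model of the order in which a PIX evaluates a policy static and the crypto-map ACL for an inside-to-outside flow. On a PIX, outbound traffic is translated by NAT before it is matched against the crypto map, so a crypto ACL has to describe the translated source address. The post shows two different versions of access-list bold (the one in "sh access-list" uses 10.91.6.0/24, the pasted config uses 10.11.150.0/24), so the model runs the 10.11.150.1 -> 10.79.15.3 flow through both. The ACL parser, the single-static NAT model and the sample flow are constructed here for illustration; the model deliberately ignores any other nat/static statements on the real firewall, which the post does not show, and it cannot explain why translation2 itself reports hitcnt=0.

```python
# Added illustration, not code from the original post: model PIX ordering
# (policy NAT first, then crypto-map ACL on the translated packet) for one
# outbound flow, using the ACL text pasted in the post above.
import ipaddress


def parse_address(tokens):
    """Consume one PIX ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    Returns (IPv4Network, remaining_tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # PIX writes a dotted subnet mask rather than a prefix length.
    return ipaddress.IPv4Network((tokens[0], tokens[1])), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list NAME permit ip SRC DST' lines into (src_net, dst_net) pairs.
    Only the 'permit ip' form used in the post is handled."""
    aces = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
            raise ValueError("unsupported ACE: " + line)
        src, rest = parse_address(tokens[4:])
        dst, rest = parse_address(rest)
        if rest:
            raise ValueError("trailing tokens in ACE: " + line)
        aces.append((src, dst))
    return aces


def acl_matches(aces, src, dst):
    """True if any ACE covers the src/dst pair (first match wins on the PIX)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in aces)


def outbound_flow(src, dst, nat_acl, mapped_src, crypto_acl):
    """Evaluate one inside->outside flow in PIX order: policy NAT, then the crypto
    ACL against the translated packet. Models a single host-to-host
    'static (inside,outside) MAPPED access-list NAME' only (assumption: no other
    nat/static statements take precedence)."""
    nat_hit = acl_matches(nat_acl, src, dst)
    translated = mapped_src if nat_hit else src
    crypto_hit = acl_matches(crypto_acl, translated, dst)
    return {"nat_hit": nat_hit, "translated_src": translated, "crypto_hit": crypto_hit}


# ACLs copied from the post. "sh access-list" and the pasted config disagree
# about access-list bold, so both versions are evaluated.
TRANSLATION2 = parse_acl([
    "access-list translation2 permit ip host 10.11.150.1 host 10.79.15.3",
])
BOLD_RUNNING = parse_acl([
    "access-list bold permit ip 10.91.6.0 255.255.255.0 host 10.79.15.3",
])
BOLD_PASTED = parse_acl([
    "access-list bold permit ip 10.11.150.0 255.255.255.0 10.79.15.3 255.255.255.255",
])
MAPPED = "10.91.6.2"  # static (inside,outside) 10.91.6.2 access-list translation2 0 0


def compare_crypto_acls(src="10.11.150.1", dst="10.79.15.3"):
    """Run the post's flow through both versions of access-list bold."""
    return {
        "running": outbound_flow(src, dst, TRANSLATION2, MAPPED, BOLD_RUNNING),
        "pasted": outbound_flow(src, dst, TRANSLATION2, MAPPED, BOLD_PASTED),
    }


if __name__ == "__main__":
    for label, r in compare_crypto_acls().items():
        print(f"{label:8s} nat_hit={r['nat_hit']} "
              f"translated_src={r['translated_src']} crypto_hit={r['crypto_hit']}")
```

Run as-is, the version of bold from "sh access-list" (10.91.6.0/24) matches the flow after translation to 10.91.6.2, while the pasted version (10.11.150.0/24) never sees a post-NAT packet it can match. A second host such as 10.11.150.2 misses translation2 and therefore also misses the crypto ACL in both versions. Whether the real PIX ever reaches this static is a separate question that "sh xlate" and the ordering of the other nat/static statements on the box would answer.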