TUNNEL UP BUT NO TRAFFIC PASSING THROUGH
Hello, we have a customer that has been working with us for about a month with no problem. We set up a connection between a FortiGate firewall and a Cisco 2811. Now the tunnel is up but no traffic is going or coming through it. I redid the whole configuration for this customer: key, crypto map and access-list. The tunnel comes up but again, no traffic is coming or going.
Any hints?
Thanks.
Hi,
Below is an excellent document on the most common L2L and Remote Access IPsec VPN troubleshooting solutions.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
If this doc does not help, do post your configuration along with the Src and Dest IP Addresses that you are trying to ping across the tunnel.
Regards,
Arul
*Pls rate if it helps*
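The first thing a practitioner checks when a tunnel is "up" but silent is the SA packet counters and the proxy identities: if nothing is selected into the tunnel, encaps and decaps both stay at zero, and a ping sourced from an address outside the local identity (the router's own outside address, for example) is never encrypted at all. The script below is an added example, not part of the thread; it parses the text of Cisco IOS `show crypto ipsec sa` for one crypto map entry (the sample output is constructed, using documentation address ranges) and says which side to look at. The verdict names are my own.

```python
"""Triage for an IPsec tunnel that shows as up but passes nothing.

Added example (not from the thread). Reads Cisco IOS 'show crypto ipsec sa'
text for one crypto map entry, pulls the proxy identities and the
encaps/decaps counters, and says which side of the tunnel to look at.
The sample below is constructed; addresses are documentation ranges.
"""
import ipaddress
import re

SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): "
                      r"\(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
PEER_RE = re.compile(r"current_peer ([\d.]+)")

# Verdict keys (my naming) and what each one tells you to check.
VERDICT_TEXT = {
    "errors": "send/recv errors: look at fragmentation, replay and MTU first",
    "no-traffic-selected": "nothing enters the tunnel: ping source/destination, "
                           "crypto ACL, routing toward the tunnel, NAT exemption",
    "one-way-out": "we encrypt, peer never answers: peer's crypto ACL must "
                   "mirror ours; check peer routing / return path",
    "one-way-in": "peer sends, we never encrypt back: our routing/ACL/NAT "
                  "does not select the return traffic",
    "bidirectional": "SA carries traffic both ways: look past the tunnel "
                     "(host firewalls, inside ACLs)",
}


def parse_ipsec_sa(text):
    """Extract proxy identities, peer and counters from one SA block."""
    sa = {"local": None, "remote": None, "peer": None,
          "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for name, count in COUNTER_RE.findall(text):
        sa[name] += int(count)          # inbound and outbound SA lines add up
    for send, recv in ERROR_RE.findall(text):
        sa["send_errors"] += int(send)
        sa["recv_errors"] += int(recv)
    peer = PEER_RE.search(text)
    sa["peer"] = peer.group(1) if peer else None
    return sa


def ping_selects_tunnel(sa, src, dst):
    """True only if src->dst sits inside the SA's proxy identities; anything
    else rides the plain default route even though the tunnel is 'up'."""
    return (ipaddress.ip_address(src) in sa["local"]
            and ipaddress.ip_address(dst) in sa["remote"])


def diagnose(sa):
    """Map the counter pattern to a verdict key from VERDICT_TEXT."""
    if sa["send_errors"] or sa["recv_errors"]:
        return "errors"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no-traffic-selected"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one-way-out"
    if sa["encaps"] == 0 and sa["decaps"] > 0:
        return "one-way-in"
    return "bidirectional"


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA)
    print(f"peer {sa['peer']}: {VERDICT_TEXT[diagnose(sa)]}")
    for src, dst in (("192.168.1.10", "10.10.5.5"), ("198.51.100.1", "10.10.5.5")):
        print(f"ping {src} -> {dst} enters tunnel: {ping_selects_tunnel(sa, src, dst)}")
```

The second ping in the demo is the classic mistake behind "tunnel up, no traffic": a ping issued from the router without an inside source address is never matched by the crypto ACL, so the counters stay at zero while the IKE SA looks healthy.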
Similar Messages
-
Does user traffic pass through Controller and Aironet 1030?
Hi All,
I want to raise some questions for which I cannot find exact guidance from Cisco. I intend to implement 2 Airespace 2000 controllers and some 1010s and one 1030 in my main office and branch office. At present, there is a 512 kbps WAN link between these two offices, so I don't want to let the traffic within the branch office pass through the WAN link. Therefore, I intend to use the solution where 1 controller stays in the main office to serve the 1010s in the main office and 1 controller stays in the remote office to serve the 1010s in the remote office. But the remote site only needs 1 AP, thus I would like to use one 1030 in the branch office and keep 2 controllers in the main office for controller redundancy. I would like to know: does the clients' traffic pass through the link between the 1030 and the controller the same as with the 1010? I am very confused about whether the 1030 has this feature, because I found only blurry instructions for the 1030 from Cisco.
Further, if I place one of the controllers in the remote office, how can I control the APs in the remote office to choose the local controller instead of the controller in the main office using the Layer 3 discovery method? Does anyone know? Thanks!
best regards,
Jason

Hi Jason,
Hopefully this info will clear this up for you;
Q. Can I install an access point (AP) at a remote office and install a Cisco WLC at my headquarters? Does the Lightweight AP Protocol (LWAPP) work over a WAN?
A. Yes, you can have the WLCs across the WAN from the APs. LWAPP works over a WAN. Use Remote Edge AP (REAP) mode. REAP allows the control of an AP by a remote controller that is connected via a WAN link. Traffic is bridged onto the LAN link locally, which avoids the need to unnecessarily send local traffic over the WAN link. This is precisely one of the greatest advantages of having WLCs in your wireless network.
Note: Not all lightweight APs support REAP. For example, the 1030 AP supports REAP, but the 1010 and 1020 AP do not support REAP. Before you plan to implement REAP, check to determine if the APs support it. Cisco IOS Software APs that have been converted to LWAPP do not support REAP.
Q. I want to set up the Cisco 1030 Lightweight Access Point (AP) with a Cisco WLC in Remote Edge AP (REAP) mode. In this mode, is all wireless traffic tunneled back to the WLC? Additionally, if the AP cannot contact the WLC, what happens to the wireless clients?
A. The 1030 AP tunnels all WLC traffic (control and management traffic) to the WLC via Lightweight AP Protocol (LWAPP). All data traffic stays local to the AP. The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. As such, traffic on each service set identifier (SSID) terminates on the same subnet on the wired network. So, while wireless traffic may be segmented over the air between SSIDs, user traffic is not separated on the wired side. Access to local network resources is maintained throughout WAN outages.
At times of WAN link outage, all WLANs except the first is decommissioned. Therefore, use WLAN 1 as the primary WLAN and plan security policies accordingly. Cisco recommends that you use a local authentication/encryption method, such as the Wi-Fi Protected Access (WPA) Pre-Shared Key (WPA-PSK), on this first WLAN.
Note: Wired Equivalent Privacy (WEP) suffices, but this method is not recommended because of known security vulnerabilities.
If you use WPA-PSK (or WEP), properly configured users are still able to gain access to local network resources even when the WAN link is down.
From this doc;
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
Hope this helps!
Rob
Please remember to rate helpful posts.
-
Black box able to log traffic passing through...
Hi
I'm looking for a box able to sniff the TCP/IP traffic (source IP address, destination IP address and ports) passing from its ingress interface to the egress interface and vice versa (a bypass option would be useful if this box fails) without any change to the traffic passing through, just logging it and sending this log to a syslog server.
We need it as a solution to be compliant with the new police law against computer criminals, which states that all internet traffic has to be logged (we sometimes offer transparent internet access to our customers where we do not put any kind of equipment such as a firewall, proxy or anything else, only the router providing the internet access).
Do you know if Cisco provide something like that ? Other vendors ?
Any other idea how to be compliant with this request ?
Thanks
Pls advise
Ric

The Cisco Intrusion Prevention System Sensor can be used to log IP traffic. You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic when the first of the parameters you specify is reached. You can also have the sensor log IP packets every time a particular signature is fired. You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged.
-
Only some of the traffic passing through inline vlan pair
Here is my network setup
firewall<---- >(g1/2)Coreswitch 6500 with IDSM(TG9/1)<-----> (TG9/1) Distrib switch with FWSM---------Accessswitch
configuration in core switch
interface GigabitEthernet1/2.11
description **** ****
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
interface GigabitEthernet1/2.37
description **** ****
encapsulation dot1Q 237
ip vrf forwarding VRF37
ip address 10.2.37.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.37.75
standby 1 priority 110
standby 1 preempt
interface TenGigabitEthernet9/1.11
description **** ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
description **** ****
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point
configuration in Distribution switch:
interface TenGigabitEthernet9/1.11
description **** ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.1 255.255.255.252
no ip route-cache
ip ospf network point-to-point
interface TenGigabitEthernet9/1.37
description ********
encapsulation dot1Q 337
ip vrf forwarding VRF37
ip address 10.2.37.1 255.255.255.252
no ip route-cache
ip ospf network point-to-point
I have segregated the network like this. I am using an inline VLAN pair to pass all the traffic through the IDSM module.
I am using the monitoring port Gi0/8.
Config in core switch:
intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
IDSM
physical-interfaces GigabitEthernet0/8
subinterface-type inline-vlan-pair
subinterface 11
description
vlan1 211
vlan2 311
exit
subinterface 37
description
vlan1 237
vlan2 337
exit
The problem I am facing is that some of the VLAN-pair traffic passes through the IDSM and some does not. Here are the statistics:
MAC statistics from interface GigabitEthernet0/8
Statistics From Subinterface 11
Statistics From Vlan 211
Total Packets Received On This Vlan = 0
Total Bytes Received On This Vlan = 0
Total Packets Transmitted On This Vlan = 0
Total Bytes Transmitted On This Vlan = 0
Statistics From Vlan 311
Total Packets Received On This Vlan = 0
Total Bytes Received On This Vlan = 0
Total Packets Transmitted On This Vlan = 0
Total Bytes Transmitted On This Vlan = 0
Statistics From Subinterface 37
Statistics From Vlan 237
Total Packets Received On This Vlan = 3189658726
Total Bytes Received On This Vlan = 64165872092928
Total Packets Transmitted On This Vlan = 3549575166
Total Bytes Transmitted On This Vlan = 64165872092928
Statistics From Vlan 337
Total Packets Received On This Vlan = 3549575166
Total Bytes Received On This Vlan = 64165872092928
Total Packets Transmitted On This Vlan = 3189658726
Total Bytes Transmitted On This Vlan = 64165872092928
Statistics From Subinterface 38
Statistics From Vlan 238
Total Packets Received On This Vlan = 2215151150
Total Bytes Received On This Vlan = 64165872092928
Total Packets Transmitted On This Vlan = 126546964
Total Bytes Transmitted On This Vlan = 64165866995200
Statistics From Vlan 338
Total Packets Received On This Vlan = 126546964
Total Bytes Received On This Vlan = 64165866995200
Total Packets Transmitted On This Vlan = 2215151150
Total Bytes Transmitted On This Vlan = 64165872092928
Give me ideas, experts, so that I can resolve this issue.
Help me, thanks in advance.

I believe the issue is because of the config below:
interface GigabitEthernet1/2.11
description **** ****
encapsulation dot1Q 211
ip vrf forwarding VRF11
ip address 10.2.11.73 255.255.255.248
ip ospf network point-to-point
standby 1 ip 10.2.11.75
standby 1 priority 110
standby 1 preempt
interface TenGigabitEthernet9/1.11
description **** ****
encapsulation dot1Q 311
ip vrf forwarding VRF11
ip address 10.2.11.2 255.255.255.252
ip ospf network point-to-point
interface TenGigabitEthernet9/1.12
description **** ****
encapsulation dot1Q 312
ip vrf forwarding VRF12
ip address 10.2.12.2 255.255.255.252
ip ospf network point-to-point
As you can see, we have 2 IP subnets in VRF 11: .73 and .2 in VLANs 211 and 311 respectively.
The switch is doing inter-VLAN routing directly without having to go through the IDSM for VRF 11.
What we need to remember is that the IDSM does not do routing; it can only bridge VLANs.
Hence we have to force the packet to go through the IDSM.
Here is what we do when we use the IDSM to see traffic going between VLANs:
Normally, with VLANs and IDSM inline mode, we have one IP subnet and 2 VLANs.
IDSM2 in inline mode necessitates an additional artificial VLAN on the SAME subnet as the VLAN you wish to sense.
A layer 3 switch interface needs to be configured within this additional artificial VLAN.
In a nutshell, we need to create 2 VLANs that share one IP subnet and put the SVI on only one of the VLANs.
In your case you will need one IP subnet across VLANs 211 and 311 in VRF 11 to force the data to go through the IDSM.
I can understand if this is a bit tricky to understand.
Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.
It will explain why we need the above and how ARP makes the MAC address table populate correct entries (with one IP subnet for 2 VLANs) so that traffic goes through the IDSM.
https://supportforums.cisco.com/docs/DOC-12206
- Sid -
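The root cause Sid describes can be checked mechanically before the module is even looked at: for every inline VLAN pair, list the switch's own IP interfaces on each of the two VLANs; if both VLANs carry an address in the same VRF, the Catalyst routes between the two subnets itself and the IDSM bridge never sees the packets (which is what the zero counters on subinterface 11 above show). The script below is an added example, not code from the thread. `CORE_CONFIG` is constructed from the core-switch snippet in the post, trimmed to the lines the check reads, `INLINE_PAIRS` mirrors the IDSM `subinterface` blocks, and the verdict names are my own.

```python
"""Spot an IDSM inline VLAN pair that the switch routes around.

Added example, not code from the thread. An IDSM in inline-vlan-pair mode
bridges VLAN1 <-> VLAN2 at layer 2 and does no routing; if the Catalyst has
an IP interface on BOTH VLANs of a pair inside the same VRF, it routes
between the two subnets itself and nothing reaches the IDSM.
CORE_CONFIG is constructed from the core-switch snippet in the post.
"""
import ipaddress
import re

CORE_CONFIG = """\
interface GigabitEthernet1/2.11
 encapsulation dot1Q 211
 ip vrf forwarding VRF11
 ip address 10.2.11.73 255.255.255.248
interface GigabitEthernet1/2.37
 encapsulation dot1Q 237
 ip vrf forwarding VRF37
 ip address 10.2.37.73 255.255.255.248
interface TenGigabitEthernet9/1.11
 encapsulation dot1Q 311
 ip vrf forwarding VRF11
 ip address 10.2.11.2 255.255.255.252
interface TenGigabitEthernet9/1.12
 encapsulation dot1Q 312
 ip vrf forwarding VRF12
 ip address 10.2.12.2 255.255.255.252
"""

# pair id -> (vlan1, vlan2), as in the IDSM 'subinterface' blocks of the post
INLINE_PAIRS = {11: (211, 311), 37: (237, 337)}

# Verdict keys (my naming).
ROUTED_AROUND = "routed-around-idsm"          # L3 on both VLANs, same VRF
BRIDGED = "bridged-through-idsm"              # L3 on one VLAN only: the good case
SPLIT_VRF = "l3-on-both-vlans-separate-vrfs"  # both routed, but no common VRF
NO_L3 = "no-l3-on-this-switch"                # pure L2 here; check elsewhere


def parse_l3_subinterfaces(config):
    """Map VLAN id -> [{interface, vrf, addr}] for every dot1Q subinterface
    in an IOS-style config that carries an IP address."""
    by_vlan = {}
    for block in re.split(r"(?m)^\s*interface\s+", config)[1:]:
        name, _, body = block.partition("\n")
        vlan = re.search(r"encapsulation dot1Q (\d+)", body)
        addr = re.search(r"ip address ([\d.]+) ([\d.]+)", body)
        if not (vlan and addr):
            continue                      # L2-only or un-addressed subinterface
        vrf = re.search(r"ip vrf forwarding (\S+)", body)
        by_vlan.setdefault(int(vlan.group(1)), []).append({
            "interface": name.strip(),
            "vrf": vrf.group(1) if vrf else "global",
            "addr": ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}"),
        })
    return by_vlan


def check_inline_pairs(by_vlan, pairs):
    """Return {pair_id: verdict} for each IDSM inline VLAN pair."""
    verdicts = {}
    for pair_id, (v1, v2) in pairs.items():
        side1, side2 = by_vlan.get(v1, []), by_vlan.get(v2, [])
        if side1 and side2:
            shared_vrf = {i["vrf"] for i in side1} & {i["vrf"] for i in side2}
            verdicts[pair_id] = ROUTED_AROUND if shared_vrf else SPLIT_VRF
        elif side1 or side2:
            verdicts[pair_id] = BRIDGED
        else:
            verdicts[pair_id] = NO_L3
    return verdicts


def report(config, pairs):
    """Human-readable summary: which VLANs of each pair the switch routes."""
    by_vlan = parse_l3_subinterfaces(config)
    lines = []
    for pair_id, verdict in check_inline_pairs(by_vlan, pairs).items():
        v1, v2 = pairs[pair_id]
        routed = ", ".join(
            f"vlan {v} {i['interface']} {i['addr']} ({i['vrf']})"
            for v in (v1, v2) for i in by_vlan.get(v, []))
        lines.append(f"pair {pair_id} ({v1}/{v2}): {verdict}; routed: {routed or 'none'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(CORE_CONFIG, INLINE_PAIRS)))
```

Pair 37 passes because only VLAN 237 has an address on the core; VLAN 337 is bridged to it through the IDSM and nothing routes around the module. Pair 11 is flagged because VLANs 211 and 311 both have addresses in VRF11 (two subnets, .72/29 and .0/30), so the core routes between them. Removing the address from one side and putting both VLANs in one subnet with the SVI on a single VLAN, as Sid recommends, turns that verdict into the bridged case.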
AAA Authentication for Traffic Passing through ASA
I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable it, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
Am I missing something?
firewall# show run aaa
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication match guestnetwork_access guestnetwork RADIUS
aaa authentication secure-http-client
firewall# show access-li guestnetwork_access
access-list guestnetwork_access; 2 elements
access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
firewall# show run aaa-s
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.250.14
key xxxxx
firewall# show run http
http server enable

Your definition for the aaa-server is different from the aaa authentication server-group.
try
aaa authentication http console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
-
Does IPv6 traffic "pass-through" or "drop" by cisco waas?
Since Cisco WAAS does not yet support IPv6, if I am running IPv4 and IPv6 dual stack on the same circuit, does IPv6 traffic get dropped by the WAAS or does the WAAS put IPv6 traffic in "pass-through" mode and let it go? I am thinking WAAS will treat IPv6 as non-IP traffic and let it go. Am I right?
Hi Joe and Kanwai,
One note though: if you're running WCCP as the redirection mode, you won't get the IPv6 traffic redirected, as WCCP does NOT support IPv6. Hence you won't see IPv6 traffic at all on the WAAS device.
Best Regards
Finn Poulsen
-
High delay when traffic passes through the tunnel
Hello,
I have a DMVPN topology.
When I ping the real IP on the hub's outside interface from the spoke, the delay is approximately 100 ms, but when I ping the tunnel IP address the delay becomes 4000 ms.
Your help is really appreciated.

Can you post the configuration?
Did you set the MTU of the tunnel interface correctly?
Also check the switching (CEF/Process Switching) configuration.
Regards
Farrukh
-
Hello,
I am trying to set up an IPsec VPN (site-to-site, or if not possible client-to-site) between a Netgear ProSafe router and Windows Server 2012.
The problem: the tunnel is up and running, but no ping, no traffic at all.
The Server 2012 runs Hyper-V and has one hardware NIC with a public IP, let's say 123.123.123.1.
If no site-to-site is possible in my situation with built-in tools, this server would be only a client site which would "dial up" to the Netgear box.
The server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two other virtual servers with 192.168.137.2 and 192.168.137.3.
The Netgear ProSafe has public IP 122.122.122.1 and LAN subnet 192.168.21.0/24.
I created the tunnel in the Advanced Firewall Options window. Both Windows and the router say the VPN tunnel is OK. Also, I can see ESP packets with Wireshark.
If I ping (from router to server and in the other direction) I get no response. Some people said RAS itself could not accept packets, but I tried from one of the virtual clients as well (192.168.137.2) and no ping there either.
I tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway, but that didn't help either.
Now, after all the time I spent today on this problem, I'm a bit confused.
As far as I know VPN connections, there are always virtual devices, and routes for the VPN subnets assigned to that device.
The Windows firewall does not create any device, and it does not create any route. I suppose this is because "Routing and RAS" or the "Windows Firewall" service does this work internally. Is that correct? Do I need any routes?
I was wondering why the ICMP packet from my ping in Wireshark had the public IP as source (123.123.123.1) and not the internal 192.168.137.1. I tried to restrict the VPN rule to only the virtual internal NIC, but this isn't possible, as there is no such option in the GUI.
It would be great if somebody could explain to me how the config and packets SHOULD look. I've never used the built-in VPN/IPsec/RAS services before, so I don't know how things have to be for a correctly working environment. Also, I need a solution, and any help to solve the problem would be great as well!
Now I'll try to sleep one night; maybe I'll get some nice idea after some hours of sleep. Good night.
Addition: After some more tests I found out that if I change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public IP of the server (123.123.123.1), inside the tunnel rule and inside the VPN policy of the router, I can access the Netgear and other devices in the remote network 192.168.21.0 over these IP addresses. Ping is not working, but other things seem to work fine. I want to be able to ping as well, of course, and this weird configuration looks wrong to me. Can some network professional help out with an explanation?
Second addition: I can also set the local endpoint to "any" and it does work, but ping still does not work :-(
Third addition: The ping does work if I disable the NAT functionality on the physical NIC. Hmm.

I would definitely recommend using a virtual router instead of the Windows onboard firewall to make the site-to-site tunnel!
As you can see in my linked thread above (Link), this scenario is not supported by Microsoft! You will run into problems!
We run a Hyper-V virtual machine and install the wonderful distribution pfSense inside this box. pfSense is a software Linux router with IPsec functionality, which works like a charm!
And by the way, I recommend not using Netgear products! They are expensive, very slow and the service is not good!
We have good experience with Vigor routers! They are less expensive, the service is very good, the devices are much faster, AND the VPN connections stay up!
This experience was very time-intensive to gain! Hope this will help someone else in the future.
-
I apologize if this is a repeat, but I can't tell if my question has been posted.
For the past several weeks, all incoming traffic via Safari 5.0.5, but not Firefox, containing cost/price figures appears in Euros, not US Dollars. My responses, however, are received correctly in US Dollars. Weird, and irritating. Any ideas?

To answer the post title: Firefox saves all downloads automatically in the Downloads folder, which you can find in the Documents folder. If you want to choose where to save your downloads, go to Tools > Options > check "Always ask me where to save files".
Secondly, I am assuming you have IE 8 installed, as this is the only version that supports this fix that is currently not in beta. Go to Control Panel > Internet Options > Advanced tab and reset the settings at the bottom. This may or may not fix the problem, but it is a good first step.
-
CUCM ISUP-OLI / ANI II pass-through
Hi, I have a Cisco UBE that receives SIP calls from a remote provider. This provider sends ANI II digits in the From header like:
Received:
INVITE sip:[email protected]:5060 SIP/2.0
From: <sip:[email protected]:5060>;isup-oli=00;tag=SDs1ts901-10.50.83.40+1+161e1d+61e8c298
but when CUBE passes this call through, it strips the ANI II digits.
Sent:
INVITE sip:[email protected]:5060 SIP/2.0
From: <sip:[email protected]>;tag=850A3664-1051
Is there any way to avoid this? I need to pass through ISUP-OLI in the From header.

I found this document that describes what I need.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/pass-unsupported.html
-
Sip passing through nat but rtp is not - no audio
I'm looking at traffic leaving my router with a sniffer. I see SIP traffic but I do not see RTP traffic. The phones ring on both sides but I do not get any audio.
interface f0/0.100
ip address 192.168.10.1 255.255.255.0
ip nat outside
ip nat pool VoIP 192.168.10.1 192.168.10.1 prefix-length 24
ip nat inside source route-map VoIP pool VoIP overload
ip nat inside source static tcp 10.1.1.2 49201 192.168.10.54 49201 extendable
access-list 1 permit ip host 10.1.1.2 any
route-map VoIP permit 10
match ip address 1
match interface f0/0.100
set interface f0/0.100

Hello,
You can enable the "ip nat service sip" or "ip nat service h323" and "ip nat service h225" commands. As per the documentation, they are enabled by default. In the latest IOS there is a new feature added to Cisco IOS that ensures that even RTP packets get translated to one of the allowed ports as specified by the RFC. The command to enable the feature is "ip nat service allow-sip-even-rtp-ports".
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6640/prod_white_paper0900aecd80597bc7.html
Hope this helps.
Regards,
NT
-
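The symptom in this thread (signalling works, no audio) is what plain address translation produces on SIP: the IP header is rewritten, but the SDP body still advertises the phone's private address and RTP port, so the far end sends media somewhere unroutable. A SIP ALG such as `ip nat service sip` has to rewrite Via/Contact and the SDP `c=`/`o=`/`m=` lines, open pinholes for the RTP and RTCP ports, keep the RTP port even with RTCP at port+1 (the RFC 3550 convention behind "allow-sip-even-rtp-ports"), and fix `Content-Length` afterwards. The block below is an added example that models that fixup in a toy form; it is not Cisco's implementation or anything from the thread. The INVITE, the addresses (phone 10.1.1.2 behind outside address 192.168.10.1, as in the posted config) and the port pool 50000-50998 are constructed for the demonstration.

```python
"""Toy model of the SIP ALG fixup that plain NAT lacks.

Added example, not code from the thread and not Cisco's implementation.
Shows why SIP rings but RTP never arrives when the SDP still carries the
inside address: the ALG must rewrite Via/Contact and the SDP c=/o=/m=
lines, allocate an even outside RTP port (RTCP = port + 1), open the
matching pinholes and recompute Content-Length.
"""

INSIDE_IP = "10.1.1.2"        # the phone, as in the posted NAT config
OUTSIDE_IP = "192.168.10.1"   # the router's NAT outside address in the post

# Constructed INVITE as the phone emits it from behind NAT.
SDP_BODY = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.1.1.2\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.1.2\r\n"
    "t=0 0\r\n"
    "m=audio 49201 RTP/AVP 0\r\n"
)
INVITE = (
    "INVITE sip:2000@203.0.113.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.2:5060;branch=z9hG4bK776\r\n"
    "From: <sip:1000@10.1.1.2>;tag=a1\r\n"
    "To: <sip:2000@203.0.113.5>\r\n"
    "Call-ID: 1@10.1.1.2\r\n"
    "Contact: <sip:1000@10.1.1.2:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


class RtpPortAllocator:
    """Hands out even outside ports for RTP and reserves port+1 for RTCP."""

    def __init__(self, first=50000, last=50998):
        self.next_port = first if first % 2 == 0 else first + 1
        self.last = last
        self.bindings = {}    # (inside_ip, inside_port) -> outside_port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.bindings:
            if self.next_port > self.last:
                raise RuntimeError("RTP port pool exhausted")
            self.bindings[key] = self.next_port
            self.next_port += 2           # keep RTP even, leave odd for RTCP
        return self.bindings[key]


def split_sip(msg):
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def content_length_ok(msg):
    headers, body = split_sip(msg)
    declared = [int(h.split(":", 1)[1]) for h in headers
                if h.lower().startswith("content-length:")]
    return declared == [len(body.encode())]


def alg_rewrite(msg, inside_ip, outside_ip, allocator):
    """Return (rewritten message, pinholes). A pinhole is
    (proto, inside_ip, inside_port, outside_ip, outside_port)."""
    headers, body = split_sip(msg)
    pinholes = []
    new_headers = []
    for h in headers:
        name = h.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):    # where the far end must reach us;
            h = h.replace(inside_ip, outside_ip)   # signalling port assumed static
        if name != "content-length":      # recomputed below
            new_headers.append(h)
    new_lines = []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 " + inside_ip):
            line = "c=IN IP4 " + outside_ip        # media destination
        elif line.startswith("o="):
            line = line.replace(" IN IP4 " + inside_ip, " IN IP4 " + outside_ip)
        elif line.startswith("m="):
            parts = line.split()
            inside_port = int(parts[1])
            outside_port = allocator.translate(inside_ip, inside_port)
            parts[1] = str(outside_port)
            line = " ".join(parts)
            pinholes.append(("udp", inside_ip, inside_port, outside_ip, outside_port))
            pinholes.append(("udp", inside_ip, inside_port + 1, outside_ip, outside_port + 1))
        new_lines.append(line)
    new_body = "\r\n".join(new_lines)
    new_headers.append(f"Content-Length: {len(new_body.encode())}")
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body, pinholes


if __name__ == "__main__":
    out, holes = alg_rewrite(INVITE, INSIDE_IP, OUTSIDE_IP, RtpPortAllocator())
    print(out)
    print("pinholes to open:", holes)
```

Without the `m=`/`c=` rewrite and the two pinholes, the far end sends RTP to 10.1.1.2:49201, which is exactly the one-sided capture described above (SIP seen, RTP absent). The static `49201` entry in the posted config only helps if the phone's SDP happens to name that port and the ALG does not rewrite it to something else, which is why enabling the SIP service on the router is the right fix rather than more static entries.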
MIAW WindowType - preventing pass-through clicks, but non-modal?
Other than the 10 types listed in the Help files, does anyone know about any other window types? What I'm specifically looking for is like a tool palette, which floats over the stage, but if you click on it, the clicks do not pass through the MIAW to the stage below it. So far, the only way I know to do that is to make it a modal dialog box, which is NOT what I want, because I want to still be able to click on things on the stage, just not if they're directly behind the tool palette.

Alternatively, is there a way to make sure all mouse-clicks within a MIAW do NOT pass through to the stage behind it? I'm using type 4, "Movable window without size box or zoom box", which seems to be the closest one to what I want, but I need to stop those pass-through clicks from messing up the stage...

"Darrel Hoffman" <[email protected]> wrote in message news:[email protected]...
> The point of checking for MouseDown inside a MouseWithin handler is that you can click and "paint" tiles over any number of sprites, without having to release the mouse button and click each sprite individually. If I put everything into MouseUp/MouseDown handlers, then you'd have to click each sprite one by one in order to change the tiles, which is incredibly tedious compared to the smooth click-and-drag method I'm using.
>
> As I've said, checking to see if the mouse is within the rect of the MIAW *does* prevent clickthroughs. In other words, I do have a working solution to my problem. I just still think it's far more code than should be necessary to do what should by all rights happen by default, especially since I have to incorporate this same code into several different mouse events in a bunch of different behaviors. (It will be even worse if I at some point decide to have more than one tool palette MIAW up at the same time for some reason, since I'd have to check for each of them, and then check *within* each of them as well in case they overlap each other...)
>
> We kind of got sidetracked with the whole idea of a moving sprite underneath the MIAW to catch stray mouse events, a technique which doesn't work 100% because moving the MIAW causes a stray mouse-click when you release it.
>
> I just wish there were some default setting for MIAWs which prevented clickthroughs automatically. It's pretty much an aesthetic thing now, since I have a working solution, but I don't like ugly code (even if nobody but me will ever see it), and I wish there was a better way to do it. Just seems like it should be the default behavior. Think of any other program you've seen. Indeed, since we all know Director, think of that. Say you've got the Score window and the Cast window and the Script window and who-knows-what-else all open at once, and they're all overlapping on your screen. When you click on one, only the one on top responds. This is what you expect when you click on something in any program. You'd run into all kinds of problems if the ones underneath also responded to your clicks (or any other mouse events for that matter). This is basically the same thing I'm trying to do with my little tool palette, but it seems you have to write a whole bunch of scripts just to make that happen? That just doesn't seem right to me.
>
> Anyhow, thanks for your suggestions everyone. And if anyone knows a way to make MIAWs do this automatically, please let me know.
Darrel,
out of all the possible ways to do what you want, you have probably picked the worst. Now you run into trouble, of course.

First: Read up on the way events are processed in Director, and passed or not passed from object to object.

Second: Did you actually READ what I wrote? You just keep repeating the same things that don't make sense... The mouseDown event is not the problem; the problem is that you check for a mouseDown STATE, not handle a mouseDown EVENT. You can change your code easily to provide for this and have the same result.

Third: When mouse clicks are somehow not intercepted in the MIAW, then handle them yourself in the MIAW.

I agree with Mike that it is your approach to the problem that creates this complexity. If you stick to handling events in the way Director gives them to you, you will not have those strange things.

good luck,
Richad.
-
Cisco ASA - Pass Through QoS Traffic
Hi Sirs,
Given the following topology:
Switch - IP Phone (Branch) |----| Router |----| MPLS |----| Router |----| ASA |----| Switch - Voice Network (Head Office)
My question: can the ASA affect the QoS of traffic passing through it?
Thank you!
Rafael Trujilho

Hi Andrew,
I want the ASA to NOT touch any markings, and NOT impact the quality applied to voice traffic.
Regards,
Trujilho
-
To avoid the 403.7 errors when the destination server requires certificate authentication, how does SSL bridging reverse proxy inspect the traffic for safety without breaking the certificate authentication?
I'm not asking for specific configuration steps on this. I just want an easy to understand overview on the process of how the laptop or smartphone authentication device certificate would pass through while TMG/ISA is still protecting the destination
from attacks.

I'm not sure if SSL bridging is the same as cert authentication... but...
The way it works when bridging SSL for published SSL web sites is that the ISA has a copy of the same cert used on the published site. You buy the cert for the site and install it on the web server and get it set up with the site, then export it with the private key. Take the exported cert and install it on the TMG and configure it into the web publishing rule.
The SSL tunnel coming in terminates at the TMG, meaning the SSL tunnel was only between the user and the TMG (not between the user and the site as it would appear on the surface). Then the traffic is inspected or whatever is intended to be done with it.
Then a new, distinct, independent SSL tunnel is created between the TMG and the SSL site and the traffic is passed on to the site at that point. AFAIK, the reverse proxy only happens between the two tunnels while the traffic is unencrypted.
-
I have a third party firewall behind a Cisco ASA. The Cisco ASA is doing PAT as there are no other IP addresses available. The third party firewall is attempting to build an IPsec tunnel to another firewall. The IPsec tunnel is not coming up. When I do a capture on the Cisco ASA firewall I see traffic hit the inside interface and leave the outside interface. I then see the reply traffic return and hit the outside interface of my Cisco ASA, but it is not being allowed to pass through to the inside interface.
I have enabled NAT-T on the third party firewall but it still does not get the reply traffic because it gets stopped at the Cisco ASA.
Any thoughts?

Is your third party FW attached directly to your ASA? If not, do you have a route to that device on your ASA?
Please perform a packet-tracer to see why the return traffic is not reaching the third party FW..
packet-tracer input outside udp 500 500 detail
If the packet-tracer shows traffic going through successfully, perhaps it is your third party FW that is blocking the traffic?
Please reply with packet-tracer results.
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.