Site-2-Site VPN can only ping one way

Hello Everyone,

I'm having a problem with a site-to-site VPN using a PIX & FORTINET 60B. If I ping from the network behind the PIX, say "ping 172.21.1.102", it is SUCCESSFUL, but when I ping from the network behind the FORTINET it is "Request Timed Out".

FORTINET VPN CONFIGS:

config vpn ipsec phase1
    edit "HOTEL_FW"
        set interface "wan1"
        set nattraversal disable
        set dhgrp 2
        set keylife 86400
        set proposal 3des-sha1
        set dpd disable
        set remote-gw 222.127.244.54
        set psksecret ENC xxxxxxxxxxxxxxxx
    next
end

config vpn ipsec phase2
    edit "HOTEL_FW_2"
        set keepalive enable
        set pfs disable
        set phase1name "HOTEL_FW"
        set proposal 3des-sha1
        set replay disable
        set dst-subnet 10.100.10.0 255.255.255.0
        set keylifeseconds 86400
        set src-subnet 172.21.1.0 255.255.255.0
    next
end

 

PIX501 config.

access-list NONAT permit ip 10.100.10.0 255.255.255.0 172.21.1.0 255.255.255.0
ip address outside 222.127.244.54 255.255.255.252
ip address inside 10.100.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 10.100.10.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 222.127.244.53 1
http server enable
http 10.100.10.2 255.255.255.255 inside
sysopt connection permit-ipsec
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address NONAT
crypto map MYMAP 10 set peer 121.97.122.253
crypto map MYMAP 10 set transform-set MYSET
crypto map MYMAP 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map MYMAP interface outside
isakmp enable outside
isakmp key ******* address 121.97.122.253 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

I also tried this command on PIX:

PIX# debug packet outside src 172.21.1.102 netmask 255.255.255.255 dst 10.100.10.2 netmask 255.255.255.255 proto icmp

but nothing happens. I am new to site-to-site VPN, hope you can help me. Thanks in advance.
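When an IPsec tunnel passes traffic in one direction only, the first thing worth checking is that the phase 2 selectors (proxy IDs) on the two peers are exact mirror images of each other and that each side's peer address is really the other side's outside address. The script below is an added example, not code from the poster or from either vendor: it parses the two configs quoted above (embedded here as constructed, trimmed samples), turns the Fortinet src-subnet/dst-subnet pairs and the PIX crypto-map ACL entries into networks, and reports any selector that has no mirrored counterpart, plus a remote-gw/outside-address mismatch. It assumes the simple "address mask" ACE form (no host/any keywords); the Fortinet wan1 address is not in the post, so the PIX set peer value is only extracted, not checked.

```python
import ipaddress
import re

# Constructed sample inputs, trimmed from the two configs quoted in the post
# (only the lines the mirror check needs).
FORTINET_CFG = """
config vpn ipsec phase1
    edit "HOTEL_FW"
        set interface "wan1"
        set remote-gw 222.127.244.54
    next
end
config vpn ipsec phase2
    edit "HOTEL_FW_2"
        set phase1name "HOTEL_FW"
        set dst-subnet 10.100.10.0 255.255.255.0
        set src-subnet 172.21.1.0 255.255.255.0
    next
end
"""

PIX_CFG = """
access-list NONAT permit ip 10.100.10.0 255.255.255.0 172.21.1.0 255.255.255.0
ip address outside 222.127.244.54 255.255.255.252
nat (inside) 0 access-list NONAT
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address NONAT
crypto map MYMAP 10 set peer 121.97.122.253
"""


def net(addr, mask):
    """Build a network from the 'address mask' form both vendors use."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_fortinet(cfg):
    """Extract remote-gw and the (src, dst) selector of every phase2 entry."""
    result = {"remote_gw": None, "selectors": []}
    src = dst = None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"set remote-gw (\S+)$", line)
        if m:
            result["remote_gw"] = m.group(1)
        m = re.match(r"set (src|dst)-subnet (\S+) (\S+)$", line)
        if m:
            if m.group(1) == "src":
                src = net(m.group(2), m.group(3))
            else:
                dst = net(m.group(2), m.group(3))
        # 'next' closes an edit block; emit the pair only for phase2 entries
        if line == "next" and src and dst:
            result["selectors"].append((src, dst))
            src = dst = None
    return result


def parse_pix(cfg):
    """Extract the crypto ACL entries, outside address and configured peer."""
    acls, result = {}, {"crypto_acls": set(), "outside": None, "peer": None}
    for raw in cfg.splitlines():
        line = raw.strip()
        # Only the plain 'src mask dst mask' ACE form is handled here
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(
                (net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
            continue
        m = re.match(r"crypto map \S+ \d+ match address (\S+)$", line)
        if m:
            result["crypto_acls"].add(m.group(1))
            continue
        m = re.match(r"crypto map \S+ \d+ set peer (\S+)$", line)
        if m:
            result["peer"] = m.group(1)
            continue
        m = re.match(r"ip address outside (\S+) (\S+)$", line)
        if m:
            result["outside"] = m.group(1)
    # Only ACLs referenced by a crypto map define the tunnel's proxy IDs
    result["selectors"] = [s for name in result["crypto_acls"]
                           for s in acls.get(name, [])]
    return result


def check_mirror(forti, pix):
    """Return a list of mismatches; an empty list means the proxy IDs mirror."""
    findings = []
    for src, dst in pix["selectors"]:
        if (dst, src) not in forti["selectors"]:
            findings.append(f"PIX {src} -> {dst} has no mirrored Fortinet phase2 {dst} -> {src}")
    for src, dst in forti["selectors"]:
        if (dst, src) not in pix["selectors"]:
            findings.append(f"Fortinet {src} -> {dst} has no mirrored PIX ACE {dst} -> {src}")
    if forti["remote_gw"] != pix["outside"]:
        findings.append(f"Fortinet remote-gw {forti['remote_gw']} != PIX outside {pix['outside']}")
    return findings


if __name__ == "__main__":
    problems = check_mirror(parse_fortinet(FORTINET_CFG), parse_pix(PIX_CFG))
    print("\n".join(problems) if problems else "proxy IDs and peer address mirror correctly")
```

For the two configs in the post the selectors do mirror (10.100.10.0/24 <-> 172.21.1.0/24) and the Fortinet remote-gw matches the PIX outside address, so the check comes back clean; narrowing either side's subnet (for example to a /25 on the PIX ACE) makes both directions of the comparison fail, which is the mismatch that typically produces traffic in one direction only.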