Check the pix static routes as well. If the remote network is a subnet
of the existing inside network you may need to put in more explicit

-----Original Message-----
[] On Behalf Of Paul
Sent: Monday, February 14, 2005 4:11 PM
Subject: RE: [fw-wiz] Cisco Concentrator - pix515 Lan-to-Lan

Two things come to mind right away. The first is that there is some
sort of routing problem. Make sure that all necessary routers and hosts
have a route that points to the inside interface of the
The second is that - and this is something most people learn the hard
way - the interface and tunnel filters on the VPN 3000 series are *NOT*
If you want traffic to flow, it must be explicitly defined for both
directions in all applicable filters.

Also, if neither of these solve your problem, do you see any errors in
VPN 3000's log?


-----Original Message-----
Subject: [fw-wiz] Cisco Concentrator - pix515 Lan-to-Lan

Hi list,

I have a problem with configuring Lan-to-Lan on VPN concentrator 3000
on one side and pix 515 on the other.

Here it is:

On central side there is network
There is one Lan-to-Lan that is working great with network
copied the pix conf from this site (change isakmp key, access-list,..)
VPN tunnel can be established from either ends. The SA's are established.

If I ping from central site (behind concentrator) to my network behind
( I can see echo and echo-reply packets on my pix (debug
trace), the number of packets encrypted and decrypted on pix is
(sh crypto ipsec sa). So I guess that packets are coming from the tunnel
going back in?!

But on the concentrator, if I go to Monitoring-Sessions, the session is
established but there are only TX packet. RX packet is 0!

What could be wrong? There are no error messages in the pix or

Thanks for your help, By

firewall-wizards mailing list
