Hi,

I am having strange behaviour with a Cisco PIX Firewall, Version 6.3(5). The configuration is done, and the VPNs are created between the two different sites. The problem is that after 5 to 6 hours of running, pings to the remote hosts don't go through. When I try to ping a remote host, I see the following lines in the debug icmp trace:

-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40
44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40
46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152

And when a remote host tries to ping a local machine, I can see the request coming in without any reply.

To get the ping to work, we have to reload it.

Do you have any idea?

Please find my config file below:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N7FecZuSHJlVZC2P encrypted
passwd N7FecZuSHJlVZC2P encrypted
hostname pixbenin
domain-name boabenin.bj
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
pager lines 24
mtu outside 500
mtu inside 1500
ip address outside 81.91.235.147 255.255.255.192
ip address inside 10.102.155.135 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 10.102.156.0 255.255.252.0 0 0
route outside 0.0.0.0 0.0.0.0 81.91.235.129 1
route inside 10.102.156.0 255.255.252.0 10.102.155.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set strong
crypto map toX 20 ipsec-isakmp
crypto map toX 20 match address acl_vpn
crypto map toX 20 set peer 196.200.82.35
crypto map toX 20 set transform-set strong
crypto map toX 30 ipsec-isakmp
crypto map toX 30 match address acl_blgo
crypto map toX 30 set peer 194.78.211.130
crypto map toX 30 set transform-set strong
crypto map toX 9990 ipsec-isakmp dynamic dynmap
crypto map toX interface outside
isakmp enable outside
isakmp key ******** address 196.200.82.35 netmask 255.255.255.255
isakmp key ******** address 194.78.211.130 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 19 authentication pre-share
isakmp policy 19 encryption 3des
isakmp policy 19 hash sha
isakmp policy 19 group 2
isakmp policy 19 lifetime 86400
telnet timeout 5
ssh 194.7.174.162 255.255.255.255 outside
ssh 194.7.174.163 255.255.255.255 outside
ssh 10.102.156.0 255.255.252.0 inside
ssh 10.102.155.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:7458b1b938134f7d52ed82d4e2003210

Regards,

Kindy
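As an added example (not part of Kindy's post, and not Cisco tooling), the following Python script reads the kind of config excerpt and `debug icmp trace` output quoted above and answers the two questions a practitioner would ask first: which crypto map entry and peer should carry a given flow, and whether `nat 0` exempts it from translation; and which echo-requests in the trace never received an echo-reply. The config and trace samples are constructed from the post; the echo-reply line format and the function names are my assumptions, not output quoted from the page. Only the standard library is used.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed excerpt of the posted PIX 6.3(5) config (only the lines the checks need).
PIX_CONFIG = """\
access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0
access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128
nat (inside) 0 10.102.156.0 255.255.252.0 0 0
crypto map toX 20 ipsec-isakmp
crypto map toX 20 match address acl_vpn
crypto map toX 20 set peer 196.200.82.35
crypto map toX 30 ipsec-isakmp
crypto map toX 30 match address acl_blgo
crypto map toX 30 set peer 194.78.211.130
"""

# Constructed `debug icmp trace` sample. The echo-request lines follow the format
# quoted in the post; the echo-reply line format is an assumption, not from the page.
ICMP_TRACE = """\
41: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5120 length=40
42: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
43: ICMP echo-reply from outside:10.5.113.142 to 10.102.158.152 ID=512 seq=5120 length=40
44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40
46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152
47: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 (\S+) (\S+)")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)")
ICMP_RE = re.compile(r"ICMP echo-(request|reply) from (\w+):(\S+) to (\S+) ID=(\d+) seq=(\d+)")


def net(addr, mask):
    """Build a network from the PIX 'address mask' pair (host bits are ignored)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return crypto ACLs, nat 0 exemptions and crypto map entries from PIX 6.x config text."""
    acls, nat0, maps = {}, [], {}
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            name, proto, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((proto, net(s, sm), net(d, dm)))
        elif m := NAT0_RE.match(line):
            nat0.append(net(m.group(2), m.group(3)))
        elif m := MATCH_RE.match(line):
            maps.setdefault((m.group(1), int(m.group(2))), {})["acl"] = m.group(3)
        elif m := PEER_RE.match(line):
            maps.setdefault((m.group(1), int(m.group(2))), {})["peer"] = m.group(3)
    return acls, nat0, maps


def classify_flow(config_text, src, dst, proto="icmp"):
    """Which crypto map entry (lowest sequence number wins) would carry src->dst,
    and is the flow exempt from NAT via `nat 0`? Returns None if nothing matches."""
    acls, nat0, maps = parse_config(config_text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (name, seq), entry in sorted(maps.items()):
        for p, snet, dnet in acls.get(entry.get("acl"), []):
            if p in ("ip", proto) and src in snet and dst in dnet:  # 'ip' covers icmp
                return {"map": name, "seq": seq, "acl": entry["acl"],
                        "peer": entry.get("peer"),
                        "nat_exempt": any(src in n for n in nat0)}
    return None


def unanswered_pings(trace_text):
    """Pair echo-requests with echo-replies by (src, dst, ID, seq) and return the
    requests that never got a reply, in the order they were seen."""
    pending = OrderedDict()
    for line in trace_text.splitlines():
        m = ICMP_RE.search(line)
        if not m:
            continue  # "translating" lines carry no ID/seq, skip them
        kind, _iface, src, dst, icmp_id, seq = m.groups()
        key = (src, dst, int(icmp_id), int(seq))
        if kind == "request":
            pending[key] = line
        else:  # a reply travels dst->src relative to the request it answers
            pending.pop((dst, src, int(icmp_id), int(seq)), None)
    return list(pending.keys())


if __name__ == "__main__":
    print(classify_flow(PIX_CONFIG, "10.102.158.152", "10.5.113.142"))
    for src, dst, icmp_id, seq in unanswered_pings(ICMP_TRACE):
        print(f"no reply: {src} -> {dst} ID={icmp_id} seq={seq}")
```

Run against the posted config, the failing ping (10.102.158.152 to 10.5.113.142) lands on `crypto map toX 30` via `acl_blgo`, so the peer to examine is 194.78.211.130, and the source is covered by `nat (inside) 0`, which is consistent with the "translating inside:... to outside:..." identity translation in the trace. The parser is deliberately minimal: it expects `address mask` pairs and does not understand the `host` or `object-group` keywords, which the posted config does not use.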

_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn