
PIX VPN Connects, Can't Pass Traffic

Status
Not open for further replies.

accconst (IS-IT--Management, US), Oct 4, 2003
I have a PIX 515. It is configured for a site-to-site VPN to a Watchguard SOHO 6 router. The SOHO has a DHCP interface, so I have implemented a dynamic crypto map on the PIX.

The VPN is established just fine. However, I cannot pass traffic over it. (icmp echo, www, etc... nothing works)

Here is the output of the show crypto ipsec sa command. I have tried to ping the SOHO side (192.168.2.0/24) from the PIX side (192.168.0.0/24); it shows that 36 packets have been encapsulated, but none have been decapsulated:

interface: outside
Crypto map tag: remote, local addr. 24.105.166.118

local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.0/0/0)
current_peer: 24.195.158.149
PERMIT, flags={}
#pkts encaps: 39, #pkts encrypt: 39, #pkts digest 39
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 24.105.166.118, remote crypto endpt.: 24.195.158.149
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 507e0400

inbound esp sas:
spi: 0x2dbc2e00(767307264)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: remote
sa timing: remaining key lifetime (k/sec): (8192/25118)
IV size: 8 bytes
replay detection support: Y
spi: 0xa0fa6654(2700764756)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: remote
sa timing: remaining key lifetime (k/sec): (8192/25047)
IV size: 8 bytes
replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x507e0400(1350435840)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: remote
sa timing: remaining key lifetime (k/sec): (8192/25118)
IV size: 8 bytes
replay detection support: Y
spi: 0x456b0401(1164641281)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: remote
sa timing: remaining key lifetime (k/sec): (8189/25047)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:

My PIX Config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password GpCqPA0Ds/rdSxBT encrypted
passwd GpCqPA0Ds/rdSxBT encrypted
hostname pixfirewall
domain-name allegrone.local
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq domain
access-list inside permit udp 192.168.0.0 255.255.255.0 any eq domain
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq 443
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 135
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1225
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1226
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1227
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 64.78.61.30 eq 1228
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq ftp-data
access-list inside permit tcp 192.168.0.0 255.255.255.0 any eq ftp
access-list inside permit udp 192.168.0.0 255.255.255.0 host 12.165.125.114 eq 2
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 12.165.125.114 eq 2
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 12.161.125.114 eq 2
access-list inside permit udp 192.168.0.0 255.255.255.0 host 12.161.125.114 eq 2
access-list inside permit tcp host 192.168.0.110 host 64.78.61.30 eq smtp
access-list inside permit tcp host 192.168.0.10 host 64.78.61.30 eq smtp
access-list inside permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.11 eq www
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.11 eq 443
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.11 eq 81
access-list inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside permit tcp 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside permit udp 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside permit icmp 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside permit udp 192.168.0.0 255.255.255.0 host 12.165.125.114 eq 2298
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 12.165.125.114 eq 2298
access-list inside permit tcp 192.168.0.0 255.255.255.0 host 12.161.125.114 eq 2298
access-list inside permit udp 192.168.0.0 255.255.255.0 host 12.161.125.114 eq 2298
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.254.0
access-list NONAT permit ip 192.168.0.0 255.255.254.0 host 10.0.0.11
access-list NONAT permit ip host 10.0.0.11 192.168.0.0 255.255.254.0
access-list NONAT permit ip 192.168.2.0 255.255.254.0 host 10.0.0.11
access-list NONAT permit ip host 10.0.0.11 192.168.2.0 255.255.254.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 host 10.0.0.100
access-list NONAT permit ip host 10.0.0.100 192.168.0.0 255.255.255.0
access-list NONAT permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list NONAT permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list dmz permit icmp host 10.0.0.100 192.168.0.0 255.255.255.0
access-list dmz permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list dmz permit icmp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list dmz permit tcp host 10.0.0.11 any eq www
access-list dmz permit tcp host 10.0.0.11 any eq 443
access-list dmz permit tcp host 10.0.0.11 any eq domain
access-list dmz permit udp host 10.0.0.11 host 192.168.0.10 eq domain
access-list outside permit tcp any host xx.xx.xx.116 eq www
access-list outside permit icmp any host xx.xx.xx.116 echo-reply
access-list outside permit tcp any host xx.xx.xx.116 eq 3389
access-list outside permit tcp any host xx.xx.xx.116 eq 443
access-list JWCVPN permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list JWCVPN permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list JWCVPN permit tcp 192.168.2.0 255.255.255.0 host 10.0.0.11 eq www
access-list JWCVPN permit tcp host 10.0.0.11 192.168.2.0 255.255.255.0 eq www

pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xx.xx.xx.xx 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 xx.xx.xx.117
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list NONAT
nat (dmz) 1 192.168.0.0 255.255.0.0 0 0
static (dmz,outside) xx.xx.xx.116 10.0.0.11 netmask 255.255.255.255 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.113 1
route dmz 192.168.6.0 255.255.255.0 10.0.0.100 1
route dmz 192.168.8.0 255.255.255.0 10.0.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server default protocol radius
aaa-server default (inside) host 192.168.0.12 Ag4n437Q timeout 10
aaa authentication telnet console default
http 192.168.0.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set vpn esp-des esp-sha-hmac
crypto ipsec transform-set dynvpn esp-des esp-sha-hmac
crypto ipsec transform-set dynvpn mode transport
crypto dynamic-map DYN_MAP 10 match address JWCVPN
crypto dynamic-map DYN_MAP 10 set transform-set dynvpn
crypto map remote 5 ipsec-isakmp dynamic DYN_MAP
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
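The diagnostic in the post above rests on reading the encaps/decaps counters of show crypto ipsec sa. As an added example (not from the original post or from Cisco), here is a small Python parser that pulls those counters and the proxy identities out of that output and labels the encaps-only pattern as a one-way tunnel; the sample text is constructed from the values quoted in the post.

```python
import re

# Constructed sample: one SA entry, using the counters and identities from the post.
SAMPLE = """interface: outside
Crypto map tag: remote, local addr. 24.105.166.118

local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.0/0/0)
current_peer: 24.195.158.149
PERMIT, flags={}
#pkts encaps: 39, #pkts encrypt: 39, #pkts digest 39
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 0, #recv errors 0
"""

# "#pkts encaps: 39" and "#pkts digest 39" differ in punctuation, so allow ":" or space.
COUNTER = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt)[: ]+(\d+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
PEER = re.compile(r"current_peer: (\S+)")


def parse_ipsec_sa(text):
    """Return the packet counters, proxy identities and peer of one SA entry."""
    sa = {"encaps": 0, "decaps": 0, "encrypt": 0, "decrypt": 0, "peer": None}
    for name, value in COUNTER.findall(text):
        sa[name] = int(value)
    for side, addr, mask in IDENT.findall(text):
        sa[side] = f"{addr}/{mask}"      # e.g. local -> 192.168.0.1/255.255.255.0
    match = PEER.search(text)
    if match:
        sa["peer"] = match.group(1)
    return sa


def classify(sa):
    """First-pass reading of the counters: idle, one-way in either direction, or healthy."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle: nothing has matched the crypto ACL yet"
    if sa["decaps"] == 0:
        return "one-way: local side encrypts, nothing comes back from the peer"
    if sa["encaps"] == 0:
        return "one-way: peer sends, local side never encrypts a reply"
    return "bidirectional"


if __name__ == "__main__":
    entry = parse_ipsec_sa(SAMPLE)
    print(entry["local"], "->", entry["remote"], "via", entry["peer"])
    print(entry["encaps"], "encapsulated,", entry["decaps"], "decapsulated:", classify(entry))
```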
 
I found the culprit... looks like these lines were causing my problem:

access-list inside permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside permit tcp 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
 