<DIV>Hi,</DIV> <DIV> </DIV> <DIV>I am seeing strange behaviour with a Cisco PIX Firewall Version 6.3(5). The configuration is done, and the VPNs are created between the 2 different sites. The problem is that after 5 to 6 hours of running, the ping to the remote hosts doesn't go through. When I try to ping a remote host, I see the following lines in the debug icmp trace: </DIV> <DIV> </DIV> <DIV>-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5376 length=40<BR>44: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152<BR>45: ICMP echo-request from inside:10.102.158.152 to 10.5.113.142 ID=512 seq=5632 length=40<BR>46: ICMP echo-request: translating inside:10.102.158.152 to outside:10.102.158.152<BR></DIV> <DIV>And when the remote host tries to ping a local machine, I can see the request coming in without any reply. </DIV> <DIV> </DIV> <DIV>To get the ping to work, we have to reload it. </DIV> <DIV> </DIV> <DIV>Do you have
any idea? </DIV> <DIV> </DIV> <DIV>Please find my config file below:</DIV> <DIV>PIX Version 6.3(5)<BR>interface ethernet0 auto<BR>interface ethernet1 auto<BR>nameif ethernet0 outside security0<BR>nameif ethernet1 inside security100<BR>enable password N7FecZuSHJlVZC2P encrypted<BR>passwd N7FecZuSHJlVZC2P encrypted<BR>hostname pixbenin<BR>domain-name boabenin.bj<BR>fixup protocol dns maximum-length 512<BR>fixup protocol ftp 21<BR>fixup protocol h323 h225 1720<BR>fixup protocol h323 ras 1718-1719<BR>fixup protocol http 80<BR>fixup protocol rsh 514<BR>fixup protocol rtsp 554<BR>fixup protocol sip 5060<BR>fixup protocol sip udp 5060<BR>fixup protocol skinny 2000<BR>fixup protocol smtp 25<BR>fixup protocol sqlnet 1521<BR>fixup protocol tftp
69<BR>names<BR>access-list acl_vpn permit icmp 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0 <BR>access-list acl_vpn permit ip 10.102.156.0 255.255.252.0 192.168.0.0 255.255.255.0 <BR>access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224 <BR>access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.5.113.128 255.255.255.224 <BR>access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0 <BR>access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.128.0 255.255.254.0 <BR>access-list acl_blgo permit icmp 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128 <BR>access-list acl_blgo permit ip 10.102.156.0 255.255.252.0 10.102.130.0 255.255.255.128 <BR>pager lines 24<BR>mtu outside 500<BR>mtu inside 1500<BR>ip address outside 81.91.235.147 255.255.255.192<BR>ip address inside 10.102.155.135 255.255.255.128<BR>ip audit info action alarm<BR>ip audit attack action alarm<BR>pdm history enable<BR>arp
timeout 14400<BR>nat (inside) 0 10.102.156.0 255.255.252.0 0 0<BR>route outside 0.0.0.0 0.0.0.0 81.91.235.129 1<BR>route inside 10.102.156.0 255.255.252.0 10.102.155.129 1<BR>timeout xlate 3:00:00<BR>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00<BR>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00<BR>timeout sip-disconnect 0:02:00 sip-invite 0:03:00<BR>timeout uauth 0:05:00 absolute<BR>aaa-server TACACS+ protocol tacacs+ <BR>aaa-server TACACS+ max-failed-attempts 3 <BR>aaa-server TACACS+ deadtime 10 <BR>aaa-server RADIUS protocol radius <BR>aaa-server RADIUS max-failed-attempts 3 <BR>aaa-server
RADIUS deadtime 10 <BR>aaa-server LOCAL protocol local <BR>no snmp-server location<BR>no snmp-server contact<BR>snmp-server community public<BR>no snmp-server enable traps<BR>floodguard enable<BR>sysopt connection permit-ipsec<BR>crypto ipsec transform-set strong esp-3des esp-sha-hmac <BR>crypto dynamic-map dynmap 30 set transform-set strong<BR>crypto map toX 20 ipsec-isakmp<BR>crypto map toX 20 match address acl_vpn<BR>crypto map toX 20 set peer 196.200.82.35<BR>crypto map toX 20 set transform-set strong<BR>crypto map toX 30 ipsec-isakmp<BR>crypto map toX 30 match address acl_blgo<BR>crypto map toX 30 set peer
194.78.211.130<BR>crypto map toX 30 set transform-set strong<BR>crypto map toX 9990 ipsec-isakmp dynamic dynmap<BR>crypto map toX interface outside<BR>isakmp enable outside<BR>isakmp key ******** address 196.200.82.35 netmask 255.255.255.255 <BR>isakmp key ******** address 194.78.211.130 netmask 255.255.255.255 <BR>isakmp identity address<BR>isakmp policy 9 authentication pre-share<BR>isakmp policy 9 encryption 3des<BR>isakmp policy 9 hash sha<BR>isakmp policy 9 group 1<BR>isakmp policy 9 lifetime 86400<BR>isakmp policy 19 authentication pre-share<BR>isakmp policy 19 encryption 3des<BR>isakmp policy 19 hash sha<BR>isakmp policy 19 group 2<BR>isakmp policy 19 lifetime 86400<BR>telnet timeout 5<BR>ssh 194.7.174.162 255.255.255.255 outside<BR>ssh 194.7.174.163 255.255.255.255 outside<BR>ssh 10.102.156.0 255.255.252.0 inside<BR>ssh 10.102.155.0 255.255.255.0 inside<BR>ssh timeout 5<BR>console timeout 0<BR>terminal width
80<BR>Cryptochecksum:7458b1b938134f7d52ed82d4e2003210</DIV> <DIV><BR>Regards,</DIV> <DIV> </DIV> <DIV>Kindy</DIV> <DIV> </DIV><p>