Re: [c-nsp] lan-to-lan pix-vpn3k unidirectional problem

Zacchello Marco Marco.Zacchello at netengineering.it
Fri Nov 25 03:25:55 EST 2005


Ok, this is the config for my side:

isakmp identity address
isakmp nat-traversal 60
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside

isakmp key [***KEY***] address 1.1.1.1 netmask 255.255.255.255 

crypto ipsec transform-set [LAN-to-LAN] esp-3des esp-md5-hmac 

crypto map outside_map 70 match address 112
crypto map outside_map 70 set pfs group2
crypto map outside_map 70 set peer 1.1.1.1
crypto map outside_map 70 set transform-set [LAN-to-LAN] 
crypto map outside_map interface outside

access-list inside_outbound_nat0_acl remark  *** [LAN-to-LAN] ***
access-list inside_outbound_nat0_acl permit ip 10.200.50.0 255.255.255.0 172.16.250.0 255.255.255.0 

access-list 112 remark  *** Tunnel verso [LAN-to-LAN] ***
access-list 112 permit ip 10.200.50.0 255.255.255.0 172.16.250.0 255.255.255.0

route inside 10.200.40.0 255.255.255.0 172.16.0.2 1
nat (inside) 0 access-list inside_outbound_nat0_acl


The other side is a VPN3k, so I can't write the config here; however, when the VPN lan-to-lan is started from
the VPN3k, the tunnel works fine, so the IKE and IPsec settings are correct.
However, we tested another lan-to-lan towards another VPN3k (one we control) and the problem is the same:
the PIX doesn't start the VPN, but accepts without problem the VPN3k starting the VPN.

So I can't add more VPNs to the PIX. I have to test a new VPN pix-to-pix, but it seems to me that probably
this would fail as well.
Does no one have any idea about the "IPSEC(sa_initiate): ACL = deny; no sa created" debug message?
Thanks

Marco

p.s.: Could it be that I have to remove the 'crypto map outside_map interface outside' command before adding lines
to the crypto map (for the new VPN) and then add the 'crypto map outside_map interface outside' again to correctly
configure the new tunnel? (The PIX supports only one crypto map per interface.)



-----Original Message-----
From: Peder @ NetworkOblivion [mailto:peder at networkoblivion.com]
Sent: Friday, 25 November 2005 3:47
To: Zacchello Marco; cisco-nsp Mailing List
Subject: Re: [c-nsp] lan-to-lan pix-vpn3k unidirectional problem


Without the configs from both ends, there isn't much that we can tell you.

Zacchello Marco wrote:
> Hi to all,
> 
> mine: PIX 515 running 6.3(3) with 10+ vpn tunnels up and running;  Theirs: VPN3K with several (a dozen or so) vpn tunnels as well.
> 
> Tunnel will initiate and come up normally when they send traffic from the servers on their side to my servers.  As long as they initiate the tunnel, I can get to them, and vice-versa.  If the tunnel is down, I am not able to bring it up - I get the error message in my debugs:  
> "IPSEC(sa_initiate): ACL = deny; no sa created" ...???
> 
> We have verified phase 1 and 2 parameters, and it is not an acl mismatch - those have been checked many times.  PSK's match, etc. - we cannot find a discrepancy in the configs between the two firewalls.  Cisco has no answer either - the case has been open a week, and they are back to asking for my configs and debug output.  Starting over at square 1...
> 
> After re-reading the crypto PIX command documentation, I noticed a TIP suggesting to clear the 'crypto map MYMAP interface outside' and then to configure it again. I've done it, and after that (pinging from my side) the debug shows some isakmp negotiation (but from the debug it seems that it is the VPN3k that opens the isakmp negotiation) that at last fails.
> 
> I can't understand why they can bring the tunnel up, but my side cannot? I've got many vpn tunnels up and running, and have done this many times. Thanks in advance, any and all help is appreciated.
> 
> 
> Marco
> 

-- 

Network stuff you didn't know....
http://www.networkoblivion.com