R: [c-nsp] lan-to-lan pix-vpn3k unidirectional problem
Peder at NetworkOblivion
peder at networkoblivion.com
Fri Nov 25 10:49:06 EST 2005
> p.s.: Could be that I have to remove the 'crypto map outside_map
> interface outside' command before adding lines to the crypto map (for
> the new vpn) and then add again the 'crypto map outside_map interface
> outside' to correctly configure the new tunnel? (pix supports only one
> crypto map for interface)
I've never seen that debug message before, but I think you are right
about the cause being that you didn't de-apply the crypto map. Whenever
you add a new crypto map entry, you ALWAYS have to de-apply and re-apply
it for it to work correctly. I've even run into a lot of instances
where changing the crypto map without de-applying it kills the pix and
it needs to be physically powered off and on (management is dead). I
generally use notepad and setup something like this.
no isakmp enable outside
no crypto map outside_map interface outside
isakmp key [***KEY***] address 1.1.1.1 netmask 255.255.255.255
crypto map outside_map 70 match address 112
crypto map outside_map 70 set pfs group2
crypto map outside_map 70 set peer 1.1.1.1
crypto map outside_map 70 set transform-set [LAN-to-LAN]
crypto map outside_map interface outside
isakmp enable outside
Then you just copy and paste and nobody even notices it is down.
PA
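The de-apply / add / re-apply sequence above is easy to get wrong when pasting by hand, so here is an added example (not part of the original thread) that builds that change set in the safe order and checks it against a running-config excerpt first. The map name, ACL number, peer and sequence number are the ones from the post; the running config text, the transform-set name LAN-to-LAN and the helper names are assumptions constructed for this example.

```python
"""
Added example (not from the cisco-nsp post): generate a PIX crypto-map change set
in the de-apply -> modify -> re-apply order and sanity-check it first.
"""
import re

# Constructed running-config excerpt for illustration; not from the post.
RUNNING_CONFIG = """\
access-list 110 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 112 permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
crypto ipsec transform-set LAN-to-LAN esp-3des esp-sha-hmac
crypto map outside_map 60 match address 110
crypto map outside_map 60 set peer 2.2.2.2
crypto map outside_map 60 set transform-set LAN-to-LAN
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
"""


def crypto_map_seqs(config, map_name):
    """Sequence numbers already used by <map_name> in the running config."""
    pat = re.compile(rf"^crypto map {re.escape(map_name)} (\d+) ", re.M)
    return sorted({int(m.group(1)) for m in pat.finditer(config)})


def has_acl(config, acl):
    """True if at least one access-list line exists for the given ACL id."""
    return re.search(rf"^access-list {re.escape(acl)} ", config, re.M) is not None


def has_transform_set(config, name):
    """True if the named IPsec transform-set is defined."""
    return re.search(rf"^crypto ipsec transform-set {re.escape(name)} ", config, re.M) is not None


def build_change_set(config, map_name, seq, acl, peer, transform_set,
                     key_placeholder="[***KEY***]", pfs="group2", iface="outside"):
    """Return the commands to paste, in the order the post describes.

    Raises ValueError if the new entry would collide with an existing sequence
    number or references an ACL / transform-set that is not defined.
    """
    problems = []
    if seq in crypto_map_seqs(config, map_name):
        problems.append(f"sequence {seq} already used in {map_name}")
    if not has_acl(config, acl):
        problems.append(f"access-list {acl} not defined")
    if not has_transform_set(config, transform_set):
        problems.append(f"transform-set {transform_set} not defined")
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"no isakmp enable {iface}",
        f"no crypto map {map_name} interface {iface}",   # de-apply first
        f"isakmp key {key_placeholder} address {peer} netmask 255.255.255.255",
        f"crypto map {map_name} {seq} match address {acl}",
        f"crypto map {map_name} {seq} set pfs {pfs}",
        f"crypto map {map_name} {seq} set peer {peer}",
        f"crypto map {map_name} {seq} set transform-set {transform_set}",
        f"crypto map {map_name} interface {iface}",      # re-apply last
        f"isakmp enable {iface}",
    ]


def is_safely_ordered(commands, map_name, iface="outside"):
    """Check that every 'crypto map <name> <seq> ...' line sits strictly between
    the de-apply and the re-apply of the map on the interface."""
    detach = f"no crypto map {map_name} interface {iface}"
    attach = f"crypto map {map_name} interface {iface}"
    if detach not in commands or attach not in commands:
        return False
    start, end = commands.index(detach), commands.index(attach)
    if start >= end:
        return False
    entry = re.compile(rf"^crypto map {re.escape(map_name)} \d+ ")
    return all(start < i < end for i, c in enumerate(commands) if entry.match(c))


if __name__ == "__main__":
    for line in build_change_set(RUNNING_CONFIG, "outside_map", 70, "112",
                                 "1.1.1.1", "LAN-to-LAN"):
        print(line)
```

Run it against a copy of `show run` output and paste the printed block in one go, which keeps the window where the map is detached as short as the post suggests.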