[c-nsp] Cannot initiate tunnel (ASA to PIX )

JR Colmenares sforcejr at yahoo.com
Wed Oct 22 17:27:57 EDT 2008


Mike,

Thanks for pointing that out. That was my mistake when posting the question. It is actually correct in the config.

1- I was able to ping from company B when the tunnel was up. Could it be related to the "crypto dynamic-map" command that is not matched up on both ends?
Should I enter this on the PIX?

crypto dynamic-map dynmap 90 set transform-set strong AES256 
crypto dynamic-map dynmap 90 set pfs 

2- Also there have been other tunnels there (PIX) before that were using 3des instead of aes-256

3- Is there any command to clear the crypto map connections, just like "clear xlate" for ACLs?

4- What is the proper way to delete a specific crypto map, in this case "ToRemote 39"? I might start it over with a different name to totally separate it from the ones with 3des encryption.

5- Would the ASA device need the command "sysopt connection permit-ipsec"?

6- Should I assume the misconfiguration is in the Pix since the tunnel can be initiated from the ASA?

7- Would entering a line on the ASA to poll from an NTP server in CompanyB help to keep the tunnel up, or would just entering "isakmp keepalive 20" in the ASA do that?

8- Could I assume that the misconfiguration is taking place in the PIX (CompanyB) since the tunnel can be initiated from the ASA (CompanyA)?
 
Sorry for loading you with more questions, but I am not sure who else will take interest in this question and I need to resolve this ASAP.

Thanks

JRC
--- On Wed, 10/22/08, Michael K. Smith - Adhost <mksmith at adhost.com> wrote:

> From: Michael K. Smith - Adhost <mksmith at adhost.com>
> Subject: RE: [c-nsp] Cannot initiate tunnel (ASA to PIX )
> To: sforcejr at yahoo.com, cisco-nsp at puck.nether.net
> Date: Wednesday, October 22, 2008, 1:38 PM
> Hello:
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of JR Colmenares
> > Sent: Tuesday, October 21, 2008 8:07 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Cannot initiate tunnel (ASA to PIX )
> > 
> > On an L2L tunnel "CompanyA" can initiate the tunnel but "CompanyB" cannot.
> > 
> >  Company A's ASA 5505 config
> 
> Typo?
> 
> access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.102.0 255.255.255.0
> access-list CompanyA permit ip 10.0.0.0 255.0.0.0 192.168.102.0 255.255.255.0
> 
> Shouldn't those be 192.168.103.0/24?
> 
> Regards,
> 
> Mike
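The one-directional failure Mike points at is the classic symptom of crypto ACLs that are not mirror images of each other. The following Python check is an added example, not from this thread or from Cisco: it parses PIX/ASA netmask-style "access-list ... permit ip" entries and reports entries whose mirror is missing on the peer. Company A's line is the one quoted above; Company B's line is constructed on the assumption (implied by Mike's question) that B's side references 192.168.103.0/24, and the function names are mine.

```python
import ipaddress
import re

# PIX/ASA extended ACL entry in netmask (not wildcard) form, e.g.
#   access-list CompanyA permit ip 10.0.0.0 255.0.0.0 192.168.102.0 255.255.255.0
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)

# Company A's crypto ACL as quoted in the thread.
COMPANY_A_CFG = """
access-list CompanyA permit ip 10.0.0.0 255.0.0.0 192.168.102.0 255.255.255.0
"""
# Constructed: what Company B's PIX is assumed to carry (103, per Mike's question).
COMPANY_B_CFG = """
access-list CompanyB permit ip 192.168.103.0 255.255.255.0 10.0.0.0 255.0.0.0
"""
# Constructed: Company A's ACL after correcting the third octet.
COMPANY_A_FIXED_CFG = """
access-list CompanyA permit ip 10.0.0.0 255.0.0.0 192.168.103.0 255.255.255.0
"""


def parse_crypto_acl(config_text, acl_name):
    """Return the set of (src_net, dst_net) CIDR string pairs for one named ACL."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group("name") != acl_name:
            continue
        # ip_network accepts "addr/netmask"; strict=False tolerates host bits set.
        src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=False)
        dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
        pairs.add((str(src), str(dst)))
    return pairs


def check_tunnel_acls(local_cfg, local_acl, peer_cfg, peer_acl):
    """Compare a crypto ACL with its peer; every local (src, dst) must appear as (dst, src) on the peer."""
    local_pairs = parse_crypto_acl(local_cfg, local_acl)
    peer_pairs = parse_crypto_acl(peer_cfg, peer_acl)
    expected_peer = {(d, s) for (s, d) in local_pairs}
    return {
        "missing_on_peer": expected_peer - peer_pairs,   # in peer orientation
        "missing_locally": peer_pairs - expected_peer,   # peer entries with no local mirror
    }


if __name__ == "__main__":
    print(check_tunnel_acls(COMPANY_A_CFG, "CompanyA", COMPANY_B_CFG, "CompanyB"))
    print(check_tunnel_acls(COMPANY_A_FIXED_CFG, "CompanyA", COMPANY_B_CFG, "CompanyB"))
```

An empty result on both keys means the proxy identities match; anything listed is a candidate for why only one side can bring the tunnel up.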
