PIX stops passing all traffic on entering crypto command

mishag
Level 1

I have a strange problem with a PIX 515 6.1(2).

I have 3 VPN tunnels already set up. Whilst trying to configure a 4th the PIX stops passing all traffic. It happens specifically when I enter ANY "crypto map" command.

Undoing the command using "no crypto map......" or "clear xlate" doesn't help either. The PIX must be rebooted before traffic passes again. The processor usage drops to zero and my telnet session to the PIX stays connected.

Anyone have any ideas?

I have put the relevant configuration below:

access-list nonat permit ip 172.50.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat permit ip 172.50.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list acl_vpn1 permit ip 172.50.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_vpn2 permit ip 172.50.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_vpn3 permit ip 172.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set support esp-des esp-md5-hmac
crypto map toVPNs 10 ipsec-isakmp
crypto map toVPNs 10 match address acl_vpn1
crypto map toVPNs 10 set peer 1xx.xxx.xxx.xxx
crypto map toVPNs 10 set transform-set support
crypto map toVPNs 12 ipsec-isakmp
crypto map toVPNs 12 match address acl_vpn2
crypto map toVPNs 12 set peer 2xx.xxx.xxx.xxx
crypto map toVPNs 12 set transform-set support
crypto map toVPNs 14 ipsec-isakmp
crypto map toVPNs 14 match address acl_vpn3
crypto map toVPNs 14 set peer 3xx.xxx.xxx.xxx
crypto map toVPNs 14 set transform-set support
crypto map toVPNs interface outside
isakmp enable outside
isakmp key ******** address 1xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 2xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp key ******** address 3xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 43200

Accepted Solution

awaheed
Cisco Employee

Hi Ishaq,

Kindly make sure you remove the "Crypto map" off the Interface by doing a "no crypto map toVPNs interface outside" and then add the necessary commands before reapplying the Crypto map. Usually when we add a new command "crypto map toVPNs xx ipsec-isakmp" without removing the Crypto map it starts encrypting all traffic going through the PIX. After making the required changes reapply the Crypto map.

Hope this helps,

Regards,

Aamir

-=-=-
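The change order Aamir describes (detach the crypto map from the interface, add the complete new entry, reattach) is easy to get wrong by hand, because a bare "crypto map toVPNs xx ipsec-isakmp" line creates an entry that has no match address, peer or transform-set yet while the map is still bound to "outside". The following Python script is an added example, not code from the thread or from Cisco: it parses a PIX-style config, flags any crypto map entry that is incomplete while its map is bound to an interface, flags match-address references to access-lists that do not exist, and emits the unbind/add/rebind command sequence from the accepted answer. The sample config is constructed to mirror the thread's layout; the peer addresses (192.0.2.x) and the entry numbers are placeholders.

```python
"""Pre-flight check for PIX 6.x crypto map changes (added example).

Not from the forum thread or from Cisco. Parses a PIX-style config, verifies
every 'crypto map <name> <seq>' entry is complete, and builds the change order
the accepted answer describes: detach the map from the interface, add the new
entry's lines, reattach. The sample config is constructed; peers are
placeholders from the 192.0.2.0/24 documentation range.
"""
import re
from collections import defaultdict

# Constructed sample: three complete entries and the map bound to 'outside'.
SAMPLE_CONFIG = """\
access-list acl_vpn1 permit ip 172.50.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_vpn2 permit ip 172.50.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_vpn3 permit ip 172.50.0.0 255.255.255.0 10.50.0.0 255.255.255.0
crypto ipsec transform-set support esp-des esp-md5-hmac
crypto map toVPNs 10 ipsec-isakmp
crypto map toVPNs 10 match address acl_vpn1
crypto map toVPNs 10 set peer 192.0.2.1
crypto map toVPNs 10 set transform-set support
crypto map toVPNs 12 ipsec-isakmp
crypto map toVPNs 12 match address acl_vpn2
crypto map toVPNs 12 set peer 192.0.2.2
crypto map toVPNs 12 set transform-set support
crypto map toVPNs 14 ipsec-isakmp
crypto map toVPNs 14 match address acl_vpn3
crypto map toVPNs 14 set peer 192.0.2.3
crypto map toVPNs 14 set transform-set support
crypto map toVPNs interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
# Clauses every ipsec-isakmp entry needs before it is safe to have bound.
REQUIRED = ("match address", "set peer", "set transform-set")


def parse(config):
    """Return (entries, bindings, acls).

    entries[(map_name, seq)] -> list of clause strings after the seq number
    bindings[map_name]       -> interface the map is applied to
    acls                     -> set of access-list names defined in the config
    """
    entries = defaultdict(list)
    bindings = {}
    acls = set()
    for line in config.splitlines():
        line = line.strip()
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[(m.group(1), int(m.group(2)))].append(m.group(3))
            continue
        if line.startswith("access-list "):
            acls.add(line.split()[1])
    return entries, bindings, acls


def check(config):
    """List problems: incomplete entries (noting if the map is bound, the
    state the thread describes) and match-address references to missing ACLs."""
    entries, bindings, acls = parse(config)
    problems = []
    for (name, seq), clauses in sorted(entries.items()):
        missing = [r for r in REQUIRED if not any(c.startswith(r) for c in clauses)]
        if missing:
            bound = f" while bound to interface {bindings[name]}" if name in bindings else ""
            problems.append(
                f"crypto map {name} {seq} incomplete (missing {', '.join(missing)}){bound}")
        for c in clauses:
            if c.startswith("match address "):
                acl = c.split()[2]
                if acl not in acls:
                    problems.append(
                        f"crypto map {name} {seq} references undefined access-list {acl}")
    return problems


def plan_change(config, map_name, new_entry_lines):
    """Command order from the accepted answer: unbind, add the lines, rebind.
    If the map is not currently bound, only the new lines are returned."""
    _, bindings, _ = parse(config)
    cmds = []
    if map_name in bindings:
        cmds.append(f"no crypto map {map_name} interface {bindings[map_name]}")
    cmds.extend(new_entry_lines)
    if map_name in bindings:
        cmds.append(f"crypto map {map_name} interface {bindings[map_name]}")
    return cmds


if __name__ == "__main__":
    print(check(SAMPLE_CONFIG))
    # Constructed fourth tunnel; seq 16 and acl_vpn4 are placeholders.
    new_entry = [
        "access-list acl_vpn4 permit ip 172.50.0.0 255.255.255.0 10.60.0.0 255.255.255.0",
        "crypto map toVPNs 16 ipsec-isakmp",
        "crypto map toVPNs 16 match address acl_vpn4",
        "crypto map toVPNs 16 set peer 192.0.2.4",
        "crypto map toVPNs 16 set transform-set support",
    ]
    for cmd in plan_change(SAMPLE_CONFIG, "toVPNs", new_entry):
        print(cmd)
```

Running check() on the sample config plus a lone "crypto map toVPNs 16 ipsec-isakmp" line reports the entry as incomplete while bound to "outside", which is exactly the half-configured state to avoid; plan_change() wraps the new lines in the unbind and rebind commands so the entry is only ever bound once it is whole.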


2 Replies


Worked perfectly.

Thank you very much.

Kind regards,

Misha
