05-24-2007 06:45 AM
I'm trying to set up a branch office VPN. I'm using a PIX-506e, my peer is a PIX-515. I've attached my (sanitized) configuration, and there's an equivalent one in the 515.
Network setup:
BO1 Inside: 192.168.0.0
BO2 Inside: 130.45.14.0
We cannot establish a Security Association. We can, of course, ping each other's outside addresses.
Two initial questions:
1. Can someone see anything obviously wrong?
2. The command "clear isakmp sa" breaks any existing SAs; is there a command that forces one PIX to attempt to form an SA with its peer?
Thanks in advance,
dpm
05-24-2007 08:19 AM
First of all, you do not need to have both of these statements in one PIX:
access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
You should have the first in BO2 and the second in BO1.
It is also recommended and good form to use separate ACLs to define this traffic and the traffic defined by your nat (inside) 0 statement, even though it is the same. So I would change it to:
BO2
nat (inside) 0 access-list cleanVPN_nat0
access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list cleanVPN_nat0 permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto map cleanVPNmap 88 match address cleanVPN
BO1
nat (inside) 0 access-list cleanVPN_nat0
access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
access-list cleanVPN_nat0 permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
crypto map cleanVPNmap 88 match address cleanVPN
Let me know how that goes.
05-24-2007 09:07 AM
Thanks, I appreciate your help.
One question though: I think my problem is that the PIXes cannot form an SA. I can see how the change you suggested would affect routing traffic through the tunnel once formed, but my problem is that I can't get a tunnel formed at all.
Is there a command to force one PIX to form an SA with a peer?
Thanks,
Dean
05-24-2007 09:15 AM
No, you must initiate traffic which matches the traffic defined in your crypto ACLs.
Try this and ensure it is the same on both ends:
no isakmp identity hostname
isakmp identity address
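As an added example (not code from the thread), the following Python script checks the two points the replies above make before a tunnel is attempted: that the crypto ACLs on the two peers are exact mirror images of each other, that neither peer stuffs both directions into one ACL or reuses the crypto ACL for nat (inside) 0, and that the isakmp identity setting is the same on both ends. The configs and ACL names embedded below are constructed to resemble the corrected BO1/BO2 snippets; the broken sample reproduces the original poster's single-ACL layout and is an assumption about their config, not a copy of it.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample configs, one per peer (hypothetical, based on the corrected snippets).
BO1_CONFIG = """
access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
access-list cleanVPN_nat0 permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
nat (inside) 0 access-list cleanVPN_nat0
crypto map cleanVPNmap 88 match address cleanVPN
isakmp identity address
"""

BO2_CONFIG = """
access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list cleanVPN_nat0 permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list cleanVPN_nat0
crypto map cleanVPNmap 88 match address cleanVPN
isakmp identity address
"""

# Constructed "before" config: both directions in one ACL, nat 0 reusing it,
# and a different identity type than the peer.
BROKEN_BO1_CONFIG = """
access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
nat (inside) 0 access-list cleanVPN
crypto map cleanVPNmap 88 match address cleanVPN
isakmp identity hostname
"""

# Only the PIX 6.x lines relevant to the checks are parsed; everything else is ignored.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)
MATCH_RE = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)\s*$", re.I)
NAT0_RE = re.compile(r"^nat\s+\(inside\)\s+0\s+access-list\s+(\S+)\s*$", re.I)
IDENT_RE = re.compile(r"^isakmp\s+identity\s+(\S+)\s*$", re.I)

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


@dataclass
class PixVpn:
    acls: Dict[str, FrozenSet[Pair]]   # ACL name -> set of (source net, destination net)
    crypto_acl: Optional[str]          # ACL referenced by "crypto map ... match address"
    nat0_acl: Optional[str]            # ACL referenced by "nat (inside) 0 access-list"
    identity: Optional[str]            # "address" or "hostname"


def parse_pix(text: str) -> PixVpn:
    """Extract the VPN-relevant statements from a PIX running-config."""
    acls: Dict[str, set] = {}
    crypto_acl = nat0_acl = identity = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            entry = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                     ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
            acls.setdefault(name, set()).add(entry)
        elif m := MATCH_RE.match(line):
            crypto_acl = m.group(1)
        elif m := NAT0_RE.match(line):
            nat0_acl = m.group(1)
        elif m := IDENT_RE.match(line):
            identity = m.group(1).lower()
    return PixVpn({k: frozenset(v) for k, v in acls.items()}, crypto_acl, nat0_acl, identity)


def check_peers(a: PixVpn, b: PixVpn) -> List[str]:
    """Return a list of problems; an empty list means the two peers are consistent."""
    problems: List[str] = []
    for label, p in (("A", a), ("B", b)):
        if p.crypto_acl is None or p.crypto_acl not in p.acls:
            problems.append(f"{label}: crypto map has no usable match address ACL")
            continue
        entries = p.acls[p.crypto_acl]
        # One ACL must describe one direction only; the peer holds the reverse.
        if any((d, s) in entries for s, d in entries):
            problems.append(f"{label}: ACL {p.crypto_acl} contains both directions of the same pair")
        if p.nat0_acl == p.crypto_acl:
            problems.append(f"{label}: nat 0 reuses crypto ACL {p.crypto_acl}; use a separate ACL")
        elif p.nat0_acl is None or p.acls.get(p.nat0_acl) != entries:
            problems.append(f"{label}: nat 0 ACL does not cover the same traffic as {p.crypto_acl}")
    if a.crypto_acl in a.acls and b.crypto_acl in b.acls:
        mirrored = frozenset((d, s) for s, d in b.acls[b.crypto_acl])
        if a.acls[a.crypto_acl] != mirrored:
            problems.append("crypto ACLs are not mirror images of each other")
    if a.identity != b.identity:
        problems.append(f"isakmp identity differs: A={a.identity} B={b.identity}")
    return problems


if __name__ == "__main__":
    print("corrected:", check_peers(parse_pix(BO1_CONFIG), parse_pix(BO2_CONFIG)) or "OK")
    for line in check_peers(parse_pix(BROKEN_BO1_CONFIG), parse_pix(BO2_CONFIG)):
        print("broken:", line)
```

Run it against sanitized copies of both running-configs; the mirror check is the one that matters most, because a crypto ACL that is not the exact reverse of the peer's will never produce a matching proxy ID during phase 2, even when phase 1 succeeds.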