04-26-2002 09:42 PM - edited 02-21-2020 11:42 AM
Hi!
I have a PIX 525 in the center and a Cisco router (26xx) on the other side with an ipsec-isakmp crypto map between them. The PIX crypto map is on the outside interface.
When we send a packet from the far side to the center (PIX inside interface), we get an IPSEC tunnel after some negotiation between the router and the PIX. Then we have the IPSEC tunnel and can send packets from the PIX inside interface to the far side behind the router.
But if we have no IPSEC tunnel (it has expired, for example) we CAN'T build it from the PIX inside interface. We can see the access-list counter in the crypto map increasing. We can debug crypto isakmp and crypto ipsec on the PIX and see the following lines:
pix1# IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
So I have to send one packet from the far side to the center to build the tunnel and then try never to lose it :)
Could anyone help me?
04-26-2002 10:00 PM
You are using "isakmp enable outside", correct? The tunnel is supposed to be established on the outside interface. Why do you want to establish the tunnel inside anyway?
04-26-2002 10:14 PM
I have a packet that goes from some network behind the PIX, through the PIX from the inside to the outside interface, through some IP cloud to the remote Cisco 26xx with a crypto map. Is that a reason to build an IPSEC tunnel? I suppose yes. Am I wrong?
04-26-2002 10:30 PM
Yes, you need to build a site-to-site IPSEC tunnel (I assume the IP cloud is public). The tunnel is between the PIX's outside interface and the router's (outside) interface. When the packet reaches the inside interface of the PIX, it has already been encrypted (access-list permit) and it is considered internal, or the packets are established from the inside.
04-26-2002 11:16 PM
Unfortunately, my English is not perfect. That's why I didn't understand you :(
So, what should I do to solve my problem?
Maybe I should place the crypto map on the PIX inside interface and enable isakmp on it?
04-30-2002 05:54 AM
I think this entry does not match your access-list. You must add a NAT 0 entry, because the IPSEC tunnel cannot be established with NAT.
In the configuration you must have an access-list entry for your VPN connection.
See this example for the PIX:
access-list 100 permit ip 192.168.168.0 255.255.255.0 192.168.170.0 255.255.255.0
nat (inside) 0 access-list 100
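The matching idea carried through to a complete PIX 6.x site-to-site fragment, as an added example that is not from this thread: the same access-list serves as the crypto map's "interesting traffic" selector and as the NAT-exemption list, so a packet leaving the inside interface is both left un-translated and selected for IPSEC (otherwise the outbound packet fails the crypto ACL and the PIX logs "ACL = deny; no sa created"). Network numbers, the peer address 203.0.113.2, and the names vpn-traffic, vpnmap and strong are assumptions.

```cisco
! Added example (not the poster's config). Center PIX, PIX 6.x syntax.
! Local LAN 192.168.168.0/24 (behind inside), remote LAN 192.168.170.0/24
! (behind the 26xx router), router's public address 203.0.113.2: all assumed.

! One ACL, used twice: it defines what is encrypted AND what is NAT-exempt.
access-list vpn-traffic permit ip 192.168.168.0 255.255.255.0 192.168.170.0 255.255.255.0

! Exempt exactly the tunnel traffic from translation. A bare
! "nat (inside) 0 0.0.0.0 0.0.0.0 0 0" would instead apply identity NAT to
! everything and gives the crypto map no explicit selector to tie it to.
nat (inside) 0 access-list vpn-traffic

! Let decrypted tunnel traffic bypass the interface ACL on outside.
sysopt connection permit-ipsec

! Phase 2 proposal and the crypto map bound to the outside interface.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-traffic
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside

! Phase 1: ISAKMP only on the outside interface, pre-shared key per peer.
isakmp enable outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Router side must mirror the selector (IOS wildcard mask, reversed order):
! access-list 101 permit ip 192.168.170.0 0.0.0.255 192.168.168.0 0.0.0.255
```

With a mirrored ACL on both ends, either side can initiate the tunnel; "show crypto ipsec sa" on the PIX shows the matching local/remote identities once an SA exists.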
05-05-2002 10:46 PM
I have this line in the configuration:
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
05-09-2002 01:21 PM
You need to take out the "nat (inside) 0.0.0.0 0.0.0.0 0 0" entry in your config.
05-12-2002 09:46 PM
But why?
As I remember, it was the initial configurator that asked me whether I would use NAT; I replied NO and that line appeared in the config.
On the other hand, I still have to use NAT, but with the same address.
Do you think I should remove that line?
05-13-2002 01:56 AM
Could you "cut and paste" all your NAT and ACL config so that we can analyze it?
05-13-2002 03:16 AM
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
That's all about NAT.
My troubles are from interface Videoconf-10 with security 30 to outside interface CIN-5 with security 0.
On interface Videoconf-10 I have this ACL:
access-list Videoconf-10_in permit ip any any
access-list Videoconf-10_in permit ip 10.4.78.0 255.255.255.0 host ViaVideo
And a couple of "static" statements:
static (Videoconf-10,CIN-5) VideoStation VideoStation netmask 255.255.255.255 0 0
static (Videoconf-10,CIN-5) SOmeVideo SOmeVideo netmask 255.255.255.255 0 0
static (Videoconf-10,CIN-5) Polyspan2 Polyspan2 netmask 255.255.255.255 0 0
static (Videoconf-10,CIN-5) Polyspan1 Polyspan1 netmask 255.255.255.255 0 0
static (Videoconf-10,CIN-5) MCU1 MCU1 netmask 255.255.255.255 0 0
static (Videoconf-10,CIN-5) Accord1 Accord1 netmask 255.255.255.255 0 0
static (Videoconf-10,CIN-5) Accord2 Accord2 netmask 255.255.255.255 0 0
static (Videoconf-10,CIN-5) Accord3 Accord3 netmask 255.255.255.255 0 0