08-04-2005 05:56 AM
Hi,
I have created site to site vpn using pix515e and cisco 3000 concentrator.
I have following config:
(inside host network): A.B.17.0
(Remote host network): X.Y.Z.0
ip address Internet L.M.N.2 255.255.255.240
ip address inside e.f.g.2 255.255.255.240
access-list inside_access_in permit ip host A.B.17.2 X.Y.Z.0 255.255.255.0
access-list Internet_access_in permit ip X.Y.Z.0 255.255.255.0 host A.B.17.2
access-list inside_outbound_nat0_acl permit ip host A.B.17.2 X.Y.Z.0 255.255.255.0
access-list Internet_cryptomap_20 permit ip host A.B.17.2 X.Y.Z.0 255.255.255.0
global (Internet) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group Internet_access_in in interface Internet
access-group inside_access_in in interface inside
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Internet_dyn_map_1 20 match address Internet_cryptomap_dyn_20
crypto dynamic-map Internet_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map Internet_map 20 ipsec-isakmp
crypto map Internet_map 20 match address Internet_cryptomap_20
crypto map Internet_map 20 set peer P.P.P.P
crypto map Internet_map 20 set transform-set ESP-3DES-MD5
crypto map Internet_map interface Internet
isakmp enable Internet
isakmp key &&&&&&& address P.P.P.P netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Concentrator access-list:
access-list 13 permit ip X.Y.Z.0 0.0.0.255 A.B.17.0 0.0.0.255
access-list 13 permit ip A.B.17.0 0.0.0.255 X.Y.Z.0 0.0.0.255
The issue is: the host A.B.C.2 is able to initiate the VPN tunnel and communicate with the other host fine, but X.Y.Z.35 is not able to initiate the tunnel.
When I tried debug, it shows:
1d00h: IPSec(validate_transform_proposal): proxy identities not supported
1d00h: ISAKMP: IPSec policy invalidated proposal
1d00h: ISAKMP (0:2): SA not acceptable!
Even PDM is not allowing me to put a reverse crypto rule.
Can anybody guide me on why the tunnel provides only one-way access? If it is an access-list issue, then how do I put the reverse crypto access-list via PDM?
Regards
Amol
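Added example (not from this thread or from Cisco): a small Python model of the IKE phase-2 proxy-identity check that produces the "proxy identities not supported" error quoted above. It assumes a responder accepts a proposal only when the proposed identities fall within one of its own crypto ACL entries (a simplification of the real matching), and uses constructed addresses in place of A.B.17.x and X.Y.Z.x.

```python
# Added example (not from the thread): models IKE phase-2 proxy-identity
# matching to show why the tunnel above comes up from one side only.
# Assumption: a responder accepts a proposal whose identities fall within
# one of its own crypto ACL entries and rejects anything wider (a
# simplification of how these platforms actually match).
from ipaddress import ip_network

def parse_acl(lines):
    """Parse 'access-list NAME permit ip <src> <dst>' lines into
    (local, remote) network pairs; <src>/<dst> are 'host A.B.C.D' or
    'NETWORK MASK' (PIX netmask or concentrator wildcard form)."""
    def take(tok):
        if tok[0] == "host":
            return ip_network(tok[1] + "/32"), tok[2:]
        return ip_network(tok[0] + "/" + tok[1]), tok[2:]
    acl = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:4] != ["permit", "ip"]:
            continue                      # not a crypto-ACL permit entry
        src, rest = take(tok[4:])
        dst, _ = take(rest)
        acl.append((src, dst))
    return acl

def responder_accepts(acl, local, remote):
    """True if some ACL entry covers the proposed proxy identities."""
    return any(local.subnet_of(l) and remote.subnet_of(r) for l, r in acl)

def check_both_directions(acl_a, acl_b):
    """Each side initiates with its own entries; the peer sees the pair
    swapped. Returns (a_initiates_ok, b_initiates_ok)."""
    a_ok = all(responder_accepts(acl_b, r, l) for l, r in acl_a)
    b_ok = all(responder_accepts(acl_a, r, l) for l, r in acl_b)
    return a_ok, b_ok

def mirror(acl):
    """The exact mirror image the peer's crypto ACL should carry."""
    return [(r, l) for l, r in acl]

# Constructed stand-ins for the post's A.B.17.x / X.Y.Z.x addresses.
PIX_ACL = parse_acl(["access-list Internet_cryptomap_20 permit ip "
                     "host 10.1.17.2 192.0.2.0 255.255.255.0"])
CONC_ACL = parse_acl(["access-list 13 permit ip "
                      "192.0.2.0 0.0.0.255 10.1.17.0 0.0.0.255"])

if __name__ == "__main__":
    print(check_both_directions(PIX_ACL, CONC_ACL))           # (True, False)
    print(check_both_directions(mirror(CONC_ACL), CONC_ACL))  # (True, True)
```

The PIX-initiated direction is accepted because host/32 to /24 fits inside the concentrator's /24 to /24 entry, while the concentrator's wider proposal is rejected by the PIX; making the PIX crypto ACL the mirror image of the concentrator's entry clears both directions.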
08-10-2005 05:25 AM
Here is a document on configuring IPSec between PIX Firewall and Cisco VPN 3000 Concentrator.