one way VPN

amolrajgure
Level 1

Hi,

I have created a site-to-site VPN using a PIX 515E and a Cisco 3000 Concentrator.

I have the following config:

(inside host network): A.B.17.0
(remote host network): X.Y.Z.0

ip address Internet L.M.N.2 255.255.255.240
ip address inside e.f.g.2 255.255.255.240

access-list inside_access_in permit ip host A.B.17.2 X.Y.Z.0 255.255.255.0
access-list Internet_access_in permit ip X.Y.Z.0 255.255.255.0 host A.B.17.2
access-list inside_outbound_nat0_acl permit ip host A.B.17.2 X.Y.Z.0 255.255.255.0
access-list Internet_cryptomap_20 permit ip host A.B.17.2 X.Y.Z.0 255.255.255.0

global (Internet) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl

access-group Internet_access_in in interface Internet
access-group inside_access_in in interface inside

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Internet_dyn_map_1 20 match address Internet_cryptomap_dyn_20
crypto dynamic-map Internet_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map Internet_map 20 ipsec-isakmp
crypto map Internet_map 20 match address Internet_cryptomap_20
crypto map Internet_map 20 set peer P.P.P.P
crypto map Internet_map 20 set transform-set ESP-3DES-MD5
crypto map Internet_map interface Internet

isakmp enable Internet
isakmp key &&&&&&& address P.P.P.P netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Concentrator access-list:

access-list 13 permit ip X.Y.Z.0 0.0.0.255 A.B.17.0 0.0.0.255
access-list 13 permit ip A.B.17.0 0.0.0.255 X.Y.Z.0 0.0.0.255

The issue is: the host A.B.C.2 is able to initiate the VPN tunnel and communicate with the other host fine, but X.Y.Z.35 is not able to initiate the tunnel.

When I tried debug, it shows:

1d00h: IPSec(validate_transform_proposal): proxy identities not supported
1d00h: ISAKMP: IPSec policy invalidated proposal
1d00h: ISAKMP (0:2): SA not acceptable!

Even PDM is not allowing me to put in a reverse crypto rule.

Can anybody guide me on why the tunnel provides one-way access? If it is an access-list issue, then how do I put a reverse crypto access-list in via PDM?

Regards

Amol
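The debug line "proxy identities not supported" is what a responder logs when the identities proposed by the initiator do not match its own crypto ACL. In the config above the two sides are not mirror images: the PIX crypto ACL names a single host (A.B.17.2) while the concentrator's ACL names the whole A.B.17.0/24. As an added example, not from the original thread, the following Python check parses both ACL syntaxes (PIX subnet masks, concentrator wildcard masks) and reports every entry that lacks an exact mirror on the other side; the RFC 5737 addresses are constructed stand-ins for the poster's masked ones.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the post:
#   A.B.17.0/24 -> 192.0.2.0/24 (PIX inside), X.Y.Z.0/24 -> 198.51.100.0/24 (concentrator side)
PIX_CRYPTO_ACL = [
    "access-list Internet_cryptomap_20 permit ip host 192.0.2.2 198.51.100.0 255.255.255.0",
]
CONCENTRATOR_ACL = [
    "access-list 13 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255",
    "access-list 13 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255",
]


def _network(tokens, wildcard):
    """Consume one address spec (any | host X | X MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:  # IOS/concentrator style: wildcard 0.0.0.255 is the inverse of 255.255.255.0
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_ace(line, wildcard):
    """Return (src, dst) networks of a 'permit ip' entry; wildcard=True for concentrator/IOS syntax."""
    tokens = line.split()
    i = tokens.index("ip")  # source spec follows the protocol keyword, then destination spec
    src, rest = _network(tokens[i + 1:], wildcard)
    dst, _ = _network(rest, wildcard)
    return src, dst


def unmirrored(local_acl, remote_acl, local_wildcard, remote_wildcard):
    """Crypto ACLs must be mirror images. Return each remote entry whose swapped (dst, src)
    is not an exact (src, dst) entry on the local side: when the remote peer initiates,
    those are the proxy identities it proposes, and the local peer rejects them."""
    local = {parse_ace(ace, local_wildcard) for ace in local_acl}
    missing = []
    for ace in remote_acl:
        src, dst = parse_ace(ace, remote_wildcard)
        if (dst, src) not in local:
            missing.append(ace)
    return missing


if __name__ == "__main__":
    # PIX as responder: which concentrator entries would it refuse as proxy identities?
    for ace in unmirrored(PIX_CRYPTO_ACL, CONCENTRATOR_ACL, False, True):
        print("no PIX mirror for concentrator entry:", ace)
```

Running the check in the other direction, `unmirrored(CONCENTRATOR_ACL, PIX_CRYPTO_ACL, True, False)`, shows the same asymmetry from the concentrator's side; widening the PIX crypto ACL to the full 192.0.2.0/24 (that is, A.B.17.0/24) makes the first concentrator entry an exact mirror.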


owillins
Level 6

Here is a document on configuring IPSec between PIX Firewall and Cisco VPN 3000 Concentrator.

http://www.cisco.com/warp/public/707/vpn_pix_private.html