356 Views, 0 Helpful, 4 Replies

PIX 515E VPN question

stevezups
Level 1

Hi, I'm trying to set up a L2L VPN tunnel between a PIX 515E and a 506E. I already have one tunnel made between the 515E and another 506E. Anyway, on the 515E, when I try to send interesting traffic through to get to the other side of the tunnel, the traffic passes through my NAT 0 ACL and not the ACL assigned to the crypto map match address command. Does anyone know why this could be happening?

4 Replies

sachinraja
Level 9

steve,

Normally the nat 0 ACL will be the same as the crypto ACL.. any traffic sent across the IPSEC should be no-natted before putting it across the tunnel.. once nat 0 is done, the tunnel tries to come up and if the parameters match, traffic flows end to end...

Run a debug crypto ipsec / debug crypto isakmp and see the error message... there could be some mismatch in parameters which is not forcing the IPSEC to come up...

Let us know..

Raj

Raj,

Here's the funny thing, when I look at the debug from the 515E the connection connects. I even get an SPI number. But, the 506E shows no debugs and no SPI numbers. It seems like the 515E side makes a tunnel but the 506E side doesn't.

Hi,

Can you post the config?

Hi all,

Actually we fixed the problem but I don't know how. On the 506E we changed the "crypto map name" to be different from the name on the 515E. Basically, on the 515E we had a statement "crypto map thunder". On the 506E I changed the "crypto map thunder" to "crypto map remote" and now everything works fine.

What I don't understand is, I thought the crypto map name was only locally significant so you can bind the crypto map statement to an interface, like "crypto map thunder interface outside". Both the 515E and the 506E are running PIX OS 6.3(5). Can anyone explain this to me?

Thanks,

Stevan
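The following PIX 6.3 configuration is an added example, not a config posted in this thread. It illustrates two points raised above: Raj's rule that the nat 0 ACL and the crypto `match address` ACL cover the same traffic (with the crypto ACL on each peer being the exact mirror of the other side's), and Stevan's observation that crypto map names are locally significant, which is correct: the name only ties the map to the local interface, so the two peers are given different names here and still match. The thread does not establish why the rename fixed the original problem, and this example makes no claim about that. All addresses, ACL names, map names and the 515E's second peer ("Site C", standing in for the 506E it was already tunnelling to) are constructed; the pre-shared keys are placeholders, and lines beginning with `!` are annotation for the reader, not configuration.

```cisco
! Site A = PIX 515E: inside 10.1.0.0/24, outside 192.0.2.1
! Site B = PIX 506E: inside 10.2.0.0/24, outside 198.51.100.1
! Site C = the existing 506E peer: inside 10.3.0.0/24, outside 203.0.113.1
!
! ---- Site A (515E) ----
! One nat 0 ACL covers every VPN destination, so traffic to either peer is exempt from NAT.
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat
! One crypto ACL per peer; each must be the exact mirror of the ACL on that peer.
access-list vpn-to-b permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list vpn-to-c permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set aes-sha esp-aes-256 esp-sha-hmac
! Same map name for both peers, one sequence number each; the name is bound to the interface once.
crypto map thunder 10 ipsec-isakmp
crypto map thunder 10 match address vpn-to-b
crypto map thunder 10 set peer 198.51.100.1
crypto map thunder 10 set transform-set aes-sha
crypto map thunder 20 ipsec-isakmp
crypto map thunder 20 match address vpn-to-c
crypto map thunder 20 set peer 203.0.113.1
crypto map thunder 20 set transform-set aes-sha
crypto map thunder interface outside
isakmp enable outside
isakmp key PLACEHOLDER-PSK-B address 198.51.100.1 netmask 255.255.255.255
isakmp key PLACEHOLDER-PSK-C address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! ---- Site B (506E) ----
! Mirror image of Site A's vpn-to-b: source and destination swapped.
access-list nonat permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list vpn-to-a permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set aes-sha esp-aes-256 esp-sha-hmac
! A different map name ("remote") is fine: the name only ties the map to this box's outside interface.
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address vpn-to-a
crypto map remote 10 set peer 192.0.2.1
crypto map remote 10 set transform-set aes-sha
crypto map remote interface outside
isakmp enable outside
isakmp key PLACEHOLDER-PSK-B address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

With both sides configured this way, `show crypto ipsec sa` on each peer reports the same pair of networks as local and remote identities with the roles swapped, and the `debug crypto isakmp` / `debug crypto ipsec` output Raj asks for should show the same proposal on both ends. When one peer builds an SA and the other stays silent, comparing the two `match address` ACLs entry by entry, and checking that the nat 0 ACL exempts every entry of the crypto ACL, is the first thing to do before looking at ISAKMP policy or transform-set mismatches.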