06-06-2003 07:23 AM - edited 02-21-2020 12:35 PM
I have a hub-and-spoke VPN with a 515 at the hub and 506s at the spokes (all running 6.2). Two tunnels were up, but the configuration for the 3rd tunnel had the wrong network address referenced in the crypto access list for interesting traffic. When attempting to remove the incorrect reference and replace it with the correct network address range, all outbound traffic from the hub PIX stopped except for tunneled traffic to remote sites. Could not ping from the PIX the directly connected border router. It appears as if all traffic was being routed through tunnels, nothing in the clear. I had to remove all reference to the specific policy for the 3rd site (40) before clear traffic would go out to the internet, and only specified traffic continued to the remotes via the VPN.
nat (inside) 0 access-list crypto_global
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 209.x.x.x 255.255.255.192
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 216.x.x.0 255.255.255.0
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 10.40.0.0 255.255.0.0
access-list crypto_ml permit ip 207.x.x.0 255.255.255.0 209.x.x.x 255.255.255.192
access-list crypto_ps permit ip 207.x.x.0 255.255.255.0 216.x.x.0 255.255.255.0
access-list crypto_plan permit ip 207.x.x.0 255.255.255.0 10.40.0.0 255.255.0.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 set peer 12.x.x.x
crypto map newmap 40 set transform-set myset
crypto map newmap 40 match address crypto_plan
Has anyone else come across this problem, and if so, what steps can be taken to prevent such a problem in the future?
06-06-2003 01:08 PM
If you have a crypto map matching a non-existing access-list, the PIX will stop forwarding everything.
So be sure to create the crypto ACL before the crypto map.
Also, when I want to modify crypto maps, I copy and paste them into Notepad, do my modifications, then copy and paste them back again, preceded by a "no crypto ..."
This way I delete it and create a new one with no downtime.
ex:
no crypto map newmap
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 set peer 12.x.x.x
.....
....
crypto map newmap interface outside
Don't forget to reapply the crypto map on the outside interface after deleting it.
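A pre-flight check for the two mistakes this reply warns about (a crypto map entry whose "match address" names an access-list that does not exist, and a crypto map that was deleted and never re-bound to an interface), as an added example that is not from the thread or from Cisco. The PIX config text and the addresses in it are constructed for illustration.

```python
# Added example: validate a PIX 6.x style config before pasting it back.
# Sample config below is constructed; it is not the poster's configuration.
import re
from typing import Dict, List

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)\s*$")
IFACE_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)\s*$")


def check_crypto_maps(config: str) -> Dict[str, List[str]]:
    """Return {'dangling': [...], 'unapplied': [...]} for the given config.

    'dangling' lists "map seq acl" for every match-address line whose ACL has
    no access-list entry anywhere in the config (the case that stops all
    forwarding on the PIX). 'unapplied' lists crypto map names that carry
    match-address entries but are never bound to an interface.
    """
    acls = set()
    refs = []           # (map name, sequence, acl name)
    applied = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := MATCH_RE.match(line):
            refs.append((m.group(1), m.group(2), m.group(3)))
        elif m := IFACE_RE.match(line):
            applied.add(m.group(1))
    dangling = [f"{name} {seq} {acl}" for name, seq, acl in refs if acl not in acls]
    unapplied = sorted({name for name, _, _ in refs} - applied)
    return {"dangling": dangling, "unapplied": unapplied}


# Constructed sample: sequence 40 references an ACL that was removed but not
# recreated, and the map is not (yet) reapplied to the outside interface.
SAMPLE = """\
access-list crypto_ml permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.192
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 set peer 203.0.113.1
crypto map newmap 10 match address crypto_ml
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 set peer 203.0.113.2
crypto map newmap 40 match address crypto_plan
"""

if __name__ == "__main__":
    print(check_crypto_maps(SAMPLE))
```

Run it against the text you are about to paste back; an empty 'dangling' list and an empty 'unapplied' list mean every match-address entry resolves and the map is bound to an interface.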
06-09-2003 09:59 AM
I didn't realize that the PIX would, in a sense, stop forwarding traffic when there is a crypto policy referencing an access-list that does not exist.
Thanks for your reply,
Christian