10-07-2008 04:50 PM - edited 02-21-2020 03:58 PM
Hi there,
I'm having trouble with a VPN I'm trying to create on a PIX 515. I have the crypto maps configured, I have the pre-shared key, I have the access-list in place, and I have the isakmp settings configured. I see the access-list incrementing when I initiate traffic from the desired host, but I'm receiving this message when I have debugging turned on:
IPSEC(sa_initiate): ACL = deny; no sa created
Any ideas what I can check?
Thanks in advance!
10-07-2008 05:16 PM
Hello,
Below is a troubleshooting guide for Pix L2L IPSec Tunnel.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml
If the above URL does not help, could you post your configuration of the Pix along with the "Deb cry is" and "Deb cry ipsec" outputs?
Regards,
Arul
** Please rate all helpful posts **
10-08-2008 04:45 AM
Here is the only output I get from debug crypto ipsec:
IPSEC(sa_initiate): ACL = deny; no sa created
debug crypto isakmp displays nothing.
Here is my config:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password VQVEpQa2RxgFDc9h encrypted
passwd OXQ30QDi0.VHGHVn encrypted
hostname Pix515
domain-name mycompany.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
access-list 100 deny ip host 198.2.0.50 10.0.0.0 255.0.0.0
access-list 100 permit ip 198.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list acl_mdc_outside_access_1 permit icmp any any time-exceeded
access-list acl_mdc_outside_access_1 permit icmp any any unreachable
access-list acl_mdc_outside_access_1 permit icmp any any echo-reply
access-list acl_mdc_outside_access_1 permit gre any any
access-list acl_mdc_outside_access_1 permit esp any any
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.70.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.71.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.172.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.173.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.140.120.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.140.18.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.1.63.0 255.255.255.0
pager lines 20
logging on
logging timestamp
logging buffered alerts
logging trap informational
logging history alerts
logging facility 19
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 219.91.112.242 255.255.255.240
ip address inside 53.154.233.254 255.255.255.248
arp timeout 60
global (outside) 1 219.91.77.193-219.91.77.254 netmask 255.255.255.192
global (outside) 1 219.91.112.248 netmask 255.255.255.240
nat (inside) 0 access-list 100
nat (inside) 1 198.3.0.0 255.255.255.0 0 0
nat (inside) 1 198.2.0.0 255.255.0.0 0 0
static (inside,outside) 10.147.110.2 198.2.0.50 netmask 255.255.255.255 0 0
access-group acl_mdc_outside_access_1 in interface outside
route outside 0.0.0.0 0.0.0.0 219.91.112.241 1
route inside 198.2.0.0 255.255.0.0 53.154.233.253 1
route inside 198.3.0.0 255.255.255.0 53.154.233.253 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
crypto map crypto_mdc_outside 102 ipsec-isakmp
crypto map crypto_mdc_outside 102 match address VPN1_ACL
crypto map crypto_mdc_outside 102 set peer 208.116.214.211
crypto map crypto_mdc_outside 102 set transform-set vpn1
crypto map crypto_mdc_outside interface outside
isakmp enable outside
isakmp key ******** address 208.116.214.211 netmask 255.255.255.255
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
10-08-2008 10:03 AM
Nyle,
What are the source and destination IP addresses that you are using to bring up the tunnel?
Where is the 10.147.110.0 network? I don't even see a route on the pix for this network.
Also, I do not see your crypto traffic being included in the NAT 0 command. Can you include this and test the ipsec tunnel?
Can you provide me the above information?
Thanks,
Arul
** Please rate all helpful posts **
10-08-2008 10:09 AM
Here's the situation: The source is a server that resides internal to my network. I'm trying to create a site-to-site VPN to a client, over the internet. The client requires that I source my server from 10.147.110.0/24. The destination is any of the networks specified in the VPN1_ACL. I created an outside static NAT that should translate 192.2.0.50 to 10.147.110.2.
When you say that you do not see the crypto traffic being included in the NAT 0 command, which traffic are you looking for? I thought the match ACL in the crypto map would catch the traffic destined for the VPN?
Thanks
10-08-2008 11:43 AM
Thanks for your help. Turns out that the other end had a different ACL configured than I did. Once we verified that their ACL matched mine, the connection came right up.
Now I know though. And for anyone else out there who receives this message: IPSEC(sa_initiate): ACL = deny; no sa created
Double check the ACLs on both ends!
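An added example (not from the thread or from Cisco): a small checker that parses PIX-style "permit ip" crypto ACL lines, tests whether a flow would be selected for encryption before and after the static NAT, and lists local entries that the peer's ACL does not mirror. The peer ACL (name TO_MDC, with one deliberately non-mirrored entry) and the test addresses are constructed.

```python
import ipaddress
import re

# Constructed samples: two lines of the thread's local crypto ACL, and a
# hypothetical peer ACL whose second entry is not an exact mirror.
LOCAL_ACL = """
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.70.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.71.0 255.255.255.0
"""
PEER_ACL = """
access-list TO_MDC permit ip 10.135.70.0 255.255.255.0 10.147.110.0 255.255.255.0
access-list TO_MDC permit ip 10.135.71.0 255.255.255.0 10.147.111.0 255.255.255.0
"""

ACL_RE = re.compile(r"access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_acl(text):
    """Return (src_net, dst_net) pairs from PIX 'permit ip' lines (dotted masks)."""
    pairs = []
    for m in ACL_RE.finditer(text):
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        pairs.append((src, dst))
    return pairs


def matches_crypto_acl(pairs, src_ip, dst_ip):
    """True if a packet with these (post-NAT) addresses would be encrypted."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in pairs)


def unmirrored(local, peer):
    """Local entries whose exact (dst, src) mirror is absent on the peer."""
    mirrored = {(d, s) for s, d in peer}
    return [(s, d) for s, d in local if (s, d) not in mirrored]


def check(local_text, peer_text, pre_nat_src, nat_src, dst):
    """Summarise why 'ACL = deny; no sa created' might appear for one flow."""
    local = parse_acl(local_text)
    return {
        "pre_nat_matches": matches_crypto_acl(local, pre_nat_src, dst),
        "post_nat_matches": matches_crypto_acl(local, nat_src, dst),
        "unmirrored": [f"{s} -> {d}" for s, d in unmirrored(local, parse_acl(peer_text))],
    }


if __name__ == "__main__":
    # Real inside host 198.2.0.50 is statically translated to 10.147.110.2.
    print(check(LOCAL_ACL, PEER_ACL, "198.2.0.50", "10.147.110.2", "10.135.71.1"))
```

Run against the two real configurations (yours and the peer's) and an empty "unmirrored" list means the proxy identities agree on both ends.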
10-08-2008 12:20 PM
Nyle,
Thanks for the update and taking time to rate and also update the forum with the solution.
Regards,
Arul