09-22-2010 07:22 AM - edited 02-21-2020 04:52 PM
Dear all,
I have a PIX firewall on which 20 VPNs are terminated. One of my new requirements is to establish a VPN tunnel to another location to which I don't have access. On my side I have a pool of private IPs that is only allowed through the tunnel. I have configured a one-to-one NAT with one of the pool IPs and my internal server.
I have tried a lot, but the VPN tunnel is not coming up.
Please check the brief configuration and the attached full configuration. In my config 10.66.100.208 255.255.255.248 is the IP pool and 192.168.0.239 is my server. When I try to ping 192.168.108.75 from 192.168.0.239 the VPN ACL count is increasing but the tunnel is not coming up.
Please look into this and help me to sort out this issue.
==============================================================
access-list NAT permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
access-list NAT permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5
access-list NI permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
access-list NI permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5
crypto ipsec transform-set NI esp-3des esp-sha-hmac
isakmp policy 25 authentication pre-share
isakmp policy 25 encryption 3des
isakmp policy 25 hash sha
isakmp policy 25 group 5
isakmp policy 25 lifetime 1440
crypto map forsberg 38 ipsec-isakmp
crypto map forsberg 38 match address NI
crypto map forsberg 38 set peer 1.1.1.250
crypto map forsberg 38 set transform-set NI
crypto map forsberg 38 set security-association lifetime seconds 3600
static (inside,outside) 10.66.100.209 192.168.0.239 netmask 255.255.255.255 0 0
isakmp key Fa$1xx!@$ address 1.1.1.250 netmask 255.255.255.255
======================================================================================
pixfirewall# sh access-list NI
access-list NI; 2 elements
access-list NI line 1 permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75 (hitcnt=87)
access-list NI line 2 permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5 (hitcnt=0)
pixfirewall#
09-22-2010 08:04 AM
Hi,
What do the debugs say when bringing the tunnel up? Please enable "debug crypto isa 127" and "debug crypto ipsec 127" and paste those outputs here after sanitizing them.
Thanks and Regards,
Prapanch
09-22-2010 08:57 AM
Hi Prapanch, thanks for your kind support.
Please check the debug crypto ipse 127 output; I believe here is the issue.
When I do debug crypto isa 127 I can't see the peer IP address.
pixfirewall# debug crypto ipse 127
pixfirewall# IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
Could you please advise......
Please note that on my side I am using Cisco PIX 6.3 and on the other side they are using a Cisco router. I got the other side's ACL, and I am mentioning that as well. I don't have any other config of my peer end.
Extended IP access list FDN-VPN
10 permit ip host 192.168.108.75 10.66.100.208 0.0.0.7
20 permit ip host 10.67.1.5 10.66.100.208 0.0.0.7
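Two things are worth verifying mechanically on a site-to-site tunnel like this one: the PIX crypto ACL (subnet-mask notation) and the router's ACL (wildcard notation) must be exact mirror images, and because the PIX applies the static NAT before the crypto map, the translated address (10.66.100.209 here) must fall inside the local crypto ACL's source. The following Python is an added example, not code from this thread or from Cisco; it parses both ACLs as posted above and checks both conditions (the sample ACL text and the static address are copied from the posts).

```python
import ipaddress

# Constructed sample input: the PIX 6.3 crypto ACL and the peer router's ACL as posted.
PIX_ACL = """
access-list NI permit ip 10.66.100.208 255.255.255.248 host 192.168.108.75
access-list NI permit ip 10.66.100.208 255.255.255.248 host 10.67.1.5
"""
IOS_ACL = """
10 permit ip host 192.168.108.75 10.66.100.208 0.0.0.7
20 permit ip host 10.67.1.5 10.66.100.208 0.0.0.7
"""

def _addr(tokens, wildcard):
    """Consume one address spec from tokens: 'host A', 'any', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = tokens.pop(0)
    if wildcard:  # IOS wildcard bits: invert explicitly so 0.0.0.0 means /32, not /0
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)

def parse_acl(text, wildcard):
    """Return a set of (src_net, dst_net) pairs for the 'permit ip' entries."""
    entries = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        idx = tokens.index("permit")
        if tokens[idx + 1] != "ip":
            continue
        rest = tokens[idx + 2:]
        entries.add((_addr(rest, wildcard), _addr(rest, wildcard)))
    return entries

def mirror_mismatches(local, remote):
    """Entries on either side that have no exact mirror image on the other side."""
    mirrored_remote = {(dst, src) for src, dst in remote}
    return (local - mirrored_remote, mirrored_remote - local)

def nat_inside_crypto(static_global, local):
    """True if the translated (global) address is covered by some local crypto source."""
    return any(ipaddress.ip_address(static_global) in src for src, _ in local)

if __name__ == "__main__":
    pix = parse_acl(PIX_ACL, wildcard=False)
    ios = parse_acl(IOS_ACL, wildcard=True)
    print("mirror mismatches (local-only, remote-only):", mirror_mismatches(pix, ios))
    print("static 10.66.100.209 inside crypto source:", nat_inside_crypto("10.66.100.209", pix))
```

For the ACLs as posted both checks pass, which is consistent with the thread's outcome: the configuration was fine and the "ACL = deny" messages came from stale security associations rather than an ACL mismatch.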
09-22-2010 10:10 AM
Hi,
The reason for this can be many. Can you paste the entire debugs over here? Just "clear crypto isakmp sa" and "clear crypto ipsec sa" and then initiate the tunnel to get the complete set of debugs.
Thanks and Regards,
Prapanch
09-22-2010 11:29 AM
Thanks Prapanch, thanks for your support.
After clearing the ISAKMP and IPsec SAs it started working.
09-22-2010 07:08 PM
Great. Glad to know that!!