[fw-wiz] Pix LAN-To-LAN Problem

From: cs 2004 (cskb2004_at_yahoo.com)
Date: 06/17/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 17 Jun 2004 06:31:18 -0700 (PDT)

    Hi wizards,

    I have a typical problem negotiating LAN-To-LAN VPN
    tunnels from my pix. I myself have worked on various
    IPSEC supportive devices including the PIX, but for
    some reason, this is really troubling me now.

    Here is the scenario:

    I have PIX on my side and a Cisco concentrator on the
    customer end.

    The tunnel can successfully be established when
    initiated by the customer (Concentrator 3030); all
    traffic then passes normally. When initiated from our
    side (PIX 535) we immediately receive
    "IPSEC(sa_initiate): ACL = deny; no sa created" while
    running "debug crypto ipsec" and "debug crypto
    isakmp". We have other VPN tunnels that function
    correctly both from the trusted and untrusted
    networks.

    I have a border router above my firewall and no
    filtering on that device.

    This problem, "IPSEC(sa_initiate): ACL = deny; no sa
    created", happens every time I create a new tunnel,
    and I don't know what happens, but with every customer I
    see this error. I tell them to make sure the proxy
    configurations match and UDP 500 traffic is allowed on
    their border routers; they make some change and it goes
    through. But for this particular tunnel, I just keep
    getting the same error. It's entirely possible that the
    remote end is the problem; however, I want to rule out
    possible misconfiguration on my end.

    Any clue? Suggestions?

    Best
    Chandan
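The "make sure the proxy configurations match" check from the post, automated as an added example that is not part of the original message: it parses PIX-style crypto ACL lines (constructed sample data, not the poster's configuration), lists local permit entries with no mirrored permit on the remote side, and shows which action a given flow hits first, since a flow that matches a deny or nothing at all gets no SA proposed.

```python
import ipaddress
import re

# Constructed sample crypto ACLs for both ends (not taken from the post).
# Syntax: access-list NAME permit|deny ip SRC SRCMASK DST DSTMASK
LOCAL_ACL = """
access-list cust_vpn deny ip 10.1.9.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list cust_vpn permit ip 10.1.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list cust_vpn permit ip 10.2.0.0 255.255.255.0 172.16.5.0 255.255.255.0
"""
REMOTE_ACL = """
access-list pix_vpn permit ip 172.16.5.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list pix_vpn permit ip 172.16.5.0 255.255.255.0 10.3.0.0 255.255.255.0
"""

ACE_RE = re.compile(
    r"access-list\s+\S+\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_acl(text):
    """Return (action, src_net, dst_net) tuples in ACL order; skip non-ACE lines."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        action, src, smask, dst, dmask = m.groups()
        entries.append((action,
                        ipaddress.ip_network(f"{src}/{smask}"),
                        ipaddress.ip_network(f"{dst}/{dmask}")))
    return entries


def unmirrored_permits(local_acl, remote_acl):
    """Local permit entries whose exact mirror (src/dst swapped) is missing remotely."""
    remote = {(s, d) for a, s, d in parse_acl(remote_acl) if a == "permit"}
    return [(s, d) for a, s, d in parse_acl(local_acl)
            if a == "permit" and (d, s) not in remote]


def classify_flow(local_acl, src_ip, dst_ip):
    """First-match lookup: 'permit', 'deny' or 'no-match' for a src->dst flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in parse_acl(local_acl):
        if s in src_net and d in dst_net:
            return action
    return "no-match"


if __name__ == "__main__":
    for s, d in unmirrored_permits(LOCAL_ACL, REMOTE_ACL):
        print(f"no remote mirror for {s} -> {d}")
    print(classify_flow(LOCAL_ACL, "10.1.9.5", "172.16.5.10"))
```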


