RE: [fw-wiz] Pix LAN-To-LAN Problem

• Previous message: Chris Pugrud: "RE: [fw-wiz] Certification"
• Maybe in reply to: cs 2004: "[fw-wiz] Pix LAN-To-LAN Problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "cs 2004" <cskb2004@yahoo.com>, <firewall-wizards@honor.icsalabs.com>
Date: Mon, 21 Jun 2004 08:33:59 -0400

Are you sure that the traffic you are generating is supposed to be
allowed? If you are convinced that this is a result of a problem on the
remote end, one way to find out might be to run 'debug crypto isakmp'
and attempt to bring the tunnel up. If Phase 1 completes correctly,
then you can rule out an access-list on your side. In which case,
you're probably trying to generate traffic that is denied by a filter on
the concentrator.

If Phase 1 negotiation never begins, I would guess that you have an
access-list bound to the inside interface (or whichever interface the
local VPN traffic arrives on) that doesn't allow the traffic you are
attempting to send. I suppose this could also occur as a result of
interface security levels if the interface that was assigned to your
crypto map had a higher security level than the interface where the
local VPN traffic arrives at the firewall. (Though, I have never seen
this in production, and I can't imagine a scenario where this would be
appropriate.)

PaulM

> -----Original Message-----
> The tunnel can successfully be established when
> initiated by the customer (Concentrator 3030); all
> traffic then passes normally. When initiated from our
> side (PIX 535) we immediately receive
> "IPSEC(sa_initiate): ACL = deny; no sa created" while
> running "debug crypto ipsec" and "debug crypto
> isakmp". We have other VPN tunnels that function
> correctly both from the trusted and untrusted
> networks.
>
> I have a border router above my firewall and no
> filtering on that device.
>
> This problem "IPSEC(sa_initiate): ACL = deny; no sa
> created" happens everytime , i create a new tunnel,
> and dont know what happens, but with every customer i
> see this error, I tell them to make sure the proxy
> configurations match and UDP 500 traffic allowed on their
> border routers, they do some change and it goes through. But
> for this particular tunnel, I just keep getting the same
> error. Its entirely possible that
> remote end is the problem, however I want to rule out
> possible misconfiguration on my end.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Chris Pugrud: "RE: [fw-wiz] Certification"
• Maybe in reply to: cs 2004: "[fw-wiz] Pix LAN-To-LAN Problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: ftp problem ... > here is my whole firewall script ... > # No restrictions on Loopback Interface ... > # or from this gateway server destine for the public Internet. ... > # Allow out secure FTP, Telnet, and SCP ... (freebsd-questions) Re: Checkpoint experiences ... decide they want the firewall used by the big boys...often repeated, ... The Nokia appliance IPSO, is useful if you don't want to take the ... It is no wonder that the Nokia interface is called ... > billions on training, and classes, consultants, support contracts, etc. ... (comp.security.firewalls) Re: Terminal Server Setup ... description GRE Tunnel Source Interface ... input packets with dribble condition detected ... output buffer failures, ... (comp.dcom.sys.cisco) Re: Lets talk about firewalls - what do we as a group think a firewall should be/have? ... part of the same network as the LAN. ... Each interface of a firewall should be distinct from ... interfaces, so a "DMZ interface" is not a requirement. ... (comp.security.firewalls) Proxy ARP and Routing ... some CPE from our ISP connected to a firewall. ... the public IPs on the physical DMZ network. ... packets to the host on the DMZ? ... on the DMZ interface. ... (SunManagers)