Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN



I've had the same issue with a 515 and 2 x 505s running 6.4, and I had
to remove the crypto map from the 515 before adding the second 505,
and then re-apply it to the interface.

It looks like the ACL and maps could get corrupted; therefore, before
adding anything to the crypto map, I always make sure I unbind it,
make the changes and then rebind it.

On 9/12/07, Jerry B. Altzman <jbaltz@xxxxxxxxxxx> wrote:
Hi,

I wonder if any of you have encountered this problem before with
PIX<->PIX VPNs.

A client of mine has 3 firewalls: a Fortigate, a 515 and a 501. The 515
and FG already have an IPSec lan-to-lan VPN between them that works fine.

We'd like to set up a mesh of L2L VPNs, but first steps first: we need
to connect the 515 to the new 501.

I've gone through the configurations, followed the directions from
Cisco's website, cleared everything out and done everything *but*
restarted the 515 (which is in production and might cause some
consternation if it were rebooted willy-nilly).

I've watched the logging output, and it doesn't seem that the 501/515
pair even attempt to do the phase 1 IPSec negotiations. It's just that
NOTHING happens at all.

Has anyone seen this? Any received wisdom on this? My search-engine-fu
must be weak; I've not managed to tease out a solution to this from the
all-seeing GoogleEye.

Thanks!

//jbaltz
--
jerry b. altzman jbaltz@xxxxxxxxxxx www.jbaltz.com
thank you for contributing to the heat death of the universe.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards




--
Best regards,


Julian Dragut
If you knew that you wouldn't fall, how far would you have gone?
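The unbind, change, rebind sequence described in the reply above, written out as an added example for PIX 6.x CLI (this is not configuration posted by either participant). Everything named here is assumed: the crypto map is called outside_map and already carries the working Fortigate entry at sequence 10, the 501 is added at sequence 20, the peer address 203.0.113.10 and the 10.1.0.0/16 and 10.2.0.0/16 subnets are placeholders, and the ACL and transform-set names are made up for the example.

```cisco
! 1. Detach the crypto map from the outside interface before touching it.
!    Existing tunnels (the FG entry at seq 10) drop until step 3, so do
!    this in a change window.
no crypto map outside_map interface outside

! 2. Add the new lan-to-lan entry for the 501 (seq 20, assumed free).
!    Interesting traffic: 515 inside net -> 501 inside net (placeholders).
access-list l2l_501 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! The same traffic must bypass NAT, or the packets never match the crypto
! ACL and no IKE negotiation is ever triggered. nonat is the ACL assumed
! to already be referenced by "nat (inside) 0 access-list nonat".
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address l2l_501
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set esp-3des-sha

! Pre-shared key for the new peer only; the FG peer keeps its own entry.
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode

! 3. Re-attach the map. All entries, including the untouched FG one at
!    seq 10, are re-read from the running config at this point.
crypto map outside_map interface outside

! 4. Checks before calling it done.
show crypto map                 ! both seq 10 and seq 20 listed, bound to outside
show isakmp sa                  ! a phase 1 SA should appear once traffic is sent
show crypto ipsec sa            ! phase 2 SAs, encaps/decaps counters climbing
debug crypto isakmp             ! if nothing appears here, IKE is never triggered:
                                ! re-check the nat 0 ACL and the match ACL first
```

The isakmp policy and "isakmp enable outside" are assumed to be in place already, since the existing FG tunnel works. The ordering matters on 6.x: adding match, peer and transform-set lines to a map that is still bound to the interface is exactly the situation the reply above describes as leaving the ACL and map in a bad state, and the symptom of that is the one in the original question, no IKE attempt at all.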


