Re: [fw-wiz] PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN
Wow, 3 responses so far!
on 2007-09-12 11:56 Christopher J. Wargaski said the following:
I have seen this when there is a routing problem. Can the 515 ping the
outside interface of the 501?

Yes, there is 100% reachability on both sides.

on 2007-09-12 23:08 Glenn Crissman said the following:
First guess is check your NAT 0 access lists on both sides. If you don't
have an acl entry there matching your interesting traffic acl for the
515 / 501 L2L VPN it won't attempt to come up. The PIX will NAT the
traffic (or at least attempt to) before it hits the crypto engine.

I've cleared the nat 0 entries on both sides already...I'm reasonably
sure that's not it. We're not even seeing IPSec try to *start*, basically.

on 2007-09-12 16:38 Julian M. Dragut said the following:
I've had the same issue with 515 and 2 X 505's running 6.4, and I had
to remove the crypto map from the 515 before adding the second 505,
and then re-apply it to the interface.

It looks like the ACL and maps could get corrupted, therefore, before
adding anything to the crypto map, I always make sure I unbind it,
make the changes and then rebind it.

This seems like the most likely candidate. We'll have to find time to
bring down all the VPNs and try rebuilding from scratch.

//jbaltz
--
jerry b. altzman jbaltz@xxxxxxxxxxx www.jbaltz.com
thank you for contributing to the heat death of the universe.
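As an added example (not from any of the posters above), the ordering Julian describes combined with Glenn's nat 0 check, written as a PIX 6.x configuration fragment that adds a second L2L peer to a crypto map that already carries one tunnel. The map name, ACL names, addresses and the transform-set are placeholders; the transform-set and the existing entry 10 are assumed to be already configured for the first tunnel.

```cisco
! Added example, not from the thread. PIX 515 running 6.x with an existing
! L2L tunnel (map entry 10, peer SITE-A); a second L2L tunnel to a PIX 501
! (SITE-B) is being added. All names and addresses are placeholders.
!   515 inside: 10.1.0.0/24   SITE-A inside: 10.2.0.0/24   501 inside: 10.3.0.0/24
!   SITE-A outside peer: 203.0.113.10   501 outside peer: 203.0.113.20
!
! 1. NAT exemption must cover the interesting traffic of BOTH tunnels
!    (Glenn's point). Without the second line, traffic to 10.3.0.0/24 is
!    translated before it reaches the crypto engine and ISAKMP never starts.
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 2. Interesting-traffic ACL for the new tunnel, one ACL per peer.
access-list vpn-siteb permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
!
! 3. Unbind the crypto map from the interface before changing it (Julian's
!    practice), add the new entry under its own sequence number, then rebind.
no crypto map outside_map interface outside
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn-siteb
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp key ******** address 203.0.113.20 netmask 255.255.255.255
crypto map outside_map interface outside
!
! 4. Verify: send traffic from 10.1.0.0/24 to 10.3.0.0/24, then confirm the
!    nonat line is being hit and that phase 1 / phase 2 SAs are negotiated.
show access-list nonat
show crypto isakmp sa
show crypto ipsec sa
```

If the nonat hit counter stays at zero while the vpn-siteb ACL counts, the traffic is not matching the exemption and the problem is NAT, not the crypto map.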
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards