Re: [fw-wiz] asa 5505 vpn ipsec l2l problem



And when I'm applying the ACL in the crypto map
crypto map abcMap 1 match address acl
I'm getting this log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead

I don't have any debug messages (debug crypto ipsec 100). I googled it but
haven't found any answer.

thank you for your answers!

acl:
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list acl extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data


You can only use 'permit ip' in an access-list used for crypto map match,
and your access-list is set to use tcp.

If you need to filter VPN traffic down to the port and protocol level, use
the access-list applied to the outside interface, not the access-list
applied to the VPN tunnel's crypto map.

PaulM
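As an added example (not from the thread, and not PaulM's config), the split PaulM describes using the hosts from the original ACL: the crypto ACL keeps only host-to-host permit ip entries, and the port restrictions move to an interface ACL. Because the original entries show the 192.168.11.x hosts initiating toward the 10.1.x servers, the filter is placed inbound on the inside interface, where locally sourced traffic is first evaluated; the interface name, the ACL names, the 10.1.0.0/16 remote range and the sysopt note are assumptions.

```cisco
! Crypto ACL (interesting traffic): protocol ip only, one line per host pair.
! No ports or protocols here; this ACL only selects what gets encrypted.
access-list acl-vpn extended permit ip host 192.168.11.11 host 10.1.100.13
access-list acl-vpn extended permit ip host 192.168.11.11 host 10.1.110.250
access-list acl-vpn extended permit ip host 192.168.11.11 host 10.1.100.105
access-list acl-vpn extended permit ip host 192.168.11.12 host 10.1.100.13
access-list acl-vpn extended permit ip host 192.168.11.12 host 10.1.110.250
access-list acl-vpn extended permit ip host 192.168.11.12 host 10.1.100.105
!
! Re-point crypto map entry 1 at the ip-only ACL (peer and transform set
! for entry 1 are left exactly as already configured).
crypto map abcMap 1 match address acl-vpn
!
! Port filtering, enforced by the interface ACL instead. "inside" is an
! assumed interface name; return packets are allowed by the stateful engine.
access-list inside_in extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list inside_in extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list inside_in extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp
access-list inside_in extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list inside_in extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list inside_in extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list inside_in extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list inside_in extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
! Anything else from inside toward the (assumed) remote range is dropped
! and logged, so unexpected tunnel traffic shows up in syslog.
access-list inside_in extended deny ip any 10.1.0.0 255.255.0.0 log
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! Caveat: with the default "sysopt connection permit-vpn", decrypted traffic
! arriving from the peer bypasses interface ACLs. To filter that direction
! as well, disable it (below) or attach a vpn-filter through the group-policy.
no sysopt connection permit-vpn
```

The remote side must mirror the ip-only crypto ACL (same host pairs, source and destination swapped) or the SA proxy identities will not match.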


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


