Re: [fw-wiz] asa 5505 vpn ipsec l2l problem
- From: Eric Gearhart <eric@xxxxxxxxxxxxx>
- Date: Fri, 2 Oct 2009 11:33:12 -0700
On Fri, Oct 2, 2009 at 5:09 AM, Hrvoje Popovski <hrvoje@xxxxxxx> wrote:
hello everyone,
i have an asa 5505 with Base license and 7.2.4 software.
i'm trying to create an l2l ipsec tunnel reading the manual on
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html
and when i'm applying the acl in the crypto map
crypto map abcMap 1 match address acl
i'm getting this log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead
i don't have any debug messages (debug crypto ipsec 100)
googled it but haven't found any answer.
thank you for your answers!
acl
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list acl extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
If you're not seeing IPsec build the tunnel with debug crypto, I would guess
that traffic is getting NAT'd out, and not hitting the tunnel (by the way,
you probably only need debug crypto ipsec 5, not 100...)
Do you have NAT set up on the 5505? If you do, do you have a NAT exclude ACL
set up that excludes "your device networks -> remote device networks"?
--
Eric
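For readers following Eric's NAT question, here is what the NAT exemption he describes looks like on ASA 7.2, built around the host pairs in Hrvoje's crypto ACL. This is an added example, not configuration from either poster: the interface names "inside" and "outside", the exemption ACL name "nonat", the transform-set name and the peer address 203.0.113.1 are assumptions, and the remote side is assumed to carry the mirror-image crypto ACL.

```cisco
! Added example (not from the thread): NAT exemption for the L2L tunnel.
! Assumed names: inside/outside interfaces, "nonat" ACL, ESP-AES-SHA
! transform set; 203.0.113.1 is a placeholder for the remote peer.
!
! With dynamic NAT/PAT on the inside interface, flows to the remote hosts are
! translated before the crypto map sees them and never match "acl". The
! "nat 0" exemption must cover at least every host pair in the crypto ACL;
! "permit ip" is used so the ftp-data and return traffic are covered too.
access-list nonat extended permit ip host 192.168.11.11 host 10.1.100.13
access-list nonat extended permit ip host 192.168.11.11 host 10.1.110.250
access-list nonat extended permit ip host 192.168.11.11 host 10.1.100.105
access-list nonat extended permit ip host 192.168.11.12 host 10.1.100.13
access-list nonat extended permit ip host 192.168.11.12 host 10.1.110.250
access-list nonat extended permit ip host 192.168.11.12 host 10.1.100.105
nat (inside) 0 access-list nonat
!
! The crypto map entry from the post, with the pieces a working entry needs.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map abcMap 1 match address acl
crypto map abcMap 1 set peer 203.0.113.1
crypto map abcMap 1 set transform-set ESP-AES-SHA
crypto map abcMap interface outside
!
! Verification: the trace should show the flow hitting the NAT exemption and
! a VPN encrypt phase rather than a dynamic translation, and an SA should
! then appear with matching local/remote identities.
packet-tracer input inside tcp 192.168.11.11 1025 10.1.100.13 4000
show crypto ipsec sa
```

Two checks worth keeping in mind: the exemption ACL must be at least as broad as the crypto ACL (a crypto-ACL line with no matching nat 0 line gets translated and silently bypasses the tunnel), and the peer's crypto ACL must be the exact mirror of "acl", otherwise phase 2 fails on a proxy-identity mismatch even though NAT is correct.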
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards