04-03-2007 07:01 PM - edited 02-21-2020 02:57 PM
Please see my PIX version and the hardware details below:
Cisco PIX Firewall Version 6.3(5)
Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz
Flash E28F128J3 @ 0x300, 16MB
I added a host on the IPsec tunnel and ran the following command:
FW# sh crypto ipsec sa | be HTX0062-NAT
local ident (addr/mask/prot/port): (HTX0062-NAT/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (195.140.250.0/255.255.255.240/0/0)
current_peer: CERNER-NAT:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 206.5.104.10, remote crypto endpt.: CERNER-NAT
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
But, the remote end was unable to initiate a connection.
My senior colleague said I have to reset the tunnel to get it working. I just want to know whether IT IS RIGHT or NOT.
Regards
Kelvin Cheung
04-04-2007 06:24 PM
Yes, often you'll have to reset the tunnel if you change the crypto map.
04-16-2007 03:26 PM
I can't see my last post, so I am posting it again.
I added a host on the existing ACL for the crypto map.
It did NOT work. Do I need to reset the IPsec tunnel?
Thanks....
Kelvin Cheung
04-16-2007 09:59 PM
Kelvin,
Yes, clear the existing tunnel -
In config mode:
clear isakmp sa
clear ipsec sa
The above will drop any existing tunnels. To rebuild the tunnel, just ping your remote internal peer IP from your internal IP range.
Hope this helps and please rate posts!
04-17-2007 06:21 PM
Dear Jay Mia
First of all, thanks for your reply.
The command "clear isakmp sa" and "clear ipsec sa" will NOT delete any PIX configurations???
Regards
Kelvin Cheung
04-17-2007 09:52 PM
Hi Kelvin,
No, by using "clear isakmp sa" and "clear ipsec sa" it will NOT delete any configuration.
The above commands ONLY reset the SA tables for both ISAKMP and IPsec.
Hope this helps and please rate posts!!
Jay
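Added example (not part of the thread and not Cisco code): a small Python parser for the "show crypto ipsec sa" output format quoted in the first post. It flags entries whose outbound SPI is 0, meaning no IPsec SA has been negotiated for that ACL line, so the output can be checked again after clearing the SAs and sending traffic. The second sample entry (EXAMPLE-HOST, 192.0.2.0, SPI 3a4b5c6d) and the state labels are constructed for illustration.

```python
import re

# Constructed sample: the first entry mirrors the output quoted in the thread
# (no SA negotiated); the second entry is invented to show an established SA.
SAMPLE = """\
local ident (addr/mask/prot/port): (HTX0062-NAT/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (195.140.250.0/255.255.255.240/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
current outbound spi: 0
local ident (addr/mask/prot/port): (EXAMPLE-HOST/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.240/0/0)
#pkts encaps: 42, #pkts encrypt: 42, #pkts digest 42
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
current outbound spi: 3a4b5c6d
"""

def parse_sa_entries(text):
    """Split 'show crypto ipsec sa' output into one dict per local/remote ident pair."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"local ident .*: \((.+)\)$", line):
            cur = {"local": m.group(1), "remote": None, "encaps": 0, "decaps": 0, "spi": 0}
            entries.append(cur)
        elif cur is None:
            continue  # skip banner lines before the first entry
        elif m := re.match(r"remote ident .*: \((.+)\)$", line):
            cur["remote"] = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.match(r"current outbound spi: ([0-9a-fA-F]+)", line):
            cur["spi"] = int(m.group(1), 16)  # SPI is printed in hex
    return entries

def sa_state(entry):
    """Classify an entry: SPI 0 means no IPsec SA exists for this ACL line yet."""
    if entry["spi"] == 0:
        return "no-sa"
    if entry["encaps"] and not entry["decaps"]:
        return "up-outbound-only"  # we encrypt, but nothing comes back
    if entry["decaps"] and not entry["encaps"]:
        return "up-inbound-only"
    return "up" if entry["encaps"] else "up-idle"

if __name__ == "__main__":
    for e in parse_sa_entries(SAMPLE):
        print(f'{e["local"]} -> {e["remote"]}: {sa_state(e)}')
```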