05-11-2007 05:25 AM
Does anybody have any ideas why a site-to-site VPN tunnel could only be established one way? I have a pix connecting to a vpn concentrator via IPSEC tunnel using NAT-T. From the concentrator if I initiate traffic to the pix, the tunnel comes up and then I can access resources behind the concentrator from the pix side.
If I try to initiate traffic from the pix side, the tunnel will not come up. Doing a debug on the pix, it doesn't even try to initiate the tunnel.
Here is a snippet from the pix config:
crypto ipsec transform-set TestSet esp-3des esp-sha-hmac
crypto map TestMap 10 ipsec-isakmp
crypto map TestMap 10 match address ACL_VPN
crypto map TestMap 10 set peer 10.10.10.1
crypto map TestMap 10 set transform-set TestSet
crypto map TestMap interface outside
isakmp enable outside
isakmp key ******** address 10.10.10.1 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
I am just using 10. addresses above for the peer as an example. The ACL_VPN specifies the local/remote subnets correctly. The default route is to the outside interface of the pix.
On the concentrator, I have specified the tunnel is bi-directional.
Anybody any ideas why it will only initiate one way?
Cheers
Brian
05-11-2007 05:50 AM
Is there a firewall in front of the concentrator that would be blocking the pix from initiating?
05-11-2007 05:53 AM
Hi
If the pix is not even trying to initiate the tunnel then it looks like your crypto access-list is not matching any traffic.
Are you natting the source IPs on the pix, and if so, does your crypto access-list reference the natted addresses, which it should?
Jon
05-12-2007 08:26 PM
Please post your ACL 'ACL_VPN' and your NAT Exemption ACL.
Thanks!
05-14-2007 06:40 AM
Forgot my Nat 0, doh. Working fine now.
Cheers
Brian
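
The fix from the last post, written out as an added example that is not part of the original thread or the poster's actual config: on the PIX, outbound traffic is translated before the crypto map ACL is checked, so VPN traffic needs a NAT exemption (nat 0) to keep the real addresses that ACL_VPN matches. The subnets, the "inside" interface name and the ACL_NONAT name are constructed placeholders.

```cisco
! Added example; subnets, interface name and ACL_NONAT are constructed placeholders.
! Crypto ACL: local subnet -> remote subnet, using real (untranslated) addresses
access-list ACL_VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! NAT exemption ACL covering the same local -> remote traffic
access-list ACL_NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! The kind of line that was missing: exempt VPN-bound traffic from NAT
nat (inside) 0 access-list ACL_NONAT
! Ordinary dynamic NAT for Internet-bound traffic stays in place
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

Hit counts in `show access-list` for ACL_VPN and ACL_NONAT show whether traffic initiated from the PIX side is matching both lists.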