05-11-2007 05:25 AM
Does anybody have any ideas why a site-to-site VPN tunnel could only be established one way? I have a pix connecting to a vpn concentrator via IPSEC tunnel using NAT-T. From the concentrator, if I initiate traffic to the pix, the tunnel comes up and then I can access resources behind the concentrator from the pix side.
If I try to initiate traffic from the pix side, the tunnel will not come up. Doing a debug on the pix, it doesn't even try to initiate the tunnel.
Here is a snippet from the pix config:
crypto ipsec transform-set TestSet esp-3des esp-sha-hmac
crypto map TestMap 10 ipsec-isakmp
crypto map TestMap 10 match address ACL_VPN
crypto map TestMap 10 set peer 10.10.10.1
crypto map TestMap 10 set transform-set TestSet
crypto map TestMap interface outside
isakmp enable outside
isakmp key ******** address 10.10.10.1 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
I am just using 10. addresses above for the peer as an example. The ACL_VPN specifies the local/remote subnets correctly. The default route is to the outside interface of the pix.
On the concentrator, I have specified the tunnel is bi-directional.
Anybody any ideas why it will only initiate one way?
Cheers
Brian
05-11-2007 05:50 AM
Is there a firewall in front of the concentrator that would be blocking the pix from initiating?
05-11-2007 05:53 AM
Hi
If the pix is not even trying to initiate the tunnel then it looks like your crypto access-list is not matching any traffic.
Are you NATting the source IPs on the pix, and if so, does your crypto access-list reference the NATted addresses, which it should?
Jon
05-12-2007 08:26 PM
Please post your ACL 'ACL_VPN' and your NAT Exemption ACL.
Thanks!
05-14-2007 06:40 AM
Forgot my Nat 0, doh. Working fine now.
Cheers
Brian
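The missing piece Brian refers to, shown as an added illustration rather than config from the original post: on a PIX the crypto ACL and the NAT exemption (nat 0) ACL must describe the same pre-NAT addresses, because NAT is applied before the crypto map is checked. The subnets 192.168.1.0/24 (behind the PIX) and 192.168.2.0/24 (behind the concentrator) and the ACL name NONAT are assumptions.

```cisco
! Assumed subnets: 192.168.1.0/24 behind the PIX, 192.168.2.0/24 behind the concentrator.
! Crypto ACL: defines the "interesting" traffic that triggers IKE and is protected by the tunnel.
! It must use the real (pre-NAT) addresses so outbound packets from the inside can match it.
access-list ACL_VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! NAT exemption: without this, outbound traffic is PATed to the outside interface address
! before the crypto map is consulted, so it never matches ACL_VPN and the PIX never
! initiates the tunnel (exactly the "debug shows nothing" symptom in the thread).
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Ordinary PAT for all other inside traffic (unchanged by the fix).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

The concentrator's network lists must mirror this (192.168.2.0/24 local, 192.168.1.0/24 remote); on the PIX, the hit counts in `show access-list ACL_VPN` show whether outbound traffic is actually matching the crypto ACL.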