royalblues Sun, 08/19/2007 - 11:58

The error is at phase 1 itself.


Are you sure you have the same properties at both ends in terms of ISAKMP policies: encryption, hash, authentication and group?


Narayan

dradhika Sun, 08/19/2007 - 22:24

Hi Sheeraz,


On router can you replace,

crypto isakmp key 6 cisco123 address 203.82.55.106 255.255.255.252

with

crypto isakmp key cisco123 address 203.82.55.106 255.255.255.252

and check.

Also, if possible, remove the netmask on both devices in the crypto isakmp key CLI if you are establishing the tunnel just between these two devices.


The CLI will look as below without the mask:

On router -

crypto isakmp key cisco123 address 203.82.55.106

on pix -

isakmp key cisco123 address 203.130.2.164


HTH,

Radhika

sheerazkhatri Mon, 08/20/2007 - 05:39

Thank you Radhika for the advice... I did what you suggested but it didn't work... Any more ideas??

Sheeraz


dradhika Mon, 08/20/2007 - 09:39

Have you deleted access-list 104 on the router by any chance, or just did not include it in the attachment?


Thanks,

Radhika

sheerazkhatri Tue, 08/21/2007 - 05:17

Sorry for that... ACL 104 is not in the attachment. Following is the ACL 104.


access-list 104 permit ip 10.0.0.0 0.0.255.255 190.190.0.0 0.0.255.255

access-list 104 permit ip 172.16.0.0 0.0.255.255 190.190.0.0 0.0.255.255

access-list 104 permit ip 10.3.1.224 0.0.0.31 190.190.0.0 0.0.255.255

access-list 104 permit ip 10.0.0.0 0.0.255.255 172.16.21.0 0.0.0.255

access-list 104 permit ip 10.3.1.224 0.0.0.31 172.16.21.0 0.0.0.255

access-list 104 permit ip 172.16.0.0 0.0.255.255 172.16.21.0 0.0.0.255


Hope this works.

Sheeraz

dradhika Tue, 08/21/2007 - 09:10

From the attached config files:

1. The crypto access list on the PIX (101) seems to contain different ACEs from that on the router (104).

Otherwise all the VPN CLI seems to be OK.

Can you check that NAT is not done for the traffic on both devices?

2.

ip route 190.190.0.0 255.255.0.0 203.82.55.106

Here I do not see any interface with an IP on the subnet of 203.82.55.106.

If 190.190.0.0 is the inside network of the PIX, then doesn't the next-hop IP in this route need to be 203.130.2.161 instead of 203.82.55.106?


Thanks,

Radhika
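The mismatch Radhika points to above (PIX crypto ACL 101 versus router crypto ACL 104) is the classic cause of a phase 2 proxy-identity failure: each side must carry the exact mirror image of the other's interesting-traffic ACEs. The following script is an added example, not code from the thread or from Cisco. It parses router ACL 104 exactly as Sheeraz posted it (IOS wildcard-mask syntax) and compares it against a PIX-style ACL written with subnet masks. The thread never shows PIX ACL 101, so the `PIX_ACL_101` text here is a constructed sample that deliberately drops one mirror entry and adds one stray entry, to show what the check reports; the function and variable names are the example's own.

```python
"""Check that two IPsec crypto ACLs are mirror images of each other.

Added example (not from the forum thread). IOS extended ACLs use wildcard
masks (0.0.255.255); PIX 6.x ACLs use subnet masks (255.255.0.0). Both are
normalised to ip_network objects, the router side is reflected (src/dst
swapped), and the PIX side is diffed against that reflection.
Assumes contiguous masks; non-contiguous wildcards are not handled.
"""
import ipaddress
import re

# Router ACL 104 as posted in the thread (IOS wildcard-mask syntax).
ROUTER_ACL_104 = """
access-list 104 permit ip 10.0.0.0 0.0.255.255 190.190.0.0 0.0.255.255
access-list 104 permit ip 172.16.0.0 0.0.255.255 190.190.0.0 0.0.255.255
access-list 104 permit ip 10.3.1.224 0.0.0.31 190.190.0.0 0.0.255.255
access-list 104 permit ip 10.0.0.0 0.0.255.255 172.16.21.0 0.0.0.255
access-list 104 permit ip 10.3.1.224 0.0.0.31 172.16.21.0 0.0.0.255
access-list 104 permit ip 172.16.0.0 0.0.255.255 172.16.21.0 0.0.0.255
"""

# Constructed PIX ACL 101: the thread does not show the real one. PIX syntax
# uses subnet masks. This sample omits the mirror of the last router ACE and
# adds a 192.168.50.0/24 entry the router does not have.
PIX_ACL_101 = """
access-list 101 permit ip 190.190.0.0 255.255.0.0 10.0.0.0 255.255.0.0
access-list 101 permit ip 190.190.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list 101 permit ip 190.190.0.0 255.255.0.0 10.3.1.224 255.255.255.224
access-list 101 permit ip 172.16.21.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list 101 permit ip 172.16.21.0 255.255.255.0 10.3.1.224 255.255.255.224
access-list 101 permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.0.0
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")


def _take_addr(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        # IOS wildcard: 0 bits are significant, so invert it into a netmask.
        inverted = (~int(ipaddress.ip_address(mask))) & 0xFFFFFFFF
        mask = str(ipaddress.ip_address(inverted))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(text, wildcard):
    """Return a set of (src, dst) networks for every 'permit ip' ACE.

    wildcard=True for IOS (wildcard masks), False for PIX (subnet masks).
    Lines that are not 'permit ip' ACEs (deny, remarks, other protocols)
    are ignored, as are trailing keywords such as 'log'.
    """
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        src, tokens = _take_addr(tokens, wildcard)
        dst, _ = _take_addr(tokens, wildcard)
        pairs.add((src, dst))
    return pairs


def mirror_diff(router_pairs, pix_pairs):
    """Diff the PIX ACL against the reflected router ACL.

    Returns (missing_on_pix, extra_on_pix) as sorted lists of (src, dst)
    strings: router ACEs whose (dst, src) reflection is absent on the PIX,
    and PIX ACEs that reflect nothing on the router.
    """
    expected = {(dst, src) for src, dst in router_pairs}
    missing = sorted((str(s), str(d)) for s, d in expected - pix_pairs)
    extra = sorted((str(s), str(d)) for s, d in pix_pairs - expected)
    return missing, extra


def check(router_text, pix_text):
    """Parse both ACL texts and return (missing_on_pix, extra_on_pix)."""
    return mirror_diff(parse_acl(router_text, wildcard=True),
                       parse_acl(pix_text, wildcard=False))


if __name__ == "__main__":
    missing, extra = check(ROUTER_ACL_104, PIX_ACL_101)
    for src, dst in missing:
        print(f"PIX is missing:  permit ip {src} -> {dst}")
    for src, dst in extra:
        print(f"PIX has extra:   permit ip {src} -> {dst}")
```

Run it as-is and it flags the one reflected ACE the sample PIX ACL lacks (172.16.21.0/24 to 172.16.0.0/16) and the stray 192.168.50.0/24 entry; paste the real `show access-list 101` output from the PIX into `PIX_ACL_101` to check the live configuration. Both lists being empty is the condition the phase 2 proxy IDs need before the NAT-exemption and routing questions in the post above are worth chasing.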


dradhika Tue, 08/21/2007 - 09:15

Also, if possible, can you disable IPsec on both devices and check whether you are able to ping the peer IP address and the inside network of the remote device from the router (both the outside interface and the inside interface)?


Thanks,

Radhika
