01-09-2008 12:14 AM - edited 03-03-2019 08:11 PM
Hi Experts,
I have the diagram below:
Server A -> A Firewall -> Router A <-> Router B <- B Firewall <- Server B
I am trying to do crypto map between Router A and B. There is NATed being done at both the firewall end.
Server A: 192.168.5.11
NATed at Firewall to 203.120.5.11
Server B: 172.16.16.11
NATed at Firewall to 203.123.16.11
I have done a permit access -list for 203.120.5.11 and 203.123.16.11 for the crypto map configuration.
But my question is whether i need to open any ports at the firewall end?
Currently the crypto not able to up.
Thanks.
Solved! Go to Solution.
01-09-2008 12:50 AM
Cindy
At the risk of making your headache worse :)
Phase 1 of your IPSEC is working fine.
The key bit out of your error file is
local_proxy= 172.26.128.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.23.184.0/255.255.255.0/0/0 (type=4),
Jan 9 08:32:45.649 GMT: IPSEC(validate_transform_proposal): proxy identities not supported
This is telling you that the routers disagree between what the local and remote networks are.
As you are Natting your servers to 203.x.x.x addressing these should not be the local and remote subnets.
Can you recheck your crypto map access-list and if still not clear post your router configs.
Jon
01-09-2008 12:23 AM
Hi Cindy
If the IPSEC tunnel is between the 2 routers which it sounds as if it is then the answer is it depends :). As an example
Server A telnets to Server B.
1) Is there an access-list on the A firewall on the inside interface that might stop the traffic reaching router A.
2) If not can you confirm that the firewall is doing the NAT translation correctly.
3) Assuming 1 & 2 are okay is there a rule on firewall B that allows telnet traffic from ServerA to Server B.
If 3 is okay then no you should not have to open any more ports because the return traffic will be allowed as the ASA's are stateful firewalls.
If you are using something like ping between the 2 servers you may need additional access-list entries.
When you try to initiate a connection and you have
debug crypto isa
debug crypto ipsec
turned on on router A do you see anything ?
Jon
01-09-2008 12:36 AM
01-09-2008 12:50 AM
Cindy
At the risk of making your headache worse :)
Phase 1 of your IPSEC is working fine.
The key bit out of your error file is
local_proxy= 172.26.128.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.23.184.0/255.255.255.0/0/0 (type=4),
Jan 9 08:32:45.649 GMT: IPSEC(validate_transform_proposal): proxy identities not supported
This is telling you that the routers disagree between what the local and remote networks are.
As you are Natting your servers to 203.x.x.x addressing these should not be the local and remote subnets.
Can you recheck your crypto map access-list and if still not clear post your router configs.
Jon
01-09-2008 01:11 AM
Jon,
Great! Headache reduce tremendously..! :D
Put in the access list to any any..n yup,
you are right on the routers not agreeing on the local n remote networks..
i am there already..:) can see the encrpytion traffic already..thanks a lot!
01-09-2008 01:15 AM
Cindy
Glad to be of help and appreciate the rating.
Good advert for Netpro - better than headache pills :)
Jon
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide