Trouble with site-to-site VPN on PIX 515

Unanswered Question
Oct 7th, 2008

Hi there,


I'm having trouble with a VPN I'm trying to create on a PIX 515. I have the crypto maps configured, I have the pre-shared key, I have the access-list in place, and I have the isakmp settings configured. I see the access-list incrementing when I initiate traffic from the desired host, but I'm receiving this message when I have debugging turned on:


IPSEC(sa_initiate): ACL = deny; no sa created


Any ideas what I can check?


Thanks in advance!

branfarm1 Wed, 10/08/2008 - 04:45

Here is the only output I get from debug crypto ipsec:


IPSEC(sa_initiate): ACL = deny; no sa created


debug crypto isakmp displays nothing.


Here is my config:



PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password VQVEpQa2RxgFDc9h encrypted
passwd OXQ30QDi0.VHGHVn encrypted
hostname Pix515
domain-name mycompany.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
access-list 100 deny ip host 198.2.0.50 10.0.0.0 255.0.0.0
access-list 100 permit ip 198.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list acl_mdc_outside_access_1 permit icmp any any time-exceeded
access-list acl_mdc_outside_access_1 permit icmp any any unreachable
access-list acl_mdc_outside_access_1 permit icmp any any echo-reply
access-list acl_mdc_outside_access_1 permit gre any any
access-list acl_mdc_outside_access_1 permit esp any any
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.70.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.71.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.172.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.173.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.140.120.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.140.18.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.1.63.0 255.255.255.0
pager lines 20
logging on
logging timestamp
logging buffered alerts
logging trap informational
logging history alerts
logging facility 19
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 219.91.112.242 255.255.255.240
ip address inside 53.154.233.254 255.255.255.248
arp timeout 60
global (outside) 1 219.91.77.193-219.91.77.254 netmask 255.255.255.192
global (outside) 1 219.91.112.248 netmask 255.255.255.240
nat (inside) 0 access-list 100
nat (inside) 1 198.3.0.0 255.255.255.0 0 0
nat (inside) 1 198.2.0.0 255.255.0.0 0 0
static (inside,outside) 10.147.110.2 198.2.0.50 netmask 255.255.255.255 0 0
access-group acl_mdc_outside_access_1 in interface outside
route outside 0.0.0.0 0.0.0.0 219.91.112.241 1
route inside 198.2.0.0 255.255.0.0 53.154.233.253 1
route inside 198.3.0.0 255.255.255.0 53.154.233.253 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
crypto map crypto_mdc_outside 102 ipsec-isakmp
crypto map crypto_mdc_outside 102 match address VPN1_ACL
crypto map crypto_mdc_outside 102 set peer 208.116.214.211
crypto map crypto_mdc_outside 102 set transform-set vpn1
crypto map crypto_mdc_outside interface outside
isakmp enable outside
isakmp key ******** address 208.116.214.211 netmask 255.255.255.255
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400



ajagadee Wed, 10/08/2008 - 10:03

Nyle,


What are the source and destination IP addresses that you are using to bring up the tunnel?


Where is the 10.147.110.0 network? I don't even see a route on the PIX for this network.


Also, I do not see your crypto traffic being included in the NAT 0 command. Can you include this and test the IPsec tunnel?


Can you provide me the above information?


Thanks,

Arul


** Please rate all helpful posts **



branfarm1 Wed, 10/08/2008 - 10:09

Here's the situation: The source is a server that resides internal to my network. I'm trying to create a site-to-site VPN to a client, over the internet. The client requires that I source my server from 10.147.110.0/24. The destination is any of the networks specified in the VPN1_ACL. I created an outside static NAT that should translate 192.2.0.50 to 10.147.110.2.


When you say that you do not see the crypto traffic being included in the NAT 0 command, which traffic are you looking for? I thought the match ACL in the crypto map would catch the traffic destined for the VPN?


Thanks


branfarm1 Wed, 10/08/2008 - 11:43

Thanks for your help. Turns out that the other end had a different ACL configured than I did. Once we verified that their ACL matched mine, the connection came right up.


Now I know though. And for anyone else out there who receives this message: IPSEC(sa_initiate): ACL = deny; no sa created


Double check the ACLs on both ends!
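
The fix above is a proxy-identity mismatch: the peer's crypto ACL has to be the exact mirror of the local one (source and destination swapped, same masks), or the PIX refuses to build the SA. The script below is an added example, not from the thread or from Cisco; it parses `access-list NAME permit ip ...` lines in PIX 6.3 syntax from both configs and reports every entry the other side fails to mirror. The peer ACL (`TO_PIX`) is constructed here for illustration; the local lines are taken from the posted VPN1_ACL.

```python
import ipaddress
import re

# PIX 6.3 syntax: "access-list NAME permit ip SRC MASK DST MASK", where SRC/DST
# may also be "host A.B.C.D" or "any". Masks are subnet masks, not wildcards.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+(?P<dst>host\s+\S+|any|\S+\s+\S+)\s*$"
)

def _to_net(spec):
    """Turn 'host X', 'any' or 'ADDR MASK' into an ip_network."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_crypto_acl(config_text, acl_name):
    """Set of (src_net, dst_net) pairs from the permit entries of one ACL."""
    entries = set()
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == acl_name and m.group("action") == "permit":
            entries.add((_to_net(m.group("src")), _to_net(m.group("dst"))))
    return entries

def check_mirror(local, remote):
    """Entries the peer must mirror (src/dst swapped) but does not, and vice versa."""
    mirrored = {(dst, src) for (src, dst) in remote}
    return {"missing_on_remote": local - mirrored, "extra_on_remote": mirrored - local}

# Local lines come from the posted config; the peer ACL is constructed and
# deliberately wrong: its second entry uses a /16 where the PIX has a /24.
LOCAL_CFG = """\
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.70.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.71.0 255.255.255.0
access-list 100 deny ip host 198.2.0.50 10.0.0.0 255.0.0.0
"""
REMOTE_CFG = """\
access-list TO_PIX permit ip 10.135.70.0 255.255.255.0 10.147.110.0 255.255.255.0
access-list TO_PIX permit ip 10.135.0.0 255.255.0.0 10.147.110.0 255.255.255.0
"""

def compare_example():
    return check_mirror(parse_crypto_acl(LOCAL_CFG, "VPN1_ACL"),
                        parse_crypto_acl(REMOTE_CFG, "TO_PIX"))

if __name__ == "__main__":
    for kind, pairs in compare_example().items():
        for src, dst in sorted(pairs, key=str):
            print(f"{kind}: {src} -> {dst}")
```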

ajagadee Wed, 10/08/2008 - 12:20

Nyle,


Thanks for the update and taking time to rate and also update the forum with the solution.


Regards,

Arul
