Problems configuring new LAN to LAN on PIX 6.3(5)

Unanswered Question
Jul 7th, 2009

Hi there,

I have a problem configuring a new L2L tunnel on a PIX515E running version 6.3(5).

My ex-colleague configured the PIX and the VPN with dynamic crypto maps like this:

crypto ipsec transform-set transform-1 esp-des esp-md5-hmac
crypto ipsec transform-set transform-2 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set transform-1
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set transform-1
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set transform-2
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set transform-2
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside

isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 120
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Now I have to configure another VPN tunnel to another customer.

So I added the following config to the PIX:

-adding acl to the nat0 config-

access-list acl-vpn-to-costumer permit ip local-network cosumer-network
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address acl-vpn-to-costumer
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer xx.xx.xx.xx
crypto map outside_map 10 set transform-set transform-3
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode

After I configured it I tried to ping the other side but no luck. I looked into the access-lists and I can see the hitcount is incrementing. I did a debug crypto isakmp but no output for the new connection.


I'm out of ideas. Is it possible that PIX 6.3 doesn't like dynamic and static crypto maps at the same time?


thanks in advance
carenas123 Tue, 07/14/2009 - 13:18

Be sure that you have configured all of the access lists necessary to complete your IPsec VPN configuration and that those access lists define the correct traffic. This list contains simple things to check when you suspect that an ACL is the cause of problems with your IPsec VPN.


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution9
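The reply above points at checking the access lists, and the original post shows a static crypto map entry added next to a dynamic one. Both checks can be done mechanically before touching the box. The script below is an added example, not code from this thread or from Cisco: it parses the crypto map, dynamic-map, transform-set, access-list and isakmp key lines in the style the poster quoted and reports dangling references (an ACL or transform-set that is referenced but never defined, a peer with no matching isakmp key) plus the ordering rule that static crypto map entries must carry a lower sequence number than the dynamic entry, since the PIX walks entries in sequence order. The sample config is constructed from the poster's lines, with the masked peer address replaced by the documentation address 203.0.113.10. Run as written it flags only that transform-3 is referenced in the new entry but not defined anywhere in the excerpt that was posted; whether that is the actual cause cannot be known from the post, but it is the kind of gap a debug would not show.

```python
# Added example (not from the thread or from Cisco): a static lint of a
# PIX 6.3-style crypto config excerpt. It reports dangling references from
# static 'crypto map' entries and checks that static entries sort before
# the dynamic entry. The sample is constructed from the poster's lines, with
# the masked peer address replaced by the documentation address 203.0.113.10.
import ipaddress

SAMPLE_CONFIG = """\
crypto ipsec transform-set transform-1 esp-des esp-md5-hmac
crypto ipsec transform-set transform-2 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set transform-1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
access-list acl-vpn-to-costumer permit ip local-network cosumer-network
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address acl-vpn-to-costumer
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set transform-3
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
"""


def parse(config_text):
    """Collect the objects that crypto map entries refer to."""
    cfg = {"transform_sets": set(), "acls": set(), "keys": [], "warnings": [],
           "static": {}, "dynamic_bind": {}, "dynmaps": {}}
    for raw in config_text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(t[3])
        elif t[0] == "access-list":
            cfg["acls"].add(t[1])
        elif t[:2] == ["isakmp", "key"] and "address" in t:
            # Pre-shared key bound to an address/netmask; 0.0.0.0/0.0.0.0 is a wildcard.
            addr = t[t.index("address") + 1]
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            try:
                cfg["keys"].append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            except ValueError:
                cfg["warnings"].append(f"isakmp key for '{addr}' has an unparseable address")
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3].isdigit():
            cmap, seq, rest = t[2], int(t[3]), t[4:]
            if rest[:2] == ["ipsec-isakmp", "dynamic"]:
                cfg["dynamic_bind"][cmap] = (seq, rest[2])   # the catch-all entry
                continue
            entry = cfg["static"].setdefault((cmap, seq), {})
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["ts"] = rest[2:]
        elif t[:2] == ["crypto", "dynamic-map"] and len(t) > 4:
            entry = cfg["dynmaps"].setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["set", "transform-set"]:
                entry["ts"] = t[6:]
    return cfg


def check(config_text):
    """Return a list of human-readable findings; an empty list means nothing dangling."""
    cfg = parse(config_text)
    findings = list(cfg["warnings"])
    for (cmap, seq), e in sorted(cfg["static"].items()):
        where = f"crypto map {cmap} {seq}"
        if "acl" not in e:
            findings.append(f"{where}: no 'match address' line")
        elif e["acl"] not in cfg["acls"]:
            findings.append(f"{where}: match address {e['acl']} refers to an undefined access-list")
        if "peer" not in e:
            findings.append(f"{where}: no 'set peer' line")
        else:
            try:
                covered = any(ipaddress.ip_address(e["peer"]) in n for n in cfg["keys"])
            except ValueError:
                covered = False
            if not covered:
                findings.append(f"{where}: no isakmp key covers peer {e['peer']}")
        if not e.get("ts"):
            findings.append(f"{where}: no 'set transform-set' line")
        for ts in e.get("ts", []):
            if ts not in cfg["transform_sets"]:
                findings.append(f"{where}: transform-set {ts} is not defined")
        bound = cfg["dynamic_bind"].get(cmap)
        if bound and seq >= bound[0]:
            findings.append(f"{where}: sequence {seq} is not lower than dynamic entry {bound[0]}, "
                            "so the dynamic entry would be evaluated first")
    for (dyn, seq), e in sorted(cfg["dynmaps"].items()):
        for ts in e.get("ts", []):
            if ts not in cfg["transform_sets"]:
                findings.append(f"crypto dynamic-map {dyn} {seq}: transform-set {ts} is not defined")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONFIG) or ["no dangling references found"]:
        print(line)
```

Feed it the output of `show running-config` rather than a hand-typed excerpt, since the interesting failures are exactly the lines that did not make it into the running config. The checker is deliberately limited to references and ordering; it does not know whether the ACL's networks are the ones the remote peer expects, which the linked ACL checklist covers.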