07-07-2009 04:15 AM
Hi there,
I have a problem configuring a new L2L tunnel on a PIX 515E running version 6.3(5).
My ex-colleague configured the PIX and the VPN with dynamic crypto maps like this:
crypto ipsec transform-set transform-1 esp-des esp-md5-hmac
crypto ipsec transform-set transform-2 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set transform-1
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set transform-1
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set transform-2
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set transform-2
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 120
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Now I have to configure another VPN tunnel to another customer.
So I added the following config to the PIX:
-adding acl to the nat0 config-
access-list acl-vpn-to-costumer permit ip local-network cosumer-network
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address acl-vpn-to-costumer
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer xx.xx.xx.xx
crypto map outside_map 10 set transform-set transform-3
isakmp key ******** address XX.XX.XX.XX netmask 255.255.255.255 no-xauth no-config-mode
After I configured it, I tried to ping the other side, but no luck. I looked into the access-lists and I can see the hit count incrementing. I did a debug crypto isakmp, but there was no output for the new connection.
I'm out of ideas. Is it possible that PIX 6.3 doesn't like dynamic and static crypto maps at the same time?
thanks in advance
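A small sanity check for this kind of problem, added here as an example and not part of the post or of any Cisco tool: it parses the pasted PIX 6.3 crypto/isakmp lines and reports static crypto map entries that cannot form a tunnel (missing ACL, peer or transform-set; a transform-set that is referenced but never defined; a peer with no isakmp key; a static entry sequenced after the dynamic one). The sample config below is constructed from the post, with 203.0.113.10 as a placeholder peer; run against it, the check flags that transform-3 is not defined anywhere in the config as pasted.

```python
import re

# Constructed sample, modelled on the config in the post above: the existing
# dynamic map plus the new static entry 10. 203.0.113.10 is a placeholder peer.
PIX_CONFIG = """
crypto ipsec transform-set transform-1 esp-des esp-md5-hmac
crypto ipsec transform-set transform-2 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set transform-1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address acl-vpn-to-costumer
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set transform-3
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
"""

def lint_crypto_map(config):
    """Return findings for static crypto map entries that cannot form a tunnel."""
    transform_sets, keyed_peers, static, dyn_seq = set(), set(), {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            transform_sets.add(m[1])
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask", line):
            keyed_peers.add(m[1])          # 0.0.0.0 = wildcard pre-shared key
        elif m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp dynamic", line):
            dyn_seq = int(m[1])            # sequence number of the dynamic entry
        elif m := re.match(r"crypto map \S+ (\d+) (?:match address|set (peer|transform-set)) (\S+)", line):
            key = m[2] or "acl"            # attribute name for this static entry
            static.setdefault(int(m[1]), {})[key] = m[3]
    findings = []
    for seq, e in sorted(static.items()):
        for attr in ("acl", "peer", "transform-set"):
            if attr not in e:
                findings.append(f"seq {seq}: missing {attr}")
        ts = e.get("transform-set")
        if ts and ts not in transform_sets:
            findings.append(f"seq {seq}: transform-set {ts} is not defined")
        peer = e.get("peer")
        if peer and peer not in keyed_peers and "0.0.0.0" not in keyed_peers:
            findings.append(f"seq {seq}: no isakmp key for peer {peer}")
        if dyn_seq is not None and seq >= dyn_seq:
            findings.append(f"seq {seq}: ordered after dynamic entry {dyn_seq}")
    return findings
```

The check only covers what is visible in a pasted config, so an empty result means the static entry is complete, not that the peer side agrees with it.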
07-14-2009 01:18 PM
Be sure that you have configured all of the access lists necessary to complete your IPsec VPN configuration and that those access lists define the correct traffic. This list contains simple things to check when you suspect that an ACL is the cause of problems with your IPsec VPN.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution9