PIX 515e IPsec tunnel and ACLs firewall rules

Unanswered Question
Dec 3rd, 2009

Hi Srinivas and other Cisco Experts,

I would seek advice on the issue below and appreciate your assistance.

The PIX IPsec configuration is site-to-site. There are many acl_mdc_outside_crypto_-1_xx ACLs to different sites from a single location (AA).

When there is an issue accessing the Lotus Notes application from Site AA to Site BB, all other services are up and working. All IPsec tunnels are working fine.

This happens one to two times per week. When it happens, users at Site AA simply cannot access Lotus Notes only, but users at other sites face no issue. The issue was resolved after removing one of the ACL rules and adding the rule back at the Site AA PIX firewall.

Do you know why? I have replaced the firewall with a new one, same model with a different IOS version.

Thank you very much.

Below is the Site AA PIX firewall configuration:

IOS version: 7.2(4)

access-list acl_mdc_outside_crypto_-1_24 extended permit ip host x.x.x.x host x.x.x.x

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map crypto_mdc_outside xx match address acl_mdc_outside_crypto_-1_24
crypto map crypto_mdc_outside xx set peer x.x.x.x
crypto map crypto_mdc_outside xx set transform-set ESP-3DES-SHA
crypto map crypto_mdc_outside interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
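Added example, not part of the original post or of any Cisco tool: a small lint script for PIX/ASA-style site-to-site IPsec configuration in the form shown above. With many crypto map entries on one outside interface, the first things to verify are that every entry is complete and points at a defined crypto ACL, that no host pair appears in the crypto ACLs of two different entries (the lower sequence number wins and the other peer never sees that traffic), and that the ISAKMP policy is not using parameters that are weak by current standards (the posted policy uses 3DES and DH group 1). The sample configuration is constructed with RFC 5737 documentation addresses; the map name and ACL naming follow the post, the addresses and sequence numbers are assumptions.

```python
"""Lint a PIX/ASA-style site-to-site IPsec configuration (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the post: three crypto map entries, one of
# which (30) re-claims a host pair already covered by entry 24, and one (40)
# that is incomplete and references an ACL that was never defined.
SAMPLE_CONFIG = """\
access-list acl_mdc_outside_crypto_-1_24 extended permit ip host 192.0.2.10 host 198.51.100.20
access-list acl_mdc_outside_crypto_-1_24 extended permit ip host 192.0.2.11 host 198.51.100.20
access-list acl_mdc_outside_crypto_-1_30 extended permit ip host 192.0.2.10 host 198.51.100.20
access-list acl_mdc_outside_crypto_-1_30 extended permit ip host 192.0.2.12 host 203.0.113.5
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map crypto_mdc_outside 24 match address acl_mdc_outside_crypto_-1_24
crypto map crypto_mdc_outside 24 set peer 198.51.100.1
crypto map crypto_mdc_outside 24 set transform-set ESP-3DES-SHA
crypto map crypto_mdc_outside 30 match address acl_mdc_outside_crypto_-1_30
crypto map crypto_mdc_outside 30 set peer 203.0.113.1
crypto map crypto_mdc_outside 30 set transform-set ESP-3DES-SHA
crypto map crypto_mdc_outside 40 match address acl_mdc_outside_crypto_-1_40
crypto map crypto_mdc_outside 40 set peer 203.0.113.9
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) host (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
POLICY_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}
# Parameters considered weak today (DES/3DES, MD5, DH groups 1 and 2).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_pix_config(text):
    """Extract host-to-host crypto ACLs, crypto map entries and ISAKMP policies."""
    acls = defaultdict(list)   # ACL name -> [(src, dst), ...]
    maps = defaultdict(dict)   # (map name, seq) -> {"match address": ..., "set peer": ..., ...}
    policies = {}              # policy number -> {"encryption": ..., "group": ..., ...}
    current_policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
            current_policy = None
        elif m := MAP_RE.match(line):
            maps[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
            current_policy = None
        elif m := POLICY_RE.match(line):
            current_policy = m.group(1)
            policies[current_policy] = {}
        elif current_policy and line.split(None, 1)[0] in POLICY_KEYS and " " in line:
            key, value = line.split(None, 1)
            policies[current_policy][key] = value
        else:
            current_policy = None
    return {"acls": dict(acls), "maps": dict(maps), "policies": policies}


def lint(config):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    acls, maps, policies = config["acls"], config["maps"], config["policies"]
    # 1. Every crypto map entry must be complete and reference a defined ACL.
    for (name, seq), entry in sorted(maps.items()):
        for required in ("match address", "set peer", "set transform-set"):
            if required not in entry:
                findings.append(f"{name} {seq}: missing '{required}'")
        acl = entry.get("match address")
        if acl and acl not in acls:
            findings.append(f"{name} {seq}: crypto ACL {acl} is not defined")
    # 2. A host pair matched by two entries is only ever sent to the lower
    #    sequence number's peer; the other tunnel silently never carries it.
    claimed = {}
    for (name, seq), entry in sorted(maps.items()):
        for pair in acls.get(entry.get("match address"), []):
            if pair in claimed and claimed[pair] != seq:
                findings.append(
                    f"{name} {seq}: {pair[0]}->{pair[1]} already matched by entry {claimed[pair]}")
            claimed.setdefault(pair, seq)
    # 3. Flag ISAKMP policy parameters that are weak by current standards.
    for number, attrs in policies.items():
        for key, weak_values in WEAK.items():
            if attrs.get(key) in weak_values:
                findings.append(f"isakmp policy {number}: {key} {attrs[key]} is weak")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_pix_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a `show running-config` capture instead of the constructed sample to get the same three classes of findings for a real device; the parser only understands `host`/`host` ACL entries, so network-to-network entries would need the matcher extended before overlap checking is meaningful for them.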
