01-21-2003 10:50 AM - edited 02-21-2020 12:17 PM
I have 3 firewalls in 3 locations. The 515e is the main one that all the other locations need to connect to via VPN. I have one VPN working between a 501 and the 515e, and need to get the next one running as well.
So here's my current VPN config; the complication is this is my first multiple-VPN setup.
515e:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
names
name x.x.71.8 ConstOffice
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.71.7 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
icmp permit any outside
icmp permit any inside
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer x.x.81.11
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet ConstOffice 255.255.255.255 outside
telnet 192.168.51.0 255.255.255.0 outside
telnet 192.168.52.0 255.255.255.0 outside
telnet x.x.81.11 255.255.255.255 outside
telnet 192.168.50.201 255.255.255.255 inside
telnet 192.168.50.202 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
501e:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 host x.x.71.7
access-list inside_nat0_outbound permit ip host x.x.81.11 192.168.50.0 255.255.255.0
access-list acl_outbound permit ip 192.168.52.0 255.255.255.0 any
access-list acl_inbound permit ip host x.x.71.7 any
interface ethernet0 10baset
interface ethernet1 10full
ip address outside x.x.81.11 255.0.0.0
ip address inside 192.168.52.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.52.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 9 ipsec-isakmp
crypto map vpn1 9 match address inside_nat0_outbound
crypto map vpn1 9 set pfs group2
crypto map vpn1 9 set peer x.x.71.7
crypto map vpn1 9 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.50.0 255.255.255.0 outside
telnet x.x.71.7 255.255.255.255 outside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:f4e78a76793783478f6e56f567e1f9cd
: end
So I must be missing something to get multiple VPNs up.
My debug info from the 515 is as follows:
ISAKMP (0): beginning Quick Mode exchange, M-ID of 299217336:11d5b1b8
crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 299217336
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src x.x.81.11, dest x.x.71.7
ISAKMP (0): processing DELETE payload. message ID = 2059037963
ISAKMP (0): deleting SA: src x.x.71.7, dst x.x.81.11
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x813d3688, conn_id = 0
ISADB: reaper checking SA 0x813d65c8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.81.11 Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:x.x.81.11 Total VPN peers:1
ISADB: reaper checking SA 0x813d3688, conn_id = 0
Thx,
Dave
01-21-2003 12:46 PM
Dave,
The most obvious thing I see is this in your 501 config...
crypto map vpn1 9 set peer x.x.71.7
isakmp key ******** address x.x.81.11 netmask 255.255.255.255
Either the crypto map peer address is wrong, or the isakmp key address is wrong.
Also, if you use SSH instead of telneting through the vpn tunnel, you can cut down on some of the access list statements you have in your configs. (just a helpful hint)
Hope that helps...
01-21-2003 06:56 PM
Oh my goodness... thank you, I had overlooked that line I don't know how many times now and didn't even notice that.
SSH, this is my first time setting up PIXes; how do I set up SSH on them?
thanks,
Dave
01-21-2003 07:30 PM
Dave,
Here's a link on how to set it up on the pix.....
http://www.cisco.com/warp/public/110/authtopix.shtml#localSSH
You're going to have to use an SSH client like PuTTY or TeraTerm Pro... here's a link to TeraTerm....
http://www.zip.com.au/~roca/ttssh.html
hope that helps....
01-22-2003 06:49 AM
Ahh, durn it, that didn't fix the problem.
I'm still getting
ISAKMP (0): beginning Quick Mode exchange, M-ID of 801661563:2fc8627b
crypto_isakmp_process_block: src BftOffice, dest MainOffice
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 801661563
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
Is it possible it's checking against the isakmp key for the first VPN that's still running? Or the line that says "IPSec policy invalidated proposal", what does that mean? I have the same IPSec line for both VPNs.
Also, for some reason I can't seem to ping the x.x.81.11 firewall from this location, but I can ping everything else. I can also ping the x.x.81.11 firewall from other locations, so I know it's up and I know they are hitting the web from that location as well.
01-22-2003 10:38 AM
Dave,
Try changing the DH group from 1 to 2 on the 501. Looks like the PFS on your 515 wants to use group 2....
isakmp policy 9 group 2
The reason you probably cannot ping is because you're not NATing the traffic from behind the 515 to the outside interface of the 501. If you remove the line "access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host 65.40.81.11" you probably will be able to ping. The tunnel is not up, so I think that line is causing problems. It's hard to believe you can ping that from other locations seeing as though you have no access list permitting icmp or icmp echo replies....
Also make sure your access lists on both sides mirror each other...
01-22-2003 11:20 AM
I would agree with the last post. Look into your acls. It seems that there might be some differences.
Here is a link that might get you on your way:
http://www.cisco.com/en/US/customer/tech/tk648/tk367/technologies_tech_note09186a00800949c5.shtml
Hope this helps!
01-22-2003 03:31 PM
Hi Dave
You may want to try rebooting your PIX if you haven't already. I can't count the number of times I have sat in front of a perfectly useful config that just won't work after I have tweaked it by, say, changing a target IP address. Before you change these things you have to turn off stuff like sysopt permit-ipsec, isakmp enable outside, and crypto map enable outside statements, or it just won't happen. I'd be sat there staring at it and getting cross, then after a reboot it would be like hey-presto (TM), instant vpnage! Anyway, worth a mention :)
Regards
Kev
PS Nice one on the x-over cable!
01-22-2003 05:01 PM
Dave-
I was concentrating on the question that you asked: "or the line that says IPSec policy invalidated proposal, what does that mean?". I searched on that and that is when I came up with the troubleshooting URL I posted earlier. I believe that your SAs are not matching up. It seems that a possibility for this error could be that the ACLs you are using are not 100% matching from both ends, and it did seem that there were some differences.
The next thing I might suggest, if rebooting and looking at the ACLs don't work, is to delete everything to do with this tunnel and start afresh. Since you have been making a bunch of changes over and over, you might want to start clean....just a thought :)
Good luck.
01-22-2003 06:02 PM
Not sure if you have seen something like this:
However, it is the same premise as what you are doing. Maybe this will help clear the acl situation up??!!!
Really hope this helps!
01-22-2003 07:15 PM
Hello again
Just to throw something else in the mix (as if you didn't need anything else!), whilst you are taking the fine adjustment spanner/lump hammer to your config it may be a good idea to separate your ACLs on the hub PIX a bit more, to allow more granular control, i.e.
- acl1 for connections to site a (for site a crypto map)
- acl2 for connections to site b (for site b crypto map)
- acl3 for no NAT
- acl4 for outbound connections
acl3 would at least have to include all statements in acl1 and acl2
acl4 would at least have to include all statements in acl3
More typing I know, but it makes it a hell of a lot easier to drive it.
Rgdzzz [time 4 bed:-)]
Kev
01-24-2003 05:58 AM
wow, thanks guys, that was some serious response...
I was sick for a couple days and came back to see all of them just now.
I will be banging on this problem and let y'all know what happens. I greatly appreciate all the suggestions; it helps a lot.
Dave
01-29-2003 05:42 AM
Well, I tried some things and still have no luck, but I do have some more info.
1. I re-entered the VPN info for the second VPN store on both firewalls.
2. My ACLs are matched now, no differences between the existing VPN remote store's and the new one's ACLs.
3. I played with the isakmp policy, changed group numbers, changed policy numbers, and even took down the existing VPN to see if pointing the 'match address' to the same ACL would even work.
4. I ran debug on both PIXes, and on the 515e that has an existing VPN already I was getting the same output, "SA not acceptable!", along with a bunch of other stuff. And on the 515e when running 'sho crypto ipsec sa' I get the following:
interface: outside
Crypto map tag: vpn1, local addr. MainOffice
local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.51.0/255.255.255.0/0/0)
current_peer: ConstOffice
PERMIT, flags={origin_is_acl,}
#pkts encaps: 55367, #pkts encrypt: 55367, #pkts digest 55367
#pkts decaps: 59927, #pkts decrypt: 59927, #pkts verify 59927
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: MainOffice, remote crypto endpt.: ConstOffice
path mtu 1492, ipsec overhead 56, media mtu 1492
current outbound spi: 34e2c28d
inbound esp sas:
spi: 0x9686469a(2525382298)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: vpn1
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.52.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
current_peer: ConstOffice
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: MainOffice, remote crypto endpt.: ConstOffice
path mtu 1492, ipsec overhead 0, media mtu 1492
current outbound spi: 0
outbound pcp sas:
local crypto endpt.: MainOffice, remote crypto endpt.: BftOffice (x.x.81.11)
path mtu 1492, ipsec overhead 0, media mtu 1492
current outbound spi: 0
Office 50.0 is the 515e, 51.0 is the existing VPN, 52.0 is the new one that won't work.
On the new one running a 501e (52.0) I get this:
interface: outside
Crypto map tag: vpn1, local addr. x.x.81.11
local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.52.0/255.255.255.0/0/0)
current_peer: 64.53.71.7
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.81.11, remote crypto endpt.: x.x.71.7 (MainOffice)
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
On this remote site's 501e, when running debug crypto isakmp I get (I may not spell this right, it's from memory) ISAK_NO_ERR_NO_TRANS
When checking hitcnts on the ACLs, the remote 501e shows that it's sending data to the 515e via the VPN tunnel that it's trying to establish. The 515e doesn't seem to want to accept that data.
So it seems that the 501 is set up right, but that here on the 515e, it doesn't want to allow more than one VPN; it won't accept the 52.0 network. At the bottom here I will attach my current 515e config. Thanks for all your help guys, sorry to keep beating this horse, but I can't seem to get this problem resolved.
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip host MainOffice 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host BftOffice
access-list inside_nat0_outbound permit ip host MainOffice 192.168.52.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 101 permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
global (outside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address inside_nat0_outbound
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
Thanks,
Dave
01-29-2003 07:02 AM
Alright, let's see if this helps out a little more....don't worry, we will get this working!!!
Also, regarding your statement "2. My acl's are matched now, no differences between the existing vpn remote store and the new one's acl's.": make sure that they ARE NOT truly the same, just the concept of them. You will need to change IPs and such.
*************************************************************************************
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any
****Seems that you just want all IP to access both remote locations....therefore, just put IP****
****BftOffice ACL should be different than ConstOffice ACL****
****These Crypto ACLs are your "interesting traffic" that defines when to engage the use of the IPSec tunnel****
****BftOffice ACL****
access-list
****ConstOffice ACL****
access-list
****The ACL needed for NO NATing to both BftOffice and ConstOffice****
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
global (outside) 2 interface
nat (inside) 0 access-list 101
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
****ConstOffice IPSec Phase 2 SA****
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
****BftOffice IPSec Phase 2 SA****
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
*************************************************************************************
I tried to separate each piece so you can see it a little easier. I believe I got all your addressing and everything correct???...Hopefully. That URL I posted a couple back is truly a very good helper.
Hope this helps! I will keep checking back. Good luck...
01-30-2003 06:12 AM
your statement "2. My acl's are matched now, no differences between the existing vpn remote store and the new one's acl's. " make sure that there ARE NOT truly the same, however, just the concept of them. You will need to change IPs and such.
*************************************************************************************
>>>Um, I know, I'm not that dense. :)
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any
****Seems that you just want all IP to access both remote locations....therefore, just put IP****
>>> Just put IP what? I'm sorry, I don't get what you are saying.
****BftOffice ACL should be different than ConstOffice ACL****
****These Crypto ACLs are your "interesting traffic" that defines when to engage the use of the IPSec tunnel****
>>> I have a separate ACL for Bft and Const as it is. Now what I do have that may be a problem, I am not sure, is that my Const ACL is also the one that is pointed directly to NAT 0. My Bft ACL is the ACL named 101; my Const ACL is named inside_nat0_outbound and it also includes the same entries that the Bft ACL has. Is this gonna cause problems? I could set up a 101 ACL for Const, and make, say, a 100 ACL as the one that includes all the VPN ACL commands and is connected to NAT 0.
****ConstOffice IPSec Phase 2 SA****
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
****BftOffice IPSec Phase 2 SA****
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
>>> So the only thing I see different here from my existing config is possibly the match address ACL names, which at the moment are pointing:
crypto map vpn1 10 match address inside_nat0_outbound (const and bft access lines included)
crypto map vpn1 20 match address 101 (bft access lines only)
So instead you're saying I should have:
crypto map vpn1 10 match address 101 (const access lines only)
crypto map vpn1 20 match address 102 (bft access lines only)
and further up have:
nat (inside) 0 access-list 100 (ACL including both const and bft access entries)
Is this correct, or am I missing what you're saying I need to try?
Thanks,
Dave
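A small check for the crypto-ACL issues discussed in this thread (Kev's suggestion to separate the hub ACLs per site, and Dave's last question about which ACL each match address should point at), added here as an example and not code from any of the posters: it parses PIX "access-list ... permit ip" lines, reports which crypto map entry (and so which peer) a given flow selects, lists entries whose crypto ACLs overlap, and compares a hub ACL with the spoke's for mirroring. It assumes the sequence-order, first-ACL-match selection the replies describe, and uses placeholder public addresses because the thread redacts the real ones.

```python
"""Added example (not from the thread): checks the two crypto-ACL mistakes the
replies describe. Entries are tried in sequence order and the first ACL hit
picks the peer, so an ACL that also lists another site's network steals that
traffic; and each crypto ACL must be the exact mirror of the spoke's."""
import ipaddress
import re

# Placeholders for the public addresses the thread redacts as x.x.71.7 etc.
NAMES = {"MainOffice": "192.0.2.7", "ConstOffice": "192.0.2.8",
         "BftOffice": "198.51.100.11"}
ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
# Constructed from the hub's last posted config: entry 10 matches on the NAT-0
# list, which also names the 192.168.52.0 network that entry 20 exists for.
HUB_CONFIG = """
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 host ConstOffice
access-list inside_nat0_outbound permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 101 permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
HUB_CRYPTO_MAP = [(10, "inside_nat0_outbound", "ConstOffice"),
                  (20, "101", "BftOffice")]  # (seq, match address, set peer)
SPOKE_CONFIG = "access-list inside_nat0_outbound permit ip 192.168.52.0 255.255.255.0 192.168.50.0 255.255.255.0"
# The separation the replies suggest: one crypto ACL per peer, NAT 0 kept apart.
FIXED_CONFIG = """
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
"""
FIXED_CRYPTO_MAP = [(10, "101", "ConstOffice"), (20, "102", "BftOffice")]

def _endpoint(tokens):
    """Consume one ACL address spec: 'any', 'host X' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1])), tokens[2:]
    net = NAMES.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{net}/{tokens[1]}"), tokens[2:]

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, rest = _endpoint(m.group(2).split())
            dst, _ = _endpoint(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls

def select_peer(crypto_map, acls, src_ip, dst_ip):
    """(seq, peer) of the first crypto-map entry whose ACL matches the flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, acl, peer in sorted(crypto_map):
        if any(src in s and dst in d for s, d in acls.get(acl, [])):
            return seq, peer
    return None

def overlapping_entries(crypto_map, acls):
    """Sequence pairs whose crypto ACLs both cover some src/dst combination."""
    ordered, hits = sorted(crypto_map), []
    for i, (seq_a, acl_a, _) in enumerate(ordered):
        for seq_b, acl_b, _ in ordered[i + 1:]:
            if any(sa.overlaps(sb) and da.overlaps(db)
                   for sa, da in acls[acl_a] for sb, db in acls[acl_b]):
                hits.append((seq_a, seq_b))
    return hits

def unmirrored(hub_entries, spoke_entries):
    """Hub-side src>dst lines that the spoke does not mirror, and vice versa."""
    hub, spoke = set(hub_entries), {(d, s) for s, d in spoke_entries}
    return sorted(f"{s}>{d}" for s, d in hub ^ spoke)
```

With the posted hub config, traffic from 192.168.50.x to 192.168.52.x selects entry 10 (peer ConstOffice), and the hub's reversed 52.0-to-50.0 line in ACL 101 has no mirror on the spoke; with the separated ACLs both checks come back clean.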