Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
261
Views
0
Helpful
3
Replies

Missing "match Address" line

michael.g.hill
Level 1
Level 1

‎10-24-2002 05:44 AM - edited ‎03-09-2019 12:48 AM

I ran across an interesting problem. A PIX 520 stopped passing all traffic. It was in a failover config, but did not failover. The primary was taken offline to force the secondary to take over. The secondary also did not pass any traffic out the outside interface (Including internally generated pings). Looking at the log, we noticed that it was reporting that it was dropping all packets because they were not "encrypted". That morning, some VPNs were added to the pix (running version 6.2). Removing the new vpn defintions resolved the issue and traffic passed again.

Reviewing the config, I noticed in the definition of one VPN, the "Match address acl" command was left out. I understand that the PIX checks NAT acls first and then crypto map acls second, but why would this cause all traffic to stop? Does leaving this out cause the pix to see all addresses as "interesting traffic" and therefore require encryption on all traffic?

Labels:
0 Helpful
3 Replies 3

mklaphek
Level 1
Level 1

‎10-24-2002 05:57 AM

Yes, you need to add a statement telling the PIX not to NAT the IPSec packets. You do this through the NAT 0 access-list command, where the access-list specifies the IPSec traffic

0 Helpful

michael.g.hill
Level 1
Level 1

‎10-24-2002 07:48 AM

I am sorry if my question was confusing. What I was wondering was since the "Match Address ACL" was not in the config for this VPN defintion, would the PIX assume all IP addresses it sees must be "interesting traffic and therefore would require ALL traffic to be encrypted. When troubleshooting this problem with pings being generated from a workstation we put on the external net, the log showed a ping was received, but was dropped because the packet was not encrypted.

An example of what is normally seen follows:

access-list confusion-acl permit ip 10.10.10.0 255.255.255.0 host 192.168.30.5

crypto map conf 10 ipsec-isakmp

crypto map conf 10 Match address confusion-acl

the "crypto map conf 10 Match address confusion-acl" line was missing from the config. We resolved the issue by brute force by removing all three new VPN defintions from the config since I did not have a copy of the config to review initially. Hope this clears up my question: If a VPN is defined on the PIX and all required config lines are present EXCEPT the "crypto map ABC X Match Address Example-acl", what would be the behavior of the PIX and why?

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to michael.g.hill

‎10-24-2002 08:44 PM

YEs, without teh "match address" line in the config, the PIX assumes ALL traffic is interesting and encrypts everything, effectively stopping all traffic flow from a users perspective.

You need to be very careful when adding new crypto commands to the PIX cause as soon as you add a new crypto map instance, say you add this:

crypto map conf 20 ipsec-isakmp

all traffic will cease until you add the other 3 lines (match address, set transform and set peer).

0 Helpful
Customers Also Viewed These Support Documents