Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Missing "match Address" line

I ran across an interesting problem. A PIX 520 stopped passing all traffic. It was in a failover config, but did not failover. The primary was taken offline to force the secondary to take over. The secondary also did not pass any traffic out the outside interface (Including internally generated pings). Looking at the log, we noticed that it was reporting that it was dropping all packets because they were not "encrypted". That morning, some VPNs were added to the pix (running version 6.2). Removing the new vpn defintions resolved the issue and traffic passed again.

Reviewing the config, I noticed in the definition of one VPN, the "Match address acl" command was left out. I understand that the PIX checks NAT acls first and then crypto map acls second, but why would this cause all traffic to stop? Does leaving this out cause the pix to see all addresses as "interesting traffic" and therefore require encryption on all traffic?

New Member

Re: Missing "match Address" line

Yes, you need to add a statement telling the PIX not to NAT the IPSec packets. You do this through the NAT 0 access-list command, where the access-list specifies the IPSec traffic

New Member

Re: Missing "match Address" line

I am sorry if my question was confusing. What I was wondering was since the "Match Address ACL" was not in the config for this VPN defintion, would the PIX assume all IP addresses it sees must be "interesting traffic and therefore would require ALL traffic to be encrypted. When troubleshooting this problem with pings being generated from a workstation we put on the external net, the log showed a ping was received, but was dropped because the packet was not encrypted.

An example of what is normally seen follows:

access-list confusion-acl permit ip host

crypto map conf 10 ipsec-isakmp

crypto map conf 10 Match address confusion-acl

the "crypto map conf 10 Match address confusion-acl" line was missing from the config. We resolved the issue by brute force by removing all three new VPN defintions from the config since I did not have a copy of the config to review initially. Hope this clears up my question: If a VPN is defined on the PIX and all required config lines are present EXCEPT the "crypto map ABC X Match Address Example-acl", what would be the behavior of the PIX and why?

Cisco Employee

Re: Missing "match Address" line

YEs, without teh "match address" line in the config, the PIX assumes ALL traffic is interesting and encrypts everything, effectively stopping all traffic flow from a users perspective.

You need to be very careful when adding new crypto commands to the PIX cause as soon as you add a new crypto map instance, say you add this:

crypto map conf 20 ipsec-isakmp

all traffic will cease until you add the other 3 lines (match address, set transform and set peer).

CreatePlease login to create content