Re: Multiple PIX-PIX Site to Site VPN

mpdavies · ‎09-26-2002

I am configuring multiple site to site VPN connections using PIX firewalls to terminate (in a hub, spoke configuration). I get to create my next crypto map seq-number on the hub PIX and the firewall collapses. However, the previously configured ipsec tunnels stay active but i cannot use any of the static routes configured to access external networks , NAT fails, internet access etc.

we have tried CLEAR CRYPTO IPSEC SA, CLEAR CRYPTO ISAKMP SA and reloads to no avail.

What could be wrong ? Any help would be appreciated.

mike-greene · ‎09-26-2002

Hi, make sure your not pointing the second crypto map match address to an access list that is not there.

Is there any way you can post your config?

mpdavies · ‎09-27-2002

Thanks Mike, I have it resolved now.

I found that when I started my next 'crypto map mapname 10 ...... ' command, the firewall would knock out other connections through the firewall that I had allowed, e.g. stop machines with static routes getting outside, like my proxy server.

Once I had completed the crypto map set, then the connections were once again available.

The workround I used was to cut and past into the firwall the whole specific crypto set all at the same time, eg

crypto map SPAIN 10 ipsec-isakmp

crypto map SPAIN 10 match address 105

crypto map SPAIN 10 set peer 10x.10x.10x.10x

crypto map SPAIN 10 set transform-set MADRID

very strange, but thanks again.