Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Pix firewall for both site to site and site to client

I have cisco pix firewall which i have configured for both site to site and site to clinet. Clients are able to connect using vpn client but when i have a site to site with customer's firewall(Symantec) and when i try to ping his internal ip address 170.102.16.14 i am getting this error message from the firewall

IPSEC(sa_initiate): ACL = deny; no sa created.

Below is my ipsec configuration for both site to site and site to client. Can some on help me in rectifying the problem. instance 10 is for site to client and instance 20 in crypto is for the site to site.

nat (inside) 0 access-list 108

access-list 108 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list 108 permit ip 192.168.2.0 255.255.255.0 host 170.102.16.41

access-list 110 permit ip 192.168.2.0 255.255.255.0 host 170.102.16.41

sysopt security fragguard

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap 20 ipsec-isakmp

crypto map mymap 20 match address 110

crypto map mymap 20 set peer x.x.x.x1

crypto map mymap 20 set transform-set myset

crypto map mymap client authentication authinbound

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp key ******** address x.x.x.x1 netmask 255.255.255.255 no-xauth no-conf

ig-mode

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

vpngroup vpn3000 address-pool ippool

vpngroup vpn3000 dns-server 192.168.1.64

vpngroup vpn3000 wins-server 192.168.1.24

vpngroup vpn3000 default-domain test.dom

vpngroup vpn3000 split-tunnel 108

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

Thanks in Advance

1 REPLY
Bronze

Re: Pix firewall for both site to site and site to client

That message usually has something to do with the ACL not allowing that function. Looking at the ACL I am assuming that the host is the actual firewall on the otherside. If not then that could be the problem.

80
Views
0
Helpful
1
Replies
CreatePlease to create content