pix to pix vpn, all internet traffic lost

weisse1
Level 1

I have a hub and spoke VPN with a 515 at the hub and 506's at the spokes (all running 6.2). Two tunnels were up, but the configuration for the 3rd tunnel had the wrong network address referenced in the crypto access list for interesting traffic. When attempting to remove the incorrect reference and replace it with the correct network address range, all outbound traffic from the hub PIX stopped except for tunneled traffic to the remote sites. I could not ping the directly connected border router from the PIX. It appeared as if all traffic was being routed through the tunnels, nothing in the clear. I had to remove all references to the specific policy for the 3rd site (40) before clear traffic would go out to the internet and only the specified traffic continued to the remotes via the VPN.

nat (inside) 0 access-list crypto_global
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 209.x.x.x 255.255.255.192
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 216.x.x.0 255.255.255.0
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 10.40.0.0 255.255.0.0
access-list crypto_ml permit ip 207.x.x.0 255.255.255.0 209.x.x.x 255.255.255.192
access-list crypto_ps permit ip 207.x.x.0 255.255.255.0 216.x.x.0 255.255.255.0
access-list crypto_plan permit ip 207.x.x.0 255.255.255.0 10.40.0.0 255.255.0.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 set peer 12.x.x.x
crypto map newmap 40 set transform-set myset
crypto map newmap 40 match address crypto_plan

Has anyone else come across this problem, and if so, what steps can be taken to prevent such a problem in the future?

2 Replies

mcaissie
Level 1

If you have a crypto map matching a non-existing access-list, the PIX will stop forwarding everything.

So be sure to create the crypto ACL before the crypto map.

Also, when I want to modify crypto maps, I copy and paste them into Notepad, do my modifications, then copy and paste them back again, preceded by a "no crypto...".

This way I delete it and create a new one with no downtime.

ex:

no crypto map newmap
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 set peer 12.x.x.x
.....
....
crypto map newmap interface outside

Don't forget to reapply the crypto map on the outside interface after deleting it.

I didn't realize that the PIX would, in a sense, stop forwarding traffic when there is a crypto policy referencing an access-list that does not exist.

Thanks for your reply,

Christian
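The two pitfalls in this thread (a crypto map entry whose match address names an ACL that no longer exists, and a crypto map re-created from a paste but never re-applied to the outside interface) are easy to catch before the config is pasted into the PIX. The following Python script is an added example, not code from the thread or from Cisco: it replays a block of PIX-style config lines in order, tracks which access-lists exist, which crypto map entries reference them, and which maps are bound to an interface, and reports anything dangling. The sample config is constructed with RFC 5737 documentation addresses and a placeholder peer; only the command syntax shown in the thread (access-list, crypto map ... match address / set peer / set transform-set / interface, no crypto map) is recognised.

```python
import re

# Constructed sample configuration (not the poster's real config): same
# structure as the thread, with addresses replaced by RFC 5737 documentation
# ranges and the peer by a placeholder.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list crypto_global
access-list crypto_global permit ip 192.0.2.0 255.255.255.0 10.40.0.0 255.255.0.0
access-list crypto_plan permit ip 192.0.2.0 255.255.255.0 10.40.0.0 255.255.0.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 set peer 198.51.100.1
crypto map newmap 40 set transform-set myset
crypto map newmap 40 match address crypto_plan
crypto map newmap interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) ")
NO_MAP_RE = re.compile(r"^no crypto map (\S+)$")
MAP_IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_config(text):
    """Replay config lines in order, the way the PIX takes them from a paste."""
    acls = set()       # access-list names that have at least one entry
    entries = {}       # (map name, seq) -> {"acl": ..., "peer": ..., "transform": ...}
    applied = {}       # map name -> interface it is bound to
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := NO_MAP_RE.match(line):
            # "no crypto map X" drops every entry of X and its interface binding
            name = m.group(1)
            entries = {k: v for k, v in entries.items() if k[0] != name}
            applied.pop(name, None)
        elif m := MAP_IFACE_RE.match(line):
            applied[m.group(1)] = m.group(2)
        elif m := MAP_ENTRY_RE.match(line):
            entry = entries.setdefault((m.group(1), int(m.group(2))), {})
            words = m.group(3).split()
            if words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                entry["transform"] = words[2]
    return acls, entries, applied


def check_crypto_maps(text):
    """Return a list of problems; an empty list means the crypto maps are consistent."""
    acls, entries, applied = parse_config(text)
    problems = []
    for (name, seq), entry in sorted(entries.items()):
        acl = entry.get("acl")
        if acl is None:
            problems.append(f"{name} {seq}: has no 'match address' line")
        elif acl not in acls:
            problems.append(f"{name} {seq}: match address {acl} refers to an access-list that does not exist")
        if "peer" not in entry:
            problems.append(f"{name} {seq}: no peer set")
        if "transform" not in entry:
            problems.append(f"{name} {seq}: no transform-set set")
    for name in sorted({n for n, _ in entries}):
        if name not in applied:
            problems.append(f"{name}: crypto map is not applied to any interface")
    return problems


def without_lines(text, prefix):
    """Drop every line starting with prefix (models typing 'no <line>' on the PIX)."""
    return "".join(l + "\n" for l in text.splitlines() if not l.startswith(prefix))


def rebuild_map_without_interface(text, map_name):
    """Model the delete-and-repaste procedure with the final interface line forgotten."""
    repaste = "".join(l + "\n" for l in text.splitlines()
                      if l.startswith(f"crypto map {map_name} ") and " interface " not in l)
    return text + f"no crypto map {map_name}\n" + repaste


if __name__ == "__main__":
    print("as posted:", check_crypto_maps(SAMPLE_CONFIG))
    # The original poster's edit: the crypto ACL is removed while the map still matches it.
    print("ACL removed first:", check_crypto_maps(without_lines(SAMPLE_CONFIG, "access-list crypto_plan")))
    # The delete-and-repaste procedure, but with "crypto map newmap interface outside" left out.
    print("map rebuilt, not re-applied:", check_crypto_maps(rebuild_map_without_interface(SAMPLE_CONFIG, "newmap")))
```

Running the script on the sample reports nothing for the config as posted, one dangling-ACL finding once the crypto_plan access-list is removed ahead of the map that matches it, and one "not applied to any interface" finding for a map that was deleted and pasted back without its interface line. Running the same check over the pasted block before it goes onto the firewall gives the order-of-operations discipline mcaissie describes (ACL first, then the map, then the interface binding) a mechanical backstop.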