pix to pix vpn, all internet traffic lost

I have a hub and spoke VPN with a 515 at the hub and 506s at the spokes (all running 6.2). Two tunnels were up, but the configuration for the 3rd tunnel had the wrong network address referenced in the crypto access list for interesting traffic. When attempting to remove the incorrect reference and replace it with the correct network address range, all outbound traffic from the hub PIX stopped except for tunneled traffic to remote sites. Could not ping the directly connected border router from the PIX. It appears as if all traffic was being routed through the tunnels, nothing in the clear. I had to remove all references to the specific policy for the 3rd site (40) before clear traffic would go out to the internet, and only the specified traffic continued to the remotes via the VPN.

nat (inside) 0 access-list crypto_global
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 209.x.x.x 255.255.255.192
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 216.x.x.0 255.255.255.0
access-list crypto_global permit ip 207.x.x.0 255.255.255.0 10.40.0.0 255.255.0.0
access-list crypto_ml permit ip 207.x.x.0 255.255.255.0 209.x.x.x 255.255.255.192
access-list crypto_ps permit ip 207.x.x.0 255.255.255.0 216.x.x.0 255.255.255.0
access-list crypto_plan permit ip 207.x.x.0 255.255.255.0 10.40.0.0 255.255.0.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 set peer 12.x.x.x
crypto map newmap 40 set transform-set myset
crypto map newmap 40 match address crypto_plan

Has anyone else come across this problem, and if so, what steps can be taken to prevent such a problem in the future?

2 REPLIES
Re: pix to pix vpn, all internet traffic lost

If you have a crypto map matching a non-existing access-list, the PIX will stop forwarding everything.

So be sure to create the crypto ACL before the crypto map.

Also, when I want to modify crypto maps, I copy-paste them into Notepad, do my modifications, then copy-paste them back again, preceded by a "no crypto...".

This way I delete it and create a new one with no downtime.

ex:

no crypto map newmap
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 set peer 12.x.x.x
.....
....
crypto map newmap interface outside

Don't forget to reapply the crypto map on the outside interface after deleting it.
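The two failure modes described in this reply (a crypto map entry whose "match address" names an access-list that does not exist, and a re-pasted crypto map that is never re-applied to the outside interface) are both visible in the config text before it is pasted into the PIX. The following Python checker is an added example, not code from the original thread or from Cisco: it parses a PIX-style config fragment, reports any "match address" reference to an undefined access-list, and reports any crypto map with entries but no "crypto map <name> interface <if>" line. The sample configs are constructed; the ACL and map names follow the thread, but the addresses are RFC 5737 documentation ranges, not the poster's real ones. Running it against a planned change before pasting it (or against the ACL removal step alone) would have flagged the state the original poster hit.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed PIX 6.x-style configuration fragment for the checker below.
# It mirrors the thread's situation: crypto map entry 40 has its "match address"
# pointing at crypto_plan, but no access-list crypto_plan line exists (for example
# because the ACL was just removed in order to re-enter it with the right network).
# ACL and map names follow the thread; addresses are RFC 5737 documentation
# ranges, not the poster's real ones.
BROKEN_CONFIG = """\
access-list crypto_global permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.192
access-list crypto_global permit ip 192.0.2.0 255.255.255.0 10.40.0.0 255.255.0.0
access-list crypto_ml permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.192
nat (inside) 0 access-list crypto_global
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 set peer 203.0.113.20
crypto map newmap 20 set transform-set myset
crypto map newmap 20 match address crypto_ml
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 set peer 203.0.113.40
crypto map newmap 40 set transform-set myset
crypto map newmap 40 match address crypto_plan
crypto map newmap interface outside
"""

# The same fragment with the crypto ACL defined before any map entry references it.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "nat (inside) 0 access-list crypto_global",
    "access-list crypto_plan permit ip 192.0.2.0 255.255.255.0 10.40.0.0 255.255.0.0\n"
    "nat (inside) 0 access-list crypto_global",
)

# The fixed fragment after a "no crypto map newmap" / re-paste cycle in which the
# final "crypto map newmap interface outside" line was forgotten.
UNAPPLIED_CONFIG = FIXED_CONFIG.replace("crypto map newmap interface outside\n", "")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)\s*$")
ENTRY_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+")
APPLY_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)\s*$")


def parse(config: str) -> Tuple[Set[str], List[Tuple[str, str, str]], Set[str], Dict[str, str]]:
    """Collect defined ACL names, (map, seq, acl) match references, map names that
    have entries, and map -> interface bindings from a PIX-style config text."""
    acls: Set[str] = set()
    refs: List[Tuple[str, str, str]] = []
    entries: Set[str] = set()
    applied: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := MATCH_RE.match(line):
            refs.append((m.group(1), m.group(2), m.group(3)))
            entries.add(m.group(1))
        elif m := APPLY_RE.match(line):
            applied[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            entries.add(m.group(1))
    return acls, refs, entries, applied


def dangling_acl_refs(config: str) -> List[str]:
    """Crypto map entries whose 'match address' names an ACL that is not defined."""
    acls, refs, _, _ = parse(config)
    return [f"{name}/{seq} -> {acl}" for name, seq, acl in refs if acl not in acls]


def unapplied_maps(config: str) -> List[str]:
    """Crypto maps that have entries but no 'crypto map <name> interface <if>' line."""
    _, _, entries, applied = parse(config)
    return sorted(entries - set(applied))


def check(config: str) -> List[str]:
    """All findings for one config text; an empty list means it is safe to paste."""
    findings = [f"match address names an undefined access-list: {r}"
                for r in dangling_acl_refs(config)]
    findings += [f"crypto map has entries but is not applied to an interface: {n}"
                 for n in unapplied_maps(config)]
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                       ("unapplied", UNAPPLIED_CONFIG)):
        print(f"{label}: {check(cfg) or 'no findings'}")
```

The check is intentionally order-insensitive within one pasted block (the PIX accepts the ACL and map lines in either order once both exist); what matters operationally is that the ACL exists at the moment the "match address" line is entered, so run the checker on each intermediate state you intend to leave the box in, not only on the final config.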

Re: pix to pix vpn, all internet traffic lost

I didn't realize that the PIX would in a sense stop forwarding traffic when there is a crypto policy referencing an access-list that does not exist.

Thanks for your reply,

Christian
