
Bronze

Trouble with site-to-site VPN on PIX 515

Hi there,

I'm having trouble with a VPN I'm trying to create on a PIX 515. I have the crypto maps configured, I have the pre-shared key, I have the access-list in place, and I have the isakmp settings configured. I see the access-list incrementing when I initiate traffic from the desired host, but I'm receiving this message when I have debugging turned on:

IPSEC(sa_initiate): ACL = deny; no sa created

Any ideas what I can check?

Thanks in advance!

6 REPLIES
Cisco Employee

Re: Trouble with site-to-site VPN on PIX 515

Hello,

Below is a troubleshooting guide for a PIX L2L IPSec tunnel.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009448c.shtml

If the above URL does not help, then is it possible to post your configuration of the PIX along with "Deb cry is" and "Deb cry ipsec" outputs?

Regards,

Arul

** Please rate all helpful posts **

Bronze

Re: Trouble with site-to-site VPN on PIX 515

Here is the only output I get from debug crypto ipsec:

IPSEC(sa_initiate): ACL = deny; no sa created

debug crypto isakmp displays nothing.

Here is my config:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password VQVEpQa2RxgFDc9h encrypted
passwd OXQ30QDi0.VHGHVn encrypted
hostname Pix515
domain-name mycompany.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list compiled
access-list 100 deny ip host 198.2.0.50 10.0.0.0 255.0.0.0
access-list 100 permit ip 198.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list acl_mdc_outside_access_1 permit icmp any any time-exceeded
access-list acl_mdc_outside_access_1 permit icmp any any unreachable
access-list acl_mdc_outside_access_1 permit icmp any any echo-reply
access-list acl_mdc_outside_access_1 permit gre any any
access-list acl_mdc_outside_access_1 permit esp any any
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.70.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.71.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.172.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.173.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.140.120.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.140.18.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.1.63.0 255.255.255.0
pager lines 20
logging on
logging timestamp
logging buffered alerts
logging trap informational
logging history alerts
logging facility 19
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 219.91.112.242 255.255.255.240
ip address inside 53.154.233.254 255.255.255.248
arp timeout 60
global (outside) 1 219.91.77.193-219.91.77.254 netmask 255.255.255.192
global (outside) 1 219.91.112.248 netmask 255.255.255.240
nat (inside) 0 access-list 100
nat (inside) 1 198.3.0.0 255.255.255.0 0 0
nat (inside) 1 198.2.0.0 255.255.0.0 0 0
static (inside,outside) 10.147.110.2 198.2.0.50 netmask 255.255.255.255 0 0
access-group acl_mdc_outside_access_1 in interface outside
route outside 0.0.0.0 0.0.0.0 219.91.112.241 1
route inside 198.2.0.0 255.255.0.0 53.154.233.253 1
route inside 198.3.0.0 255.255.255.0 53.154.233.253 1
timeout xlate 0:30:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
crypto map crypto_mdc_outside 102 ipsec-isakmp
crypto map crypto_mdc_outside 102 match address VPN1_ACL
crypto map crypto_mdc_outside 102 set peer 208.116.214.211
crypto map crypto_mdc_outside 102 set transform-set vpn1
crypto map crypto_mdc_outside interface outside
isakmp enable outside
isakmp key ******** address 208.116.214.211 netmask 255.255.255.255
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400

Cisco Employee

Re: Trouble with site-to-site VPN on PIX 515

Nyle,

What are the source and destination IP addresses that you are using to bring up the tunnel?

Where is the 10.147.110.0 network? I don't even see a route on the PIX for this network.

Also, I do not see your crypto traffic being included in the NAT 0 command. Can you include this and test the IPsec tunnel?

Can you provide me the above information?

Thanks,

Arul

** Please rate all helpful posts **

Bronze

Re: Trouble with site-to-site VPN on PIX 515

Here's the situation: The source is a server that resides internal to my network. I'm trying to create a site-to-site VPN to a client, over the internet. The client requires that I source my server from 10.147.110.0/24. The destination is any of the networks specified in the VPN1_ACL. I created an outside static NAT that should translate 192.2.0.50 to 10.147.110.2.

When you say that you do not see the crypto traffic being included in the NAT 0 command, which traffic are you looking for? I thought the match ACL in the crypto map would catch the traffic destined for the VPN?

Thanks

Bronze

Re: Trouble with site-to-site VPN on PIX 515

Thanks for your help. Turns out that the other end had a different ACL configured than I did. Once we verified that their ACL matched mine, the connection came right up.

Now I know though. And for anyone else out there who receives this message: IPSEC(sa_initiate): ACL = deny; no sa created

Double check the ACLs on both ends!
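The resolution above came down to the two peers' crypto ACLs not mirroring each other. The following Python script is an added example, not code from this thread or from Cisco: it parses PIX-style `access-list ... permit ip` lines from both ends, flips the remote entries (source and destination swapped) and reports every entry that has no exact counterpart on the other side. The local input reuses the VPN1_ACL lines posted above; the remote configuration, its ACL name `L2L_ACL`, and the two mismatches it contains (a missing /24 and an entry narrowed to a single host) are constructed for the example and are not the real peer's configuration.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# PIX 6.x access-list syntax uses real netmasks (not wildcard masks), e.g.
#   access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.70.0 255.255.255.0
#   access-list 100 deny ip host 198.2.0.50 10.0.0.0 255.0.0.0
# Only "permit ip" entries of the ACL named in "crypto map ... match address"
# define interesting traffic, so everything else is ignored here.

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

_LINE_RE = re.compile(r"^\s*access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.*)$")

# Local side: the VPN1_ACL entries from the posted configuration, plus one
# unrelated line to show that other ACLs are filtered out.
LOCAL_CONFIG = """
access-list 100 deny ip host 198.2.0.50 10.0.0.0 255.0.0.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.70.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.71.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.172.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.135.173.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.140.120.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.140.18.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.1.16.0 255.255.255.0
access-list VPN1_ACL permit ip 10.147.110.0 255.255.255.0 10.1.63.0 255.255.255.0
"""

# Remote side: CONSTRUCTED for this example (the thread never shows the peer's
# config). It mirrors seven entries, narrows the 10.1.63.0/24 entry to a single
# host, and carries an extra 10.135.74.0/24 entry the local side does not have.
REMOTE_CONFIG = """
access-list L2L_ACL permit ip 10.135.70.0 255.255.255.0 10.147.110.0 255.255.255.0
access-list L2L_ACL permit ip 10.135.71.0 255.255.255.0 10.147.110.0 255.255.255.0
access-list L2L_ACL permit ip 10.135.172.0 255.255.255.0 10.147.110.0 255.255.255.0
access-list L2L_ACL permit ip 10.135.173.0 255.255.255.0 10.147.110.0 255.255.255.0
access-list L2L_ACL permit ip 10.140.120.0 255.255.255.0 10.147.110.0 255.255.255.0
access-list L2L_ACL permit ip 10.140.18.0 255.255.255.0 10.147.110.0 255.255.255.0
access-list L2L_ACL permit ip 10.1.16.0 255.255.255.0 10.147.110.0 255.255.255.0
access-list L2L_ACL permit ip 10.1.63.0 255.255.255.0 host 10.147.110.2
access-list L2L_ACL permit ip 10.135.74.0 255.255.255.0 10.147.110.0 255.255.255.0
"""


def _parse_endpoint(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    mask = tokens.pop(0)
    # strict=False tolerates host bits set in the address, as the PIX itself does
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def parse_crypto_acl(config_text: str, acl_name: str) -> Set[Flow]:
    """Return the set of (source, destination) networks permitted by the named ACL."""
    flows: Set[Flow] = set()
    for line in config_text.splitlines():
        m = _LINE_RE.match(line)
        if not m or m.group(1) != acl_name or m.group(2) != "permit":
            continue
        tokens = m.group(3).split()
        src = _parse_endpoint(tokens)
        dst = _parse_endpoint(tokens)
        flows.add((src, dst))
    return flows


def mirror_mismatches(local: Set[Flow], remote: Set[Flow]) -> Dict[str, List[Flow]]:
    """Entries on either side whose exact mirror image does not exist on the other.

    An IPsec proxy-ID negotiation needs the peer's entry to be the same networks
    with source and destination swapped; a narrower or wider match is a mismatch.
    """
    local_mirrored = {(dst, src) for src, dst in local}    # what the remote should contain
    remote_mirrored = {(dst, src) for src, dst in remote}  # what the local side should contain
    return {
        "missing_on_remote": sorted(local - remote_mirrored, key=str),
        "extra_on_remote": sorted(remote - local_mirrored, key=str),
    }


def check_peer_acls() -> Dict[str, List[Flow]]:
    """Compare the posted VPN1_ACL against the constructed remote L2L_ACL."""
    local = parse_crypto_acl(LOCAL_CONFIG, "VPN1_ACL")
    remote = parse_crypto_acl(REMOTE_CONFIG, "L2L_ACL")
    return mirror_mismatches(local, remote)


if __name__ == "__main__":
    result = check_peer_acls()
    for kind, flows in result.items():
        print(f"{kind}: {len(flows)}")
        for src, dst in flows:
            print(f"  {src} -> {dst}")
```

Run against these inputs, the script reports one local entry with no counterpart (10.147.110.0/24 to 10.1.63.0/24) and two remote entries the local ACL does not mirror (the host-narrowed 10.1.63.0/24 entry and the extra 10.135.74.0/24 entry). Feed it `show run` output from both firewalls and each reported line is a candidate cause of a `ACL = deny; no sa created` or a failed proxy-ID negotiation. Note that the local ACL must reference the post-NAT addresses (here the static-translated 10.147.110.x), which is what the comparison assumes.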

Cisco Employee

Re: Trouble with site-to-site VPN on PIX 515

Nyle,

Thanks for the update and taking time to rate and also update the forum with the solution.

Regards,

Arul
