Cisco Support Community
New Member

Netscreen to ASA IKE negotiation failure

Howdy, Y'all-

I have a Netscreen ISG2000 which is trying to host a point-to-point VPN with an ASA running v7.1.

On the Netscreen side, I've configured a "policy-based" VPN, which is expecting only HTTPS traffic over the tunnel. Therefore, in IKE negotiation, it expects the proposal to only include IP proto 6.

On the ASA side, the administrator (not my coworker, and I have no access) isn't seeing a place to define the outbound allowed protocols for the IKE proposal.

I can see that there is supposed to be an ACL that is tied to the crypto-map, which specifies the traffic which should be routed to the tunnel. I suspect that it is now saying "access-list (1) extended permit ip ?", which is allowing all IP protos over the tunnel.

What I want to do is something like "access-list (1) extended permit tcp .... eq 443".

Can anyone confirm that this will force the ASA to specify that it's only TCP that will be passed in the proposal?

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Netscreen to ASA IKE negotiation failure

Hi,

Yes, if you have configured your Netscreen with a policy-based VPN, and your policy allows only HTTPS traffic to flow from your internal subnet to his internal subnet (do not forget to check the "modify matching bidirectional policy" option), then his access-list on his side must be exactly symmetrical to yours (including the source and destination being host or subnet, as well as the port; in your case it will be tcp 443).

In the ASA he will have the access-list:

access-list test permit tcp source_subnet source_netmask destination_subnet destination_netmask eq 443

crypto map mymap 10 match address test

plz rate if this helps!

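The accepted answer's point is that the ASA's crypto-map ACL is what becomes the phase-2 proxy IDs, so it must mirror the Netscreen policy exactly (networks swapped, same protocol and port). The checker below is an added example, not code from the thread or from Cisco/Juniper: it parses an ASA crypto ACL entry into proxy IDs and compares them against a constructed Netscreen policy, showing why "permit ip" fails to match an HTTPS-only policy while "permit tcp ... eq 443" does. The subnets, ACL name and the flat (net, net, proto, port) model of the Netscreen policy are all assumptions for illustration.

```python
import ipaddress

# Constructed sample values (not from the thread): 10.1.1.0/24 is the ASA's subnet,
# 10.2.2.0/24 is the Netscreen's. The Netscreen policy-based VPN accepts, in phase 2,
# only traffic from its own subnet to the ASA subnet for service HTTPS (IP proto 6, port 443).
NETSCREEN_POLICY = {"src": ipaddress.ip_network("10.2.2.0/24"),
                    "dst": ipaddress.ip_network("10.1.1.0/24"),
                    "proto": 6, "port": 443}

# What the asker suspects the ASA has now, and the entry the accepted answer recommends.
ACL_SUSPECTED = "access-list vpn extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"
ACL_FIXED = "access-list vpn extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443"

PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}   # 0 = any protocol ("ip" on the ASA)

def _addr(tok):
    """Consume one ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_crypto_acl(line):
    """Derive the phase-2 proxy IDs an ASA proposes from one crypto-map ACL entry."""
    tok = line.split()
    if tok[:1] != ["access-list"] or len(tok) < 4:
        raise ValueError("not an access-list entry")
    tok = tok[2:]                        # drop 'access-list <name>'
    if tok[0] == "extended":             # keyword is optional on ASA 7.x
        tok = tok[1:]
    if tok[0] != "permit":
        raise ValueError("crypto ACLs select tunnel traffic with permit entries")
    proto = PROTO_NUM[tok[1]]
    local, tok = _addr(tok[2:])          # source address = ASA-side (local) network
    remote, tok = _addr(tok)             # destination address = peer-side (remote) network
    port = int(tok[1]) if tok[:1] == ["eq"] else None   # numeric ports only in this example
    return {"local": local, "remote": remote, "proto": proto, "port": port}

def mirrors_peer_policy(asa, peer):
    """True when the ASA proxy IDs are the exact mirror of the peer's policy-based VPN policy."""
    return (asa["local"] == peer["dst"] and asa["remote"] == peer["src"]
            and asa["proto"] == peer["proto"] and asa["port"] == peer["port"])

if __name__ == "__main__":
    for acl in (ACL_SUSPECTED, ACL_FIXED):
        ok = mirrors_peer_policy(parse_crypto_acl(acl), NETSCREEN_POLICY)
        print("match   " if ok else "MISMATCH", acl)
```

A mismatch here is what shows up on the Netscreen as a phase-2 proxy-ID rejection, so comparing the two sides' selectors this way is the first check to run before touching IKE phase-1 settings.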
2 REPLIES

New Member

Re: Netscreen to ASA IKE negotiation failure

Thanks! Worked like a charm.
