I have a PIX-515 Cisco PIX Firewall, Version 6.3(5). I configured a new VPN tunnel; however, it is not starting. I can see that the hit count is increasing for the VPN crypto access list (and all other access lists, see configuration below). I monitored the outside interface: no IKE traffic was captured. Debug crypto isakmp or ipsec does not show any activity related to VPN creation. Do you have ideas why VPN tunnel creation is not triggered even though there is traffic that has to be encrypted?
VPNs to other partners are working.
Here is the configuration (I have changed the actual IP addresses):
1. Internal private IP addresses (172.16.1.0/24) are translated to the public IP address 184.108.40.206 according to the Policy-NAT access list and other NAT configuration. 220.127.116.11 is not the IP address of my VPN peer. It is the source IP address of traffic going through the VPN tunnel to our partner network.
2. I would not like to allow all TCP traffic to go through the VPN. Therefore I allowed only traffic to destination TCP port 7130.
1) You don't really need to NAT your 'INTERNAL-NET' when going out to the Partner. Is this a business requirement? Do you want to hide the 172.16... network from the Partner? This network will remain hidden in the VPN tunnel anyway (as you are using tunnel mode) from all devices in transit. If NAT is not a requirement, remove the NAT for the Internal >> Partner net communication, and modify your crypto ACL to be the same as the Policy NAT ACL.
Even IF you require NAT, then also try modifying the ACL as above. It could be that you are hitting an 'order of operation' related issue (NAT and crypto functions). I will check the exact order and get back to you.
I would also recommend posting the output of the packet-tracer command; it would tell you what exactly is going wrong.
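To make the reply's suggestion concrete, here is an added example of the two ways to line up the policy-NAT ACL and the crypto ACL on PIX 6.3 (this is not the poster's configuration, which is not reproduced on the page). The partner network 192.0.2.0/24, the peer address 203.0.113.1, NAT ID 2 and the ACL, transform-set and crypto-map names are assumptions; 172.16.1.0/24, 184.108.40.206 and TCP port 7130 are taken from the question.

```text
! Option A: no NAT toward the partner. Exempt the internal net from NAT
! with "nat 0" and let the crypto ACL match the same (real) addresses.
! (192.0.2.0/24 is an assumed partner network.)
access-list NONAT-PARTNER permit tcp 172.16.1.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 7130
nat (inside) 0 access-list NONAT-PARTNER
access-list CRYPTO-PARTNER permit tcp 172.16.1.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 7130

! Option B: keep policy NAT (hide 172.16.1.0/24 behind 184.108.40.206).
! On the PIX, outbound traffic is translated before the crypto map is
! evaluated, so the crypto ACL must match the translated source
! (host 184.108.40.206), not the real 172.16.1.0/24 addresses.
! Use only one of Option A or Option B for the same traffic.
access-list POLICY-NAT-PARTNER permit tcp 172.16.1.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 7130
nat (inside) 2 access-list POLICY-NAT-PARTNER
global (outside) 2 184.108.40.206
access-list CRYPTO-PARTNER permit tcp host 184.108.40.206 192.0.2.0 255.255.255.0 eq 7130

! Common part: bind the crypto ACL to the map entry for this peer
! (203.0.113.1 is an assumed peer address).
crypto ipsec transform-set PARTNER-TS esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 20 ipsec-isakmp
crypto map OUTSIDE-MAP 20 match address CRYPTO-PARTNER
crypto map OUTSIDE-MAP 20 set peer 203.0.113.1
crypto map OUTSIDE-MAP 20 set transform-set PARTNER-TS
crypto map OUTSIDE-MAP interface outside
```

Whichever option is used, the crypto ACL's source must describe the packet as it leaves the outside interface, otherwise the flow is forwarded in the clear (or dropped) without ever triggering IKE, which matches the symptom of ACL hit counts rising with no IKE packets captured. Note that the packet-tracer command was introduced in the 7.2 software train and is not available on 6.3(5); on that release, `show crypto ipsec sa` and `show isakmp sa` alongside the `debug crypto` commands already run are the closest checks.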
We have many VPN tunnels to our partners where the connection is initiated on our side (we are the client, they are the server). I would like to hide our internal IP address space by doing NAT to a public IP address. This will give us the flexibility to change our internal IPs without the need to reconfigure the crypto access lists for all VPNs. Also, from a security perspective, we do not fully trust our partners. Therefore we have restrictive access lists for traffic going to and from our partners.
I cleared all SAs on the firewall. After that the new VPN tunnels came up. So it is not a problem in the configuration itself. Is it possible that somehow the firewall gets into a state where new VPNs cannot be initiated? I am wondering if somebody else has had this problem. How can I troubleshoot whether the firewall is in some corrupted state? I checked CPU usage and syslog; nothing unusual.
I cannot clear SAs on the production firewall for every new VPN. It causes downtime for all other services.