Cisco Support Community
New Member

VPN only initiated one way

Does anybody have any ideas why a site-to-site VPN tunnel could only be established one way? I have a PIX connecting to a VPN concentrator via an IPsec tunnel using NAT-T. From the concentrator, if I initiate traffic to the PIX, the tunnel comes up and then I can access resources behind the concentrator from the PIX side.

If I try to initiate traffic from the PIX side, the tunnel will not come up. Doing a debug on the PIX, it doesn't even try to initiate the tunnel.

Here is a snippet from the PIX config:

crypto ipsec transform-set TestSet esp-3des esp-sha-hmac
crypto map TestMap 10 ipsec-isakmp
crypto map TestMap 10 match address ACL_VPN
crypto map TestMap 10 set peer 10.10.10.1
crypto map TestMap 10 set transform-set TestSet
crypto map TestMap interface outside
isakmp enable outside
isakmp key ******** address 10.10.10.1 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I am just using the 10.x addresses above for the peer as an example. The ACL_VPN specifies the local/remote subnets correctly. The default route is to the outside interface of the PIX.

On the concentrator, I have specified the tunnel is bi-directional.

Anybody have any ideas why it will only initiate one way?

Cheers

Brian

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: VPN only initiated one way

Please post your ACL 'ACL_VPN' and your NAT Exemption ACL.

Thanks!

4 REPLIES
Green

Re: VPN only initiated one way

Is there a firewall in front of the concentrator that would be blocking the PIX from initiating?

Hall of Fame Super Blue

Re: VPN only initiated one way

Hi

If the PIX is not even trying to initiate the tunnel, then it looks like your crypto access-list is not matching any traffic.

Are you NATting the source IPs on the PIX and, if so, does your crypto access-list reference the NATted addresses, which it should?

Jon

New Member

Re: VPN only initiated one way

Forgot my nat 0. Doh! Working fine now.

Cheers

Brian
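Jon's diagnosis and Brian's "forgot my nat 0" fix, written out as an added PIX 6.x configuration example (this is not configuration from the thread or from Cisco's documentation). The PIX translates a packet before it consults the crypto map, so with a catch-all PAT rule an inside source is rewritten to the outside interface address and never matches ACL_VPN, and no IKE negotiation is ever started; a nat 0 exemption keeps the VPN-bound flows untranslated. The subnets (192.168.1.0/24 behind the PIX, 192.168.2.0/24 behind the concentrator), the ACL name NONAT and the sysopt line are assumptions; the peer address and crypto names are the ones Brian posted.

```text
! --- Broken: every inside host is PAT'd to the outside interface address ---
! NAT runs before the crypto map check, so a packet from 192.168.1.10 to
! 192.168.2.20 reaches the crypto ACL as <outside-IP> -> 192.168.2.20.
! Nothing in ACL_VPN matches that, so the PIX never initiates IKE.
! (Traffic from the concentrator side still works: the PIX is the responder.)
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Crypto ACL: real (untranslated) local and remote subnets (assumed values)
access-list ACL_VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! --- Fix: exempt the VPN flows from NAT so the crypto ACL sees real addresses ---
! NONAT (assumed name) must list the same local/remote pairs as ACL_VPN;
! nat 0 with an access-list takes precedence over the other nat rules.
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Crypto configuration as posted in the thread, unchanged
crypto ipsec transform-set TestSet esp-3des esp-sha-hmac
crypto map TestMap 10 ipsec-isakmp
crypto map TestMap 10 match address ACL_VPN
crypto map TestMap 10 set peer 10.10.10.1
crypto map TestMap 10 set transform-set TestSet
crypto map TestMap interface outside

! Assumed: let decrypted IPsec traffic bypass the outside interface ACL
sysopt connection permit-ipsec

! Verification after the change, from a host behind the PIX:
!   show crypto isakmp sa   -> an SA to 10.10.10.1 appears after inside-initiated traffic
!   show crypto ipsec sa    -> the #pkts encaps counter for 192.168.1.0/24 -> 192.168.2.0/24 increments
```

Keep NONAT and ACL_VPN in step: if a new remote subnet is added to the crypto ACL but not to the exemption list, traffic to it is PAT'd and silently fails to bring the tunnel up from the PIX side, which is exactly the one-way symptom described above.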
