Thanks for the reply. Yes we already checked it. We even configured our pre-shared key to a very simple one to avoid mistake. Thanks.

Regards,

John

I'm also wondering right now because suddenly, ISAKMP session stopped. I tried to erase the crypto map that corresponds to that tunnel and re-apply it again. Now, I don't even see my PIX firewall initiating Phase 1 session. What should I check again? Should I see my PIX firewall doing Phase 1 even if he configured something on his end that prevents me from initiating it?

Regards,

John

Hi,

For anyone who can help me, here's my configuration.

Interesting traffic:

access-list test permit ip 10.252.4.0 255.255.255.0 10.254.0.0 255.255.0.0

ISAKMP Policy:

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption 3des

isakmp policy 9 hash md5

isakmp policy 9 group 1

isakmp policy 9 lifetime 86400

Crypto Maps:

crypto map outside 90 ipsec-isakmp

crypto map outside 90 match address test

crypto map outside 90 set pfs group2

crypto map outside 90 set peer x.x.x.x

crypto map outside 90 set transform-set testing

crypto ipsec transform-set testing esp-3des esp-md5-hmac

crypto map outside interface outside

Pre-shared key:

isakmp key secret address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

For translation:

global (outside) 12 10.252.4.250

nat (inside) 12 10.252.1.250 255.255.255.255 0 0

I can see the access-list test being hit but the PIX firewall doesn't initiate the connection. Please help.

Regards,

John

Hi

I see your NAT statements have 12, have you got any others that could be NATTING the 10.252.4.0/24 network?

Also check the isakmp polcies on both routers.

Can you doa bedug of isakmp?