[VPN] PIX-to-PIX VPN problem

Catalin Condurache catalin at sychron.com
Sun Jan 26 09:00:05 EST 2003


Hi,
I have two PIX515 in two offices working fine with Cisco VPN clients. I'm
trying to create a VPN Tunnel between offices using the PIXes.
So, following some documentation I updated the configurations on both
PIXes, but I'm getting:

"IPSEC(sa_initiate): ACL = deny; no sa created"

The Cisco VPN clients can still connect.
The configs are very similar, just some interchanges regarding the outside
interfaces and the peer IPs.

------------------------
access-list inside_outbound_nat0_acl permit ip any 10.2.95.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip <NETWORK1> 255.255.0.0 <NETWORK2> 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 10.2.95.0 255.255.255.0
access-list users_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any
access-list 110 permit ip <NETWORK1> 255.255.0.0 <NETWORK2> 255.255.0.0
ip address outside <IP1_OUTSIDE> 255.255.255.248
ip address inside <IP1_INSIDE> 255.255.0.0
ip local pool VPN_Group 10.2.95.100-10.2.95.200
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 <GATEWAY1> 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 11 ipsec-isakmp
crypto map outside_map 11 match address 110
crypto map outside_map 11 set peer <IP2_OUTSIDE>
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication <WIN_HOST>
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address <IP2_OUTSIDE> netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
------------------------------

------------------------
access-list inside_outbound_nat0_acl permit ip any 10.1.95.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip <NETWORK2> 255.255.0.0 <NETWORK1> 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 10.1.95.0 255.255.255.0
access-list users_splitTunnelAcl permit ip 10.0.0.0 255.0.0.0 any
access-list 110 permit ip <NETWORK2> 255.255.0.0 <NETWORK1> 255.255.0.0
ip address outside <IP2_OUTSIDE> 255.255.255.248
ip address inside <IP2_INSIDE> 255.255.0.0
ip local pool VPN_Group 10.1.95.100-10.1.95.200
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 <GATEWAY2> 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 11 ipsec-isakmp
crypto map outside_map 11 match address 110
crypto map outside_map 11 set peer <IP1_OUTSIDE>
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication <WIN_HOST>
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address <IP1_OUTSIDE> netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
------------------------------

And all I'm getting when I initiate traffic is
"IPSEC(sa_initiate): ACL = deny; no sa created"
I found that it is about 'proxy mismatches' and there are some troubles with
ACLs, but I can't see where.

Many thanks for any suggestions!
Catalin
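The poster narrows the "ACL = deny; no sa created" message down to a proxy identity ('proxy mismatch') problem in the ACLs. As an added illustration, not part of the original mail or of any Cisco tool, the Python below parses the crypto ACL (110) and the nat 0 exemption ACL from both PIX snippets and reports crypto entries whose (source, destination) pair is not mirrored exactly on the peer, plus crypto entries that no nat 0 entry covers (traffic that would be translated before it is matched against the crypto map). The 172.16.0.0/16 and 172.17.0.0/16 values are constructed stand-ins for the <NETWORK1>/<NETWORK2> placeholders, and PIX_B_BAD is a constructed variant with one mask changed to show what a mismatch looks like.

```python
import ipaddress

# Constructed sample configs: only the two ACLs relevant to the L2L tunnel,
# with <NETWORK1>=172.16.0.0/16 and <NETWORK2>=172.17.0.0/16 (made-up values).
PIX_A = """
access-list inside_outbound_nat0_acl permit ip any 10.2.95.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list 110 permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
"""
PIX_B = """
access-list inside_outbound_nat0_acl permit ip any 10.1.95.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list 110 permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
"""
# Constructed fault: one side uses a /24 where the peer expects a /16.
PIX_B_BAD = PIX_B.replace("access-list 110 permit ip 172.17.0.0 255.255.0.0",
                          "access-list 110 permit ip 172.17.0.0 255.255.255.0")

def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(config, name):
    """Return [(src_net, dst_net)] for the 'permit ip' entries of access-list NAME."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["access-list", name, "permit", "ip"]:
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            entries.append((src, dst))
    return entries

def mirror_mismatches(local, remote):
    """Local crypto ACL entries whose exact (dst, src) mirror is missing on the peer."""
    mirrored = {(d, s) for s, d in remote}
    return [e for e in local if e not in mirrored]

def not_nat_exempt(crypto, nat0):
    """Crypto ACL entries not fully covered by a nat 0 entry (would be NATed first)."""
    return [(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0)]

def check_pair(cfg_a, cfg_b, crypto_acl="110", nat0_acl="inside_outbound_nat0_acl"):
    """Compare two PIX configs; every list in the result should be empty."""
    a, b = parse_acl(cfg_a, crypto_acl), parse_acl(cfg_b, crypto_acl)
    return {"a_unmirrored": mirror_mismatches(a, b),
            "b_unmirrored": mirror_mismatches(b, a),
            "a_not_exempt": not_nat_exempt(a, parse_acl(cfg_a, nat0_acl)),
            "b_not_exempt": not_nat_exempt(b, parse_acl(cfg_b, nat0_acl))}
```

Run `check_pair(PIX_A, PIX_B)` for the configs as posted (all four lists empty, so the ACLs themselves mirror) and `check_pair(PIX_A, PIX_B_BAD)` to see how a single mask difference shows up on both sides.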