
PIX Tunnel Issue

Discussion in 'General Cisco Certifications' started by craigie, Nov 11, 2009.

  1. craigie

    A colleague was building 3 x PIX tunnels from different sites, but all with the same destination. One built correctly, but two have an issue.

    The issue was that the ACLs he had used on the first site (which he copied and pasted onto the next two PIXs) were already in use by an existing crypto map and another ACL, which was not even being applied to an interface.

    Anyway, I don't know a huge amount about PIXs, but I can get by.

    So I corrected both ACLs and then changed the crypto map to: crypto map newmap 310 match address 500.

    After this the tunnel still wasn't being built, so I decided to rip out the tunnel and start a new one from scratch.

    So I did the following:

    no access-list acl100 permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0
    no access-list 310 permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0
    no crypto map newmap 310 ipsec-isakmp
    no crypto map newmap 310 match address 310
    no crypto map newmap 310 set peer x.x.x.x
    no crypto map newmap 310 set transform-set myset
    no isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

    Then I ran clear crypto isakmp sa and reloaded the PIX.

    After it had rebooted I created the following:

    access-list 500 permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0
    access-list acl100 permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0
    isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
    crypto map newmap 500 ipsec-isakmp
    crypto map newmap 500 match address 500
    crypto map newmap 500 set peer x.x.x.x
    crypto map newmap 500 set transform-set myset
    crypto map newmap interface outside

    This is the syntax he used on the first tunnel, which was fine (I have just modified the ACLs). Now the tunnel will not build on the other two PIXs.

    Things we know:

    - Pre-shared key is the same at both ends
    - Source and destination IP addresses are correct
    - Correct authentication/encryption methods are being used

    Any ideas would be appreciated.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
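The post above describes two configuration mistakes that are easy to make when copying a PIX tunnel from one box to another: a crypto map entry whose match-address ACL is already the crypto ACL of another entry, and an ACL that is defined but bound to nothing. The following script is an added example, not code from the thread; it parses a PIX 6.x-style configuration and flags both conditions, plus entries missing a peer, transform set or match address, entries naming an ACL that is never defined, and crypto maps never applied to an interface. The BROKEN_CONFIG and FIXED_CONFIG strings, the 10.1.0.0/16, 192.168.x.0/24 and 203.0.113.x addresses, and the map name newmap are constructed for the example; the "fixed" version simply gives each crypto map entry its own dedicated crypto ACL, which is the correction the post arrives at.

```python
import re
from collections import defaultdict

# Constructed "before" config (example data, not from the thread): the
# copy-pasted entry 500 reuses ACL 310, which existing entry 310 already
# matches on, and acl100 is defined but bound to nothing.
BROKEN_CONFIG = """\
access-list acl100 permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 310 permit ip 10.1.0.0 255.255.0.0 192.168.20.0 255.255.255.0
crypto map newmap 310 ipsec-isakmp
crypto map newmap 310 match address 310
crypto map newmap 310 set peer 203.0.113.2
crypto map newmap 310 set transform-set myset
crypto map newmap 500 ipsec-isakmp
crypto map newmap 500 match address 310
crypto map newmap 500 set peer 203.0.113.3
crypto map newmap 500 set transform-set myset
crypto map newmap interface outside
"""

# Constructed "after": one dedicated crypto ACL per crypto map entry.
FIXED_CONFIG = """\
access-list 310 permit ip 10.1.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list 500 permit ip 10.1.0.0 255.255.0.0 192.168.30.0 255.255.255.0
crypto map newmap 310 ipsec-isakmp
crypto map newmap 310 match address 310
crypto map newmap 310 set peer 203.0.113.2
crypto map newmap 310 set transform-set myset
crypto map newmap 500 ipsec-isakmp
crypto map newmap 500 match address 500
crypto map newmap 500 set peer 203.0.113.3
crypto map newmap 500 set transform-set myset
crypto map newmap interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\b")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+\S+")
BIND_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+\S+")
ENTRY_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+(.*)$")

def parse(config):
    """Collect ACL definitions, interface bindings and crypto map entries."""
    acls = defaultdict(int)       # ACL name -> number of ACEs defined
    applied = set()               # ACLs bound to an interface with access-group
    bound_maps = set()            # crypto maps applied to an interface
    entries = defaultdict(dict)   # (map name, seq) -> {"acl", "peer", "ts"}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)] += 1
        elif m := GROUP_RE.match(line):
            applied.add(m.group(1))
        elif m := BIND_RE.match(line):
            bound_maps.add(m.group(1))
        elif m := ENTRY_RE.match(line):
            entry = entries[(m.group(1), int(m.group(2)))]
            words = m.group(3).split()
            if words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                entry["ts"] = words[2]
    return acls, applied, bound_maps, entries

def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    acls, applied, bound_maps, entries = parse(config)
    findings = []
    users = defaultdict(list)     # crypto ACL -> entries that match on it
    for (name, seq), e in sorted(entries.items()):
        where = f"crypto map {name} {seq}"
        for key, cmd in (("acl", "match address"), ("peer", "set peer"),
                         ("ts", "set transform-set")):
            if key not in e:
                findings.append(f"{where}: missing '{cmd}'")
        acl = e.get("acl")
        if acl is not None:
            users[acl].append(where)
            if acl not in acls:
                findings.append(f"{where}: match address {acl} names an undefined ACL")
            elif acl in applied:
                findings.append(f"{where}: ACL {acl} is also bound with access-group; use a dedicated crypto ACL")
    for name in sorted({n for n, _ in entries}):
        if name not in bound_maps:
            findings.append(f"crypto map {name} is not applied to any interface")
    for acl, where in users.items():
        if len(where) > 1:
            findings.append(f"ACL {acl} is the match address ACL of more than one entry: {', '.join(where)}")
    for acl in acls:
        if acl not in users and acl not in applied:
            findings.append(f"ACL {acl} is defined but used by no crypto map or access-group")
    return findings

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run it against the output of `show running-config` (or `write terminal`) saved to a file and fed to audit(); the checks are purely structural, so a clean result only says the crypto map is internally consistent, not that it mirrors the peer's ACL or that the pre-shared key and transform set match the other end.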
  2. danielno8

    To be honest, it's a bit confusing (for me anyway!) from the info you have given.

    If you can show the current config split into 3 tunnels - i.e.

    Tunnel 1

    Site 1 config

    Site 2 config

    Tunnel 2

    Site 1 config

    Site 3 config

    Tunnel 3

    Site 1 config

    Site 4 config

    This way it may become apparent where the config has gone wrong. Without seeing the config on both PIXs for each tunnel it's not possible to see if there is anything wrong, because basically that crypto map up there, to me, is correct.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
