PIX Tunnel Issue

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

A colleague was building 3 x PIX Tunnels from different sites, but all with the same destination. I built correctly, but two have an issue.

The issue was that the ACL's he had used on the first site (which he copied and pasted onto the next two PIX's) was already in use with an exisiting crypto map and another ACL which was not even being applied to an interface.

Anways, I don't know a huge amount about PIX's, but I can get by.

So I corrected the both ACL's and then changed the crypto map newmap 310 match address 500.

After this the tunnel still wasn't being built, so I decided to rip out the tunnel and start a new one from scratch.

So I did the following:

no access-list acl100 permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0
no access-list 310 permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0
no crypto map newmap 310 ipsec-isakmp
no crypto map newmap 310 match address 310
no crypto map newmap 310 set peer x.x.x.x
no crypto map newmap 310 set transform-set myset
no isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

Then ran clear cryto isakmp sa and reloaded pix.

After it had rebooted I created the following:

access-list 500 permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0
access-list acl100 permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
crypto map newmap 500 ipsec-isakmp
crypto map newmap 500 match address 500
crypto map newmap 500 set peer x.x.x.x
crypto map newmap 500 set transform-set myset
crypto map newmap interface outside

This is the syntax he used on the first tunnel, which was fine (I have just modified ACL's). Now the tunnel will not build on the other two PIX's.

Things we know:

- Pre Shared Key is the same both ends
- IP Address's Source & Destination are correct
- Correct Authentication/Encryption Methods are being used

Any ideas would be appreciated.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

to be honest it's a bit confusing (for me anyway!) from the info you have given.

If you can show the current config split into 3 tunnels - i.e.

Tunnel 1

Site 1 config

Site 2 config

Tunnel 2

Site 1 config

Site 3 config

Tunnel 3

Site 1 config

Site 4 config

This way it may become apparent where the config has gone wrong. Without seeing the config on both pixes for each tunnel it's not possible to see if there is anything wrong, cos basically that cryptomap up there, to me is correct.