Kim,
Remove the following lines from the ASA:
crypto map static-map 5 set nat-t-disable
crypto map static-map 5 set phase1-mode aggressive
crypto map static-map 5 set connection-type bi-directional
Run a debug on the PIX with 'debug cry isa 2', send interesting traffic from Dallas, check 'show cry isa sa', see if your phase 1 tunnel is up.
I don't think you want to enable quick mode (aggressive) with a main mode sender. The ASA may be intelligent enough to negotiate main mode, but I don't think the PIX will do the same.
Give those a shot and let us know what you find.
-ryan
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Teu Kim Loon
Sent: Thursday, July 23, 2009 10:21 AM
To: Alberto Rivai
Cc: Cisco certification; ccielab_at_groupstudy.com
Subject: Re: IPSec VPN - Interesting traffic only trigger crypto map from one end
Below is the error I see when trying to initiate connections behind PIX. On the ASA side, I didn't see any error or traffic.
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
I found this bug. Is this applicable to PIX?
"Configuring two crypto map entries using the same name but different
priorities, different peers, different access lists, causes the
second crypto map entry to be ineffective and no corresponding
security associations are established. [...]
The workaround is to avoid configuring two crypto map entries with
the same name but different priority, different peers, and different
access lists [...] (CSCea25305)"
<<<<ASA Config>>>>
object-group network BRAZIL_REMOTE
network-object 192.168.95.128 255.255.255.128
network-object 192.168.96.0 255.255.254.0
object-group network BRAZIL_LOCAL
network-object host 144.72.247.54
network-object 172.26.39.0 255.255.255.0
network-object 192.168.120.0 255.255.255.0
network-object 192.168.122.0 255.255.255.0
network-object 192.168.124.0 255.255.255.0
network-object 172.26.72.0 255.255.254.0
network-object 172.17.248.0 255.255.248.0
access-list L2L_BRAZIL extended permit ip object-group BRAZIL_LOCAL object-group BRAZIL_REMOTE
crypto ipsec transform-set L2L_GM_BRAZIL esp-des esp-md5-hmac
group-policy 1.1.1.1 internal
group-policy 1.1.1.1 attributes
vpn-tunnel-protocol ipsec
vpn-filter none
vpn-idle-timeout none
webvpn
functions none
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy 1.1.1.1
accounting-server-group default_ar
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key XXXXXXX
no chain
no trust-point
isakmp keepalive disable
peer-id-validate req
crypto map static-map 5 match address L2L_BRAZIL
crypto map static-map 5 set peer 1.1.1.1
crypto map static-map 5 set transform-set L2L_BRAZIL
crypto map static-map 5 set security-association lifetime seconds 86400
crypto map static-map 5 set security-association lifetime kilobytes 4608000
crypto map static-map 5 set nat-t-disable
crypto map static-map 5 set phase1-mode aggressive
crypto map static-map 5 set connection-type bi-directional
crypto map static-map interface outside
crypto isakmp enable outside
<<<<PIX Config>>>>
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.120.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.120.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.39.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.39.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.122.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.122.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.124.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.124.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.72.0 255.255.254.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.72.0 255.255.254.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 host 144.72.247.54
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 host 144.72.247.54
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.17.248.0 255.255.248.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.17.248.0 255.255.248.0
nat (inside) 0 access-list inside_nonat
access-list inside_nonat permit ip any 192.168.122.0 255.255.255.0
access-list inside_nonat permit ip any 192.168.124.0 255.255.255.0
....
crypto map Tempe interface outside
isakmp enable outside
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
crypto map Tempe 20 ipsec-isakmp
crypto map Tempe 20 match address dallas1_vpn
crypto map Tempe 20 set peer 2.2.2.2
crypto map Tempe 20 set transform-set Tempe
crypto map Tempe 20 set security-association lifetime seconds 86400 kilobytes 4602000
On Thu, Jul 23, 2009 at 7:49 AM, Alberto Rivai <bartoqid_at_yahoo.com> wrote:
> Usually its because wrong access-list to match the encrypted traffic,
> common
> mistake
>
> --- On Thu, 7/23/09, Teu Kim Loon <kim.teu_at_gmail.com> wrote:
>
> From: Teu Kim Loon <kim.teu_at_gmail.com>
> Subject: IPSec VPN - Interesting traffic only trigger crypto map from one
> end
> To: "Cisco certification" <security_at_groupstudy.com>,
> ccielab_at_groupstudy.com
> Date: Thursday, July 23, 2009, 10:14 AM
>
> Hello Experts,
> IPSec VPN between ASA 8.0 and PIX 6.3. I verified identical IKE and IPSec
> configuration on both ends. However, I am only able to initiate connection
> from ASA.
>
> Any idea why?
>
> Thanks.
> Kim
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
May All Be Happy!!!
Kim Loon Teu
CCIE 19369
www.kimteu.com
http://www.linkedin.com/in/kimteu
All conditioned phenomena
Are like a dream, an illusion, a bubble, a shadow
Like the dew, or like lightning
You should discern them like this

Received on Thu Jul 23 2009 - 11:04:40 ART
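The first thing to rule out in a one-way tunnel like this one is the mismatch Alberto points at: each peer's crypto ACL must be the exact mirror image of the other's, or one side will select traffic for encryption while the other side's SA negotiation sees `ACL = deny`. The script below is an added example, not code from the thread or from Cisco; it expands the ASA's object-group based ACL into source/destination network pairs, parses the PIX 6.3 ACL, and reports any pair that is missing or extra on the far side. The object groups and the two ACLs quoted in this thread are embedded as constructed input (the ASA's `L2L_BRAZIL` and the PIX's `dallas1_vpn`), and the parser only handles the ACL syntax that appears on this page (`host`, network/mask, `object-group`, `any`). Run against these configs the check comes back clean, which is consistent with the ACLs not being the cause here.

```python
import ipaddress
from itertools import product

# Constructed from the ASA config quoted in the thread.
ASA_OBJECT_GROUPS = """
object-group network BRAZIL_REMOTE
 network-object 192.168.95.128 255.255.255.128
 network-object 192.168.96.0 255.255.254.0
object-group network BRAZIL_LOCAL
 network-object host 144.72.247.54
 network-object 172.26.39.0 255.255.255.0
 network-object 192.168.120.0 255.255.255.0
 network-object 192.168.122.0 255.255.255.0
 network-object 192.168.124.0 255.255.255.0
 network-object 172.26.72.0 255.255.254.0
 network-object 172.17.248.0 255.255.248.0
"""
ASA_ACL = ("access-list L2L_BRAZIL extended permit ip "
           "object-group BRAZIL_LOCAL object-group BRAZIL_REMOTE")

# Constructed from the PIX 6.3 config quoted in the thread (wrapped lines rejoined).
PIX_ACL = """
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.120.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.120.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.39.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.39.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.122.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.122.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.124.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.124.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.72.0 255.255.254.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.72.0 255.255.254.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 host 144.72.247.54
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 host 144.72.247.54
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.17.248.0 255.255.248.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.17.248.0 255.255.248.0
"""


def parse_object_groups(text):
    """Map object-group name -> list of IPv4Network (ASA 'object-group network' syntax)."""
    groups, current = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[0] == "network-object" and current is not None:
            if tok[1] == "host":
                groups[current].append(ipaddress.ip_network(tok[2] + "/32"))
            else:  # "network mask" form; ipaddress accepts a dotted netmask
                groups[current].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
    return groups


def _take_endpoint(tok, i, groups):
    """Consume one ACL endpoint starting at tok[i]; return (networks, next index)."""
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2


def acl_pairs(text, groups=None):
    """Expand a crypto ACL into the set of (source network, destination network) it permits."""
    groups = groups or {}
    pairs = set()
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        i = 2                       # tok[1] is the ACL name
        if tok[i] == "extended":    # ASA keyword; PIX 6.3 has none
            i += 1
        if tok[i] != "permit":      # deny entries never select traffic for encryption
            continue
        i += 2                      # skip 'permit' and the protocol ('ip')
        srcs, i = _take_endpoint(tok, i, groups)
        dsts, i = _take_endpoint(tok, i, groups)
        pairs.update(product(srcs, dsts))
    return pairs


def mirror_check(local_pairs, remote_pairs):
    """The remote crypto ACL should equal the local one with src/dst swapped.
    Returns (pairs missing on the remote side, pairs the remote side has but local lacks)."""
    expected = {(dst, src) for (src, dst) in local_pairs}
    return expected - remote_pairs, remote_pairs - expected


def check_thread_configs():
    """Compare the ASA and PIX crypto ACLs from the thread; returns (asa_pairs, pix_pairs, (missing, extra))."""
    asa = acl_pairs(ASA_ACL, parse_object_groups(ASA_OBJECT_GROUPS))
    pix = acl_pairs(PIX_ACL)
    return asa, pix, mirror_check(asa, pix)


if __name__ == "__main__":
    asa, pix, (missing, extra) = check_thread_configs()
    print(f"ASA selects {len(asa)} network pairs, PIX selects {len(pix)}")
    for src, dst in sorted(missing, key=str):
        print(f"PIX is missing: {src} -> {dst}")
    for src, dst in sorted(extra, key=str):
        print(f"PIX has extra:  {src} -> {dst}")
    print("ACLs are mirror images" if not (missing or extra) else "ACLs do NOT mirror")
```

Because the check expands object groups into explicit pairs, it also catches the subtler cases where a single ASA ACE with object groups covers more (or fewer) combinations than the flat list of ACEs on the PIX side.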
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART