Re: IPSec VPN - Interesting traffic only trigger crypto map

From: Teu Kim Loon 張錦倫 <kim.teu_at_gmail.com>
Date: Thu, 23 Jul 2009 10:59:46 -0500

I do have crypto maps with the same name. I truncated the config output. I
have to use the same name because the crypto map is tied to one interface.
I don't see a way to tie different crypto maps to the same interface.

I didn't use ASDM to configure ASA.

I have reconfigured the crypto ACLs to make them mirrors of each other. Still
no luck.

On Thu, Jul 23, 2009 at 10:55 AM, Craig Miller <ripperthejack2001_at_yahoo.com> wrote:

>
> That bug doesn't apply, you don't have multiple crypto maps with the same
> name, unless you truncated the output of your show run.
>
> The previous poster was right, look at your protected networks, they don't
> match on both sides, also, if you have a dynamic cryptomap (which I don't see
> but could be truncated off the list), the dynamic map needs to be placed at
> the bottom of the list, or it could cause SA issues as well.
>
> Other things to check, NAT-T, verify ISAKMP is enabled properly etc. I have
> seen the ASA ASDM leave off the ISAKMP configuration before.
>
> But I think your mis-matched ACL / protected networks is your problem.
>
> Craig
>
> --- On Thu, 7/23/09, Teu Kim Loon 張錦倫 <kim.teu_at_gmail.com> wrote:
>
> > From: Teu Kim Loon 張錦倫 <kim.teu_at_gmail.com>
> > Subject: Re: IPSec VPN - Interesting traffic only trigger crypto map from one end
> > To: "Alberto Rivai" <bartoqid_at_yahoo.com>
> > Cc: "Cisco certification" <security_at_groupstudy.com>, ccielab_at_groupstudy.com
> > Date: Thursday, July 23, 2009, 9:21 AM
> > Below is the error I see when trying
> > to initiate connections behind PIX. On
> > the ASA side, I didn't see any error or traffic.
> > IPSEC(sa_initiate): ACL = deny; no sa created
> > IPSEC(sa_initiate): ACL = deny; no sa created
> > IPSEC(sa_initiate): ACL = deny; no sa created
> > IPSEC(sa_initiate): ACL = deny; no sa created
> >
> > I found this bug. Is this applicable to PIX?
> > "Configuring two crypto map entries using the same name but
> > different
> > priorities, different peers, different access lists, causes
> > the
> > second crypto map entry to be ineffective and no
> > corresponding
> > security associations are established. [...]
> > The workaround is to avoid configuring two crypto map
> > entries with
> > the same name but different priority, different peers, and
> > different
> > access lists [...] (CSCea25305)"
> >
> >
> >
> > <<<<ASA Config>>>>
> >
> > object-group network BRAZIL_REMOTE
> > network-object 192.168.95.128 255.255.255.128
> > network-object 192.168.96.0 255.255.254.0
> > object-group network BRAZIL_LOCAL
> > network-object host 144.72.247.54
> > network-object 172.26.39.0 255.255.255.0
> > network-object 192.168.120.0 255.255.255.0
> > network-object 192.168.122.0 255.255.255.0
> > network-object 192.168.124.0 255.255.255.0
> > network-object 172.26.72.0 255.255.254.0
> > network-object 172.17.248.0 255.255.248.0
> >
> > access-list L2L_BRAZIL extended permit ip object-group BRAZIL_LOCAL object-group BRAZIL_REMOTE
> >
> > crypto ipsec transform-set L2L_GM_BRAZIL esp-des esp-md5-hmac
> >
> > group-policy 1.1.1.1 internal
> > group-policy 1.1.1.1 attributes
> > vpn-tunnel-protocol ipsec
> > vpn-filter none
> > vpn-idle-timeout none
> > webvpn
> > functions none
> >
> > tunnel-group 1.1.1.1 type ipsec-l2l
> > tunnel-group 1.1.1.1 general-attributes
> > default-group-policy 1.1.1.1
> > accounting-server-group default_ar
> > tunnel-group 1.1.1.1 ipsec-attributes
> > pre-shared-key XXXXXXX
> > no chain
> > no trust-point
> > isakmp keepalive disable
> > peer-id-validate req
> >
> > crypto map static-map 5 match address L2L_BRAZIL
> > crypto map static-map 5 set peer 1.1.1.1
> > crypto map static-map 5 set transform-set L2L_BRAZIL
> > crypto map static-map 5 set security-association lifetime seconds 86400
> > crypto map static-map 5 set security-association lifetime kilobytes 4608000
> > crypto map static-map 5 set nat-t-disable
> > crypto map static-map 5 set phase1-mode aggressive
> > crypto map static-map 5 set connection-type bi-directional
> >
> > crypto map static-map interface outside
> > crypto isakmp enable outside
> >
> > <<<<PIX Config>>>>
> >
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.120.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.120.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.39.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.39.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.122.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.122.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.124.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.124.0 255.255.255.0
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.72.0 255.255.254.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.72.0 255.255.254.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 host 144.72.247.54
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 host 144.72.247.54
> > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.17.248.0 255.255.248.0
> > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.17.248.0 255.255.248.0
> >
> > nat (inside) 0 access-list inside_nonat
> > access-list inside_nonat permit ip any 192.168.122.0 255.255.255.0
> > access-list inside_nonat permit ip any 192.168.124.0 255.255.255.0
> > ....
> >
> > crypto map Tempe interface outside
> > isakmp enable outside
> > isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
> >
> > crypto map Tempe 20 ipsec-isakmp
> > crypto map Tempe 20 match address dallas1_vpn
> > crypto map Tempe 20 set peer 2.2.2.2
> > crypto map Tempe 20 set transform-set Tempe
> > crypto map Tempe 20 set security-association lifetime seconds 86400 kilobytes 4602000
> >
> >
> >
> > On Thu, Jul 23, 2009 at 7:49 AM, Alberto Rivai <bartoqid_at_yahoo.com> wrote:
> >
> > > Usually it's because of a wrong access-list to match the encrypted traffic,
> > > a common mistake
> > >
> > > --- On Thu, 7/23/09, Teu Kim Loon 張錦倫 <kim.teu_at_gmail.com> wrote:
> > >
> > > From: Teu Kim Loon 張錦倫 <kim.teu_at_gmail.com>
> > > Subject: IPSec VPN - Interesting traffic only trigger crypto map from one end
> > > To: "Cisco certification" <security_at_groupstudy.com>,
> > > ccielab_at_groupstudy.com
> > > Date: Thursday, July 23, 2009, 10:14 AM
> > >
> > > Hello Experts,
> > > IPSec VPN between ASA 8.0 and PIX 6.3. I verified identical IKE and IPSec
> > > configuration on both ends. However, I am only able to initiate connection
> > > from ASA.
> > >
> > > Any idea why?
> > >
> > > Thanks.
> > > Kim
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > >
> > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
> >
> > --
> > May All Behappy!!!
> > Kim Loon Teu
> > CCIE 19369
> > www.kimteu.com
> > http://www.linkedin.com/in/kimteu
> >
> > All conditioned phenomena
> > Are like a dream, an illusion, a bubble, a shadow
> > Like the dew, or like lightning
> > You should discern them like this
> >
> >
> >
> >

--
May All Behappy!!!
Kim Loon Teu
CCIE 19369
www.kimteu.com
http://www.linkedin.com/in/kimteu
All conditioned phenomena
Are like a dream, an illusion, a bubble, a shadow
Like the dew, or like lightning
You should discern them like this
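The mirror-image check that Alberto and Craig point to can be done offline before touching the boxes. The following is an added example, not code from the thread: it expands the ASA's single object-group ACE into source/destination pairs and compares that against the PIX `dallas1_vpn` entries as posted above; the networks are copied from the quoted configs, and the function names are my own.

```python
import ipaddress
from itertools import product

def net(spec):
    """Parse one ACL address token: 'host A.B.C.D' or 'A.B.C.D MASK'."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(parts[0] + "/" + parts[1])  # dotted mask is accepted

# ASA side, copied from the posted config: one ACE over two object-groups,
# 'permit ip object-group BRAZIL_LOCAL object-group BRAZIL_REMOTE'.
BRAZIL_LOCAL = ["host 144.72.247.54", "172.26.39.0 255.255.255.0",
                "192.168.120.0 255.255.255.0", "192.168.122.0 255.255.255.0",
                "192.168.124.0 255.255.255.0", "172.26.72.0 255.255.254.0",
                "172.17.248.0 255.255.248.0"]
BRAZIL_REMOTE = ["192.168.95.128 255.255.255.128", "192.168.96.0 255.255.254.0"]

# PIX side, copied from the posted dallas1_vpn ACL as (source, destination).
B1, B2 = "192.168.95.128 255.255.255.128", "192.168.96.0 255.255.254.0"
PIX_ACL = [(B1, "192.168.120.0 255.255.255.0"), (B2, "192.168.120.0 255.255.255.0"),
           (B1, "172.26.39.0 255.255.255.0"), (B2, "172.26.39.0 255.255.255.0"),
           (B1, "192.168.122.0 255.255.255.0"), (B2, "192.168.122.0 255.255.255.0"),
           (B1, "192.168.124.0 255.255.255.0"), (B2, "192.168.124.0 255.255.255.0"),
           (B1, "172.26.72.0 255.255.254.0"), (B2, "172.26.72.0 255.255.254.0"),
           (B2, "host 144.72.247.54"), (B1, "host 144.72.247.54"),
           (B1, "172.17.248.0 255.255.248.0"), (B2, "172.17.248.0 255.255.248.0")]

def expand_object_group_ace(local_group, remote_group):
    """'permit ip object-group A object-group B' matches every (a, b) in A x B."""
    return {(net(s), net(d)) for s, d in product(local_group, remote_group)}

def mirror_diff(asa_pairs, pix_acl):
    """Compare the PIX ACL with the mirror image (dst, src) of the ASA pairs.

    Returns (missing_on_pix, extra_on_pix); both empty means each side
    describes the same protected networks from its own point of view.
    """
    expected = {(d, s) for s, d in asa_pairs}
    actual = {(net(s), net(d)) for s, d in pix_acl}
    return expected - actual, actual - expected

if __name__ == "__main__":
    asa = expand_object_group_ace(BRAZIL_LOCAL, BRAZIL_REMOTE)
    missing, extra = mirror_diff(asa, PIX_ACL)
    for src, dst in sorted(missing, key=str):
        print(f"PIX is missing: permit ip {src} {dst}")
    for src, dst in sorted(extra, key=str):
        print(f"PIX has extra:  permit ip {src} {dst}")
    print("mismatch" if (missing or extra) else "crypto ACLs mirror each other")
```

With the two configs as posted, the sets match, which agrees with the "reconfigured to mirror" remark and points the search elsewhere (NAT exemption on the PIX only covers some of the local networks shown, and the ASA crypto map references a transform-set name that differs from the one defined).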
Received on Thu Jul 23 2009 - 10:59:46 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART