Re: IPSec VPN - Interesting traffic only trigger crypto map

From: Stuart Hare <stuart.hare_at_googlemail.com>
Date: Thu, 23 Jul 2009 22:19:11 +0100

You mentioned in your first post that you cannot initiate it from the ASA
does that mean you can from the PIX to the ASA?

If you can connect one way, that would tell me that your phase 1 and phase 2
settings are fine.

As already mentioned, ensure that your proxy ACLs are exact mirrors of each
other.
The general reason I have found for one-way VPNs is a lack of routing for the
protected networks: if there is no next hop for those destination networks
in your proxy ACL that sends the traffic out the interface your crypto
map is assigned to, it will never get matched, and a crypto session will
never be initiated.

A good sign of this is very little meaningful crypto debug output.

So basically ensure your peer IPs are reachable and that each device has
routes to the destination networks that will be encrypted.

You are also right in the fact that you can only have one active crypto map
assigned to each interface, so you really have no choice but to use the
sequence numbers if you have multiple VPNs. Haven't looked at the bug though.

HTH

Stu

2009/7/23 Teu Kim Loon <kim.teu_at_gmail.com>

> I do have crypto maps with the same name. I truncated the config output. I
> have to use the same name because the crypto map is tied to one interface.
> I don't see a way to tie different crypto maps to the same interface.
>
> I didn't use ASDM to configure ASA.
>
> I have reconfigured the crypto ACLs to make them mirrors of each other.
> Still no luck.
>
> On Thu, Jul 23, 2009 at 10:55 AM, Craig Miller
> <ripperthejack2001_at_yahoo.com> wrote:
>
> >
> > That bug doesn't apply, you don't have multiple crypto maps with the same
> > name, unless you truncated the output of your show run.
> >
> > The previous poster was right, look at your protected networks, they don't
> > match on both sides, also, if you have a dynamic cryptomap (which I don't see
> > but could be truncated off the list), the dynamic map needs to be placed at
> > the bottom of the list, or it could cause SA issues as well.
> >
> > Other things to check, NAT-T, verify ISAKMP is enabled properly etc. I have
> > seen the ASA ASDM leave off the ISAKMP configuration before.
> >
> > But I think your mis-matched ACL / protected networks is your problem.
> >
> > Craig
> >
> > --- On Thu, 7/23/09, Teu Kim Loon <kim.teu_at_gmail.com> wrote:
> >
> > > From: Teu Kim Loon <kim.teu_at_gmail.com>
> > > Subject: Re: IPSec VPN - Interesting traffic only trigger crypto map from one end
> > > To: "Alberto Rivai" <bartoqid_at_yahoo.com>
> > > Cc: "Cisco certification" <security_at_groupstudy.com>, ccielab_at_groupstudy.com
> > > Date: Thursday, July 23, 2009, 9:21 AM
> > > Below is the error I see when trying to initiate connections behind PIX. On
> > > the ASA side, I didn't see any error or traffic.
> > > IPSEC(sa_initiate): ACL = deny; no sa created
> > > IPSEC(sa_initiate): ACL = deny; no sa created
> > > IPSEC(sa_initiate): ACL = deny; no sa created
> > > IPSEC(sa_initiate): ACL = deny; no sa created
> > >
> > > I found this bug. Is this applicable to PIX?
> > > "Configuring two crypto map entries using the same name but different
> > > priorities, different peers, different access lists, causes the
> > > second crypto map entry to be ineffective and no corresponding
> > > security associations are established. [...]
> > > The workaround is to avoid configuring two crypto map entries with
> > > the same name but different priority, different peers, and different
> > > access lists [...] (CSCea25305)"
> > >
> > > <<<<ASA Config>>>>
> > >
> > > object-group network BRAZIL_REMOTE
> > > network-object 192.168.95.128 255.255.255.128
> > > network-object 192.168.96.0 255.255.254.0
> > > object-group network BRAZIL_LOCAL
> > > network-object host 144.72.247.54
> > > network-object 172.26.39.0 255.255.255.0
> > > network-object 192.168.120.0 255.255.255.0
> > > network-object 192.168.122.0 255.255.255.0
> > > network-object 192.168.124.0 255.255.255.0
> > > network-object 172.26.72.0 255.255.254.0
> > > network-object 172.17.248.0 255.255.248.0
> > >
> > > access-list L2L_BRAZIL extended permit ip object-group BRAZIL_LOCAL object-group BRAZIL_REMOTE
> > >
> > > crypto ipsec transform-set L2L_GM_BRAZIL esp-des esp-md5-hmac
> > >
> > > group-policy 1.1.1.1 internal
> > > group-policy 1.1.1.1 attributes
> > > vpn-tunnel-protocol ipsec
> > > vpn-filter none
> > > vpn-idle-timeout none
> > > webvpn
> > > functions none
> > >
> > > tunnel-group 1.1.1.1 type ipsec-l2l
> > > tunnel-group 1.1.1.1 general-attributes
> > > default-group-policy 1.1.1.1
> > > accounting-server-group default_ar
> > > tunnel-group 1.1.1.1 ipsec-attributes
> > > pre-shared-key XXXXXXX
> > > no chain
> > > no trust-point
> > > isakmp keepalive disable
> > > peer-id-validate req
> > >
> > > crypto map static-map 5 match address L2L_BRAZIL
> > > crypto map static-map 5 set peer 1.1.1.1
> > > crypto map static-map 5 set transform-set L2L_BRAZIL
> > > crypto map static-map 5 set security-association lifetime seconds 86400
> > > crypto map static-map 5 set security-association lifetime kilobytes 4608000
> > > crypto map static-map 5 set nat-t-disable
> > > crypto map static-map 5 set phase1-mode aggressive
> > > crypto map static-map 5 set connection-type bi-directional
> > >
> > > crypto map static-map interface outside
> > > crypto isakmp enable outside
> > >
> > > <<<<PIX Config>>>>
> > >
> > > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.120.0 255.255.255.0
> > > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.120.0 255.255.255.0
> > > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.39.0 255.255.255.0
> > > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.39.0 255.255.255.0
> > > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.122.0 255.255.255.0
> > > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.122.0 255.255.255.0
> > > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.124.0 255.255.255.0
> > > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.124.0 255.255.255.0
> > > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.72.0 255.255.254.0
> > > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.72.0 255.255.254.0
> > > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 host 144.72.247.54
> > > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 host 144.72.247.54
> > > access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.17.248.0 255.255.248.0
> > > access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.17.248.0 255.255.248.0
> > >
> > > nat (inside) 0 access-list inside_nonat
> > > access-list inside_nonat permit ip any 192.168.122.0
> > > 255.255.255.0
> > > access-list inside_nonat permit ip any 192.168.124.0
> > > 255.255.255.0
> > > ....
> > >
> > > crypto map Tempe interface outside
> > > isakmp enable outside
> > > isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
> > > no-xauth
> > > no-config-mode
> > >
> > > crypto map Tempe 20 ipsec-isakmp
> > > crypto map Tempe 20 match address dallas1_vpn
> > > crypto map Tempe 20 set peer 2.2.2.2
> > > crypto map Tempe 20 set transform-set Tempe
> > > crypto map Tempe 20 set security-association lifetime seconds 86400 kilobytes 4602000
> > >
> > >
> > >
> > > On Thu, Jul 23, 2009 at 7:49 AM, Alberto Rivai <bartoqid_at_yahoo.com> wrote:
> > >
> > > > Usually it's because of the wrong access-list to match the encrypted
> > > > traffic, a common mistake.
> > > >
> > > > --- On Thu, 7/23/09, Teu Kim Loon <kim.teu_at_gmail.com> wrote:
> > > >
> > > > From: Teu Kim Loon <kim.teu_at_gmail.com>
> > > > Subject: IPSec VPN - Interesting traffic only trigger crypto map from one end
> > > > To: "Cisco certification" <security_at_groupstudy.com>,
> > > > ccielab_at_groupstudy.com
> > > > Date: Thursday, July 23, 2009, 10:14 AM
> > > >
> > > > Hello Experts,
> > > > IPSec VPN between ASA 8.0 and PIX 6.3. I verified identical IKE and IPSec
> > > > configuration on both ends. However, I am only able to initiate connection
> > > > from ASA.
> > > >
> > > > Any idea why?
> > > >
> > > > Thanks.
> > > > Kim
> > > >
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > >
> > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
> > > --
> > > May All Behappy!!!
> > > Kim Loon Teu
> > > CCIE 19369
> > > www.kimteu.com
> > > http://www.linkedin.com/in/kimteu
> > >
> > > All conditioned phenomena
> > > Are like a dream, an illusion, a bubble, a shadow
> > > Like the dew, or like lightning
> > > You should discern them like this
>
>
> --
> May All Behappy!!!
> Kim Loon Teu
> CCIE 19369
> www.kimteu.com
> http://www.linkedin.com/in/kimteu
>
> All conditioned phenomena
> Are like a dream, an illusion, a bubble, a shadow
> Like the dew, or like lightning
> You should discern them like this

--
_________________________
Stuart Hare
stuart.hare_at_googlemail.com
_________________________
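Stuart's advice that the proxy ACLs must be exact mirrors can be checked mechanically instead of by eye. The script below is an added example, not code from anyone in this thread: it expands the ASA's object-group based ACL into (source, destination) network pairs, parses the PIX's flat ACL, and reports any pair that is missing on, or extra on, the PIX side. The function names (`parse_object_groups`, `parse_acl`, `mirror_diff`, `check`) are hypothetical helpers, and the sample input is the ASA and PIX excerpts Kim posted, with the mail-wrapped lines rejoined. It assumes `permit ip` entries with dotted netmasks, `host` and `object-group` address forms, as in the posted configs.

```python
import ipaddress
from itertools import product

# Sample input (constructed from the configs quoted in the thread, with the
# mail-wrapped lines rejoined). Only the object-groups and crypto ACLs matter.
ASA_CONFIG = """\
object-group network BRAZIL_REMOTE
 network-object 192.168.95.128 255.255.255.128
 network-object 192.168.96.0 255.255.254.0
object-group network BRAZIL_LOCAL
 network-object host 144.72.247.54
 network-object 172.26.39.0 255.255.255.0
 network-object 192.168.120.0 255.255.255.0
 network-object 192.168.122.0 255.255.255.0
 network-object 192.168.124.0 255.255.255.0
 network-object 172.26.72.0 255.255.254.0
 network-object 172.17.248.0 255.255.248.0
access-list L2L_BRAZIL extended permit ip object-group BRAZIL_LOCAL object-group BRAZIL_REMOTE
"""

PIX_CONFIG = """\
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.120.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.120.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.39.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.39.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.122.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.122.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 192.168.124.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 192.168.124.0 255.255.255.0
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.26.72.0 255.255.254.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.26.72.0 255.255.254.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 host 144.72.247.54
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 host 144.72.247.54
access-list dallas1_vpn permit ip 192.168.95.128 255.255.255.128 172.17.248.0 255.255.248.0
access-list dallas1_vpn permit ip 192.168.96.0 255.255.254.0 172.17.248.0 255.255.248.0
"""


def _take_addr(tokens, groups):
    """Pop one PIX/ASA address spec off the front of tokens; return its networks."""
    head = tokens.pop(0)
    if head == "host":
        return [ipaddress.ip_network(tokens.pop(0))]          # single /32
    if head == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if head == "object-group":
        return list(groups[tokens.pop(0)])                    # expand the group
    mask = tokens.pop(0)                                      # dotted netmask
    return [ipaddress.ip_network(f"{head}/{mask}", strict=False)]


def parse_object_groups(cfg):
    """Map each 'object-group network NAME' to its list of member networks."""
    groups, current = {}, None
    for line in cfg.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:2] == ["object-group", "network"]:
            current = parts[2]
            groups[current] = []
        elif parts[0] == "network-object" and current:
            groups[current].extend(_take_addr(parts[1:], groups))
        else:
            current = None                                    # group body ended
    return groups


def parse_acl(cfg, name, groups=None):
    """Return the set of (src, dst) network pairs covered by the named ACL."""
    groups, pairs = groups or {}, set()
    for line in cfg.splitlines():
        parts = line.split()
        if parts[:2] != ["access-list", name]:
            continue
        tokens = parts[2:]
        if tokens[0] == "extended":                           # ASA keyword; PIX 6.x omits it
            tokens.pop(0)
        if tokens[:2] != ["permit", "ip"]:                    # crypto ACLs here are permit ip only
            continue
        del tokens[:2]
        srcs = _take_addr(tokens, groups)
        dsts = _take_addr(tokens, groups)
        pairs.update(product(srcs, dsts))                     # every src x every dst
    return pairs


def mirror_diff(local_pairs, peer_pairs):
    """Pairs the peer should carry (src/dst swapped) but lacks, and pairs it has that we do not."""
    expected = {(dst, src) for src, dst in local_pairs}
    return expected - peer_pairs, peer_pairs - expected


def check(asa_cfg, pix_cfg):
    """Mirror-check the ASA's L2L_BRAZIL ACL against the PIX's dallas1_vpn ACL."""
    groups = parse_object_groups(asa_cfg)
    asa = parse_acl(asa_cfg, "L2L_BRAZIL", groups)
    pix = parse_acl(pix_cfg, "dallas1_vpn")
    missing, extra = mirror_diff(asa, pix)
    return {"asa_pairs": len(asa), "pix_pairs": len(pix),
            "missing_on_pix": missing, "extra_on_pix": extra}


if __name__ == "__main__":
    r = check(ASA_CONFIG, PIX_CONFIG)
    print(f"ASA covers {r['asa_pairs']} pairs, PIX covers {r['pix_pairs']}")
    for src, dst in sorted(r["missing_on_pix"], key=str):
        print(f"PIX is missing: permit ip {src} {dst}")
    for src, dst in sorted(r["extra_on_pix"], key=str):
        print(f"PIX has an extra entry: permit ip {src} {dst}")
```

On the posted configs the script reports 14 pairs on each side and no mismatch, which is consistent with Kim's statement that the ACLs now mirror, and leaves Stuart's routing check (a route for every protected destination that points out the crypto-mapped interface) as the next thing to verify. Deleting any one PIX line from the sample input makes the corresponding pair show up under "missing".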
Received on Thu Jul 23 2009 - 22:19:11 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART