PIX 515E - VPN connections

Similar Questions

• Cisco VPN Client behind PIX 515E,-> VPN concentrator

  I'm trying to configure a client as follows:

  The user is running Cisco VPN Client 4.0. They are behind a 6.1 PIX 515E (4), and I need to connect to a VPN concentrator located outside of our network. We use PAT for address translation. As far as I know, to allow ipsec through Firewall 1 tunnel, I need to upgrade the pix to 6.3 and activate "fixup protocol esp-ike.

  Is there another way to do this? I am also curious to know how much more easy/better this will work if we were dealing with pptp.

  You don't necessarily need to fixup protocol esp-ike active. The remote Hub there encapsulation NAT - T enabled so that clients behind the NAT can run?

• PIX 515e VPN 3005 concentrator cannot pass phase 1

  My list of vpn access increases, so I know that it is correct. IM testing with ping. Debug configurations and follow. Remote location through VPN connection attempt with THE. Thanks to all who can help. His failure in the first phase which means configuration mess up, but I can't find a miss-match for me? Maybe ive been looking at this for a long time.

  Pix515e config:

  ----------------

  Crypto ipsec transform-set esp - esp-md5-hmac aptset

  aptmap 10 ipsec-isakmp crypto map

  aptmap 10 correspondence address vpn crypto card

  card crypto aptmap 10 peers set yyy.xxx.xxx.131

  card crypto aptmap 10 transform-set aptset

  aptmap interface card crypto outside

  ISAKMP allows outside

  ISAKMP key * address yyy.xxx.xxx.131 netmask 255.255.255.255

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  Debugs ipsec, isakmp, ca

  -------------------------

  Peer VPN: ISAKMP: approved new addition: ip:yyy.xxx.xxx.131 Total VPN peer: 1

  Peer VPN: ISAKMP: ip:yyy.xxx.xxx.131 Ref cnt is incremented to peers: 1 Total peer VPN: 1

  ISAKMP (0): early changes of Main Mode

  ISAKMP (0): retransmission of phase 1... IPSEC (key_engine): request timer shot: count = 1,.

  local (identity) = zzz.xxx.xxx.226, distance = yyy.xxx.xxx.131,

  local_proxy = 192.168.33.0/255.255.255.0/0/0 (type = 4),

  remote_proxy = 192.168.65.0/255.255.255.0/0/0 (type = 4)

  ISAKMP (0): retransmission of phase 1...

  ISAKMP (0): delete SA: src zzz.xxx.xxx.226 dst yyy.xxx.xxx.131

  ISADB: Reaper checking HIS 0x81377ad8, id_conn = 0 DELETE IT!

  Peer VPN: ISAKMP: ip:yyy.xxx.xxx.131 Ref cnt decremented to peers: 0 Total of VPN peer: 1

  Peer VPN: ISAKMP: deleted peer: ip:yyy.xxx.xxx.131 VPN peer Total: 0

  results of ' show crypto isamkp his. "

  -----------------------------------

  Total: 1

  Embryonic: 1

  Src DST in the meantime created State

  YYY.xxx.xxx.131 zzz.xxx.xxx.226 MM_NO_STATE 0 0

  Error messages on the concentrator 3005

  ------------------------------------

  11:14:47.640 57 07/01/2004-SEV = 4 RPT IKE/48 = 23 yyy.xxx.xxx.226

  Support useful treatment of error: ID payload: 1

  11:15:02.770 58 07/01/2004-SEV = 4 RPT IKE/48 = 24 yyy.xxx.xxx.226

  Support useful treatment of error: ID payload: 1

  3005 page concentrator Lan-To-Lan settings

  -----------------------

  Activated

  External interface

  Answer only

  YYY.xxx.xxx.226 peer

  Digital cert: no (use preshared keys)

  Transmission of the CERT: (full certification chain)

  Preshared key: {same on pix}

  AUTH: esp, md5, hmac-128

  encryption: des-56

  proposal of IKE: IKE-DES-MD5

  Filter: none

  IPSec NAT - T not verified

  No bandwidth policy

  Routing: no

  I noticed that you have a lifetime and a pfs group configured on the pix. The pfs group is 2 which I think will not work with-although I'm not positive, as I have only used with 3des. Diffie-Hellman Group1 should work with simple.

  In any case, recheck the config vpn 3000 to see if a group and life expectancy have been speced on config. If not, or if you are not sure, then remove the two outside the pix and run the command of his clear cry on the pix. Then try again and let me know what you find.

• Customer Cisco PIX 501 VPN connects but no connection to the local network

  Hi all:

  I am able to make a VPN connection to a PIX 501. The remote client is assigned an IP (192.168.2.1) also, but not able to access all the machines in the local network connected to the PIX.

  I have attached the PIX configuration.

  Advice will be greatly appreciated.

  ********************

  6.3 (5) PIX version

  interface ethernet0 car

  interface ethernet1 100full

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  enable password xxxx

  passwd xxxxx

  pixfirewall hostname

  domain ciscopix.com

  fixup protocol dns-length maximum 512

  fixup protocol ftp 21

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol http 80

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol sip 5060

  fixup protocol sip udp 5060

  fixup protocol 2000 skinny

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol tftp 69

  names of

  access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

  pager lines 24

  Outside 1500 MTU

  Within 1500 MTU

  IP address outside dhcp setroute

  IP address inside 192.168.1.1 255.255.255.0

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool ippool 192.168.2.1 - 192.168.2.5

  location of PDM 192.168.2.0 255.255.255.0 outside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  NAT (inside) - 0 102 access list

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  Timeout xlate 0:05:00

  Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225

  H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00

  Sip timeout - disconnect 0:02:00 prompt Protocol sip-0: 03:00

  Timeout, uauth 0:05:00 absolute

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + 3 max-failed-attempts

  AAA-server GANYMEDE + deadtime 10

  RADIUS Protocol RADIUS AAA server

  AAA-server RADIUS 3 max-failed-attempts

  AAA-RADIUS deadtime 10 Server

  AAA-server local LOCAL Protocol

  Enable http server

  http 192.168.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  SNMP-Server Community public

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Crypto ipsec transform-set esp - esp-md5-hmac RIGHT

  Crypto-map dynamic dynmap 10 transform-set RIGHT

  map mymap 10-isakmp ipsec crypto dynamic dynmap

  mymap outside crypto map interface

  ISAKMP allows outside

  ISAKMP identity address

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 2 ISAKMP policy group

  ISAKMP life duration strategy 10 86400

  vpngroup vpn3000 ippool address pool

  vpngroup vpn3000 Server dns 68.87.72.130

  vpngroup vpn3000-wins 192.168.1.100 Server

  vpngroup vpn3000 split tunnel 101

  vpngroup vpn3000 downtime 1800

  password vpngroup vpn3000 *.

  Telnet timeout 5

  SSH timeout 5

  Console timeout 0

  dhcpd address 192.168.1.2 - 192.168.1.33 inside

  dhcpd lease 3600

  dhcpd ping_timeout 750

  dhcpd outside auto_config

  dhcpd allow inside

  Terminal width 80

  Cryptochecksum:xxxx

  ****************

  The DNS server is the one assigned to me by my ISP.

  My internal network connected to the PIX is 192.168.1.1 - 192.168.1.33 and the VPN ip pool is 192.168.2.1 - 192.168.2.5

  "isakmp nat-traversal 20" can do the trick.

• The VPN client VPN connection behind other PIX PIX

  I have the following problem:

  I wanted to establish the VPN connection the client VPN to PIX on GPRS / 3G, but I didn t have a bit of luck with PIX IOS version 6.2 (2).

  So I upgraded PIX to 6.3 (4) to use NAT - T and VPN client to version 4.0.5

  I have configured PIX with NAT-T(isakmp nat-traversal 20), but I still had a chance, he would not go through the 1st phase. As soon as I took nat-traversal isakmp off he started working, and we can connect to our servers.

  Now, I want to connect to the VPN client behind PIX to our customer PIX network. VPN connection implements without problem, but we can not access the servers. If I configure NAT - T on the two PIX, or only on the customer PIX or only on our PIX, no VPN connection at all.

  If I have to connect VPN client behind PIX to the customer's network and you try to PING DNS server for example, on our PIX, I have following error:

  305006: failed to create of portmap for domestic 50 CBC protocol translation: dst outside:194.x.x.x 10.10.1.x

  194.x.x.x is our customer s address IP PIX

  I understand that somewhere access list is missing, but I can not understand.

  Of course, I can configure VPN site to site, but we have few customers and take us over their servers, so it'd just connect behind PIX VPN and client connection s server, instead of the first dial-in and then establish a VPN connection.

  Can you please help me?

  Thank you in advan

  The following is extracted from ASK THE DISCUSSION FORUM of EXPERTS with Glenn Fullage of Cisco.

  I've cut and pasted here for you to read, I think that the problem mentioned below:

  Question:

  Hi Glenn,.

  Following is possible?

  I have the vpn client on my PC, my LAN is protected by a pix. I can launch the vpn client to connect to remote pix. Authenticates the vpn client and the remote pix makes my PC with the assigned ip appropriate to its pool of ip address.

  The problem that I am facing is that I can not anything across the pix remote ping from my PC which is behind my pix. Can you please guide me what I have to do to make this work, if it is possible?

  My PC has a static ip address assigned with the default gateway appropriate pointing to my s pix inside interface.

  Thank you very much for any help provided in advance.

  Response from Glenn:

  First of all, make sure that the VPN connection works correctly when the remote PC is NOT behind a PIX. If that works fine, but then breaks when put behind a PIX, it is probably that the PIX is PAT, which usually breaks IPSec. Add the following command on your PIX VPN client is behind:

  fixup protocol esp-ike

  See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1067379 for more details.

  If it still has issues, you can turn on NAT - T on the remote PIX that ends the VPN, the client and the remote PIX must encapsulate then all IPSec in UDP packets that your PIX will be able to PA correctly. Add the following command on the remote PIX:

  ISAKMP nat-traversal

  See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312 for more details.

  NAT - T is a standard for the encapsulation of the UDP packets inot IETF IPSec packets.

  ESP IPSec (Protocol that use your encrypted data packets) is an IP Protocol, it is located just above IP, rather than being a TCP or UDP protocol. For this reason, it has no TCP/UDP port number.

  A lot of features that make the translation of address of Port (PAT) rely on a single to PAT TCP/UDP source port number ' ing. Because all traffic is PAT would be at the same source address, must be certain uniqueness to each of its sessions, and most devices use the port number TCP/UDP source for this. Because IPSec doesn't have one, many features PAT fail to PAT it properly or at all, and the data transfer fails.

  NAT - T is enabled on both devices of the range, they will determine during the construction of the tunnel there is a PAT/NAT device between them, and if they detect that there is, they automatically encapsulate every IPSec packets in UDP packets with a port number of 4500. Because there is now a port number, PAT devices are able to PAT it correctly and the traffic goes normally.

  Hope that helps.

• Several outbound VPN connections behind PIX-515E

  I will take a PIX-515E off-site for a provision of access internet location. I have several people behind this PIX, who will have to return to the same Office VPN. One person can VPN through the PIX very well, but if someone else tries to VPN they cannot. Once the first person has disconnected for 10 minutes, then the next person can connect. I activated the NAT - T and added fixup protocol esp-ike. What can I do it wrong? Thank you.

  fixup protocol esp-ike - allows PAT to (ESP), one tunnel.

  Please remove this correction.

  If the remote site has NAT - T enabled, then you should be able to use NAT - T and more than 1 user should be able to use behind the PIX VPN client.

  See you soon

  Gilbert

• Cisco VPN Client Authentication - PIX 515E-UR

  Hi all

  I need your expert help on the following issues I have:

  1. I would like to create more than 1 client VPN on my PIX-515E groups. This is so that I can give a different part of the internal network access to different type of VPN connection. For example, I want a group to have no XAUTH, while the other group must use RADIUS XAUTH. Is it possible for me to do this? I see the PIX automatically enable RADIUS on both groups of VPN clients.

  2. the RADIUS server is a Microsoft ISA with IAS server and it is located on the PIX inside interface. The VPN endpoint is external interface of the PIX. Is there a problem with this Setup? Do I need to have the RADIUS server that is located on the external interface?

  3 can. what command I use to debug RADIUS authentication?

  Thanks in advance for your help.

  Hi vincent,.

  (1) you can use the vpngroup *-authentication server ipaddress to specify the IP address of the Radius Server on a particular group... If you do not specify this, the authentication of the user is made locally... also check for vpngroup * order of user authentication

  (2) there should be no problem with the installation of your... should work fine... If the RADIUS is outdoors, it is subject to many attacks... so have it inside...

  (3) use the "RADIUS session debug" or "debug aaa authentication..."

  I hope this helps... all the best... the rate of responses if found useful

  REDA

• PIX 515E for VPN remote site

  Hello

  7.0 (1) version pix

  ASDM version 5.0 (1)

  I have a situation where you go paas-thanks to the VPN feature goes on our PIX 515E. I tried to put this on the pix using a VPN Wizard Site to site

  who is enabled. I was unable to connect to the pix from the remote site. Witch's journal replied negotiate the pix is OK and the success

  The problem is when I try to set up the tunnel to the top of the remote site. I fall without failure.

  where can I see the vpn pix for error log?

  is there a manual for the solution of site to site VPN using the wizard

  Help, please.

  Thanks in advance

  http://www.Cisco.com/en/us/partner/products/HW/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml#ASDM

  the section 'use adsm' (step 14) gives an example on how to set up vpn lan - lan via adsm

  Newspaper to go to the section "check".

• PIX 515E and remote access VPN

  I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.

  I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.

  Any help is appreciated,

  Hello

  Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

  Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

  There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

• IPSEC VPN between Pix 515E and 1841 router

  Hi all

  BACKGROUND

  We have implemented a site to site VPN IPSEC between a Pix 515E 8.0 operation (4) and an 1841 using static IP addresses at both ends. We used CCP on the router and the ASDM the pix to build initial tunnels. Now the site with the router is evolving into a dynamic IP address from the ISP so we have implemented dynamic DNS to update dynamic IP address.

  PROBLEM

  The problem is that ASDM will not allow us to set a domain as the address of peers, it will not accept an IP address. We believe that the solution will be to remove the static Crypto map and replace it with a dynamic Crypto map on the side of Pix. Our questions are simply; is this the best solution? can change us the original static list or is it better to delete and make a new dynamic encryption card? Y at - it a shortcut to change the config command-line? This is a real network, so just check it out before make us any changes on the live kit.

  Any help much appreciated.

  You don't have to change anything when the peer-address changes. The dynamic crypto map aims to take dynamic peer connections. The only thing to remember, is that only the dynamic peer can initiate the connection. And you reduce your security if you use Pre-Shared key that now you can use a generic-PSK character.

  As I remember, the PIX / ASA does not support the dynamic use of FQDNs for peer-resolution. This feature is supported in IOS.

  For a feature, it would be preferable to static IP addresses on both sides.

• PIX: Cisco VPN Client connects but no routing

  Hello

  We have a Cisco PIX 515 with software 7.1 (2). He accepts Cisco VPN Client connections with no problems, but no routing does to internal networks directly connected to the PIX. For example, my PC is affected by the IP 172.16.2.57 and then ping does not respond to internal Windows server 172.16.0.12 or trying to RDP. The most irritating thing is that these attempts are recorded in the system log, but always ended with "SYN timeout", as follows:

  2009-01-06 23:23:01 Local4.Info 217.15.42.214% 302013-6-PIX: built 3315917 for incoming TCP connections (172.16.2.57/1283) outside:172.16.2.57/1283 inside: ALAI2 / 3389 (ALAI2/3389)

  2009-01-06 23:23:31 Local4.Info 217.15.42.214% 302014-6-PIX: TCP connection disassembly 3315917 for outside:172.16.2.57/1283 inside: ALAI2 / 3389 duration 0:00:30 bytes 0 SYN Timeout

  2009-01-06 23:23:31 Local4.Debug 217.15.42.214% 7-PIX-609002: duration of disassembly-outside local host: 172.16.2.57 0:00:30

  We tried to activate and deactivate "nat-control", "permit same-security-traffic inter-interface" and "permit same-security-traffic intra-interface", but the results are the same: the VPN connection is successfully established, but remote clients cannot reach the internal servers.

  I enclose the training concerned in order to understand the problem:

  interface Ethernet0

  Speed 100

  full duplex

  nameif outside

  security-level 0

  IP address xx.yy.zz.tt 255.255.255.240

  !

  interface Ethernet1

  nameif inside

  security-level 100

  172.16.0.1 IP address 255.255.255.0

  !

  access extensive list ip 172.16.0.0 inside_nat0_outbound allow 255.255.255.0 172.16.2.56 255.255.255.248

  !

  access extensive list ip 172.16.0.0 outside_cryptomap_dyn_20 allow 255.255.255.0 172.16.2.56 255.255.255.248

  !

  VPN_client_group_splitTunnelAcl list standard access allowed 172.16.0.0 255.255.255.0

  !

  IP local pool pool_vpn_clientes 172.16.2.57 - 172.16.2.62 mask 255.255.255.248

  !

  NAT-control

  Global xx.yy.zz.tt 12 (outside)

  NAT (inside) 0-list of access inside_nat0_outbound

  NAT (inside) 12 172.16.0.12 255.255.255.255

  !

  internal VPN_clientes group strategy

  attributes of Group Policy VPN_clientes

  xxyyzz.NET value by default-field

  internal VPN_client_group group strategy

  attributes of Group Policy VPN_client_group

  Split-tunnel-policy tunnelspecified

  value of Split-tunnel-network-list VPN_client_group_splitTunnelAcl

  xxyyzz.local value by default-field

  !

  I join all the details of the cryptographic algorithms because the VPN is successfully completed, as I said at the beginning. In addition, routing tables are irrelevant in my opinion, because the inaccessible hosts are directly connected to the internal LAN of the PIX 515.

  Thank you very much.

  can you confirm asa have NAT traversal allow otherwise, activate it in asa and vpn clients try again.

  PIX / ASA 7.1 and earlier versions

  PIX (config) #isakmp nat-traversal 20

  PIX / ASA 7.2 (1) and later versions

  PIX (config) #crypto isakmp nat-traversal 20

• VPN with ASA 5500 VPN with PIX 515E vs

  I wonder what are the differences between the use of an exisitng PIX 515E for VPN remote users as appossed to acquire an ASA 5500 VPN remote users? Information or advice are appreciated to help me lean toward one or the other.

  Craig

  According to the version of the code that you run on the PIX on the PIX or ASA VPN features must be the same. So if the choice is not based on differences in features, what else would help guide the choice? You can consider if the existing PIX has sufficient resources to add the extra processing VPN load or if you should put that on another box. You might consider that the PIX is an older product range, and his end is near, while the ASA is the product that is the strategic replacement for the PIX. Given a choice I probably prefer to use a technology newer than the old technology. I also believe that the ASA will give you more choice of technology to go forward (a way of better growth) while the PIX provides current capacity but no path of growth.

  On the other hand, there is the aspect of consider that using the existing PIX does not need not to buy something new and ASA would be an expense you have to cover in the budget. And for some people the budget constraint is an important consideration.

  HTH

  Rick

• PIX 515e - Web VPN

  Hello

  Just a quick question, am I right to think that a PIX 515e would not support Web VPN?

  Concerning

  J Mac

  You are right!

• PIX 515E v7 VPN config help

  Hello

  I have a PIX 515E current of execution to 7.

  Is it possible to use VPN with only 1 static IP address from the ISP (no gateway or the ip address of the ISP router is provided).

  I can set up routing on the ADSL modem, but then the PIX does not have a valid Internet IP address?

  I think that v7 does not support PPPOE? so I can't set the mode on the bridged adsl modem?

  Is there a way to fix this?

  Any help appreciated gratefully.

  apply the commands below:

  ISAKMP identity address

  ISAKMP nat-traversal 20

  If the problem persists, then please post the entire config with ip hidden public.

• VPN - Pix 515e for Cisco router

  I have the following Setup and I can't seem to get the next tunnel. My end is a PIX 515e race 7.2 (4). The other end is a Cisco router-not sure of the model or version of the IOS.

  PIX:

  90 extended access-list allow ip host a.a.a.a host b.b.b.b

  NAT (inside) - 0-90 access list

  correspondence address card crypto mymap 20 90
  card crypto mymap 20 peers set x.x.x.x
  map mymap 20 set transformation-strong crypto
  mymap outside crypto map interface
  ISAKMP crypto identity hostname
  crypto ISAKMP allow outside
  crypto ISAKMP policy 8
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  tunnel-group x.x.x.x type ipsec-l2l
  tunnel-group ipsec-attributes x.x.x.x
  pre-shared key 12345

  Router:

  / * Style definitions * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;} / * Définitions de style * / table. MsoNormalTable {mso-style-name : « Table Normal » ; mso-tstyle-rowband-taille : 0 ; mso-tstyle-colband-taille : 0 ; mso-style-noshow:yes ; mso-style-priorité : 99 ; mso-style-qformat:yes ; mso-style-parent : » « ;" mso-rembourrage-alt : 0 à 5.4pt 0 à 5.4pt ; mso-para-margin : 0 ; mso-para-marge-bottom : .0001pt ; mso-pagination : widow-orphelin ; police-taille : 11.0pt ; famille de police : « Calibri », « sans-serif » ; mso-ascii-font-family : Calibri ; mso-ascii-theme-font : minor-latin ; mso-fareast-font-family : « Times New Roman » ; mso-fareast-theme-font : minor-fareast ; mso-hansi-font-family : Calibri ; mso-hansi-theme-font : minor-latin ; mso-bidi-font-family : « Times New Roman » ; mso-bidi-theme-font : minor-bidi ;}

  SDM_5 extended IP access list

  permit ip host b.b.b.b host a.a.a.a

  ISAKMP crypto key 12345 address y.y.y.y no.-xauth

  map SDM_CMAP_1 5 ipsec-isakmp crypto

  Description vpn for laboratory

  defined peer y.y.y.y

  game of transformation-ESP-3DES-SHA

  match address SDM_5

  I'm running him debugs following:

  Debug crypto ipsec enabled at level 1
  ISAKMP crypto debugging enabled at level 1

  I get the following debug output:

  August 16-04:16:10 [IKEv1]: IP = x.x.x.x, counterpart of drop table counterpart, didn't match!
  August 16-04:16:10 [IKEv1]: IP = x.x.x.x, error: cannot delete PeerTblEntry

  Isa HS her

  IKE Peer: x.x.x.x
  Type: user role: initiator
  Generate a new key: no State: MM_WAIT_MSG2

  Any ideas?

  Thank you

  Dave

  If you see the MM_WAIT_MSG2, which means that her counterpart (the other side) does not answer and this side where you can see the status MM_WAIT_MSG2 sent the first message IKE, however, did not hear of the peer.

  You can check if UDP/500 is stuck on the way between the 2 sites.

  Try running traffic on the other side and see if you also get the same status of MM_WAIT_MSG2. If you do, that confirms 100% 500/UDP is blocked on the way between the 2 sites.