Hi Scott:

They will set to the lowest, but it's always a good idea for everything to match.

Mike

--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3 08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)

> -----Original Message-----
> From: Scott Granados [mailto:gsgrana...@comcast.net]
> Sent: Thursday, September 03, 2009 12:09 PM
> To: Michael K. Smith - Adhost
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
>
> Ah interesting. So the lifetimes have to be the same, I thought it
> negotiated to the lowest value. I will go through and check these.
>
> Thank you again!
>
>
> ----- Original Message -----
> From: "Michael K. Smith - Adhost" <mksm...@adhost.com>
> To: "Scott Granados" <gsgrana...@comcast.net>
> Cc: <cisco-nsp@puck.nether.net>
> Sent: Thursday, September 03, 2009 10:57 AM
> Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
>
>
> Hello Scott:
>
> That error is something not matching up in the Phase 1 portion. You
> should look at the ISAKMP values on both sides to make sure they match.
> Including, but not limited to, proposals, session key, lifetime values,
> DH Group, etc.
>
> Regards,
>
> Mike
>
> > -----Original Message-----
> > From: Scott Granados [mailto:gsgrana...@comcast.net]
> > Sent: Thursday, September 03, 2009 10:41 AM
> > To: Michael K. Smith - Adhost
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> > Hi Mike and others, still no love. I wanted to confirm I made the NAT
> > entries properly. I used the example on Cisco.com for the ASA and l2l +
> > clients as an example.
> >
> > Here are the important bits
> >
> > global (outside) 1 206.x.x.234
> > nat (inside) 0 access-list nonat
> > nat (inside) 1 0.0.0.0 0.0.0.0
> >
> > And nonat acl
> >
> > access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 141.11.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 192.168.122.0 255.255.255.192 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 157.254.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip host 216.x.x.196 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.0.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.1.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.2.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.3.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.4.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.5.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.6.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.7.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.8.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.9.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.10.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.15.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.15.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.32.0.0 255.240.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 192.168.255.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 172.30.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.11.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.12.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.13.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.16.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.192.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.224.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.225.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.226.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.227.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.228.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.229.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.230.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 192.168.122.0 255.255.255.192 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip host 216.x.x.196 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.1.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.2.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.3.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.4.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.5.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.6.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.7.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.8.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.9.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.10.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.15.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.15.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.32.0.0 255.240.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 192.168.255.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 172.30.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.11.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.12.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.13.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.16.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.192.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.224.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.225.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.226.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.227.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.228.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.229.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.230.0 255.255.255.0 10.18.15.0 255.255.255.192
> >
> >
> > Two points here. I defined each as individual /24's to prevent the
> > inclusion of the 10.18.14.0/24 range and so we can add or delete easily
> > because we're presently migrating a bit from one 10.x range to another.
> > Also, I doubled up the listings, 1 for the destination of 10.18.14.0/24
> > which is the clients and 10.18.15.0/26 which is a far end site. Not sure
> > if I'm heading in the other direction. The error I received while trying
> > to bring up the tunnel is unchanged. "removing peer failed, no match!"
> >
> > I did grab some debug output from the Pix side, here's the important bit
> >
> > crypto_isakmp_process_block:src:vpnc, dest:208.x.x.98 spt:500 dpt:500
> > ISAKMP: reserved not zero on payload 5!
> > ISAKMP: malformed payload
> >
> > I assume malformed payload means I have something set incorrectly
> > during the negotiation phase.
> >
> > Any pointers would be appreciated. I will grab more debug data per the
> > other post but this is what I've tried so far.
> >
> > Thanks
> > Scott
> >
> > ----- Original Message -----
> > From: "Michael K. Smith - Adhost" <mksm...@adhost.com>
> > To: "Scott Granados" <gsgrana...@comcast.net>
> > Sent: Wednesday, September 02, 2009 11:03 AM
> > Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> >
> > Correct. But you can have multiple statements in your ACL.
> >
> > Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
> > Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.15.192 255.255.255.192
> > Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.14.0 255.255.255.0
> >
> > And so on.
> >
> > Mike
> >
> > -----Original Message-----
> > From: Scott Granados [mailto:gsgrana...@comcast.net]
> > Sent: Wednesday, September 02, 2009 11:02 AM
> > To: Michael K. Smith - Adhost; Ryan West; cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> > Hi Michael, thanks but one thing I'm not clear on.
> >
> > Suppose I have destinations of
> > 10.18.15.0/26 10.18.15.192/26 10.18.14.0/24 etc.
> > In other words my possible destinations can be different. If I use your
> > example what happens if traffic has the proper source but a destination
> > of 10.18.15.192/26 or if traffic is destined to a client on 10.18.14.0/24?
> > It won't match the ACL, correct?
> >
> >
> > ----- Original Message -----
> > From: "Michael K. Smith - Adhost" <mksm...@adhost.com>
> > To: "Scott Granados" <gsgrana...@comcast.net>; "Ryan West" <rw...@zyedge.com>; <cisco-nsp@puck.nether.net>
> > Sent: Wednesday, September 02, 2009 10:47 AM
> > Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> >
> > Hi Scott:
> >
> > No, if you use the no-nat below, *all* traffic from 10.18.0.0/24 will
> > not be NAT'd, regardless of the destination. What you want is:
> >
> > Access-list nonat permit ip 10.18.0.0 255.255.255.0 <remote subnet> <remote mask>
> >
> > In looking at your post below, I think that would be:
> >
> > Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
> >
> > I should note that the mask on the remote side for the 10.18.0.0 subnet
> > is a /20, not a /24.
> >
> > Regards,
> >
> > Mike
> >
> > -----Original Message-----
> > From: Scott Granados [mailto:gsgrana...@comcast.net]
> > Sent: Wednesday, September 02, 2009 10:44 AM
> > To: Michael K. Smith - Adhost; Ryan West; cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> > Hi Mike, to follow up on this, I do have existing clients working now.
> > For the nonat rule would I create a separate ACL for each target or
> > would a basic acl like I use for the split tunneling do the trick?
> >
> > either
> > access-list ny-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
> > or would
> > access-list nonat standard permit 10.18.0.0 255.255.255.0
> >
> > I have several different targets so how would one define that or is the
> > standard ACL enough?
> >
> > Thanks for the pointers!
> > Scott
> >
> > ----- Original Message -----
> > From: "Michael K. Smith - Adhost" <mksm...@adhost.com>
> > To: "Scott Granados" <gsgrana...@comcast.net>; "Ryan West" <rw...@zyedge.com>; <cisco-nsp@puck.nether.net>
> > Sent: Wednesday, September 02, 2009 10:33 AM
> > Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> >
> > Hello Ryan:
> >
> > Without the no-nat on the ASA side it will try to NAT the traffic
> > before putting it down the tunnel. So, your remote side is looking for
> > the 10. addresses, but it's going to see traffic coming from the static
> > outside, NAT'd address. Thus, the tunnel won't come up because your
> > proposals don't match.
> >
> > Mike
> >
> > -----Original Message-----
> > From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
> > Sent: Wednesday, September 02, 2009 9:45 AM
> > To: Ryan West; cisco-nsp@puck.nether.net
> > Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> > Hi, so right now my Pix in the field is pointing at a VPN 3000 so I
> > can't take that path down until after hours, but I will to capture the
> > debug data.
> >
> > A show ver on the asa shows device manager V5.0.7
> >
> > The field pix shows V6.3
> > I have access to both ends so updating the firmware is definitely an
> > option. Any suggested version?
> >
> > On the ASA side I do not have a no nat statement at all. I never
> > configured NAT because this device isn't being used for any features
> > other than a VPN access device with split tunneling enabled for the
> > clients.
> > On the NY pix side the nat config and acl are as follows.
> >
> > global (outside) 1 208.x.x.100-208.x.x.115 netmask 255.255.255.224
> > global (outside) 1 208.x.x.99 netmask 255.255.255.224
> > nat (inside) 0 access-list vpn-1
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> >
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0
> >
> > Thanks
> > Scott
> >
> > ----- Original Message -----
> > From: "Ryan West" <rw...@zyedge.com>
> > To: "Scott Granados" <gsgrana...@comcast.net>; <cisco-nsp@puck.nether.net>
> > Sent: Wednesday, September 02, 2009 6:15 AM
> > Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> >
> > Scott,
> >
> > Can you provide debugs from the ASA, code versions on both devices and
> > your associated no-nat ACLs?
> >
> > Assuming you have nothing else logging to monitor, you can enable
> > 'logging class vpn monitor debug' and throw up a term mon to gather
> > inbound messages to the ASA from the PIX side. You can gather the
> > information on the PIX with a debug cry isa 2 and then initiate
> > interesting traffic from the ASA using the following; the more valuable
> > information will be on the receiving end. It really doesn't matter which
> > side you enable as the receiver, but I try to stay away from pre 7.x code
> > on the PIXes.
> >
> > packet-tracer input inside icmp 10.1.0.10 8 0 10.18.15.10 detailed
> >
> > Phase: 10 or 11 should be subtype encrypt. If it fails the first time,
> > run it again; the negotiation process causes the first packet to fail as
> > the tunnel is being brought up. This type of traffic will also give you
> > your debug information and help you figure out where the failure is.
> >
> > -ryan
> >
> > -----Original Message-----
> > From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Scott Granados
> > Sent: Tuesday, September 01, 2009 8:29 PM
> > To: cisco-nsp@puck.nether.net
> > Subject: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> > Hi, I have a Pix out in the field and an ASA5520 that I'm trying to
> > configure to pass L2L traffic. I keep getting an error that says
> > IKEV1 IP=a.b.c.d removing peer from peer table failed, no match
> > ip=a.b.c.d unable to remove peer table entry
> >
> > What am I doing wrong?
> >
> > Here are the important config bits
> >
> > asa-5520
> > crypto map
> > crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
> > crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
> > crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
> > crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
> > crypto dynamic-map dynmap 10 set reverse-route
> > crypto map vpn-ra-map 10 match address ny-vpn-acl
> > crypto map vpn-ra-map 10 set peer ny-fw-outside
> > crypto map vpn-ra-map 10 set transform-set vpn-transform2
> > crypto map vpn-ra-map 10 set reverse-route
> > crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
> > crypto map vpn-ra-map interface outside
> >
> > ISAKMP
> >
> > isakmp enable outside
> > isakmp policy 5 authentication pre-share
> > isakmp policy 5 encryption aes-256
> > isakmp policy 5 hash sha
> > isakmp policy 5 group 7
> > isakmp policy 5 lifetime 3600
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption aes-256
> > isakmp policy 10 hash sha
> > isakmp policy 10 group 5
> > isakmp policy 10 lifetime 3600
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption 3des
> > isakmp policy 20 hash sha
> > isakmp policy 20 group 2
> > isakmp policy 20 lifetime 3600
> > isakmp policy 30 authentication pre-share
> > isakmp policy 30 encryption aes-192
> > isakmp policy 30 hash md5
> > isakmp policy 30 group 2
> > isakmp policy 30 lifetime 28800
> > isakmp nat-traversal 20
> > isakmp reload-wait
> >
> > and the acl
> > access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
> > access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
> > access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> >
> > TUNNEL GROUP
> >
> > tunnel-group 208.37.161.98 type ipsec-l2l
> > tunnel-group 208.37.161.98 general-attributes
> > tunnel-group 208.37.161.98 ipsec-attributes
> > pre-shared-key *
> > peer-id-validate nocheck
> >
> > PIX
> >
> > CRYPTO MAP and ISAKMP
> >
> > crypto ipsec transform-set set1 esp-aes-192 esp-md5-hmac
> > crypto map map1 10 ipsec-isakmp
> > crypto map map1 10 match address vpn-1
> > crypto map map1 10 set peer vpnc
> > crypto map map1 10 set transform-set set1
> > crypto map map1 interface outside
> > isakmp enable outside
> > isakmp key * address vpnc netmask 255.255.255.255
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption aes
> > isakmp policy 20 hash sha
> > isakmp policy 20 group 2
> > isakmp policy 20 lifetime 28800
> >
> > ACL
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0
> >
> > (note on the ASA I use individual /24's and shortened the ACL for ease
> > of reading. I do this to exclude 10.18.14.0/24 from the tunnels since
> > that houses the ASA's inside interface and client access)
> >
> > Any pointers would be appreciated.
> >
> > Thanks
> > Scott
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
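As an added example (not from the thread, not Cisco code), a small Python checker for the two things the replies say must line up on an IKEv1 L2L tunnel: a phase-1 ISAKMP policy both peers can agree on, and crypto ACLs that mirror each other. The sample configs are constructed from a trimmed copy of the snippets Scott posted (he notes the ASA ACL was shortened); on them the checker finds no common phase-1 policy, because the PIX's `encryption aes` (AES-128) has no counterpart among the ASA's aes-256/aes-192/3des policies, and it flags the /23-versus-/20 mask mismatch Mike pointed out.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the thread: ASA phase-1 policies 5 and 10
# are aes-256 as well, so leaving them out does not change the outcome.
ASA_CFG = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
"""
PIX_CFG = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
"""

POLICY_RE = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
# Phase 1 must agree on these four; lifetime is left out because, as the thread
# says, it negotiates down to the lower value rather than failing outright.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_policies(cfg):
    """Return {policy_number: {attribute: value}}; bare 'aes' means AES-128."""
    policies = {}
    for line in cfg.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            num, attr, val = m.groups()
            policies.setdefault(int(num), {})[attr] = "aes-128" if val == "aes" else val
    return policies

def parse_crypto_acl(cfg, name):
    """Return the set of (src, dst) IPv4 networks in the named crypto ACL."""
    pairs = set()
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            pairs.add((ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"),
                       ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")))
    return pairs

def common_phase1(local, remote):
    """(local_num, remote_num) pairs agreeing on auth, encryption, hash and DH group."""
    return [(ln, rn) for ln, lp in sorted(local.items()) for rn, rp in sorted(remote.items())
            if all(lp.get(k) == rp.get(k) for k in MATCH_KEYS)]

def unmirrored(local_pairs, remote_pairs):
    """Local 'src -> dst' entries whose exact mirror (dst, src) is missing on the remote side."""
    return sorted(f"{s} -> {d}" for s, d in local_pairs if (d, s) not in remote_pairs)

if __name__ == "__main__":
    asa, pix = parse_policies(ASA_CFG), parse_policies(PIX_CFG)
    print("common phase-1 policies:", common_phase1(asa, pix) or "NONE (phase 1 will fail)")
    print("ASA crypto ACL lines without a mirror on the PIX:",
          unmirrored(parse_crypto_acl(ASA_CFG, "ny-vpn-acl"), parse_crypto_acl(PIX_CFG, "vpn-1")))
```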