I've had that error before. It was between 2 PIX's though. The fix ( on
both sides ) was to do a "clear crypto ipsec sa" and "clear crypto isakmp
sa". And then it worked. It was like the SA's got outa sync or something.
Or one side had a valid SA and the other didn't. On a side note - have you
tried to use 'pl-compatable' instead of NAT 0? Pl-compat bypasses all
translation and conduit requirements, effectivly terminating the tunnel on
the inside interface or whichever interface the traffic is destined for.
Kenny
"Ben Hockenhull" <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Has anyone sucessfully set up an IPSec tunnel between a Windows 2000
> client running the native Win2k IPSec stack and a PIX? If so, do you
> have a sample config?
>
> I'm able to establish an SA between the PIX and the Win2k box, but I'm
> unable to pass traffic. For instance, a ping from inside the PIX to the
> Win2k box outside the PIX results in an SA being established, but the
> packets are not passed, and a debug shows a "check crypto map deny".
>
> The access lists for nat 0 and for the encrypted traffic are identical and
> applied.
>
> Pix code 5.2.x.
>
> Thanks
>
> Ben
>
>
> --
> Ben Hockenhull
> [EMAIL PROTECTED]
>
> _________________________________
> FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
