I did try to clear the SAs on both sides, and it didn't seem to have an effect.

I'm using nat 0 so that the client on the inside is not NATted at the
external interface of the PIX, which would break the IPSec tunnel.  I am
using sysopt connection permit-ipsec, which does what you describe.

Ben

At 8:27 AM -0800 2/9/01, Kenny Sallee wrote:
>I've had that error before.  It was between 2 PIXes though.  The fix (on
>both sides) was to do a "clear crypto ipsec sa" and "clear crypto isakmp
>sa".  And then it worked.  It was like the SAs got outa sync or something.
>Or one side had a valid SA and the other didn't.  On a side note - have you
>tried to use 'pl-compatible' instead of NAT 0?  Pl-compat bypasses all
>translation and conduit requirements, effectively terminating the tunnel on
>the inside interface or whichever interface the traffic is destined for.
>
>Kenny
>
>"Ben Hockenhull" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> Has anyone successfully set up an IPSec tunnel between a Windows 2000
>> client running the native Win2k IPSec stack and a PIX?  If so, do you
>> have a sample config?
>>
>> I'm able to establish an SA between the PIX and the Win2k box, but I'm
>> unable to pass traffic.  For instance, a ping from inside the PIX to the
>> Win2k box outside the PIX results in an SA being established, but the
>> packets are not passed, and a debug shows a "check crypto map deny".
>>
>> The access lists for nat 0 and for the encrypted traffic are identical and
>> applied.
>>
>> Pix code 5.2.x.
>>
>> Thanks
>>
>> Ben
>>
>>
>> --
>> Ben Hockenhull
>> [EMAIL PROTECTED]
>>
>> _________________________________
>> FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
>> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>>