Hi,
in case someone else catches this gotcha.
I finished testing a vpn between a pix 6.1(1) and a fw-1 (nokia ip71, 4.1).
Followed the guide in the cisco site at
http://www.cisco.com/warp/public/110/cp-p.html

Nothing worked initially when trying to open the vpn from the pix inside,
some errors when opening from the ip71 outside.
Then I noticed the ipsec and isakmp timeouts weren't aligned, fixed that.
Still nothing if trying to open the vpn from the pix side, but correct
initialization of the vpn if started from the ip71 side, encryption
happening in fw-1, pix complaining of tcp address spoof for return packets.

Apparently the pix needed an explicit route to the next hop for the
(private, 192.168) network sitting behind the fw-1, even if that next hop
was the default router anyway. Without that it did not route the
packet correctly to the outside address, did not use the crypto map applied on the
outside interface, no 200$, packet went directly to jail.

With the route for that 192.168 network to its default router everything
worked, even if that network was correctly referenced in the acl used as
crypto map mapname 10 match address acl.

Bye
Heiko

-- 
-- PREVINET S.p.A.            [EMAIL PROTECTED]
-- Via Ferretto, 1            ph  x39-041-5907073
-- I-31021 Mogliano V.to (TV) fax x39-041-5907472
-- ITALY
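
The gotcha described above, as an added configuration example that is not from the post or from the Cisco guide: a PIX 6.x crypto map whose interesting-traffic ACL references the remote 192.168 network, with the explicit static route that the post found was necessary. All addresses, names (vpnacl, mapname, the transform set) and the peer are constructed placeholders.

```cisco
! --- constructed example, not the poster's configuration ---
! inside network 10.1.1.0/24, outside interface 203.0.113.10,
! default router 203.0.113.1, FW-1 peer 203.0.113.2,
! remote private network 192.168.10.0/24 behind the FW-1

! interesting traffic: inside -> remote 192.168 network
access-list vpnacl permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0

! default route via the upstream router
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! the fix: an explicit route for the remote network, even though it
! points at the same next hop as the default route; without it the
! PIX did not select the outside interface/crypto map for that traffic
route outside 192.168.10.0 255.255.255.0 203.0.113.1 1

! crypto map referencing the same ACL, applied on the outside interface
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto map mapname 10 ipsec-isakmp
crypto map mapname 10 match address vpnacl
crypto map mapname 10 set peer 203.0.113.2
crypto map mapname 10 set transform-set vpnset
crypto map mapname interface outside
sysopt connection permit-ipsec
```

To confirm the route is actually in the table and that traffic is being matched by the crypto map, `show route` should list the 192.168.10.0 entry and `show crypto ipsec sa` should show non-zero encaps counters after initiating traffic from the inside.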

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46467&t=46467