From: Stephen Reese on 12 Nov 2008 09:33

On Nov 11, 6:50 pm, Stephen Reese <rsre...(a)gmail.com> wrote:
> > I have not looked in detail but I have done pix-router
> > VPNs with no issues that I can recall so
> > it does work without doing anything special.
> >
> > Most likely a small error somewhere.
> >
> > maybe worth checking the timeouts and
> > looking at a debug.
> >
> > on router
> > deb crypto isakmp
> > deb cry ipsec
> >
> > Pix similar.
> > You also need to arrange to view the debugs.
>

I'm assuming since the ASA side can initiate the connection that there is a problem with the router side of things?
From: Brian V on 12 Nov 2008 13:26

"Stephen Reese" <rsreese(a)gmail.com> wrote in message
news:7404d986-0f5e-4a55-9159-2fd3f4b3e920(a)z28g2000prd.googlegroups.com...
On Nov 11, 6:50 pm, Stephen Reese <rsre...(a)gmail.com> wrote:
> > I have not looked in detail but I have done pix-router
> > VPNs with no issues that I can recall so
> > it does work without doing anything special.
> >
> > Most likely a small error somewhere.
> >
> > maybe worth checking the timeouts and
> > looking at a debug.
> >
> > on router
> > deb crypto isakmp
> > deb cry ipsec
> >
> > Pix similar.
> > You also need to arrange to view the debugs.
>

I didn't see the original configs but a lot of people tend to forget to put the denies to the remote subnets into a router's NAT ACL.
From: Jay on 12 Nov 2008 15:51

Check pfs group, encryption domain.
From: Stephen Reese on 12 Nov 2008 20:08

> I didn't see the original configs but a lot of people tend to forget to put
> the denies to the remote subnets into a router's NAT ACL.

I believe I have added the correct deny statements for NAT

ip nat inside source list 150 interface FastEthernet0/0 overload

access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any

172.31.12.0 being the remote site I would like to let into the network.
From: Stephen Reese on 12 Nov 2008 20:10

> I believe I have added the correct deny statements for NAT
>
> ip nat inside source list 150 interface FastEthernet0/0 overload
>
> access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
> access-list 150 permit ip 172.16.2.0 0.0.0.255 any
> access-list 150 permit ip 172.16.3.0 0.0.0.255 any
>
> 172.31.12.0 being the remote site I would like to let into the network.

Do I need to do something similar to this for the ASA?
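
Added example (not written by any poster in this thread): a small first-match evaluator for the NAT source list posted above, showing which flows the router would translate and which it would leave untranslated for the tunnel. The host addresses and the MISORDERED variant are constructed for illustration; the crypto ACL is not shown in this part of the thread, so whether the 172.16.3.0/24 result matters depends on whether that subnet is meant to use the VPN.

```python
import ipaddress

# ACL 150 exactly as posted in the thread (the router's NAT source list).
ACL_150 = """\
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
"""
# Constructed variant: same entries, but the broad permit precedes the deny.
MISORDERED = """\
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
"""

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines, keeping their order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # this sketch only handles 'ip' entries
        action, rest = tokens[2], tokens[4:]
        entries.append((action, _take_addr(rest), _take_addr(rest)))
    return entries

def _matches(addr, spec):
    # Wildcard bits set to 1 are "don't care"; the remaining bits must be equal.
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)

def nat_decision(entries, src, dst):
    """First matching entry wins; no match means the implicit deny (no NAT)."""
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return "translated" if action == "permit" else "untranslated"
    return "untranslated"

if __name__ == "__main__":
    flows = [("172.16.2.10", "172.31.12.5"), ("172.16.2.10", "198.51.100.7"), ("172.16.3.10", "172.31.12.5")]
    for src, dst in flows:  # constructed hosts inside the thread's subnets
        print(src, "->", dst, nat_decision(parse_acl(ACL_150), src, dst))
```

With the posted ACL, 172.16.2.0/24 traffic to 172.31.12.0/24 bypasses NAT, while 172.16.3.0/24 traffic to the same remote subnet is still translated because it only matches a permit entry.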