Firewall Wizards mailing list archives

Pix LAN-To-LAN Problem


From: cs 2004 <cskb2004 () yahoo com>
Date: Thu, 17 Jun 2004 06:31:18 -0700 (PDT)

Hi wizards,

I have a typical problem negotiating LAN-To-LAN VPN
tunnels from my pix. I myself have worked on various
IPSEC supportive devices including the PIX, but for
some reason, this is really troubling me now.

Here is the scenario:

I have PIX on my side and a Cisco concentrator on the
customer end.

The tunnel can successfully be established when
initiated by the customer (Concentrator 3030); all
traffic then passes normally. When initiated from our
side (PIX 535) we immediately receive
"IPSEC(sa_initiate): ACL = deny; no sa created" while
running "debug crypto ipsec" and "debug crypto
isakmp". We have other VPN tunnels that function
correctly both from the trusted and untrusted
networks.

I have a border router above my firewall and no
filtering on that device.

This problem "IPSEC(sa_initiate): ACL = deny; no sa
created" happens every time I create a new tunnel,
and I don't know what happens, but with every customer I
see this error, I tell them to make sure the proxy
configurations match and UDP 500 traffic is allowed on
their border routers, they do some change and it goes
through. But for this particular tunnel, I just keep
getting the same error. It's entirely possible that the
remote end is the problem, however I want to rule out
possible misconfiguration on my end.

Any clues? Suggestions?

Best
Chandan



                
__________________________________
Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.
http://mobile.yahoo.com/maildemo 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
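The check the poster describes asking customers to perform ("make sure the proxy configurations match") can be done mechanically before opening a ticket with the remote side. The script below is an added example, not part of the post or of any Cisco tooling: it parses PIX-style `access-list NAME permit ip SRC MASK DST MASK` crypto ACL lines from both ends, verifies that every local (source, destination) pair has an exact mirror (destination, source) on the remote side, and reports which entries lack one. It also answers the narrower question of whether a given flow is selected by the local crypto ACL at all. The ACL text, network ranges and the `cust1` name are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample crypto ACLs (not taken from the post). LOCAL_ACL is what
# the PIX administrator has; REMOTE_ACL is what the customer reports from the
# concentrator, written in the same PIX syntax for comparison. The second
# remote entry deliberately uses a /16 where the local side has a /24.
LOCAL_ACL = """
access-list cust1 permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list cust1 permit ip 10.2.0.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
REMOTE_ACL = """
access-list cust1 permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list cust1 permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.0.0
"""

# A proxy identity is the (source network, destination network) pair an
# access-list entry selects for the tunnel.
Proxy = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def parse_crypto_acl(text: str) -> List[Proxy]:
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' lines.

    Only 'permit ip' entries define proxy identities; blank lines, comments
    and other entry types are ignored rather than guessed at.
    """
    proxies: List[Proxy] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 8 or parts[0] != "access-list":
            continue
        if parts[2:4] != ["permit", "ip"]:
            continue
        src = ipaddress.IPv4Network((parts[4], parts[5]), strict=False)
        dst = ipaddress.IPv4Network((parts[6], parts[7]), strict=False)
        proxies.append((src, dst))
    return proxies


def mirror_mismatches(local: List[Proxy], remote: List[Proxy]) -> Dict[str, List[Proxy]]:
    """Return entries that have no exact mirror on the other side.

    For every local (src, dst) the remote side must carry (dst, src) with
    identical prefix lengths; a wider or narrower mask on one side is a
    mismatch, which is exactly the kind of difference the two administrators
    need to reconcile.
    """
    local_set = set(local)
    remote_mirrored = {(d, s) for s, d in remote}
    return {
        "local_without_mirror": sorted(local_set - remote_mirrored, key=str),
        "remote_without_mirror": sorted(remote_mirrored - local_set, key=str),
    }


def proxies_match(local_text: str, remote_text: str) -> bool:
    """True when both crypto ACLs are perfect mirrors of each other."""
    result = mirror_mismatches(parse_crypto_acl(local_text), parse_crypto_acl(remote_text))
    return not result["local_without_mirror"] and not result["remote_without_mirror"]


def acl_selects_flow(proxies: List[Proxy], src_ip: str, dst_ip: str) -> bool:
    """True when a src->dst flow is covered by at least one permit entry,
    i.e. the local PIX would try to bring up the tunnel for it."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in proxies)


if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_ACL)
    remote = parse_crypto_acl(REMOTE_ACL)
    for side, entries in mirror_mismatches(local, remote).items():
        for src, dst in entries:
            print(f"{side}: {src} -> {dst}")
    print("mirrored:", proxies_match(LOCAL_ACL, REMOTE_ACL))
    print("10.1.5.5 -> 192.168.50.7 selected:", acl_selects_flow(local, "10.1.5.5", "192.168.50.7"))
```

Run against real configurations, the remote side's entries have to be supplied in the same syntax; the point of the script is that a single mask digit difference (the `/24` versus `/16` in the sample) is enough to break the mirror, and that is easy to miss when comparing by eye over e-mail with the customer.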