Firewall Wizards mailing list archives
Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN
From: "Glenn Crissman" <gwcrissman () gmail com>
Date: Wed, 12 Sep 2007 23:08:24 -0400
First guess is check your NAT 0 access lists on both sides. If you don't have an acl entry there matching your interesting traffic acl for the 515 / 501 L2L VPN it won't attempt to come up. The PIX will NAT the traffic (or at least attempt to) before it hits the crypto engine. On v6 do 'sh nat', on v7+ do 'sh run nat'. You're looking for the 'nat (interface) 0 access-list ...' statement(s). You might have already checked this but it's a first guess.

On 9/12/07, Jerry B. Altzman <jbaltz () altzman com> wrote:
> Hi, I wonder if any of you have encountered this problem before with PIX<->PIX VPNs.
>
> A client of mine has 3 firewalls: a Fortigate, a 515 and a 501. The 515 and FG already have an IPSec lan-to-lan VPN between them that works fine. We'd like to set up a mesh of L2L VPNs, but first steps first: we need to connect the 515 to the new 501.
>
> I've gone through the configurations, followed the directions from cisco's website, cleared everything out and done everything *but* restarted the 515 (which is in production and might cause some consternation if it were rebooted willy-nilly). I've watched the logging output, and it doesn't seem that the 501/515 pair even attempt to do the phase 1 IPSec negotiations. It's just that NOTHING happens at all.
>
> Has anyone seen this? Any received wisdom on this? My search-engine-fu must be weak, I've not managed to tease out a solution to this from the all-seeing GoogleEye.
>
> Thanks!
> //jbaltz
> --
> jerry b. altzman jbaltz () altzman com www.jbaltz.com
> thank you for contributing to the heat death of the universe.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
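Glenn's check, written out as an added example that is not part of the thread: a Python script that parses a constructed PIX 6.x-style configuration (the ACL names and networks are made up, not the poster's) and lists every crypto-map ACL entry that no `nat (interface) 0 access-list` entry exempts, i.e. traffic the PIX would translate before it reaches the crypto engine, so phase 1 is never triggered. It assumes plain `permit ip <net> <mask> <net> <mask>` entries; `host`/`any` forms are skipped.

```python
import ipaddress
import re

# Constructed sample PIX 6.x configuration (not from the thread): the crypto
# ACLs cover two L2L peers, but the NAT 0 ACL only exempts one of them.
SAMPLE_CONFIG = """
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list to_fortigate permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list to_pix501 permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 10 match address to_fortigate
crypto map outside_map 20 match address to_pix501
"""

# Only 'permit ip <net> <mask> <net> <mask>' entries are handled; 'host'/'any' are skipped.
ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for permit ip entries."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            src = ipaddress.IPv4Network(f"{s}/{sm}", strict=False)
            dst = ipaddress.IPv4Network(f"{d}/{dm}", strict=False)
            acls.setdefault(name, []).append((src, dst))
    return acls

def names(config, pattern):
    """ACL names referenced by lines matching pattern (nat 0 or crypto map)."""
    return [m.group(1) for line in config.splitlines()
            if (m := pattern.match(line.strip()))]

def covered(entry, exempt):
    """True if a crypto ACL entry lies wholly inside some NAT 0 exemption entry."""
    src, dst = entry
    return any(src.subnet_of(xs) and dst.subnet_of(xd) for xs, xd in exempt)

def missing_nat_exemptions(config):
    """Crypto ACL entries with no covering nat 0 entry, as (acl, 'src->dst')."""
    acls = parse_acls(config)
    exempt = [e for n in names(config, NAT0_RE) for e in acls.get(n, [])]
    return [(acl, f"{src}->{dst}") for acl in names(config, CRYPTO_RE)
            for src, dst in acls.get(acl, []) if not covered((src, dst), exempt)]
```

Running `missing_nat_exemptions(SAMPLE_CONFIG)` on the sample reports the 501 tunnel's flow as not exempt; run it against 'sh run' output from both peers, since the exemption has to exist on each side.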
Current thread:
- PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN Jerry B. Altzman (Sep 12)
- Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN Glenn Crissman (Sep 13)
- Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN Julian M. Dragut (Sep 13)
- Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN Christopher J. Wargaski (Sep 13)
- Re: PIX 501 to PIX 515 IPSec VPN failure, when the 515 already has a VPN Jerry B. Altzman (Sep 17)