Firewall Wizards mailing list archives

Re: asa 5505 vpn ipsec l2l problem


From: "Christopher J. Wargaski" <wargo1 () gmail com>
Date: Fri, 2 Oct 2009 09:06:06 -0500

Hello--

  Is the SA established? If so, try starting with a much simpler ACL
for the crypto map match. For example:

access-list acl extended permit ip host 192.168.11.11 host 10.1.100.13
access-list acl extended permit ip host 192.168.11.11 host 10.1.100.250
access-list acl extended permit ip host 192.168.11.11 host 10.1.100.105
access-list acl extended permit ip host 192.168.11.12 host 10.1.100.13
access-list acl extended permit ip host 192.168.11.12 host 10.1.100.250
access-list acl extended permit ip host 192.168.11.12 host 10.1.100.105

Make sure that the same ACL is on the other peer. If this works, begin
restricting the traffic, say starting with all TCP. Continue
restricting the ACL until it is how you want it, or it no longer
works.

cjw
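The mirror-check that the reply recommends, as an added example that is not part of the original post or of Cisco's documentation. It parses the `access-list NAME extended permit ...` lines of two peers and reports every ACE that has no counterpart on the other side. It assumes the usual ASA LAN-to-LAN behaviour: each peer selects tunnel traffic with its own `match address` ACL, and the remote peer's ACL must be the mirror image of the local one (source and destination swapped, same protocol). Only the `host A`, `NET MASK` and `any` address forms are parsed and port operators are ignored; the two ACL texts and the names `acl` and `outside_cryptomap` are constructed for the example.

```python
"""Mirror-check two ASA crypto-map ACLs (the 'match address' selectors).

Added example, not from the original post. Assumes each IPsec peer selects
tunnel traffic with its own crypto ACL and that the remote ACL must mirror
the local one (src/dst swapped). Parses only 'extended permit' ACEs with
'host A', 'NET MASK' and 'any' address forms; port operators are ignored.
"""
import ipaddress

# Constructed sample for the local ASA (192.168.11.0/24 side); the ACL name
# 'acl' follows the reply above. The deny ACE is skipped by the parser.
ASA_A_CONFIG = """
access-list acl extended permit ip host 192.168.11.11 host 10.1.100.13
access-list acl extended permit ip host 192.168.11.11 host 10.1.100.250
access-list acl extended permit ip host 192.168.11.12 host 10.1.100.13
access-list acl extended permit ip 192.168.11.0 255.255.255.0 10.1.200.0 255.255.255.0
access-list acl extended deny ip any any
"""

# Constructed sample for the remote ASA (10.1.100.0/24 side). The third ACE
# carries a deliberate typo (192.168.11.13 instead of .12): exactly the kind
# of mismatch that leaves one host pair without a working SA while the rest
# of the tunnel looks fine. The last line belongs to a different ACL.
ASA_B_CONFIG = """
access-list outside_cryptomap extended permit ip host 10.1.100.13 host 192.168.11.11
access-list outside_cryptomap extended permit ip host 10.1.100.250 host 192.168.11.11
access-list outside_cryptomap extended permit ip host 10.1.100.13 host 192.168.11.13
access-list outside_cryptomap extended permit ip 10.1.200.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_access_in extended permit ip any any
"""


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'NETWORK MASK' form with a dotted netmask, as ASA 7.x writes it
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text, name):
    """Return the set of (proto, src, dst) selectors permitted by ACL `name`."""
    selectors = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        if tokens[2] != "extended" or tokens[3] != "permit":
            continue  # deny ACEs are not tunnel selectors
        proto = tokens[4]
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)  # anything after dst (eq/range) ignored
        selectors.add((proto, src, dst))
    return selectors


def mirror(selectors):
    """The selectors as the other peer must write them: src and dst swapped."""
    return {(proto, dst, src) for proto, src, dst in selectors}


def format_ace(ace):
    proto, src, dst = ace
    return f"{proto} {src} -> {dst}"


def check_mirror(local_text, local_name, remote_text, remote_name):
    """Return (local ACEs with no mirror on remote, remote ACEs with no mirror on local),
    each as a sorted list of 'proto src -> dst' strings. Both empty means the
    two peers agree on the interesting traffic."""
    local = parse_crypto_acl(local_text, local_name)
    remote = parse_crypto_acl(remote_text, remote_name)
    missing_on_remote = sorted(format_ace(a) for a in local - mirror(remote))
    missing_on_local = sorted(format_ace(a) for a in remote - mirror(local))
    return missing_on_remote, missing_on_local


if __name__ == "__main__":
    no_mirror_remote, no_mirror_local = check_mirror(
        ASA_A_CONFIG, "acl", ASA_B_CONFIG, "outside_cryptomap")
    for ace in no_mirror_remote:
        print(f"local ACE has no mirror on remote peer: {ace}")
    for ace in no_mirror_local:
        print(f"remote ACE has no mirror on local peer: {ace}")
    if not (no_mirror_remote or no_mirror_local):
        print("crypto ACLs are mirror images")
```

Run it against `show running-config access-list` output captured from each ASA (the ACL names are whatever each peer uses in its `crypto map ... match address` line). Because the comparison works on parsed networks rather than text, a `host` entry on one side matched by a /24 on the other is also reported as a mismatch, which is what you want: overlapping but unequal selectors are a classic cause of proxy-identity failures in phase 2.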



On Fri, Oct 2, 2009 at 7:09 AM, Hrvoje Popovski <hrvoje () srce hr> wrote:
hello everyone,

i have an asa 5505 with Base license and 7.2.4 software.

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0


i'm trying to create an l2l ipsec tunnel following the manual at
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html

and when i apply the acl in the crypto map
crypto map abcMap 1 match address acl
i get this log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead

i don't get any debug messages (debug crypto ipsec 100).
i googled it but haven't found any answer.

thank you for your answers!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

