IPSEC problem

Have you created an "outside_cryptomap_21"? After creating it, have you applied the command "crypto map outside_cryptomap interface outside"? After all that, do in config mode:

    clear crypto isakmp sa
    clear crypto ipsec sa

Alex.

PLS, let us know! :-)

Reply to
AM

Hello to all NG (my 1st post :),

I have PIX 515E to configure. On both there are already functioning IPSEC tunnels. I tried to create another one to another PIX but I receive this message while debugging: IPSEC(sa_initiate): ACL = deny; no sa created

I found this on a Cisco website but I don't have any idea how to apply this workaround: Do not configure two crypto map entries with the same name but different priorities, peers, and access lists.

This is a piece of my configuration (the 20 is functioning perfectly, 21 is the "wrong one"):

    crypto ipsec transform-set IDUMA esp-des esp-md5-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer xxx.xxx.xxx.xxx
    crypto map outside_map 20 set transform-set IDUMA
    crypto map outside_map 21 ipsec-isakmp
    crypto map outside_map 21 match address outside_cryptomap_21
    crypto map outside_map 21 set peer xxx.xxx.xxx.xxx
    crypto map outside_map 21 set transform-set IDUMA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp keepalive 360 10
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400

Where am I making a mistake?

Thanks

Reply to
MaiO
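
An offline check for the two questions raised in the reply above (does the access list named by each crypto map entry exist, and is the map applied to an interface), written as an added Python example that is not part of any post in this thread. The sample configuration is constructed from the fragment posted above; the peer addresses, the 10.10.8.0 network and the function name audit_crypto_maps are assumptions.

```python
# Constructed sample modelled on the fragment posted in this thread. Peer
# addresses and the 10.10.8.0 network are placeholders; the access list for
# entry 21 is deliberately left out to show the failure case.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_20 permit ip 192.168.144.0 255.255.255.0 10.10.8.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.0.2.1
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer 192.0.2.2
crypto map outside_map interface outside
"""


def audit_crypto_maps(config):
    """Return a list of findings for PIX-style crypto map entries."""
    permits, entries, bound = set(), {}, set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and "permit" in tok[2:4]:
            permits.add(tok[1])              # ACL has at least one permit line
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5:
            name = tok[2]
            if tok[3] == "interface":        # crypto map <name> interface <if>
                bound.add(name)
                continue
            entry = entries.setdefault((name, tok[3]), {})
            if tok[4:6] == ["match", "address"] and len(tok) > 6:
                entry["acl"] = tok[6]
            elif tok[4:6] == ["set", "peer"] and len(tok) > 6:
                entry["peer"] = tok[6]
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        if "acl" not in e:
            findings.append(f"{tag}: no match address configured")
        elif e["acl"] not in permits:
            findings.append(f"{tag}: access-list {e['acl']} has no permit entry")
        if "peer" not in e:
            findings.append(f"{tag}: no peer configured")
        if name not in bound:
            findings.append(f"{tag}: crypto map not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto_maps(SAMPLE_CONFIG):
        print(finding)
```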

Yes, I created it -> access-list outside_cryptomap_21 permit ip 192.168.144.0 255.255.255.0 10.10.9.0 255.255.255.0

No, I didn't. What does this command do?

no

no

now i will try them and i will let you know

tnx

Reply to
MaiO

Sorry, I've made this command "crypto map

but not these others

I have my head blowing up, sorry, I'm 12 hours behind a screen and I have my brain blowing up (too much work here - Italy)

thx

"MaiO" wrote in message news:dc8ba9$nbo$ snipped-for-privacy@balena.cs.interbusiness.it...

Reply to
MaiO

How should I tell the PIX: bring up this ipsec conn?

I did clear crypto isakmp sa and clear crypto ipsec sa, and even the other ipsec went down.

Now? thx

"MaiO" wrote in message news:dc8bhd$eh7$ snipped-for-privacy@carabinieri.cs.interbusiness.it...

Reply to
MaiO

Perfect, I resolved a problem. Sincerely, I used the PDM VPN wizard, which left the configuration unaltered, but miraculously everything is OK. Now I have 2 IKE and IPsec tunnels.

But I still cannot ping a host behind the second tunnel (first OK).

What can I check?

thanks

"MaiO" wrote in message news:dc893t$l1e$ snipped-for-privacy@balena.cs.interbusiness.it...

Reply to
MaiO

Possibly a routing issue on the other side. Check with sh crypto ipsec sa: in the second ipsec sa, for the 10 network, do you see any encaps? If yes, then do you see any decaps? If no, then there is a routing issue on the other side.

Reply to
rave
