PIX site to site VPN, ACL = deny; no sa created

Problem at HeadOffice: IPSEC(sa_initiate): ACL = deny; no sa created.

I've read that this is caused by proxy mismatches, but I don't understand what that means. I have checked the access-lists and there are no deny rules.

Note: the HeadOffice PIX needs to receive VPN Client connections (this currently works). The PIX 506E and PIX 501 are both running v6.3(5).

Any help appreciated. Nick

                      Internet
                     /        \
     111.111.111.111            222.222.222.222
       ADSL Router                ADSL Router
        10.0.0.254                192.168.88.254
            |                          |
         10.0.0.1                  192.168.88.1
         PIX 506E                    PIX 501
      192.168.10.254               192.168.1.1
            |                          |
        HeadOffice                 RemoteOffice

hostname HeadOffice
ip address outside 10.0.0.1 255.255.255.0
ip address inside 192.168.10.254 255.255.255.0
name 192.168.1.0 RemoteOffice
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 RemoteOffice 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 RemoteOffice 255.255.255.0
access-list acl_MYVPN_splitTunnel permit ip 192.168.10.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 172.17.1.0 255.255.255.0
ip local pool vpnusers 172.17.1.20-172.17.1.240
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set STRONG
crypto map Outside_Map 20 ipsec-isakmp
crypto map Outside_Map 20 match address outside_cryptomap_20
crypto map Outside_Map 20 set peer 222.222.222.222
crypto map Outside_Map 20 set transform-set STRONG
crypto map Outside_Map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map Outside_Map client authentication LOCAL
crypto map Outside_Map interface outside
isakmp enable outside
isakmp key ***** address 222.222.222.222 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup MYVPN address-pool vpnusers
vpngroup MYVPN split-tunnel acl_MYVPN_splitTunnel
vpngroup MYVPN idle-time 1800
vpngroup MYVPN password mypassword
username vpnusers password rem0tenighT privilege 3

hostname RemoteOffice
ip address outside 192.168.88.1 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
name 192.168.10.0 HeadOffice
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 HeadOffice 255.255.255.0
access-list outside_cryptomap_21 permit ip 192.168.1.0 255.255.255.0 HeadOffice 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto map Outside_MapR 21 ipsec-isakmp
crypto map Outside_MapR 21 match address outside_cryptomap_21
crypto map Outside_MapR 21 set peer 111.111.111.111
crypto map Outside_MapR 21 set transform-set STRONG
crypto map Outside_MapR interface outside
isakmp enable outside
isakmp key ***** address 111.111.111.111 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400

HeadOffice# show crypto ipsec sa
interface: outside
    Crypto map tag: Outside_Map, local addr. 10.0.0.1

HeadOffice# show crypto isakmp sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created

nicough
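Added example, not part of the post or of anything the forum or Cisco ship: a small Python check for the "proxy mismatch" the poster asks about. On the PIX the proxy identities for phase 2 are the source/destination pairs in the crypto map's match-address ACL, and the peer's pairs must appear reversed in the local ACL for a security association to be built. The script resolves PIX `name` aliases, then compares the two crypto ACLs quoted above in both directions; the ACL names and networks come from the post, while the variant with a /16 mask on RemoteOffice is constructed to show what an unmatched entry looks like.

```python
import ipaddress

# Constructed sample input: the name aliases and crypto map ACLs quoted in the post.
HEADOFFICE_CFG = """
name 192.168.1.0 RemoteOffice
access-list outside_cryptomap_20 permit ip 192.168.10.0 255.255.255.0 RemoteOffice 255.255.255.0
"""
REMOTEOFFICE_CFG = """
name 192.168.10.0 HeadOffice
access-list outside_cryptomap_21 permit ip 192.168.1.0 255.255.255.0 HeadOffice 255.255.255.0
"""
# Constructed faulty variant: RemoteOffice typed a /16 mask for the HeadOffice network.
REMOTEOFFICE_BAD_CFG = REMOTEOFFICE_CFG.replace("HeadOffice 255.255.255.0", "HeadOffice 255.255.0.0")

def _take_net(tokens, names):
    """Consume one PIX address spec (any | host A | A MASK), resolving 'name' aliases."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = (tokens.pop(0), "255.255.255.255") if tok == "host" else (tok, tokens.pop(0))
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

def parse_crypto_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for every 'permit ip' entry."""
    names, acls = {}, {}
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:1] == ["name"]:                 # name <address> <alias>
            names[tokens[2]] = tokens[1]
        elif tokens[:1] == ["access-list"] and tokens[2:4] == ["permit", "ip"]:
            rest = tokens[4:]
            src, dst = _take_net(rest, names), _take_net(rest, names)  # consumed left to right
            acls.setdefault(tokens[1], []).append((src, dst))
    return acls

def proxy_mismatches(local_entries, remote_entries):
    """Local (src, dst) pairs the peer's crypto ACL does not mirror exactly as (dst, src)."""
    # PIX phase 2 accepts only proxy identities that match a crypto ACL entry, so
    # every pair returned here is a candidate cause of 'ACL = deny; no sa created'.
    mirrored = {(dst, src) for src, dst in remote_entries}
    return [pair for pair in local_entries if pair not in mirrored]

def check_site_to_site(local_cfg, local_acl, remote_cfg, remote_acl):
    """Compare the two crypto map ACLs in both directions; ([], []) means they mirror."""
    local = parse_crypto_acls(local_cfg)[local_acl]
    remote = parse_crypto_acls(remote_cfg)[remote_acl]
    return proxy_mismatches(local, remote), proxy_mismatches(remote, local)
```

With the ACLs as posted the check returns ([], []); the faulty variant returns the unmatched pair from each side.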

Try adding "isakmp nat-t" on both PIXes.

HTH Martin

Martin Bilgrav
