snootalope, you can get around that MSS exceeded error by creating a TCP map that allows MSS-exceeded packets to be passed through instead of dropped at the interface. Just make sure to apply the class map to a group policy.
It is a bug, and it will be fixed in future releases. The decision to go to standard access lists makes sense, but the problem with the upgrade not converting extended to standard was unintended. But for now, the best I can do is get the word out.
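The tcp-map approach described above, written out as an added example (not configuration from the original post). The map, class and ACL names and the host 192.0.2.10 are assumed; the tcp-map is attached to the matching class through the policy-map and service-policy on PIX/ASA 7.0:

```cisco
! Added example, not from the original post. Names and addresses are assumed.
! Allow TCP segments that exceed the MSS negotiated in the handshake instead
! of dropping them at the interface.
tcp-map allow-mss-exceeded
  exceed-mss allow
!
! Scope the exception to the traffic that actually needs it (ACL name and
! host assumed). "match any" would apply it to every TCP connection.
access-list MSS_EXCEPTION extended permit tcp any host 192.0.2.10 eq 443
!
class-map mss-exception-class
  match access-list MSS_EXCEPTION
!
! global_policy already exists by default on 7.0; adding the class to it
! attaches the tcp-map to matching connections.
policy-map global_policy
  class mss-exception-class
    set connection advanced-options allow-mss-exceeded
!
service-policy global_policy global
```

Prefer the narrow access-list match over `match any`: the MSS check exists to reject segments the peer said it could not accept, so disable it only for the hosts or services that are known to misbehave.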
Ixleplix
Sorry to hear TAC didn't get back to you. I work on Cisco TAC's advanced security team (one of them, anyhow). One thing that happens when you upgrade to 7.0 is that your split tunnel ACLs don't get carried over correctly. In PIX 6.3 you can use extended ACLs, but in 7.0, only...
Odds are, the access list for interesting traffic on your crypto map isn't set up correctly on the side that can't pass the traffic. Check to make sure both sides agree on what exactly the interesting traffic should be.
Gungnir77
CCNP, Cisco TAC Security Team
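The mirror-image check the post above describes, as an added example that is not part of the original post. The site names, peer addresses (198.51.100.1 and 203.0.113.1), LAN ranges and ACL/crypto map names are all assumed:

```cisco
! Added example, not from the original post. Addresses and names are assumed.
!
! Site A: outside 198.51.100.1, LAN 10.1.0.0/16
! The crypto ACL defines "interesting traffic": local source, remote destination.
access-list VPN_TO_B extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
!
! Site B: outside 203.0.113.1, LAN 10.2.0.0/16
! The ACL must be the exact mirror of Site A's: same two networks with the
! source and destination swapped, same masks.
access-list VPN_TO_A extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_A
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
!
! A typical mismatch that breaks traffic in one direction only: Site B lists
! a single /24 instead of the whole /16, so the proxy identities no longer
! agree and Site A's proposal for 10.1.0.0/16 <-> 10.2.0.0/16 is rejected.
!   access-list VPN_TO_A extended permit ip 10.2.5.0 255.255.255.0 10.1.0.0 255.255.0.0
!
! To compare what each side actually negotiated, look at the local and
! remote ident lines on both firewalls:
show crypto ipsec sa
```

On the working side, the `local ident` and `remote ident` lines in `show crypto ipsec sa` should appear on the other firewall with the two values swapped; any difference in network or mask is the mismatch to fix.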
You need to implement NAT-Traversal on both sides of the tunnel. This will allow IPSec over UDP, which is necessary for VPNs from behind NATed or PATed addresses.
Gungnir77
CCNP, Cisco TAC security team
It does, but you need to make sure the physical interface is assigned to a VLAN that is not the same as the native VLAN that the switch on the other side uses. By default the traffic leaves the interface untagged, even if the logical interfaces are assigned to a specific VLAN. The idea is to...
NAT-Traversal is needed when they are making a VPN connection from inside a firewall (or router) that is translating their address to the outside. Your firewall sees their connection request as coming from their public address, not their inside address. NAT-T allows IPSec over UDP, allowing for...
Also be aware that if you need to implement a VPN tunnel using a NATed address you need to configure NAT-Traversal (UDP over IPSec) to get traffic to work.
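The VLAN arrangement described in the post above, as an added example that is not from the original post. The interface names (Ethernet0/0 on the firewall, GigabitEthernet0/1 on the switch), VLAN numbers and addresses are assumed:

```cisco
! Added example, not from the original post. Interface names, VLAN numbers
! and addresses are assumed.
!
! Firewall side (PIX/ASA 7.0): the physical interface carries the trunk and
! is not itself a named interface; each logical subinterface is tagged.
interface Ethernet0/0
 no nameif
 no shutdown
!
interface Ethernet0/0.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface Ethernet0/0.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
! Switch side (Cisco IOS): 802.1Q trunk. The native VLAN is the one that
! carries untagged frames, so it is set to an otherwise unused VLAN (999)
! rather than 10 or 20; if it matched one of the firewall's tagged VLANs,
! untagged frames leaving the firewall's physical interface would land in
! that VLAN.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
```

Keeping the native VLAN out of the allowed list on the firewall side, and unused everywhere else, also closes the classic untagged-frame path between VLANs that a shared native VLAN opens.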
Gungnir77
CCNP, Advanced Security team at Cisco TAC
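The NAT-Traversal setting the three posts above refer to, as an added example that is not from the original posts. It applies to both peers; the keepalive interval and the addresses are assumed:

```cisco
! Added example, not from the original posts. Values are assumed.
!
! PIX 6.3 and PIX/ASA 7.0 syntax. Enable NAT-Traversal with a 20-second
! keepalive so the NAT/PAT device in the path keeps its UDP/4500 mapping
! open while the tunnel is idle. Configure this on BOTH peers.
isakmp nat-traversal 20
!
! Later releases (7.2 and up) use the same command prefixed with "crypto":
!   crypto isakmp nat-traversal 20
!
! Nothing else in the ISAKMP / IPsec configuration changes: NAT-T is
! negotiated during IKE phase 1 and used only when both peers support it and
! a NAT is detected between them. The NAT device in front of the remote peer
! must pass UDP/500 (ISAKMP) and UDP/4500 (ESP encapsulated in UDP) outbound.
!
! Verification: watch phase 1 for the NAT-T detection, then confirm that
! packets are actually being encapsulated and decapsulated.
debug crypto isakmp
show crypto ipsec sa
```

If phase 1 completes but no traffic flows and the remote peer is behind a NAT, a missing `isakmp nat-traversal` on either side is the first thing to check: plain ESP has no ports for the NAT device to translate, so it is dropped or delivered to the wrong host.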