I have an ASA and a PIX site-to-site VPN tunnel set up. The tunnel only establishes when I ping from the ASA, and not vice versa.
Is there a setting or command that will allow either side to establish the tunnel?
PIX:
access-list inside_outbound_nat0_acl permit ip 10.100.103.0 255.255.255.0 any
access-list outside_cryptomap_20 permit ip 10.100.103.0 255.255.255.0 any
ASA:
access-list Inside_nat0_outbound extended permit ip 172.17.X.0 255.255.255.0 10.100.103.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit ip any 10.100.103.0 255.255.255.0
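One thing worth checking when a tunnel only comes up from one end is whether the crypto ACLs on the two peers are exact mirror images of each other (each source/destination pair on one side reversed on the other); an IKEv1 peer can only initiate for a proxy identity it has a matching entry for. The script below is an added example, not code from the thread or from Cisco: it parses the two posted crypto ACLs into network pairs and reports any entry that lacks a mirrored counterpart. For the ACLs quoted above the check comes back clean. A second, deliberately mismatched pair using documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) is constructed here to show what a gap looks like. The parser assumes the PIX/ASA "access-list NAME [extended] permit ip SRC DST" form with normal (not wildcard) masks, and handles only "any", "host", and "network mask" endpoints.

```python
"""Check that two peers' IPsec crypto ACLs mirror each other (added example)."""
import ipaddress

# The two ACLs posted in the thread, verbatim.
PIX_CRYPTO_ACL = """
access-list outside_cryptomap_20 permit ip 10.100.103.0 255.255.255.0 any
"""
ASA_CRYPTO_ACL = """
access-list Outside_cryptomap_60 extended permit ip any 10.100.103.0 255.255.255.0
"""

# Constructed mismatch (documentation ranges, not from the thread): the local
# side lists a second subnet that the remote side never mentions.
SITE_B_LOCAL = """
access-list Outside_cryptomap_70 extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list Outside_cryptomap_70 extended permit ip 192.0.2.0 255.255.255.0 203.0.113.0 255.255.255.0
"""
SITE_B_REMOTE = """
access-list outside_cryptomap_30 permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0
"""


def _parse_endpoint(tokens, i):
    """Consume one ACE endpoint at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX/ASA write "network netmask" (a normal mask, not an IOS wildcard mask)
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit ip SRC DST' into (src, dst).

    Returns None for anything else (blank lines, remarks, deny entries,
    non-IP protocols), so those lines are simply ignored.
    """
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        return None
    if tokens[2] == "extended":  # ASA syntax; PIX 6.x omits the keyword
        tokens.pop(2)
    if tokens[2] != "permit" or tokens[3] != "ip":
        return None
    src, i = _parse_endpoint(tokens, 4)
    dst, _ = _parse_endpoint(tokens, i)
    return src, dst


def parse_acl(text):
    """Return the list of (src, dst) network pairs found in an ACL dump."""
    return [ace for ace in (parse_ace(line) for line in text.splitlines()) if ace]


def mirror_gaps(local_acl, remote_acl):
    """Return local ACEs that have no reversed (dst, src) entry on the remote peer.

    An empty list means every proxy identity the local side can initiate with
    is also one the remote side can initiate with.
    """
    remote = set(parse_acl(remote_acl))
    return [(src, dst) for src, dst in parse_acl(local_acl) if (dst, src) not in remote]


def report(label, local_acl, remote_acl):
    """Print a short verdict for one direction of one tunnel."""
    gaps = mirror_gaps(local_acl, remote_acl)
    if not gaps:
        print(f"{label}: crypto ACLs mirror, no gaps")
    for src, dst in gaps:
        print(f"{label}: {src} -> {dst} has no mirrored entry on the remote peer")


if __name__ == "__main__":
    report("PIX -> ASA", PIX_CRYPTO_ACL, ASA_CRYPTO_ACL)
    report("ASA -> PIX", ASA_CRYPTO_ACL, PIX_CRYPTO_ACL)
    report("site B local -> remote", SITE_B_LOCAL, SITE_B_REMOTE)
    report("site B remote -> local", SITE_B_REMOTE, SITE_B_LOCAL)
```

Run it in both directions for each tunnel, since an ACL can be a superset of its peer's: the constructed site B pair reports no gap from the remote side but one from the local side, which is exactly the asymmetric "only comes up from one end" symptom. The check covers only proxy identities; it says nothing about IKE or IPsec lifetimes or software versions.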
This has also been applied to a second site-to-site tunnel with a different PIX, and its tunnels can be established from either side. Configurations are virtually the same between the PIXes, besides the IPs and pre-shared keys.
A Cisco person gave me the above access-lists and they seem to be working as they should. Though the method you presented is how I originally learned to do access lists on the PIX. What's the benefit of doing it this way?
Anyways, the behavior of not being able to initiate the tunnels from a particular end is happening randomly.
Sometimes it happens on the PIX side, sometimes on the ASA side.
There are actually 3 tunnels set up from the ASA going to 3 different PIXes.
When I power on the PIXes and ASA (this is in a lab setup), the issue with not being able to initiate the tunnel comes up again and then later (minutes to hours later) will start acting normally without any config changes.
You need to run version 7.1(2) on both the Cisco PIX and the ASA. Furthermore, you need to set the Phase I and Phase II timeouts identically on both ends.
I have the same setup as yours in my lab and it is working great.
How do you manage to get the PIX to crash with the "inspect http" command? I am running version 7.1(2) on a Cisco PIX 525, and when I do this, the PIX does NOT crash:
class-map test
 match any
policy-map test
 class test
  inspect http
service-policy test interface EXTERNAL
Can you provide a sample where you can crash the PIX firewall by enabling "inspect http"? Thanks.
If the load through the HTTP inspect is large, it causes a buffer overload. I don't have the threshold at which it blows, but for us it would crash less than a minute after a reboot.
There is a bug report at Cisco on this, if you can find it.