I have an isakmp shared secret:
isakmp key ******* address 27.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
I have a one-line access list:
access-list outside_cryptomap_20 permit ip host 192.168.111.111 host 27.2.2.2
I have this crypto map:
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set peer 207.1.1.1
crypto map mymap 20 set transform-set BLAHBLAH
I then go to my local system 192.168.111.111 and try to telnet to 27.2.2.2. It doesn't work. The hitcount of outside_cryptomap_20 sits at 0.
I understand that mismatches with the map or the isakmp stuff (e.g., wrong key) will result in the debug crypto stuff dumping all kinds of bad negotiation stuff. BUT I GET NOTHING. Obviously, the PIX doesn't see my telnet as 'interesting' and doesn't even attempt to set up the VPN. But why not?
Here are some other interesting nuggets of info:
This PIX has many site-to-site VPNs set up on it, several of which use my local 192.168.111.111 system as a source.
This PIX has client (remote session) VPNs set up (with several dozen up at any given moment).
This PIX is at the internet edge; it routes one hop inside to an edge router.
Any ideas?
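As an added illustration (not part of the original post), here is a small Python linter that reads the posted PIX fragment and reports the consistency problems that typically stop a site-to-site entry from ever classifying traffic as interesting: a crypto map not applied to any interface, a missing or empty match ACL, a peer with no isakmp key, or a missing transform-set. The sample config below is constructed from the post (transform-set line written in full syntax; no interface binding line is present in the fragment).

```python
import re
from collections import defaultdict

# Constructed sample: the fragment from the post, as posted (no
# 'crypto map mymap interface ...' line appears in it).
SAMPLE_CONFIG = """\
isakmp key ******* address 27.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
access-list outside_cryptomap_20 permit ip host 192.168.111.111 host 27.2.2.2
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set peer 207.1.1.1
crypto map mymap 20 set transform-set BLAHBLAH
"""

def parse_pix_fragment(text):
    """Collect the pieces a site-to-site crypto map entry depends on."""
    cfg = {"keys": set(), "acls": defaultdict(list),
           "maps": defaultdict(dict), "bound": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"isakmp key \S+ address (\S+)", line):
            cfg["keys"].add(m.group(1))                      # pre-shared key per peer
        elif m := re.match(r"access-list (\S+) (permit|deny) (.*)", line):
            cfg["acls"][m.group(1)].append((m.group(2), m.group(3)))
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            cfg["bound"][m.group(1)] = m.group(2)            # map -> interface
        elif m := re.match(r"crypto map (\S+) (\d+) (.*)", line):
            entry = cfg["maps"][(m.group(1), int(m.group(2)))]
            rest = m.group(3).split()
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform"] = rest[2:]
    return cfg

def check_crypto_maps(cfg):
    """Return one finding per reason an entry cannot select or negotiate traffic."""
    findings = []
    for (name, seq), entry in sorted(cfg["maps"].items()):
        tag = f"{name} {seq}"
        if name not in cfg["bound"]:
            findings.append(f"{tag}: map '{name}' is not applied to any interface")
        acl = entry.get("acl")
        if acl is None:
            findings.append(f"{tag}: no 'match address', nothing selects traffic")
        elif not any(action == "permit" for action, _ in cfg["acls"].get(acl, [])):
            findings.append(f"{tag}: ACL '{acl}' is missing or has no permit lines")
        peer = entry.get("peer")
        if peer is None:
            findings.append(f"{tag}: no peer set")
        elif peer not in cfg["keys"]:
            findings.append(f"{tag}: no isakmp key for peer {peer} (keys: {sorted(cfg['keys'])})")
        if "transform" not in entry:
            findings.append(f"{tag}: no transform-set")
    return findings
```

Run against the sample it reports two findings: the map is not bound to an interface in the fragment, and the peer 207.1.1.1 has no matching isakmp key (the key is defined for 27.1.1.1).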