
Can't initiate 2nd site-to-site VPN tunnel on outside interface


Triplejolt

IS-IT--Management
Feb 9, 2005
Hiya.

I've looked all over Cisco's site and searched this forum for answers, but I don't seem to find any that can explain why my PIX515e fails to initiate and establish a 2nd Site-2-Site VPN tunnel. I've even gone as far as copying the previous s2s config, but still the PIX doesn't seem to initiate. Calling up and asking the other end to initiate the tunnel seems to be the way to go about it. The negotiations work as intended and the VPN tunnel gets established. Seeing as our PIX is the one that should initiate this, I can't really rely on calling up the other end each time the VPN tunnel times out and disconnects.... I'm stuck and really need a second opinion here. I'm gonna turn to Tek-tips for help :)
Here's the config:
Code:
access-list cryptomap1 permit ip 192.168.100.0 255.255.255.0 [working s2s]
access-list cryptomap2 permit ip 192.168.100.0 255.255.255.0 [non-working s2s]

global (outside) 3 [public IP]
global (outside) 2 [public IP]
nat (inside) 3 access-list cryptomap1 0 0
nat (inside) 2 access-list cryptomap2 0 0 

crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac

crypto map VPN 1 ipsec-isakmp
crypto map VPN 1 match address cryptomap1
crypto map VPN 1 set peer [working s2s]
crypto map VPN 1 set transform-set 3des-md5
crypto map VPN 2 ipsec-isakmp
crypto map VPN 2 match address cryptomap2
crypto map VPN 2 set peer [non-working s2s]
crypto map VPN 2 set transform-set 3des-md5

crypto map VPN interface outside
isakmp enable outside

isakmp key ******** address [working s2s] netmask 255.255.255.255 no-xauth 
isakmp key ******** address [non-working s2s] netmask 255.255.255.255 no-xauth 
isakmp identity address
isakmp keepalive 30 30
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400



A firm believer of "Keep it Simple" philosophy
Cheers
/T
 
Try this:

access-list nonat permit ip 192.168.100.0 255.255.255.0 [working s2s]
access-list nonat permit ip 192.168.100.0 255.255.255.0 [non-working s2s]

nat (inside) 0 access-list nonat
 
Thanks for your reply NetworkGhost.
The statements are already in my "nonat" ACL, so this is really starting to bug me....

It's 6.3(4) by the way. Maybe I should upgrade?

A firm believer of "Keep it Simple" philosophy
Cheers
/T
 
So just to confirm, you have this specific command in your config:

nat (inside) 0 access-list nonat



It may be helpful to post your full config. Just do a find and replace on the things you don't want us to see.
 
Sorry for the late reply NetworkGhost.
But to answer your question, yes I have the:
nat (inside) 0 access-list nonat

And only one of the two ACL statements above, as I need to mask my address and use NAT towards one of the endpoints.

But to make a long story short, I rebooted and it solved the problem :) Could be a problem with the xlate tables.



A firm believer of "Keep it Simple" philosophy
Cheers
/T
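The thread turns on whether each crypto map entry's interesting traffic is kept out of the ordinary NAT pool, either by the "nat (inside) 0" exemption ACL or by a policy NAT statement such as the poster's "nat (inside) 2 access-list cryptomap2". Below is an added static check for that condition (not code from any poster or from Cisco); it parses PIX 6.3-style lines, and the sample config is constructed from the thread with the redacted peers and networks replaced by placeholder addresses.

```python
import re

# Constructed sample modelled on the thread's config; addresses are placeholders.
SAMPLE_CONFIG = """
access-list cryptomap1 permit ip 192.168.100.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list cryptomap2 permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 2 access-list cryptomap2 0 0
crypto map VPN 1 ipsec-isakmp
crypto map VPN 1 match address cryptomap1
crypto map VPN 1 set peer 203.0.113.10
crypto map VPN 2 ipsec-isakmp
crypto map VPN 2 match address cryptomap2
crypto map VPN 2 set peer 198.51.100.20
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def check_vpn_nat(config):
    """Return {(map_name, seq): verdict} for every crypto map entry.

    'no NAT rule' means the entry's traffic is neither exempted by a nat 0 ACL
    nor handled by policy NAT, so it will be translated by the ordinary pool
    and never match the crypto ACL; the PIX then has nothing to initiate for.
    """
    acls, exempt, policy, crypto = {}, set(), set(), {}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(tuple(m.groups()[1:]))  # (src, smask, dst, dmask)
        elif m := NAT_RE.match(line):
            (exempt if m[2] == "0" else policy).add(m[3])  # nat 0 vs. policy NAT ACL names
        elif m := MATCH_RE.match(line):
            crypto[(m[1], int(m[2]))] = m[3]
    exempt_entries = {e for name in exempt for e in acls.get(name, [])}
    verdicts = {}
    for key, acl in sorted(crypto.items()):
        entries = acls.get(acl, [])
        if acl in policy:
            verdicts[key] = "policy NAT"
        elif entries and all(e in exempt_entries for e in entries):
            verdicts[key] = "nat 0 exempt"
        else:
            verdicts[key] = "no NAT rule"
    return verdicts
```

This is a static check only: as the last post shows, a config that passes it can still fail against stale translation entries until the xlate table is cleared or the box is rebooted.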
 
Make sure your access maps are the same on both sides. Sometimes that can cause issues.
 
Well, this isn't a problem anymore. I'm gonna blame my faulty xlate tables for now :)
I do have another concern though, which I need help with. It is posted here as Site2Site VPN (my nemesis). Any comments here would be appreciated.

A firm believer of "Keep it Simple" philosophy
Cheers
/T
 