VPN connection issues between two pix firewalls

handley88, Level 1

Hi, I am trying to create a VPN connection between two PIX firewalls, a 501 and a 506e.

Currently on the 506e the PDM shows 1 IKE tunnel in stats, but then it flashes back to zero. Both PIX hosts can access the web and ping each other's gateways.

I have posted the 506e config, but the 501 config is the same.

Outside IP for PIX 506e = a.a.a.a

Outside IP for PIX 501 = b.b.b.b

ISP gateway IP for 506e = x.x.x.x

thanks

Alex


7 Replies

mj11, Level 3

Hi Alex

Without seeing the configuration from the other side (PIX 501) this is going to be hard to troubleshoot; you will need to be sure at what stage this is failing, phase 1 or phase 2.

Please note that IPsec negotiation between the two PIXs fails if the SAs on both of the IKE phases do not match on the peers.

Regards MJ

Hi, here is the config for the 501.

PIX ISP gateway = y.y.y.y

thanks

Alex

Sorry, forgot to attach.

Alex

Thanks for the info, could you try the following:

Remove (PIX 501) using: no access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 any

Also: no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 any

To confirm, use the command "show crypto isakmp sa". If the output displays "MM_Key_exchange", it means that phase 1 is getting stuck at key exchange. Reasons might be a mismatch in pre-shared keys or a wrong IP address for the peer in the crypto map entry (could you apply these again at both ends?).

Also, a show log may give you some info on where the problem lies.

Regards MJ

Hi, I removed the lines and the show command was blank.

I've posted some of the syslog.

thanks

Alex

You want the crypto ACLs to be mirrors of each other.

506

access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0

501

access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.35.104.0 255.255.255.0
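
As an added example (not from anyone in this thread), a small Python checker that parses two PIX crypto ACL entries in the form quoted above, verifies that they are mirror images of each other, and also flags an entry that uses "any" (as in the 501 line MJ asked to remove earlier). The class name, function names and the sample lines are constructed from the thread.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample lines taken from the thread: the two mirrored crypto ACLs,
# plus the earlier 501 entry ending in "any" that was removed during troubleshooting.
PIX506_ACL = "access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0"
PIX501_ACL = "access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.35.104.0 255.255.255.0"
PIX501_ACL_ANY = "access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 any"

ANY = ("0.0.0.0", "0.0.0.0")  # how "any" is represented after parsing


@dataclass(frozen=True)
class CryptoAce:  # hypothetical name for one parsed access-list entry
    name: str
    src: Tuple[str, str]  # (network, mask)
    dst: Tuple[str, str]


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse one PIX address spec ("any", "host A", or "A M") at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(line: str) -> CryptoAce:
    """Parse an 'access-list NAME permit ip SRC DST' line into a CryptoAce."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:4] != ["permit", "ip"]:
        raise ValueError(f"not a 'permit ip' access-list line: {line}")
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    if i != len(tokens):
        raise ValueError(f"unexpected trailing tokens in: {line}")
    return CryptoAce(tokens[1], src, dst)


def is_mirror(local: CryptoAce, remote: CryptoAce) -> bool:
    """True when the remote entry is the local one with source and destination swapped."""
    return local.src == remote.dst and local.dst == remote.src


def check_pair(local_line: str, remote_line: str) -> List[str]:
    """Return the problems found for one pair of peer crypto ACL entries (empty list = OK)."""
    local, remote = parse_crypto_acl(local_line), parse_crypto_acl(remote_line)
    problems = []
    for side, ace in (("local", local), ("remote", remote)):
        if ANY in (ace.src, ace.dst):
            problems.append(f"{side}: crypto ACL uses 'any', which cannot mirror a peer entry with a specific network")
    if not is_mirror(local, remote):
        problems.append("crypto ACLs are not mirror images (swap src/dst on one side)")
    return problems
```

Run check_pair(PIX506_ACL, PIX501_ACL) for the mirrored pair and check_pair(PIX506_ACL, PIX501_ACL_ANY) for the pair with the "any" entry to see both outcomes.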

Hi, I tested the two PIXs in a lab and they ping through the VPN fine, but now that I've put them in the real environment I am not getting the same result.

I've posted the syslog.

thanks

Alex
