IPSec Site-to-Site VPN between ASA 5540 and PIX 501

Oct 3rd, 2007

I am having problems setting up a site-to-site VPN. I used the VPN Wizard and the configuration matches an existing VPN that is working. The IKE Tunnel displays on the 501 home page but the IPSec Tunnel does not appear. As well, I do not see any encap/decap packets. Any help will be greatly appreciated.

Overall Rating: 4.5 (2 ratings)
ajagadee Thu, 10/04/2007 - 05:36
User Badges: Cisco Employee


It's kind of hard to say without looking at the configuration. A couple of quick things to check are:

1. IPSEC Policy - encryption, hashing, SA lifetime

2. Crypto ACLs - Make sure the ACLs are mirror images of each other.

3. No Overlapping ACLs

4. NAT 0 - Bypass NAT for Crypto Traffic.

If possible, please do post the sanitized version of the configuration and debugs when bringing up the tunnel.

I hope it helps.



** Please rate all helpful posts **
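Checks 2 and 4 from the reply above can be run mechanically over the two sanitized configs. The script below is an added example, not part of the original thread: the addresses, ACL names and crypto map names are constructed, and it assumes plain network/mask `permit ip` entries, the `nat (interface) 0 access-list` form of NAT exemption, and exact-match comparison (a broader nat 0 entry that covers the crypto entry is still reported).

```python
import re

# PIX 6.x omits "extended"; ASA 7.x includes it. Only network/mask entries parse.
ACE = re.compile(r"access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip"
                 r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")
CRYPTO_REF = r"^crypto map \S+ \d+ match address (\S+)"
NAT0_REF = r"^nat \(\S+\) 0 access-list (\S+)"

def acl_entries(config, name):
    """Return the set of (src, src_mask, dst, dst_mask) tuples in ACL `name`."""
    hits = (ACE.match(line.strip()) for line in config.splitlines())
    return {m.groups()[1:] for m in hits if m and m.group(1) == name}

def referenced_acl(config, pattern):
    """Name of the ACL referenced by the first line matching `pattern`, or None."""
    m = re.search(pattern, config, re.M)
    return m.group(1) if m else None

def mirror(entries):
    """Swap source and destination in every entry."""
    return {(d, dm, s, sm) for s, sm, d, dm in entries}

def check_pair(cfg_a, cfg_b):
    """Findings for the mirror-image and nat 0 checks; an empty list means both pass."""
    findings = []
    crypto = {side: acl_entries(cfg, referenced_acl(cfg, CRYPTO_REF))
              for side, cfg in (("A", cfg_a), ("B", cfg_b))}
    for side, peer, cfg in (("A", "B", cfg_a), ("B", "A", cfg_b)):
        if not crypto[side]:
            findings.append(f"{side}: no crypto ACL entries found")
        for entry in sorted(crypto[side] - mirror(crypto[peer])):
            findings.append(f"{side}: crypto ACL entry has no mirror on peer: {entry}")
        exempt = acl_entries(cfg, referenced_acl(cfg, NAT0_REF))
        for entry in sorted(crypto[side] - exempt):
            findings.append(f"{side}: no nat 0 exemption for {entry}")
    return findings

# Constructed sample configs: the PIX side has a wrong mask and no nat 0 statement.
ASA_CFG = """\
access-list outside_cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
"""
PIX_CFG = """\
access-list 101 permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map vpnmap 20 match address 101
"""

if __name__ == "__main__":
    print("\n".join(check_pair(ASA_CFG, PIX_CFG)) or "crypto ACLs and nat 0 look consistent")
```
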

jfgobin01 Thu, 10/04/2007 - 05:48

And if everything looks right in both configs, "debug crypto isakmp" or "debug crypto ipsec" may help determine where and why the tunnel fails.


