04-09-2008 03:34 PM - edited 02-21-2020 03:40 PM
My customer has a PIX 501 at the HQ. The remote users use the Cisco VPN client to establish the VPN, which has been up for almost 2 years. Now they want to set up a site-to-site VPN for one of their remote sites. The new firewall for the remote site is an ASA-5505, but I just can't get it to work.
I've successfully pinged both sides (not with this config). I've issued show ipsec sa and show isakmp, but no tunnels are established. I've also used debug crypto ipsec 7, debug crypto isakmp 7 and ping w.x.y.z and ping 1.2.3.4... but the tunnel won't even establish (debug has no output). The remote users can still use the VPN client to connect to the PIX without any issues. Please help.
The configs are attached.
04-10-2008 12:44 AM
Firstly - you have so many config errors, it may just be easier for you to start again.
In the pix config:-
1) You have no configured transform set for the peer
2) you are not matching on the correct ACL
In the asa config:-
1) You do not need to enable isakmp in the inside interface
2) you are missing tunnel group identification
3) you are missing tunnel group peer IP address
4) you are missing the PSK for the remote peer
5) you are not matching on a configured ACL
6) You are not allowing IPSEC traffic in
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
for the PIX side.
http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/sitesite.html
for the ASA.
HTH
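The reply above lists what is missing but not what a complete pair of configs looks like. The following is an added example, not the poster's attached configs or the reply author's text: a minimal PIX 6.3 side and a minimal ASA 7.2 side for one site-to-site tunnel, covering each numbered point (transform set, matching ACL, tunnel-group type and PSK, isakmp on the outside interface only, and permitting the IPsec traffic in). All addresses, the PSK placeholder and the object names (L2L_TRAFFIC, ESP-AES-SHA, OUTSIDE_MAP) are assumptions; the HQ LAN is taken as 192.168.1.0/24 behind PIX outside address 198.51.100.1, and the remote LAN as 192.168.2.0/24 behind ASA outside address 203.0.113.1. The NAT exemption lines are not among the reply's six points but are normally required as well, otherwise traffic is translated before it can match the crypto ACL.

```cisco
! ===== PIX 501 (PIX 6.3) at HQ: 192.168.1.0/24 behind 198.51.100.1 =====
! The PIX already terminates VPN clients, so it already has a crypto map
! applied to outside. Reuse THAT map name (OUTSIDE_MAP here is an assumed
! placeholder) and give the static entry a lower sequence number than the
! existing dynamic entry; only one crypto map can be bound to an interface.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! PSK for the remote peer. no-xauth / no-config-mode stop the PIX from
! treating the ASA like a VPN client (extended auth, mode-config) on the
! same isakmp policy.
isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.1 netmask 255.255.255.255 no-xauth no-config-mode
! Crypto ACL: HQ LAN -> remote LAN. Must be the mirror image of the ASA ACL.
access-list L2L_TRAFFIC permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! NAT exemption so tunnel traffic keeps its private addresses (assumed,
! not one of the reply's six points).
nat (inside) 0 access-list L2L_TRAFFIC
! Point 1 for the PIX: a transform set that the crypto map entry references.
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
! Point 2 for the PIX: the static entry matches the crypto ACL above.
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! ===== ASA 5505 (ASA 7.2) at remote site: 192.168.2.0/24 behind 203.0.113.1 =====
! Point 1: isakmp only on the interface that faces the peer, not inside.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Point 5: a configured ACL that the crypto map entry actually references.
! Mirror image of the PIX crypto ACL.
access-list L2L_TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! NAT exemption (assumed, as on the PIX side).
nat (inside) 0 access-list L2L_TRAFFIC
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
! Point 3: the peer IP is set both here and as the tunnel-group name.
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
! Point 2: the tunnel-group is named after the peer address and typed as
! LAN-to-LAN; without it the ASA has no IKE identity to match the peer.
tunnel-group 198.51.100.1 type ipsec-l2l
! Point 4: PSK for the remote peer; must equal the PIX isakmp key.
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_PSK
! Point 6: allow IPsec (decrypted) traffic in without an explicit outside ACL
! entry. Pre-7.2 releases spell this sysopt connection permit-ipsec.
sysopt connection permit-vpn
```

Two things to verify after pasting: the two crypto ACLs must be exact mirrors (the PIX's source is the ASA's destination and vice versa, same masks), and the PSK must be identical on both ends. With this in place, traffic from one LAN to the other should show an ISAKMP SA in show isakmp sa (show crypto isakmp sa on the ASA) and an IPsec SA in show crypto ipsec sa; if debug crypto isakmp 7 still shows nothing at all when traffic is sent, the interesting traffic is not matching the crypto ACL or is being NATted first, which is what the NAT exemption lines address.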