Can't get site-to-site VPN to work between 501 and 5505

mcpcinc11 · ‎04-09-2008

My customer has a PIX 501 at the HQ. The remote users use the Cisco VPN client to establish the VPN which has been up for almost 2 years. Now they want to setup a site-to-site vpn for one of their remote sites. The new firewall for the remote site is an ASA-5505 but I just can't get it to work.

I've successfully ping both sides (not with this config). I've issued the show ipsec sa and show isakmp but no tunnels are established. I've also used debug crypto ipsec 7, debug crypto isakmp 7 and ping w.x.y.z and ping 1.2.3.4... but the tunnel won't even establish (debug has no output). The remote users can still use the vpn client to connect to the pix without any issues. Please help.

The configs are attached.

andrew.prince · ‎04-10-2008

Firstly - you have so many config errors, it may just be easier for you to start again.

In the pix config:-

1) You have no configured transform set for the peer

2) you are not matching on the correct ACL

In the asa config:-

1) You do not need to enable isakmp in the inside interface

2) you are missing tunnel group identifcation

3) you are missing tunnel group peer IP address

4) you are missing the PSK for the remote peer

5) you are not matching on a configured ACL

6) You are not allowing IPSEC traffic in

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html

for the PIX side.

http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/sitesite.html

for the ASA.

HTH