
Site-to-site VPN between ASA 5500 and PIX 501

jasonmcreynolds
Level 1

I admit that I'm rather new to Cisco gear and I'm trying to set up a VPN between a PIX 501 (version 6.3(3)) and an ASA 5500 (version 7.0(7)) but am unable to get the VPN tunnel up.

Originally, there were multiple remote sites with 501s connecting back to the main site's 501. The main site's 501 is being replaced by the ASA, so basically all I did was change the IP the remote was using to point to the new IP of the host ASA and then set up the VPN config on the ASA using the VPN Wizard. To me it all looks like it should work. It's late and I'd appreciate any help, direction and/or suggestions as to what I'm doing wrong.

I've attached a doc with both configs (IP changed from actual but you should still be able to figure it out).

ASA IP 172.16.2.56/27

PIX IP 172.16.1.250/29

Thanks!

3 Replies

michelcaissie
Level 1

You can start by adjusting the ACLs on the ASA.

Instead of

"access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0"

you need

"access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.8.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 10.0.0.0 255.255.255.0 10.0.8.0 255.255.255.0"
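The ACL change suggested in the reply above can be checked mechanically. This is an added example, not part of the original thread: a Python check (function names are hypothetical) that parses ASA `access-list ... extended permit ip` lines and flags crypto-map or NAT-exemption entries whose source and destination overlap, plus crypto entries with no matching nat0 entry. The sample input is the two ACL pairs quoted in the reply.

```python
import ipaddress
import re

# Matches the ASA 7.x form quoted in the thread:
# access-list <name> extended permit ip <src> <mask> <dst> <mask>
ADDR = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(
    rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    rf"{ADDR}\s+{ADDR}\s+{ADDR}\s+{ADDR}\s*$"
)

def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for matching lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                    ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
            acls.setdefault(name, []).append(pair)
    return acls

def check_tunnel_acls(config, crypto_acl, nat0_acl):
    """List problems with a crypto ACL and its NAT-exemption ACL."""
    acls = parse_acls(config)
    problems = []
    for name in (crypto_acl, nat0_acl):
        if name not in acls:
            problems.append(f"{name}: not found in config")
        for src, dst in acls.get(name, []):
            if src.overlaps(dst):  # local and remote LAN must differ
                problems.append(f"{name}: {src} -> {dst} overlap")
    nat0 = acls.get(nat0_acl, [])
    for src, dst in acls.get(crypto_acl, []):
        if (src, dst) not in nat0:  # tunnel traffic would still be NATed
            problems.append(f"{crypto_acl}: {src} -> {dst} has no nat0 entry")
    return problems

# Sample input: the "instead of" and "you need" lines quoted in the reply.
BEFORE = """\
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
"""
AFTER = """\
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.8.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.0.0.0 255.255.255.0 10.0.8.0 255.255.255.0
"""
```

Calling `check_tunnel_acls(BEFORE, "outside_cryptomap_20", "inside_nat0_outbound")` reports both ACLs; the same call on `AFTER` returns an empty list.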

Oops, actually what I have in the config is correct, or what you have. I think I messed it up trying to fix the line break when I copied it from my console session. Sorry, but still doesn't seem to work.

Figured it out.