problem with replacing a peer

Unanswered Question
Feb 11th, 2009

I have a functional ipsec tunnel between a PIX 515 and an ASA 5510 with version 7.0(7). I'm trying to replace that PIX 515 with an ASA 5510 with version 7.0(8). The configuration seems consistent to me, with the exception of the security-association lines which I don't see on the 7.0(7) ASA. I've compared other parts of the configuration on these three devices and I just don't understand why the ASA 7.0(8) isn't working where the PIX 515 is. At many steps along the way I have turned the crypto map to the interface off and on again. Here are what I figure are the relevant parts of the configurations on the three devices. Thanks in advance for your help.

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Ivan Martinon Wed, 02/11/2009 - 12:50

There is a reason why Cisco asks to make the Crypto ACL's to be specific on regards to traffic definition, your setup will simply will not match, on your 515 you had the advantage of defining specific source and destination of your crypto acls on your ASA 7.0(8) you are not causing this security association never to match. Go ahead and try to change the ASA 7.0(8) crypto acls to look as how the pix 515 is and try again or make both the 7.0(7) and 7.0(8) specific.

Actions

This Discussion