
New Member

VPN connection issues between two pix firewalls

Hi, I am trying to create a VPN connection between two PIX firewalls, a 501 and a 506e.

Currently on the 506e the PDM shows 1 IKE tunnel in stats, but then it flashes back to zero. Both PIX hosts can access the web and ping each other's gateways.

I have posted the 506e config, but the 501 config is the same.

outside ip for pix 506e = a.a.a.a

outside ip for pix 501 = b.b.b.b

isp gateway ip for 506e = x.x.x.x

thanks

Alex

7 REPLIES
New Member

Re: VPN connection issues between two pix firewalls

Hi Alex

Without seeing the configuration from the other side (PIX 501) this is going to be hard to troubleshoot; you will need to be sure at what stage this is failing, phase 1 or phase 2.

Please note that IPSec negotiation between the two PIXs fails if the SAs for both IKE phases do not match on the peers.

Regards MJ

New Member

Re: VPN connection issues between two pix firewalls

Hi, here is the config for the 501.

pix isp gateway =y.y.y.y

thanks

Alex

New Member

Re: VPN connection issues between two pix firewalls

Sorry, forgot to attach.

Alex

New Member

Re: VPN connection issues between two pix firewalls

Thanks for the info, could you try the following:

Remove (PIX 501) using: no access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 any

Also: no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 any

To confirm, use the command "show crypto isakmp sa". If the output displays "MM_Key_exchange", it means that phase 1 is getting stuck at key exchange. Reasons might be a mismatch in pre-shared keys or a wrong IP address for the peer in the crypto map entry (could you apply these again at both ends?).

Also a show log may give you some info to where the problem lies.

Regards MJ
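The check MJ describes above, as an added example that is not part of the thread: a small Python parser for `show crypto isakmp sa` output that turns the IKE state into a next step. The sample outputs are constructed, the column layout assumes the PIX 6.x format (dst, src, state, pending, created), and the key-exchange state is spelled MM_KEY_EXCH as the PIX prints it; the hint attached to each state is this example's own troubleshooting note, not text from the thread.

```python
import re

# Constructed sample output (not from the thread): a PIX 6.x-style
# `show crypto isakmp sa` listing while phase 1 is stuck at key exchange.
SAMPLE_STUCK = """\
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   b.b.b.b         a.a.a.a    MM_KEY_EXCH       0           0
"""

# Constructed sample: phase 1 finished, the SA sits in QM_IDLE.
SAMPLE_UP = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   b.b.b.b         a.a.a.a     QM_IDLE          0           1
"""

# What Alex reported later in the thread: the command printed nothing.
SAMPLE_EMPTY = ""

# IKEv1 main-mode state names as the PIX reports them, with the usual
# thing to check at each step. The hints are this example's own notes.
STATE_HINTS = {
    "MM_NO_STATE": "SA created but nothing exchanged: check that UDP/500 "
                   "reaches the peer and that the peer address is right",
    "MM_SA_SETUP": "ISAKMP policy agreed; waiting on key exchange",
    "MM_KEY_EXCH": "stuck at key exchange: re-enter the pre-shared key and "
                   "the peer address (isakmp key / crypto map set peer) on both ends",
    "MM_KEY_AUTH": "authentication failing: almost always a pre-shared key mismatch",
    "QM_IDLE": "phase 1 is up; if traffic still fails, look at phase 2 "
               "(transform set and mirrored crypto ACLs)",
}

# One SA row: dst src state pending created (header/counter lines won't match)
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+((?:MM|AG|QM)_\w+)\s+(\d+)\s+(\d+)\s*$")


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and counter lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            dst, src, state, pending, created = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "pending": int(pending), "created": int(created)})
    return rows


def diagnose(text):
    """Turn the command output into a list of findings with a next step.

    Each finding carries the peer (the dst column, i.e. the remote end
    when this box initiated), the raw state, whether phase 1 completed,
    and a hint. Empty output is itself a finding: no SA at all means the
    PIX never started negotiating (nothing matched the crypto ACL, or the
    IKE packets never left or never arrived).
    """
    rows = parse_isakmp_sa(text)
    if not rows:
        return [{"peer": None, "state": "NONE", "phase1_ok": False,
                 "hint": "no ISAKMP SA: send traffic that matches the crypto "
                         "ACL, then check show log for isakmp messages"}]
    findings = []
    for row in rows:
        state = row["state"]
        findings.append({
            "peer": row["dst"],
            "state": state,
            "phase1_ok": state == "QM_IDLE",
            "hint": STATE_HINTS.get(state, "unrecognised state: check show log"),
        })
    return findings


if __name__ == "__main__":
    for name, sample in (("stuck", SAMPLE_STUCK), ("up", SAMPLE_UP), ("empty", SAMPLE_EMPTY)):
        for f in diagnose(sample):
            print(f"{name}: peer={f['peer']} state={f['state']} -> {f['hint']}")
```

Paste the real command output into `diagnose()` in place of the constructed samples; an empty result, as Alex saw, is the "no SA" case, which points at interesting traffic never matching the crypto ACL rather than at a key or policy mismatch.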

New Member

Re: VPN connection issues between two pix firewalls

Hi, I removed the lines and the show command was blank.

I've posted some of the syslog.

thanks

Alex

Green

Re: VPN connection issues between two pix firewalls

You want the crypto ACLs to be mirrors of each other.

506

access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0

501

access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.35.104.0 255.255.255.0
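A mechanical version of the mirror check in the reply above, as an added example that is not code from the thread. It parses the `permit ip` lines of a PIX crypto ACL, swaps source and destination on one side, and reports every entry the other side does not match. The two good ACLs are the ones quoted in the reply; the third, `... permit ip 192.168.1.0 255.255.255.0 any`, is the 501 line MJ asked to remove earlier. The parser also accepts `any` and `host`, which goes beyond the posted lines and is an assumption of this example.

```python
import ipaddress

# The two crypto ACLs quoted in the reply above (506e first, then 501).
PIX_506E = """
access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
PIX_501 = """
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.35.104.0 255.255.255.0
"""
# The 501 line MJ asked to remove earlier in the thread: 'any' as the
# destination is not a mirror of the 506e entry and breaks phase 2.
PIX_501_BAD = """
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 any
"""


def _take_net(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'NET MASK'.

    'host' and 'any' handling is an assumption beyond the lines posted in
    the thread; ipaddress accepts the dotted netmask form directly.
    """
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_crypto_acl(config, name):
    """Return the set of (src_net, dst_net) pairs in the named ACL.

    Only 'permit ip' entries are considered, which is all a crypto ACL
    for a site-to-site tunnel normally carries.
    """
    entries = set()
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["access-list", name]:
            continue
        if parts[2:4] != ["permit", "ip"]:
            continue
        src, rest = _take_net(parts[4:])
        dst, _ = _take_net(rest)
        entries.add((src, dst))
    return entries


def mirror_problems(local, remote):
    """List the ways `remote` fails to mirror `local`; empty means they match.

    Mirroring means every (src, dst) on one side appears as (dst, src) on
    the other, with nothing extra: the proxy IDs offered in phase 2 must
    agree exactly or the IPSec SA is never built.
    """
    expected = {(dst, src) for (src, dst) in local}
    problems = []
    for src, dst in sorted(expected - remote, key=str):
        problems.append(f"remote is missing {src} -> {dst}")
    for src, dst in sorted(remote - expected, key=str):
        problems.append(f"remote has extra {src} -> {dst}")
    return problems


if __name__ == "__main__":
    a = parse_crypto_acl(PIX_506E, "outside_cryptomap_20")
    for label, cfg in (("good 501", PIX_501), ("bad 501", PIX_501_BAD)):
        b = parse_crypto_acl(cfg, "outside_cryptomap_20")
        print(label, "->", mirror_problems(a, b) or "mirrors OK")
```

The same comparison is worth running against the `nat 0` ACL on each box: the traffic exempted from NAT should be exactly the traffic the crypto ACL selects, otherwise the tunnel carries translated addresses the far end never expects.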

New Member

Re: VPN connection issues between two pix firewalls

Hi, I tested the two PIXs in a lab and they ping through the VPN fine, but now that I've put them in the real environment I am not getting the same result.

I've posted the syslog.

thanks

Alex
