Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

How to configure a VPN tunnel between a PIX 500 series Firewall with software version 6.x and Symantec Enterprise Firewall ?


Complete these steps to set up an IPsec VPN tunnel between a PIX Firewall and a Symantec Enterprise Firewall:

1.  Configure the Internet Key Exchange (IKE) proposal on both devices.

2.  Configure the IPsec parameters on both devices.

3.  Specify network ranges on both devices for the passage of traffic across the proposed tunnel.

Note: For assistance with the configuration settings, information on how to resolve an IPsec tunnel between a PIX and a Checkpoint Firewall, and secific debug setting information, refer to VPN tunnel between PIX and Symantec Enterprise Firewall.

Once the tunnel is configured, attempt to pass traffic from a workstation on one side of the connection to a workstation on the other side of the connection. If a ping is successful, the tunnel functions properly. If an attempt to ping is not successful, issue the show crypto isakmp sa and show crypto ipsec sa commands on the PIX to determine the state of the connection.

This is the desired command output:

cisco_endpoint#show crypto isakmp sa

dst src state pending created QM_IDLE 0 2

If the show crypto isakmp sa command output shows anything other than a state of QM_IDLE, phase 1 (Internet Security Association and Key Management Protocol [ISAKMP]) is not properly negotiated and must be examined.

The show crypto ipsec sa command identifies information about phase 2 of the connection (IPsec). The proper peer and local endpoint for the tunnel must be identified.

If traffic is passed across the tunnel, the counters for both pkts encaps and pkts decaps should increment. If either value does not increment, a determination can usually be made as to which side of the tunnel has a problem.

This is a portion of the show crypto ipsec sa command output:

cisco_endpoint#show crypto ipsec sa

interface: outside

Crypto map tag: rtpmap, local addr.

local ident (addr/mask/prot/port): (

remote ident (addr/mask/prot/port): (


PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

For more information about how to resolve the passage of traffic from a PIX on an established IPsec tunnel, refer to Troubleshooting the PIX to Pass Data Traffic on an Established IPsec Tunnel.

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 05:31 PM
Updated by:
Labels (1)