I have a functional IPsec tunnel between a PIX 515 and an ASA 5510 with version 7.0(7). I'm trying to replace that PIX 515 with an ASA 5510 with version 7.0(8). The configuration seems consistent to me, with the exception of the security-association lines which I don't see on the 7.0(7) ASA. I've compared other parts of the configuration on these three devices and I just don't understand why the ASA 7.0(8) isn't working where the PIX 515 is. At many steps along the way I have turned the crypto map to the interface off and on again. Here are what I figure are the relevant parts of the configurations on the three devices. Thanks in advance for your help.
There is a reason why Cisco asks you to make the crypto ACLs specific with regard to traffic definition: your setup simply will not match. On your 515 you had the advantage of defining a specific source and destination in your crypto ACLs; on your ASA 7.0(8) you are not, causing this security association never to match. Go ahead and try changing the ASA 7.0(8) crypto ACLs to look like the PIX 515's and try again, or make both the 7.0(7) and 7.0(8) specific.
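The mirror-image requirement the reply describes can be checked offline before touching the crypto map. This is an added example, not part of the original thread: the ACL name `VPN`, the addresses and the three config snippets are constructed, and only the `any`, `host A` and `A MASK` address forms are handled.

```python
import ipaddress

# Constructed sample configs (not from the thread): one specific pair and one broad ACL.
SITE_A = "access-list VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"
SITE_B_SPECIFIC = "access-list VPN extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0"
SITE_B_BROAD = "access-list VPN extended permit ip any 10.1.1.0 255.255.255.0"

def _take_net(tokens):
    """Consume one address spec (any | host A | A MASK) and return an IPv4Network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_crypto_acl(config, acl_name):
    """Return the set of (src, dst) networks permitted by the named ACL."""
    pairs = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        rest = tokens[5:]
        src = _take_net(rest)
        dst = _take_net(rest)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local_pairs, remote_pairs):
    """Find entries on one peer that have no exact mirror on the other.

    Remote entries are swapped (dst, src) so both lists read from the
    local peer's point of view.
    """
    mirrored_remote = {(dst, src) for src, dst in remote_pairs}
    return {
        "local_only": sorted(local_pairs - mirrored_remote, key=str),
        "remote_only": sorted(mirrored_remote - local_pairs, key=str),
    }

if __name__ == "__main__":
    a = parse_crypto_acl(SITE_A, "VPN")
    for label, cfg in (("specific", SITE_B_SPECIFIC), ("broad", SITE_B_BROAD)):
        print(label, mirror_mismatches(a, parse_crypto_acl(cfg, "VPN")))
```

Any entry reported under `local_only` or `remote_only` is a traffic selector that one peer defines and the other does not mirror exactly.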