Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

problem with replacing a peer

I have a functional ipsec tunnel between a PIX 515 and an ASA 5510 with version 7.0(7). I'm trying to replace that PIX 515 with an ASA 5510 with version 7.0(8). The configuration seems consistent to me, with the exception of the security-association lines which I don't see on the 7.0(7) ASA. I've compared other parts of the configuration on these three devices and I just don't understand why the ASA 7.0(8) isn't working where the PIX 515 is. At many steps along the way I have turned the crypto map to the interface off and on again. Here are what I figure are the relevant parts of the configurations on the three devices. Thanks in advance for your help.

Cisco Employee

Re: problem with replacing a peer

There is a reason why Cisco asks to make the Crypto ACL's to be specific on regards to traffic definition, your setup will simply will not match, on your 515 you had the advantage of defining specific source and destination of your crypto acls on your ASA 7.0(8) you are not causing this security association never to match. Go ahead and try to change the ASA 7.0(8) crypto acls to look as how the pix 515 is and try again or make both the 7.0(7) and 7.0(8) specific.