
Site To Site ... Down.... URGENT

We had 'someone' touch our FW w/o regard to its current config. In doing so, they overwrote a FW config that we (new to this particular configuration as we did not build it) in doing so. Below is the current config that we have modified to get VPN back up.

I've attached a document that has:
1. Current ASA config
2. Current PIX config
3. Logging messages on ASA after changes to both

Could it be the crypto map??? What are we missing?

1 REPLY

Site To Site ... Down.... URGENT

Hi,

Seems to me that Phase1 and Phase2 match on the ASA and PIX. Also seems that Crypto Maps are attached and ISAKMP enabled on the external interface.

Have you confirmed that there is no mismatch with the PSK/Pre Shared Key of the L2L VPN connection?

Also what is the network 10.10.10.0/24 configured on the ASA side? There is no "route" configured for that network on the ASA where it's supposed to be located at.

Also the "access-list 101" doesn't seem to contain the line for 10.10.10.0/24 -> 192.168.14.0/24 network but contains one for the 192.168.11.0/24 -> 192.168.14.0/24.

So I could only find missing NAT0 ACL rule and missing route for one L2L VPN source network in the configuration.

Though the output at the bottom would seem to indicate that the Phase1 MSG1 is sent but it doesn't get beyond that. It keeps waiting for the MSG2, which would mean that the PIX is not replying to the negotiation or the MSG1 is not going through to the PIX?

Can you see anything in the PIX with the command

show crypto isakmp sa

When you are attempting to negotiate the tunnel up?

- Jouni
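
An added example, not part of the original thread or the attached configs: a Python check for the two gaps the reply points out, a crypto ACL pair with no matching NAT0 ACL entry and a VPN source network with no route or connected interface. The sample config is constructed in pre-8.3 ASA syntax (an assumption about the software version); the ACL name L2L-CRYPTO, the crypto map name, the interface and its address are hypothetical, and only the three networks and the name "access-list 101" come from the thread.

```python
import ipaddress
import re

# Constructed sample (hypothetical names and addresses, see lead-in).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.11.1 255.255.255.0
access-list 101 extended permit ip 192.168.11.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list L2L-CRYPTO extended permit ip 192.168.11.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list L2L-CRYPTO extended permit ip 10.10.10.0 255.255.255.0 192.168.14.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map outside_map 10 match address L2L-CRYPTO
"""

# Only the "network mask network mask" form is parsed (no host/any/object-group).
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def referenced(config, acls, pattern):
    """Union of (src, dst) pairs from every ACL named by lines matching pattern."""
    pairs = set()
    for name in re.findall(pattern, config, re.M):
        pairs |= acls.get(name, set())
    return pairs

def audit_l2l(config):
    """Return findings for crypto ACL pairs lacking a NAT0 entry or a local route."""
    acls = {}
    for name, s, sm, d, dm in ACL_RE.findall(config):
        acls.setdefault(name, set()).add((net(s, sm), net(d, dm)))
    crypto = referenced(config, acls, r"^crypto map \S+ \d+ match address (\S+)")
    nat0 = referenced(config, acls, r"^nat \(\S+\) 0 access-list (\S+)")
    known = re.findall(r"^\s*ip address (\S+) (\S+)", config, re.M)
    known += re.findall(r"^route \S+ (\S+) (\S+) \S+", config, re.M)
    # The default route is skipped: it would claim every network is reachable.
    reachable = [n for n in (net(a, m) for a, m in known) if n.prefixlen > 0]
    findings = []
    for src, dst in sorted(crypto):
        if (src, dst) not in nat0:
            findings.append(f"no NAT0 entry for {src} -> {dst}")
        if not any(src.subnet_of(r) for r in reachable):
            findings.append(f"no route or connected interface for {src}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_l2l(SAMPLE_CONFIG)) or "no gaps found")
```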
