jaustinMDC
Cisco PIX 501 Site to Site VPN
Hello, I need to get some help troubleshooting a site-to-site VPN between two Cisco PIX 501 routers. Neither router has the web interface turned on, and I would like to perform all steps via console access. I have attached two files showing the current running config of the routers. For security purposes I have changed some IP addresses.
Site 1 Public IP address = 69.29.??.??
Site 1 Internal IP Address = 192.168.0.1 255.255.255.0
Site 2 Public IP Address = 207.119.??.??
Site 2 Internal IP Address = 192.168.1.1 255.255.255.0
Please let me know if you need any more information or have any suggestions
Thank you
ASKER
My bad, I am a Cisco newbie and trying to help out a client in a desperate situation. I ran "show crypto isakmp sa" from the PIX 501 and received the following:
FBC-HOST# show crypto isakmp sa
Total : 1
Embryonic : 1
dst src state pending created
69.29.22.253 207.119.185.85 MM_KEY_EXCH 0 0
Does this mean the preshared key? If so, how can I change it?
ASKER
I also ran the following:
FBC-HOST(config)# show ipsec sa
interface: outside
Crypto map tag: mymap, local addr. 69.29.22.253
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0 /0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0 /0/0)
current_peer: 207.119.185.85:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 45, #recv errors 0
local crypto endpt.: 69.29.22.253, remote crypto endpt.: 207.119.185.85
path mtu 1492, ipsec overhead 0, media mtu 1492
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Are both ends DHCP addresses? The ISAKMP error does indicate either the configured pre-shared key is not correct or the peer IP addresses are different. If both ends are DHCP addresses, you may get it working now but you're going to have difficulty in the long run. If that's the case, you really want a static IP address on the ASA side, have it act as an EasyVPN server, and have the PIX 501 keep its DHCP address and act as an EasyVPN client. See http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml for an example of how to set it up.
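An added example, not part of the thread or of any Cisco tooling: a small Python script that parses the two command outputs the asker pasted ("show crypto isakmp sa" and "show ipsec sa") and turns the state/counter combination into the diagnosis the reply above gives. The sample text is constructed to mirror the asker's paste; the main-mode state table is my own summary of the documented ISAKMP states, and all function names are mine.

```python
import re

# Constructed sample, modelled on the asker's "show crypto isakmp sa" paste.
ISAKMP_SA = """\
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   69.29.22.253    207.119.185.85    MM_KEY_EXCH      0           0
"""

# Constructed sample, modelled on the asker's "show ipsec sa" paste.
IPSEC_SA = """\
interface: outside
    Crypto map tag: mymap, local addr. 69.29.22.253
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 207.119.185.85:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 45, #recv errors 0
     local crypto endpt.: 69.29.22.253, remote crypto endpt.: 207.119.185.85
     current outbound spi: 0
"""

# Main-mode (phase 1) states and what a tunnel stuck there usually means.
# MM_KEY_EXCH: Diffie-Hellman is done but the SA is still unauthenticated,
# which is exactly where a wrong pre-shared key or wrong peer address fails.
MM_STATE_HINTS = {
    "MM_NO_STATE": "no accepted reply from peer: peer unreachable, UDP/500 blocked, "
                   "or no matching isakmp policy",
    "MM_SA_SETUP": "policy agreed but Diffie-Hellman exchange not completed",
    "MM_KEY_EXCH": "keys exchanged but SA never authenticated: pre-shared key mismatch "
                   "or wrong peer in 'isakmp key ... address <peer>'",
    "MM_KEY_AUTH": "authenticated, phase 1 should finish momentarily",
    "QM_IDLE": "phase 1 established",
}

ROW_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+\d+\s*$")


def parse_isakmp_sa(text):
    """Return one dict (dst, src, state) per SA row in 'show crypto isakmp sa'."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3)})
    return rows


def parse_ipsec_sa(text):
    """Pull the peer, packet counters and outbound SPI out of 'show ipsec sa'."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else None
    return {
        "peer": grab(r"current_peer:\s*(\d+\.\d+\.\d+\.\d+)"),
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "send_errors": grab(r"#send errors\s+(\d+)", int),
        "outbound_spi": grab(r"current outbound spi:\s*(\w+)"),
    }


def diagnose(isakmp_text, ipsec_text):
    """Return a list of human-readable findings about why the tunnel is down."""
    findings = []
    sas = parse_isakmp_sa(isakmp_text)
    ipsec = parse_ipsec_sa(ipsec_text)
    if not sas:
        findings.append("no ISAKMP SA at all: crypto map not applied or no interesting traffic yet")
    for sa in sas:
        hint = MM_STATE_HINTS.get(sa["state"], "unrecognised state")
        findings.append("phase 1 %s <-> %s in %s: %s" % (sa["dst"], sa["src"], sa["state"], hint))
        # The ISAKMP row should involve the same peer the crypto map points at.
        if ipsec["peer"] and ipsec["peer"] not in (sa["dst"], sa["src"]):
            findings.append("ISAKMP peer differs from crypto map peer %s: check 'set peer' "
                            "and 'isakmp key ... address' on both ends" % ipsec["peer"])
    if ipsec["outbound_spi"] in ("0", None) and ipsec["encaps"] == 0:
        findings.append("no phase 2 SA (outbound spi 0, 0 packets encapsulated), %s send errors: "
                        "traffic is being dropped while phase 1 is incomplete" % ipsec["send_errors"])
    return findings


if __name__ == "__main__":
    for line in diagnose(ISAKMP_SA, IPSEC_SA):
        print("-", line)
```

Paste the real command output into the two strings (or read them from the console log) and the findings tell you which of the two causes in the reply above to check first: a state of MM_KEY_EXCH with a peer that matches the crypto map points at the pre-shared key rather than the peer address.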
ASKER
No, both locations have static public IPs. However, I am told that Site 2's internet circuit was recently replaced, forcing an IP change. This is at a customer's site I am working on, so I am not sure of the full history, since they dumped their old provider for keeping poor documentation and being a lousy company.
On Site 2's config, would the VPN key be located in the line "isakmp key ******** address 207.119.185.85"? I changed this line from what it used to be because it had the old IP address from the old internet circuit in it. So I removed it and then replaced it with what I thought was the VPN preshared key. Was that the right thing to do? I had also updated the line "crypto map mymap 10 set peer 207.119.185.85" after the internet change.
I am thinking at this point that I definitely have a key/preshared key issue. Is the "isakmp key" line the correct place for the VPN preshared key on the Cisco PIX? Also, how do I change the preshared key on Site 2's ASA device? I would like to reset both to see if that is the issue.
Try changing the pre-shared key to something simple for testing, for example: test1234
ASKER
Site-1.txt
Site-2.txt