Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.
Unable to establish VPN tunnel between ASA 5505 and PIX 515E
We have two offices in the same building. We have a cable run between the two offices. Security policy dictates that we encrypt the data that passes between the two offices. We have a Cisco PIX 515E in Office A and a Cisco ASA 5505 in Office B. They are directly connected with a cat5 cable.... so they're on the same subnet.
I've been unable to get a tunnel working between the two devices - all of the encryption and key exchange settings and PFS settings match - and I've tried several different combinations of DES, 3DES, AES, etc. but it makes no difference. I'm seeing nothing on the PIX when I run 'debug crypto isakmp'.
I have IPSEC rules at each end that match all ip and icmp traffic from the relevant inside networks to the remote side's inside network and visa versa.
I used the wizards to build the config.
Is it a problem that they're on the same subnet?
I've been unable to get a tunnel working between the two devices - all of the encryption and key exchange settings and PFS settings match - and I've tried several different combinations of DES, 3DES, AES, etc. but it makes no difference. I'm seeing nothing on the PIX when I run 'debug crypto isakmp'.
I have IPSEC rules at each end that match all ip and icmp traffic from the relevant inside networks to the remote side's inside network and visa versa.
I used the wizards to build the config.
Is it a problem that they're on the same subnet?
Asked:
-
2
1 Solution
Thanks for the link. I've done a bit of reading and I *think* the problem is down to the fact that the VPN tunnel it not going over the 'out' interface of the PIX, but a tertiary interface. I've not routed the traffic out of this interface, so it's probably attempting to go out of the 'out' interface as this is the default route.
Gonna give the routing and NAT a closer look in the morning.
Gonna give the routing and NAT a closer look in the morning.
okay, so it was routing. Basically, if the traffic doesn't flow properly before implementing the ipsec, the ipsec isn't going to establish.
Found this link quite useful:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Found this link quite useful:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml
may give you an idea what you are up against.