greenbeanx81
asked on
VPN tunnel not coming up on PIX and ASA. Any suggestions?
Hello All,
I am having trouble establishing a VPN tunnel between an ASA and a PIX. Everything looks right on my configuration and I am at a loss to explain why the tunnel is not coming up. I have included my configurations. Any suggestions? Thank you.
Main-Branch-PIX.txt
Remote-Branch-ASA.txt
Agree that you need the sysopt commands on both sides.
Also agree that you need to remove the PFS on the ASA.
On the PIX, this line:
>isakmp key ******** address 24.x.x.x netmask 255.255.255.255
Should have added tags:
isakmp key ******** address 24.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
ASKER
Yes, the PIX subnet is 172.21.173.0/24 and the ASA is 172.21.174.0/24. I have added and removed the required lines but the tunnel is still not coming up. No output from the debug crypto isakmp 150 command either.
What about:
debug crypto isakmp 254
&
debug crypto ipsec 254
Please attach the debugs.
ASKER CERTIFIED SOLUTION
It could be anything.
Please, we can start testing with:
Add "sysopt connection permit-ipsec" in the PIX, and in the ASA it is "sysopt connection permit-vpn".
And delete "crypto map VPNmap 10 set pfs" in the ASA.
Just to double check the sub-net behind the PIX is 172.21.173.0/24
And the subnet behind the ASA is: 172.21.174.0/24
Right?
So I recommend you to update this case with a capture of the debug and the show, in console mode:
Please type show crypto isakmp sa to see if the issue is related to phase 1.
And type show crypto ipsec sa if it is something with phase 2.
And
"debug crypto isakmp 128"
or "debug crypto isakmp 254"
Copy and paste the debug.
Then "un all" --> refers to undebug all.
Also it would be a great idea to check this link too!
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution12
Maybe I am going to recreate this in my lab.
Bye!
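
The checks suggested in this thread (PFS set on only one side, the sysopt line on the PIX, the no-xauth/no-config-mode tags on the PIX key), collected into a small offline config comparison as an added example; it is not part of the original posts. The two configs are constructed samples, not the asker's attachments, the peer addresses are documentation IPs, and the mirrored crypto ACL check goes slightly beyond the subnet question asked above. It also assumes an ASA running config only shows the permit-vpn setting when it has been turned off.

```python
import re

# Constructed sample configs, not the asker's attachments. Peer IPs are documentation addresses.
PIX = """\
access-list 101 permit ip 172.21.173.0 255.255.255.0 172.21.174.0 255.255.255.0
crypto map VPNmap 10 match address 101
crypto map VPNmap 10 set peer 192.0.2.10
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
"""
ASA = """\
access-list 101 extended permit ip 172.21.174.0 255.255.255.0 172.21.173.0 255.255.255.0
crypto map VPNmap 10 match address 101
crypto map VPNmap 10 set pfs
crypto map VPNmap 10 set peer 198.51.100.20
"""

def pfs(cfg):
    """PFS setting of the crypto map, or None when PFS is not configured."""
    m = re.search(r"^crypto map \S+ \d+ set pfs[ \t]*(\S*)", cfg, re.M)
    return None if m is None else (m.group(1) or "default")

def crypto_acl(cfg):
    """(source, destination) network/mask pair of the ACL the crypto map matches."""
    name = re.search(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M).group(1)
    m = re.search(rf"^access-list {re.escape(name)} (?:extended )?permit ip "
                  r"(\S+ \S+) (\S+ \S+)", cfg, re.M)
    return m.group(1), m.group(2)

def lint(pix, asa):
    """Return the list of mismatches named in the thread, in a fixed order."""
    out = []
    if pfs(pix) != pfs(asa):  # phase 2 fails when only one peer proposes PFS
        out.append("pfs-mismatch")
    if not re.search(r"^sysopt connection permit-ipsec\b", pix, re.M):
        out.append("pix-sysopt-missing")
    # Assumption: a running config hides permit-vpn while it is on, so only "no ..." is flagged.
    if re.search(r"^no sysopt connection permit-vpn\b", asa, re.M):
        out.append("asa-sysopt-disabled")
    for line in re.findall(r"^isakmp key .*$", pix, re.M):
        if not {"no-xauth", "no-config-mode"} <= set(line.split()):
            out.append("pix-key-flags-missing")
    if crypto_acl(pix) != crypto_acl(asa)[::-1]:  # each side's ACL must mirror the other
        out.append("acl-not-mirrored")
    return out

if __name__ == "__main__":
    print(lint(PIX, ASA))
```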