Adding site-to-site VPN to my PIX that already has remote access VPN

I have a Cisco PIX 525 (IOS 7.0(4) + ASDM 5.0(4)) that is already set up as a Remote Access VPN and working quite well as far as I can tell. I would like to add a Cisco SA 520 Security Appliance to my network at home and create a site-to-site VPN between the two. I have a static IP on my home ADSL connection. I would like to know if I can simply run the VPN Wizard again from ASDM and it will add the necessary configuration lines, or will it simply overwrite what is currently in existence for the Remote Access VPN. If anyone can give me some guidance as to what lines are needed to facilitate the Site-to-Site alongside the Remote Access I'd be very grateful. I can supply configuration details if necessary.
Steve Gould asked:
Erik Bjers (Principal Systems Administrator) commented:
You can run the wizard again

eb
Alexey Komarov (Chief Project Engineer) commented:
Good Day,
If you have a public Internet address that you can configure on the home PIX, then site-to-site VPN will work.
Here is a configuration example for site-to-site VPN:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml
vreinaldo commented:
Hi there,

Can you post your config, so I can give you the full detailed commands needed for this?


Thanks!
Steve Gould (author) commented:
I ran the VPN wizard again which seemed to go successfully. However I cannot test the result until the other side of my network is available - nudging my ISP along and will test in the next couple of days and see if I can link it up.
Steve Gould (author) commented:
I ran the wizard again on the PIX however when I try to connect up on the SA520 I get the following error:

2010-04-06 19:51:24: INFO:  accept a request to establish IKE-SA: xxx.xxx.xxx.xxx
2010-04-06 19:51:24: INFO:  Configuration found for xxx.xxx.xxx.xxx.
2010-04-06 19:51:24: INFO:  Initiating new phase 1 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[500]
2010-04-06 19:51:24: INFO:  Beginning Aggressive mode.
2010-04-06 19:51:24: INFO:  NAT-Traversal is Enabled
2010-04-06 19:51:24: INFO:   [agg_i1send:254]: XXX: NUMNATTVENDORIDS: 3
2010-04-06 19:51:24: INFO:   [agg_i1send:258]: XXX: setting vendorid: 4
2010-04-06 19:51:24: INFO:   [agg_i1send:258]: XXX: setting vendorid: 8
2010-04-06 19:51:24: INFO:   [agg_i1send:258]: XXX: setting vendorid: 9
2010-04-06 19:51:24: INFO:  Received Vendor ID: CISCO-UNITY
2010-04-06 19:51:24: INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2010-04-06 19:51:24: INFO:  Received Vendor ID: DPD
2010-04-06 19:51:24: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2010-04-06 19:51:24: INFO:  Received unknown Vendor ID
2010-04-06 19:51:24: INFO:  Received unknown Vendor ID
2010-04-06 19:51:24: INFO:  NAT-D payload matches for yyy.yyy.yyy.yyy[500]
2010-04-06 19:51:24: INFO:  NAT-D payload matches for xxx.xxx.xxx.xxx[500]
2010-04-06 19:51:24: INFO:  For xxx.xxx.xxx.xxx[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02

2010-04-06 19:51:24: INFO:  NAT not detected
2010-04-06 19:51:24: INFO:  ISAKMP-SA established for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:f972bce827060e43:e1d3293152871694
2010-04-06 19:51:25: INFO:  Initiating new phase 2 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[0]
2010-04-06 19:51:25: ERROR:  Unknown notify message from xxx.xxx.xxx.xxx[500].No phase2 handle found.
2010-04-06 19:51:25: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=f972bce827060e43:e1d3293152871694.
2010-04-06 19:51:34: ERROR:  Phase 2 negotiation failed due to time up. 8f4b04ceb9978080:5fdd8b3a5a246cc7:c6c2f1b6
2010-04-06 19:51:34: INFO:  an undead schedule has been deleted: 'quick_i1prep'.
2010-04-06 19:51:34: INFO:  ISAKMP-SA deleted for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:8f4b04ceb9978080:5fdd8b3a5a246cc7
2010-04-06 19:52:25: ERROR:  Phase 2 negotiation failed due to time up. f972bce827060e43:e1d3293152871694:e83cd531
2010-04-06 19:52:25: INFO:  an undead schedule has been deleted: 'quick_i1prep'.
2010-04-06 19:52:25: INFO:  ISAKMP-SA deleted for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:f972bce827060e43:e1d3293152871694

It is as if the wizard did not add any of the config to do the phase 2 negotiation. I have a feeling I'm going to need to go to the command line to make this work, so any further help will be much appreciated.
Steve Gould (author) commented:
I realise this has become more difficult so I'll increase the point value. Thanks to those that have helped so far.
vreinaldo commented:
Hi there,

If you post the running config (without private info), I can give you the commands that you will need, but with ASDM... sorry my friend, I really don't like it!

:D
Steve Gould (author) commented:
Thanks vreinaldo but it turns out I had PFS turned on for the SA 520 but off for the PIX 525. As soon as I turned it off the link came straight up. So it seems it is problem solved.
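For reference, this is what a minimal site-to-site entry sitting alongside an existing remote-access dynamic crypto map looks like on a PIX running 7.0-era code. It is an added example, not configuration from this thread, from the asker's PIX, or from Cisco; the names (OUTSIDE_MAP, RA-DYNMAP, L2L-HOME, NONAT), the addresses (192.168.1.0/24 office, 192.168.100.0/24 home, peer 203.0.113.10) and the key are constructed placeholders. Two points are worth noticing: the static site-to-site entry must use a lower sequence number than the dynamic remote-access entry so it is matched first, and the `set pfs` line is the knob that produced the symptom in the SA 520 log above (phase 1 establishes, phase 2 times out) when the two ends disagreed.

```cisco
! Added example, not this thread's or Cisco's configuration. PIX 7.0-era syntax
! (later releases prefix the isakmp commands with "crypto"). All names,
! addresses and the key below are constructed placeholders.
!
! Office LAN 192.168.1.0/24 behind the PIX, home LAN 192.168.100.0/24 behind
! the SA 520 at public address 203.0.113.10.
access-list L2L-HOME extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
!
! Exempt the tunnelled traffic from NAT (append to your existing NONAT list if
! the remote-access VPN already uses one).
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Phase 1 policy; encryption, hash, DH group and lifetime must agree with the
! SA 520's IKE policy.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Phase 2 transform set (the remote-access side can share it).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Existing remote-access VPN: a dynamic map hung off the LAST sequence number
! of the crypto map, so static site-to-site entries are evaluated before it.
crypto dynamic-map RA-DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic RA-DYNMAP
!
! New site-to-site entry on a lower sequence number than the dynamic entry.
crypto map OUTSIDE_MAP 10 match address L2L-HOME
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
! Keep PFS identical on both peers: either this line here and PFS enabled on
! the SA 520, or neither. A mismatch looks exactly like the log above.
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP interface outside
!
! Peer identity and pre-shared key for the L2L tunnel; the remote-access
! tunnel-group is untouched.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET
!
! Verify after the first interesting traffic crosses the tunnel:
! show isakmp sa          (phase 1 state; "show crypto isakmp sa" on later code)
! show crypto ipsec sa    (phase 2 SAs plus the encaps/decaps counters)
```

The sequence-number ordering is what lets the two VPN types coexist on one outside interface: the PIX walks crypto map entries in ascending order, so a static peer entry at 10 is matched before the catch-all dynamic entry at 65535 that the remote-access clients land on. When phase 2 fails the way the SA 520 log shows, the phase 2 parameters (transform set, PFS, and the proxy identities in the L2L-HOME access list against the mirror-image subnets on the home side) are the first things to compare, since phase 1 completing proves the pre-shared key and IKE policy already match.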