Solved

Adding site-to-site VPN to my PIX that already has remote access VPN

Posted on 2010-03-25
Last Modified: 2012-05-09
I have a Cisco PIX 525 (IOS 7.0(4) + ASDM 5.0(4)) that is already set up as a Remote Access VPN and working quite well as far as I can tell. I would like to add a Cisco SA 520 Security Appliance to my network at home and create a site-to-site VPN between the two. I have a static IP on my home ADSL connection. I would like to know if I can simply run the VPN Wizard again from ASDM and it will add the necessary configuration lines, or will it simply overwrite what is currently in existence for the Remote Access VPN. If anyone can give me some guidance as to what lines are needed to facilitate the Site-to-Site alongside the Remote Access I'd be very grateful. I can supply configuration details if necessary.
Question by: Steve Gould
8 Comments
Accepted Solution

by: Erik Bjers (earned 400 total points)
ID: 28540681
You can run the wizard again

eb
Assisted Solution

by: Alexey Komarov (earned 400 total points)
ID: 28541461
Good day,
If you have a public Internet address that you can set on the home PIX, then site-to-site VPN will work.
Here is a configuration example for site-to-site VPN.
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml
Expert Comment

by: vreinaldo
ID: 28824210
Hi there,

Can you post your config, so I can give you the full, detailed commands needed for this?

Thanks!
Author Comment

by: Steve Gould
ID: 28947469
I ran the VPN wizard again which seemed to go successfully. However I cannot test the result until the other side of my network is available - nudging my ISP along and will test in the next couple of days and see if I can link it up.
Author Comment

by: Steve Gould
ID: 29941190
I ran the wizard again on the PIX however when I try to connect up on the SA520 I get the following error:

2010-04-06 19:51:24: INFO:  accept a request to establish IKE-SA: xxx.xxx.xxx.xxx
2010-04-06 19:51:24: INFO:  Configuration found for xxx.xxx.xxx.xxx.
2010-04-06 19:51:24: INFO:  Initiating new phase 1 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[500]
2010-04-06 19:51:24: INFO:  Beginning Aggressive mode.
2010-04-06 19:51:24: INFO:  NAT-Traversal is Enabled
2010-04-06 19:51:24: INFO:   [agg_i1send:254]: XXX: NUMNATTVENDORIDS: 3
2010-04-06 19:51:24: INFO:   [agg_i1send:258]: XXX: setting vendorid: 4
2010-04-06 19:51:24: INFO:   [agg_i1send:258]: XXX: setting vendorid: 8
2010-04-06 19:51:24: INFO:   [agg_i1send:258]: XXX: setting vendorid: 9
2010-04-06 19:51:24: INFO:  Received Vendor ID: CISCO-UNITY
2010-04-06 19:51:24: INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2010-04-06 19:51:24: INFO:  Received Vendor ID: DPD
2010-04-06 19:51:24: INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2010-04-06 19:51:24: INFO:  Received unknown Vendor ID
2010-04-06 19:51:24: INFO:  Received unknown Vendor ID
2010-04-06 19:51:24: INFO:  NAT-D payload matches for yyy.yyy.yyy.yyy[500]
2010-04-06 19:51:24: INFO:  NAT-D payload matches for xxx.xxx.xxx.xxx[500]
2010-04-06 19:51:24: INFO:  For xxx.xxx.xxx.xxx[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02

2010-04-06 19:51:24: INFO:  NAT not detected
2010-04-06 19:51:24: INFO:  ISAKMP-SA established for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:f972bce827060e43:e1d3293152871694
2010-04-06 19:51:25: INFO:  Initiating new phase 2 negotiation: yyy.yyy.yyy.yyy[500]<=>xxx.xxx.xxx.xxx[0]
2010-04-06 19:51:25: ERROR:  Unknown notify message from xxx.xxx.xxx.xxx[500].No phase2 handle found.
2010-04-06 19:51:25: INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=f972bce827060e43:e1d3293152871694.
2010-04-06 19:51:34: ERROR:  Phase 2 negotiation failed due to time up. 8f4b04ceb9978080:5fdd8b3a5a246cc7:c6c2f1b6
2010-04-06 19:51:34: INFO:  an undead schedule has been deleted: 'quick_i1prep'.
2010-04-06 19:51:34: INFO:  ISAKMP-SA deleted for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:8f4b04ceb9978080:5fdd8b3a5a246cc7
2010-04-06 19:52:25: ERROR:  Phase 2 negotiation failed due to time up. f972bce827060e43:e1d3293152871694:e83cd531
2010-04-06 19:52:25: INFO:  an undead schedule has been deleted: 'quick_i1prep'.
2010-04-06 19:52:25: INFO:  ISAKMP-SA deleted for yyy.yyy.yyy.yyy[500]-xxx.xxx.xxx.xxx[500] with spi:f972bce827060e43:e1d3293152871694

It is as if the wizard did not add any of the config to do the phase 2 negotiation. I have a feeling I'm going to need to go to the command line to make this work, so any further help will be much appreciated.
Author Comment

by: Steve Gould
ID: 29993316
I realise this has become more difficult, so I'll increase the point value. Thanks to those that have helped so far.
Assisted Solution

by: vreinaldo (earned 200 total points)
ID: 30024243
Hi there,

If you post the running config (without private info), I can give you the commands that you will need, but with ASDM... sorry my friend, I really don't like it!

:D
Author Comment

by: Steve Gould
ID: 30094627
Thanks vreinaldo, but it turns out I had PFS turned on for the SA 520 but off for the PIX 525. As soon as I turned it off the link came straight up. So it seems the problem is solved.
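Editor's note: the thread never shows the configuration the wizard produced. The fragment below is an added example, not the asker's running config and not Cisco's own documentation. It shows, in PIX 7.0-style CLI, how a static site-to-site entry coexists with the remote-access dynamic entry in the same crypto map, and where the PFS setting that broke phase 2 above lives. The subnets (10.1.0.0/16 office, 192.168.1.0/24 home), the peer address 203.0.113.10, the ACL, transform-set and map names, and the pre-shared key are all placeholders chosen for this example.

```cisco
! Added example (placeholders throughout), PIX 7.0-style syntax.
! One crypto map carries both tunnels: a static L2L entry at a low sequence
! number and the existing remote-access dynamic entry at the highest one.

! --- Phase 1 (ISAKMP) policy, usable by both remote-access clients and the L2L peer ---
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Site-to-site peer: the home SA 520 on its static ADSL address (placeholder) ---
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_LONG_RANDOM_KEY

! "Interesting traffic" for the tunnel: office LAN <-> home LAN (placeholder subnets).
! The SA 520 must be configured with the mirror image of these two networks;
! a mismatch here shows up as a phase 2 (quick mode) failure, not a phase 1 failure.
access-list L2L_HOME extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0

! Exempt tunnel traffic from NAT, otherwise packets leave with a translated source
! and never match the peer's selectors.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Phase 2 (IPsec) proposal, shared by both entries in this example ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Static L2L entry. Low sequence number so it is evaluated before the dynamic entry.
crypto map outside_map 10 match address L2L_HOME
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
! PFS is negotiated in phase 2 and must agree on BOTH ends: either this line plus
! PFS group 2 on the SA 520, or no PFS on either side. A one-sided setting is
! consistent with the "ISAKMP-SA established" then "Phase 2 negotiation failed"
! pattern in the log posted above.
crypto map outside_map 10 set pfs group2

! Existing remote-access entry (what the RA wizard created; names are placeholders).
! The dynamic map is bound at the highest sequence number so it acts as the catch-all
! for clients whose address is not known in advance.
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside
```

When checking the result, look at phase 1 and phase 2 separately: `show isakmp sa` (7.0 syntax) confirms the IKE SA with the peer, and `show ipsec sa` should then list an SA whose local/remote identities are exactly the two subnets in L2L_HOME. If phase 1 is up and phase 2 never appears, compare transform set, PFS group, and the proxy identities on both devices before touching anything else; those three are the usual phase 2 mismatches.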