sscottinandrews

asked on

Cisco VPN Site-to-Site Tunnel Configuration Issue

Here is a snippet from my PIX firewall that has everything configured on it to accept a tunnel connection from my ASA.
Can someone tell me how my ASA needs to be set up to connect to this PIX please? I have used the wizard, selected des-md5 for both IKE and ISAKMP with Group 1. But I just can't get it to come up??? The shared key is the same on both ends.


crypto ipsec transform-set myset esp-des esp-md5-hmac


crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer X.X.X.X                different ip
crypto map mymap 10 set peer X.X.X.X                different ip
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside


isakmp enable outside
isakmp key ******** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address X.X.X.X netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800

I can't change the PIX side, it is the way it is, but I can change the ASA. I had to rebuild that ASA and the tunnel was working great until the rebuild with a new IP address.

If I do:
show crypto isakmp sa
I get the two tunnels I have created ACTIVE
If I do:
show crypto ipsec sa
I get only the tunnel I have created between my ASA and another ASA I do not get any results from the PIX.
Does this indicate ISAKMP is working but IPSEC is not? What do I do to resolve this? It would also indicate that both preshared keys are correct ??

Let me know what else you would need and I can provide it.

Thank you!!!!
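An added example, not part of the original post or of the members-only answer: one way to pull the Phase 1 (`isakmp policy`) and Phase 2 (`transform-set`) parameters out of the PIX lines quoted in the question and compare them with what the other peer is set to. The ASA-side values and all function names are constructed for illustration; the contents of access list 100 are not on the page, so the interesting-traffic match is not checked.

```python
import re

# PIX lines copied from the question (peer addresses are masked on the page).
PIX_CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 match address 100
crypto map mymap 10 set transform-set myset
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
"""

def parse_pix(config):
    """Return (phase1, phase2) parameters from PIX-style lines as quoted above."""
    phase1, phase2 = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"isakmp policy \d+ (\S+) (\S+)$", line)
        if m:
            phase1[m.group(1)] = m.group(2)
            continue
        m = re.match(r"crypto ipsec transform-set \S+ (.+)$", line)
        if m:
            phase2["transforms"] = tuple(sorted(m.group(1).split()))
            continue
        m = re.match(r"crypto map \S+ \d+ match address (\S+)$", line)
        if m:
            phase2["acl"] = m.group(1)
    return phase1, phase2

def diff_phase(name, local, remote):
    """List every parameter whose value differs between the two peers."""
    return [f"{name}: {k} local={local.get(k)!r} remote={remote.get(k)!r}"
            for k in sorted(set(local) | set(remote)) if local.get(k) != remote.get(k)]

def compare(pix_config, peer_phase1, peer_phase2):
    p1, p2 = parse_pix(pix_config)
    p2.pop("acl", None)  # ACL names are local to each device; only transforms are compared
    return diff_phase("phase1", p1, peer_phase1) + diff_phase("phase2", p2, peer_phase2)

# Constructed ASA-side values (hypothetical, not taken from the page).
ASA_PHASE1 = {"authentication": "pre-share", "encryption": "des",
              "hash": "md5", "group": "1", "lifetime": "28800"}
ASA_PHASE2 = {"transforms": ("esp-3des", "esp-md5-hmac")}

if __name__ == "__main__":
    for finding in compare(PIX_CONFIG, ASA_PHASE1, ASA_PHASE2):
        print(finding)
```

With the constructed ASA values, Phase 1 matches and the only finding is the Phase 2 transform difference.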
ASKER CERTIFIED SOLUTION
fgasimzade
sscottinandrews

ASKER

The solution was found by your recommendation of using debug. Not that it was the solution, but I don't want to go through the whole objection phase when you have helped me.

Thank you!!!
Thank you!