troubleshooting Question

Cisco VPN Site-to-Site Tunnel Configuration Issue

Avatar of sscottinandrews
sscottinandrews asked on
VPNHardware FirewallsInternet Protocol Security
3 Comments1 Solution526 ViewsLast Modified:
Here is a snippet from my Pix firewall that has everything configure on it to accept a tunnel connection from my ASA.
Can someone tell me how my ASA needs to be setup to connect to this PIX please? I have used the wizzrd, selected des-md5 for both IKE and ISAKMP with Group 1. But I just can't get it to come up??? The shared key is the same on both ends.


crypto ipsec transform-set myset esp-des esp-md5-hmac


crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer X.X.X.X                different ip
crypto map mymap 10 set peer X.X.X.X                different ip
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside


isakmp enable outside
isakmp key ******** address X.X.X.X netmask 255.255.255.255 no-xauth no-co
nfig-mode
isakmp key ******** address X.X.X.X netmask 255.255.255.255 no-xauth no-
config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800

I can't change the PIX side, it is the way it is, but I can the ASA. I had to rebuild that ASA and the tunnel was working great until the rebuild with a new IP Address.

If I do:
show crypto isakmp sa
I get the two tunnels I have created ACTIVE
If I do:
show crypto ipsec sa
I get only the tunnel I have created between my ASA and another ASA I do not get any results from the PIX.
Does this indicate ISAKMP is working but IPSEC is not? What do I do to resolve this? It would also indicate that both preshared keys are correct ??

Let me know what else you would need and I can provide it.

Thank you!!!!
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 3 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 3 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros