Avatar of vburshteyn
 asked on

IPSEC between PIX 6.3 and asa 5520

Hi folks,
A pix 6.3 failed at a remote site so we placed a new one there.  It had a IPSEC to our main data center.

I rebuilt the pix but cant get the ipsec to come up, everything else works in terms of access to the internet:

access-list inside_nat0_outbound extended permit ip
access-list outside_cryptomap_20 extended permit ip
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set slcSet esp-3des esp-md5-hmac

sysopt connection permit-IPSec
crypto map outside_map 1 IPSec-isakmp
crypto map outside_map 1 match address outside_cryptomap_20
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside map 1 set transform-set slcSet
crypto map slcSet interface outside
isakmp enable outside
isakmp key something address aa.aa.aa.aa netmask

isakmp identity address

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

any help would be appreciated.
CiscoInternet Protocol Security

Avatar of undefined
Last Comment
Ernie Beek

8/22/2022 - Mon
Ernie Beek

Anything showing in the logs when trying to establish the tunnel?
Could you also post the config from the other firewall?

logs are clean, debug command dont bring anything up

the ASA config:

kbe-hou-asa01# sh run isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30

crypto ipsec transform-set baaSet esp-3des esp-md5-hmac

access-list saltlake extended permit ip aa.aa.aa.aa
access-list saltlake extended permit ip
access-list saltlake extended permit ip

crypto map BAAmap 80 match address saltlake
crypto map BAAmap 80 set peer aa.aa.aa.aa
crypto map BAAmap 80 set transform-set baaSet

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key <removed>
Ernie Beek

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Ernie Beek

Oh, and don't use the public address (aa.aa.aa.aa) in those ACL's.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.