TCC_2
Level 10

Resolution

Complete these steps to set up an IPsec VPN tunnel between a PIX Firewall and a Symantec Enterprise Firewall:

1.  Configure the Internet Key Exchange (IKE) proposal on both devices.

2.  Configure the IPsec parameters on both devices.

3.  Specify network ranges on both devices for the passage of traffic across the proposed tunnel.

Note: For the configuration settings, the steps to troubleshoot an IPsec tunnel between a PIX and a Symantec Enterprise Firewall, and the specific debug settings to use, refer to VPN Tunnel Between PIX and Symantec Enterprise Firewall.

Once the tunnel is configured, attempt to pass traffic from a workstation on one side of the connection to a workstation on the other side. If a ping succeeds, the tunnel is working. If the ping fails, issue the show crypto isakmp sa and show crypto ipsec sa commands on the PIX to determine the state of each phase of the connection.

This is the desired command output:

cisco_endpoint#show crypto isakmp sa
dst src state pending created
172.18.124.157 172.18.124.35 QM_IDLE 0 2

If the show crypto isakmp sa command output shows any state other than QM_IDLE for the peer, phase 1 (Internet Security Association and Key Management Protocol [ISAKMP]) has not completed. Phase 1 must be fixed first; phase 2 cannot be negotiated until it succeeds.

The show crypto ipsec sa command reports phase 2 of the connection (IPsec). Confirm that current_peer and local addr are the expected endpoints of the tunnel, and that local ident and remote ident (the proxy identities) match the network ranges configured on both sides; a mismatch here is a common reason phase 2 fails even though phase 1 is in QM_IDLE.

When traffic is passed across the tunnel, both the pkts encaps and pkts decaps counters should increment. If only one of them increments, that usually shows which side of the tunnel has the problem: if pkts encaps does not increment, the PIX is not encrypting the test traffic, which means the traffic is not matching the crypto ACL (check the ACL, NAT exemption and routing on the PIX side); if pkts encaps increments but pkts decaps does not, the PIX is sending encrypted traffic and nothing is coming back, so examine the Symantec side and the return path.

This is a portion of the show crypto ipsec sa command output:

cisco_endpoint#show crypto ipsec sa
interface: outside
Crypto map tag: rtpmap, local addr. 172.18.124.158
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 172.18.124.157
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

For more information about how to resolve the passage of traffic from a PIX on an established IPsec tunnel, refer to Troubleshooting the PIX to Pass Data Traffic on an Established IPsec Tunnel.
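The checks described above (phase 1 state, peer and identities, and which of the encaps/decaps counters moves after test traffic) can be scripted. The following Python is an added example and is not part of the original article or of any Cisco tool: it parses captured show crypto isakmp sa and show crypto ipsec sa text, compares two IPsec snapshots taken before and after a ping, and reports which phase or which side to look at. The sample outputs are constructed to resemble the ones quoted above, the peer address is taken from them, and the function names are the example's own.

```python
"""Diagnose a PIX IPsec tunnel from captured show command output (added example)."""
import re

PEER = "172.18.124.157"   # peer address from the sample output above

# Constructed sample output modelled on the show commands quoted above;
# not captured from a real device.
ISAKMP_OUTPUT = """\
dst src state pending created
172.18.124.157 172.18.124.35 QM_IDLE 0 2
"""


def _ipsec_sample(encaps, decaps):
    """Fabricate a show crypto ipsec sa snapshot with the given counters (constructed data)."""
    return f"""\
interface: outside
Crypto map tag: rtpmap, local addr. 172.18.124.158
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: {PEER}
PERMIT, flags={{origin_is_acl,}}
#pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest {encaps}
#pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify {decaps}
#send errors 0, #recv errors 0
"""


IPSEC_BEFORE = _ipsec_sample(0, 0)   # snapshot before the test ping
IPSEC_AFTER = _ipsec_sample(5, 0)    # five pings sent, nothing came back


def isakmp_state(output, peer):
    """Return the phase 1 state for `peer`, or None if no SA row mentions it."""
    for line in output.splitlines():
        fields = line.split()
        # Data rows have five columns: dst src state pending created
        if len(fields) == 5 and peer in fields[:2]:
            return fields[2]
    return None


def parse_ipsec_sa(output):
    """Extract the fields of show crypto ipsec sa that matter for diagnosis."""
    def grab(pattern, conv=str):
        m = re.search(pattern, output)
        return conv(m.group(1)) if m else None

    return {
        "local_addr": grab(r"local addr\.?\s*(\S+)"),
        "peer": grab(r"current_peer:\s*(\S+)"),
        "local_ident": grab(r"local ident \(addr/mask/prot/port\):\s*\(([^)]+)\)"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\):\s*\(([^)]+)\)"),
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "send_errors": grab(r"#send errors\s*(\d+)", int),
        "recv_errors": grab(r"#recv errors\s*(\d+)", int),
    }


def diagnose(isakmp_out, ipsec_before, ipsec_after, peer):
    """Return (verdict, explanation) from one ISAKMP snapshot and two IPsec
    snapshots taken before and after test traffic was sent across the tunnel."""
    state = isakmp_state(isakmp_out, peer)
    if state != "QM_IDLE":
        return ("phase1", f"ISAKMP SA with {peer} is {state!r}, not QM_IDLE: "
                "check the IKE proposal, pre-shared key and peer address")
    before, after = parse_ipsec_sa(ipsec_before), parse_ipsec_sa(ipsec_after)
    if after["peer"] != peer:
        return ("phase2", f"IPsec SA peer is {after['peer']}, expected {peer}")
    sent = after["encaps"] - before["encaps"]
    received = after["decaps"] - before["decaps"]
    if sent == 0:
        return ("local", "pkts encaps did not increment: the test traffic never matched "
                "the crypto ACL on the PIX (check the ACL, NAT exemption and routing)")
    if received == 0:
        return ("remote", f"{sent} packets encapsulated but none decapsulated: the peer "
                "is not returning traffic (check its network ranges and the return path)")
    return ("ok", f"{sent} sent / {received} received: the tunnel is passing traffic")


if __name__ == "__main__":
    print(diagnose(ISAKMP_OUTPUT, IPSEC_BEFORE, IPSEC_AFTER, PEER))
```

Take the two IPsec snapshots a few seconds apart with the ping running in between; a single snapshot with zero counters, like the one above, only tells you that nothing has crossed the tunnel yet, not which side is at fault.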
