01-28-2014 05:49 PM
We had 'someone' touch our FW without regard to its current config; in doing so, they overwrote the FW config that we (new to this particular configuration, as we did not build it) had. Below is the current config that we have modified to get VPN back up.
I've attached a document that has:
1. Current ASA config
2. Current PIX Config
3. Logging Messages on ASA after changes to both
Could it be the crypto map? What are we missing?
01-28-2014 11:35 PM
Hi,
Seems to me that Phase1 and Phase2 match on the ASA and PIX. Also seems that Crypto Maps are attached and ISAKMP enabled on the external interface.
Have you confirmed that there is no mismatch with the PSK/pre-shared key of the L2L VPN connection?
Also, what is the network 10.10.10.0/24 configured on the ASA side? There is no "route" configured for that network on the ASA where it's supposed to be located.
Also, the "access-list 101" doesn't seem to contain the line for 10.10.10.0/24 -> 192.168.14.0/24, but it contains one for 192.168.11.0/24 -> 192.168.14.0/24.
So I could only find a missing NAT0 ACL rule and a missing route for one L2L VPN source network in the configuration.
Though the output at the bottom would seem to indicate that the Phase1 MSG1 is sent but it doesn't get beyond that. It keeps waiting for the MSG2, which would mean that the PIX is not replying to the negotiation or the MSG1 is not going through to the PIX?
Can you see anything in the PIX with the command
show crypto isakmp sa
when you are attempting to negotiate the tunnel up?
- Jouni
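An added check (not from the thread or either poster) for the two gaps Jouni points out: it parses the crypto-map ACL, the nat 0 exemption ACL and the route statements out of an ASA/PIX configuration and reports any crypto-ACL source network that has no NAT0 entry or no route. The sample config lines and the ACL/crypto map names are constructed; the networks are the ones discussed in the thread.

```python
import ipaddress
import re

# Constructed sample of the relevant ASA lines (ACL and crypto map names are assumed):
# the crypto ACL has two sources, but nat 0 ACL 101 and the routes cover only one.
SAMPLE_CONFIG = """\
access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list 101 extended permit ip 192.168.11.0 255.255.255.0 192.168.14.0 255.255.255.0
nat (inside) 0 access-list 101
route inside 192.168.11.0 255.255.255.0 192.168.1.2 1
crypto map outside_map 10 match address outside_cryptomap
"""

# "extended" is optional so the same pattern also accepts PIX-style ACL lines.
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
ROUTE_RE = re.compile(r"^route \S+ (\S+) (\S+) \S+")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(config):
    """Collect ACL entries, NAT0 ACL names, routed prefixes and crypto-map ACL names."""
    acls, nat0, routes, crypto = {}, set(), [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif m := ROUTE_RE.match(line):
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := MATCH_RE.match(line):
            crypto.add(m.group(1))
    return acls, nat0, routes, crypto

def find_gaps(config):
    """Each crypto-ACL pair needs a matching NAT0 exemption and a non-default route for
    its local source (assumes the sources sit behind a next hop, as in the thread)."""
    acls, nat0, routes, crypto = parse(config)
    exempt = [pair for name in nat0 for pair in acls.get(name, [])]
    gaps = []
    for name in sorted(crypto):
        for src, dst in acls.get(name, []):
            if (src, dst) not in exempt:
                gaps.append(f"no nat 0 entry for {src} -> {dst}")
            if not any(r.prefixlen and src.subnet_of(r) for r in routes):
                gaps.append(f"no route for {src}")
    return gaps
```

Directly connected interface networks need no route statement, so a hit from the route check on such a network is a false positive; the NAT0 check applies regardless.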