Site To Site ... Down.... URGENT

IOS_support · ‎01-28-2014

We had 'someone' touch our FW w/o regard to it's current config. doing so; they overwrote a FW config that we (new to this particular configuration as we did not build it) in doing so. Below is the current config that we have modified to get VPN back up.

I've attached a document that has
1. Current aSA config

2. Current PIX Config

3. Logging Messages on ASA after changes to both

Could it be the crypto map??? What are we missing.

Jouni Forss · ‎01-28-2014

Hi,

Seems to me that Phase1 and Phase2 match on the ASA and PIX. Also seems that Crypto Maps are attached and ISAKMP enabled on the external interface.

Have you confirmed that there is no missmatch with the PSK/Pre Shared Key of the L2L VPN connection?

Also what is the network 10.10.10.0/24 configured on the ASA side? There is no "route" configured for that network on the ASA where its supposed to be located at.

Also the "access-list 101" doesnt seem to contain the line for 10.10.10.0/24 -> 192.168.14.0/24 network but contains one for the 192.168.11.0/24 -> 192.168.14.0/24

So I could only find missing NAT0 ACL rule and missing route for one L2L VPN source network in the configuration

Though the output at the bottom wold seem to indicate that the Phase1 MSG1 is sent but it doesnt get beoynd that. It keeps waiting for the MSG2 which would mean that the PIX is not replying to the negotiation or the MSG1 is not going through to the PIX?

Can you see anything in the PIX with the command

show crypto isakmp sa

When you are attempting to negotiate the tunnel up?

- Jouni