cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1039
Views
0
Helpful
8
Replies

Site(Static)-To-Site(Dynamic) two pix 501 dont get connected

joakim.karlsson
Level 1
Level 1

I'm trying to get a site-to-site (dynamic ip-to-static ip) vpn tunnel between two pix 501 v6.3(5) to work but the tunnel dosent go live at all. I have tryed the debug crypto ipsec and debug crypto isakmp but none of them are showing any information as if the pix isnt even trying.

8 Replies 8

jmia
Level 7
Level 7

Hello Joakim,

Please take a look here:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

Hope it helps and please rate posts if it does.

I have folowed that guide already and i have tryed it 5 times in a row with that config but with no luck.

Hello,

You are missing Isakmp configurations on DynamicPiX !

isakmp enable outside

isakmp key ******** address netmask

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 3600

HTH

Saju

Please rate if it helps!

Humm.. didn't see that. But still no tunnel is alive, there is still something missing. The debug commands isnt showing anything.

Add following command on the DynamicPIX and generate traffic & try to capture debug cry isakmp and debug crypto ipsec on DynamicPix.

"isakmp identity hostname"

HTH

Saju

Pls rate if it helps

Sorry , the command should be : "isakmp identity address " in your case.

HTH

Saju

Thank you so mutch Saju for all your help! But i'm afraid it didn't help with your suggestion.

I have removed the config from both pix firewalls and then rebooted them and reconfigured them by folowing the guide that was recomended in the first replay but still there is nothing that works. I have tryed to create a vpn from a watchguard firebox III to the static pix and when i run the debugging command on the static pix i could se that the two devices where trying to establish a tunnel. It run trough phase 1 but stoped at phase 2 (a config error on the watchguard fixed that prob). But nothing happends when i try to get the dynamic pix to connect to the static pix. I have also tryed to make a static to static vpn just to see if the two devices are communicating with eatcother but nothing happends. For the record: For about a week ago i first tryed to establish a tunnel and on my first config the tunnel got established but no traffic could pass so i thougt that i had made a config error and then removed all vpn config and remade it and now i'm stuck not even getting the tunnel alive. I'm begining to think there is another problem then the vpn config. Maybe access-list / NAT policys or service groups or a conflict with PPTP config? Please help me!

Today i have configured a vpn tunnel to my firebox III from my dynamic pix and as soon as i entered the last value in order the pix-to-pix tunnel came alive and are now working like a charm?!? I'm cluless... I then removed the config for the dynamicpix-to-firebox tunnel and still the pix-to-pix tunnel works like a charm.

Another question...

If there is no traffic from dynamic site to static site the tunnel dosent go live, right? Isnt there an aggressive-mode option on a 501 pix? All other IPSEC compatible hardware can work in aggressive-mode cant the pix do that also?

Is there a way to alow icmp over the tunnel, i have tryied to add a rule for icmp but when i do so no traffic is allowed. How do i solve this?