Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1027
Views
0
Helpful
4
Replies

VPN Between Cisco ASA 520 and PIX 515E

Mahendra Patil
Level 1
Level 1

‎02-10-2011 12:59 AM

Hello All,

          We have setup site-to-site VPN between Cisco ASA 520 and PIX 515E.All was working perfectly but from last few day we are experencing frequently vpn disconnection issues and every time we have to reboot one of our pix device to start the vpn again..

  i have checked in PIX 515E debuging logs i found the following error

710003:ESP access is denied by the ACL from the host x.x.x.x/45645 to outside y.y.y.y/36535

where x.x.x.x is the public ip of cisco ASA 520 and y.y.y.y is public ip of PIX 515E

        If you need more detailed information please ask me

Thanks in advance for your help

Regards

Mahendra.

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎02-10-2011 02:06 AM

I assume that the PIX is the firewall that is passing through the VPN tunnel, not the actual VPN termination point. If it is, then you would need to configure access-list on both interfaces of the PIX that passes through the ESP traffic because ESP is not a stateful connection. So depending on whether the ASA or the PIX515E that terminates the VPN initiate the connection first, then the access-list on that PIX who passes through the ESP traffic needs to allow ESP on both direction.

Hope that helps.

0 Helpful

Mahendra Patil
Level 1
Level 1
In response to Jennifer Halim

‎02-10-2011 02:39 AM

All the access list are already configured.

I have attached runing-config of pix 515E device so please check and let me know if any changes are require..

80222-pix.txt.zip
0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Mahendra Patil

‎02-10-2011 07:02 PM

Sorry, can you please advise how many PIX do you actually have in your VPN topology?

I understand that you have VPN between ASA and PIX515E that terminates the VPN, but do you have another PIX firewall in between that generates the following error message:

710003:ESP access is denied by the ACL from the host x.x.x.x/45645 to outside y.y.y.y/36535

Where do you actually get the above error message from? which device? and can you pls share the configuration from that particular device. Thanks.

0 Helpful

Mahendra Patil
Level 1
Level 1
In response to Jennifer Halim

‎02-10-2011 08:20 PM

There are only two devices as i mentioned above (ASA520 and PIX515E).

When the vpn was disconnected i checked the error logs on PIX 515E and found that error and i have given the configuration of the PIX 515E in my last reply .

          Please let me know if anythings else is require..

0 Helpful
Customers Also Viewed These Support Documents