04-19-2007 11:24 AM - edited 02-21-2020 02:59 PM
Hi, I am trying to create a VPN connection between two PIX firewalls, a 501 and a 506e.
Currently on the 506e the PDM shows 1 IKE tunnel in stats, but then it flashes back to zero. Both PIX hosts can access the web and ping each other's gateways.
I have posted the 506e config, but the 501 config is the same.
Outside IP for PIX 506e = a.a.a.a
Outside IP for PIX 501 = b.b.b.b
ISP gateway IP for 506e = x.x.x.x
thanks
Alex
04-19-2007 12:07 PM
Hi Alex
Without seeing the configuration from the other side (PIX501) this is going to be hard to troubleshoot; you will need to be sure at what stage this is failing, phase 1 or phase 2.
Please note IPSec negotiation between the two PIXs fails if the SAs on both of the IKE phases do not match on the peers.
Regards MJ
04-26-2007 03:43 PM
You want the crypto ACLs to be mirrors of each other.
506
access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0
501
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.35.104.0 255.255.255.0
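As an added example (not code from this thread or from Cisco), a small Python checker that parses the `access-list NAME permit ip ...` lines from two PIX configs and reports which crypto ACL entries are not mirrored between the peers. The sample config strings are constructed from the ACL lines quoted in this thread, including the broken `any` destination on the 501.

```python
import ipaddress

# Constructed samples built from the ACL lines quoted in this thread.
# The 506e line and the fixed 501 line mirror each other; the broken 501
# line uses "any" as destination and will never match the 506e's proposal.
PIX506_CONFIG = "access-list outside_cryptomap_20 permit ip 10.35.104.0 255.255.255.0 192.168.1.0 255.255.255.0\n"
PIX501_BROKEN = "access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 any\n"
PIX501_FIXED = "access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.35.104.0 255.255.255.0\n"


def _take_net(toks):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'addr mask'."""
    if toks and toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if len(toks) >= 2 and toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    if len(toks) >= 2:
        return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]
    return None, toks


def parse_crypto_acls(config_text):
    """Return {acl_name: {(src_net, dst_net), ...}} for 'permit ip' ACL lines."""
    acls = {}
    for line in config_text.splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list" or toks[2:4] != ["permit", "ip"]:
            continue  # not a PIX 6.x 'access-list NAME permit ip ...' line
        src, rest = _take_net(toks[4:])
        dst, rest = _take_net(rest)
        if src is None or dst is None or rest:
            continue  # malformed, or carries extra tokens this checker does not model
        acls.setdefault(toks[1], set()).add((src, dst))
    return acls


def check_peers(cfg_local, cfg_remote, acl_name):
    """Each local (A -> B) entry must exist on the remote as (B -> A).
    Returns (missing_on_remote, missing_on_local) as sorted 'src -> dst'
    strings, each written in the orientation of the side that lacks it;
    two empty lists means the crypto ACLs are exact mirrors."""
    local = parse_crypto_acls(cfg_local).get(acl_name, set())
    remote = parse_crypto_acls(cfg_remote).get(acl_name, set())
    expected_remote = {(d, s) for s, d in local}
    missing_on_remote = expected_remote - remote
    missing_on_local = {(d, s) for s, d in remote - expected_remote}
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    return fmt(missing_on_remote), fmt(missing_on_local)
```

Running `check_peers(PIX506_CONFIG, PIX501_BROKEN, "outside_cryptomap_20")` flags the 501's missing mirror line, while the fixed config returns two empty lists.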
04-20-2007 03:18 AM
Hi, here is the config for the 501.
PIX ISP gateway = y.y.y.y
thanks
Alex
04-23-2007 01:26 PM
Thanks for the info, could you try the following:
Remove (PIX501) using: no access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 any
Also: no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 any
To confirm, use the command "show crypto isakmp sa". If the output displays "MM_Key_exchange", it means that phase 1 is getting stuck at key exchange. Reasons might be a mismatch in pre-shared keys or a wrong IP address for the peer in the crypto map entry (could you apply these again at both ends).
Also a show log may give you some info to where the problem lies.
Regards MJ