Site-to-Site VPN between ASA & PIX

sasha.hill
Level 1

Hi everyone,

If this has been posted before, which it probably has, I apologize in advance.

Basically, I have to configure a VPN between our NY ASA and a PIX we shipped to our LA office. The PIX is replacing an old Cisco router. The ASA is our main device which is configured for multiple VPN connections (and I have not touched this) and still has the old VPN config from that old Cisco router.

On my part, I configured the PIX with the same pre-share key, and security protocols as the old router. When I checked the log files of the ASA I see the error message: "tunnel manager has failed to establish an l2l sa all configured ike versions failed to establish the tunnel."

Since this is my first time setting up a PIX, I'm thinking there might be something the matter with my config, though I'm not exactly sure. The PIX config is as follows:
interface Ethernet0
  nameif Outside
  security-level 0
  ip address 173.xxx.xxx.xxx 255.255.255.224
!
interface Ethernet1
  nameif Inside
  security-level 100
  ip address 192.168.xxx.xxx 255.255.255.0
!
interface Ethernet2
  shutdown
  no nameif
  no security-level
  no ip address
!
ftp mode passive
dns server-group DefaultDNS
  domain-name xxxxxx.xxxxx.org
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
pager lines 24
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 173.xxx.xxx.xxx netmask 255.255.255.224
nat (Inside) 2 192.168.0.0 255.0.0.0
nat (Inside) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 173.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df Outside
crypto map mymap 1 match address acl_vpn
crypto map mymap 1 set pfs
crypto map mymap 1 set peer 69.18.xxx.xxx
crypto map mymap 1 set transform-set myset
crypto map mymap 1 set security-association lifetime seconds 28800
crypto map mymap 1 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 5000
crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 10000
crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 69.18.xxx.xxx type ipsec-l2l
tunnel-group 69.18.xxx.xxx ipsec-attributes
  pre-shared-key *
!
class-map inspection_default
  match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
  parameters
  parameters
policy-map global_policy
  class inspection_default
   inspect dns preset_dns_map
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect netbios
   inspect rsh
   inspect rtsp
   inspect skinny
   inspect esmtp
   inspect sqlnet
   inspect sunrpc
   inspect tftp
   inspect sip
   inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ff5fe6ea51385f0d3f6580a5fdd73d40
: end

If you need further information, please let me know. Also any feedback would be greatly appreciated.

Thanks,

-Sasha


3 Replies

Jouni Forss
VIP Alumni

Hi,

I think the problem is at least that you have not attached the configured Crypto Map to any interface

Try adding this and then testing again

crypto map mymap interface Outside

Naturally also whether the above configurations are correct otherwise depends what is configured on the other site, which we don't know.

Hope this helps

- Jouni

Also,

It would seem to me that you have not configured NAT0 for the VPN traffic

This in most cases matches exactly the ACL used in the Crypto Map configurations.

I suggest that you use another ACL for this purpose though to avoid any future problems

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
nat (inside) 0 access-list NAT0

The below command seems to be useless since it doesn't have a matching "global" configuration for ID 2

nat (Inside) 2 192.168.0.0 255.0.0.0

- Jouni

Hi Jouni,

Thanks so much for the assistance, it was a major help!

I configured the PIX with the commands you mentioned. Additionally, I had to configure the tunnel-group on the ASA as well:

tunnel-group 173.xxx.xxx.xxx type ipsec

Everything is working now.

Thanks,

-Sasha
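As an added example (not from the thread, and not Cisco tooling), a small Python lint that reads a PIX/ASA 7.x-style config and reports the gaps raised in this thread: a crypto map that is never bound to an interface, no nat 0 exemption for the VPN traffic, a nat ID with no matching global, and a crypto map peer with no tunnel-group. The sample config and all addresses in it are constructed, trimmed to the lines that matter for the tunnel.

```python
import re
# Constructed sample: the tunnel-relevant lines of the posted PIX config, addresses made up.
SAMPLE_CONFIG = """\
access-list acl_vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
global (Outside) 1 173.0.0.1 netmask 255.255.255.224
nat (Inside) 2 192.168.0.0 255.0.0.0
nat (Inside) 1 0.0.0.0 0.0.0.0
crypto map mymap 1 match address acl_vpn
crypto map mymap 1 set peer 69.18.0.1
crypto map mymap 1 set transform-set myset
crypto isakmp enable Outside
tunnel-group 69.18.0.1 type ipsec-l2l
"""
# The same config with the three changes from the reply applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace("nat (Inside) 2 192.168.0.0 255.0.0.0\n", "") + """\
access-list NAT0 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NAT0
crypto map mymap interface Outside
"""
def _grep(lines, pattern):
    """Set of first-group captures from lines that match pattern at their start."""
    return {m.group(1) for ln in lines if (m := re.match(pattern, ln))}
def lint_l2l_config(config):
    """Return human-readable findings for a PIX/ASA 7.x-style L2L VPN config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    # 1. A crypto map that is never bound to an interface never negotiates anything.
    crypto_maps = _grep(lines, r"crypto map (\S+) \d+ ")
    bound_maps = _grep(lines, r"crypto map (\S+) interface \S+")
    for name in sorted(crypto_maps - bound_maps):
        findings.append(f"crypto map {name} is not applied to any interface")
    # 2. Each L2L peer needs a tunnel-group that carries its pre-shared key.
    peers = _grep(lines, r"crypto map \S+ \d+ set peer (\S+)")
    groups = _grep(lines, r"tunnel-group (\S+) type ipsec")
    for peer in sorted(peers - groups):
        findings.append(f"peer {peer} has no tunnel-group")
    # 3. VPN traffic needs a nat 0 exemption so the catch-all nat ID 1 does not
    #    PAT it before the crypto ACL sees it; a nat ID with no global does nothing.
    nat_ids = {}
    for ln in lines:
        if m := re.match(r"nat \((\S+)\) (\d+)", ln):
            nat_ids.setdefault(m.group(2), m.group(1))
    global_ids = _grep(lines, r"global \(\S+\) (\d+)")
    if "0" not in nat_ids:
        findings.append("no nat 0 exemption: VPN traffic is translated before encryption")
    for nat_id in sorted(nat_ids):
        if nat_id != "0" and nat_id not in global_ids:
            findings.append(f"nat ({nat_ids[nat_id]}) {nat_id} has no matching global")
    return findings
```

Running `lint_l2l_config(SAMPLE_CONFIG)` reports the unbound crypto map, the missing nat 0 and the orphaned nat ID 2; the same call on `FIXED_CONFIG` returns an empty list.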
