Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
660
Views
0
Helpful
4
Replies

VPN to Cisco PIX from Cisco ASA

Tarran
Level 1
Level 1

‎06-26-2012 04:57 AM - edited ‎03-11-2019 04:23 PM

I'm replacing a PIX 501 with a new ASA. The 501 already has the VPN details and all works but when i try to replicate with the ASDM i'm having no joy. I'm having trouble configuring my Cisco ASA to do a site to site VPN to our Cisco PIX. Could someone suggest the ASA commands i should enter. Here is the current PIX 501 vpn information:

access-list outside_cryptomap_19 permit ip 192.168.40.0 255.255.255.0 192.168.200.0 255.255.255.0

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map outside_map_1 19 ipsec-isakmp
crypto map outside_map_1 19 match address outside_cryptomap_19
crypto map outside_map_1 19 set peer 62.244.186.18
crypto map outside_map_1 19 set transform-set ESP-DES-MD5
crypto map outside_map_1 20 ipsec-isakmp

isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

What would be the equivelent for the ASA?

Any help is appreciated.

Thanks,

Tarran

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-26-2012 06:02 AM

What version of ASA are you running?

0 Helpful

Karsten Iwen
VIP
VIP

‎06-26-2012 06:26 AM

On the ASA you need to configure a tunnel-group. Inside the tunnel-group you specify the PSK which was configured previously in isakmp-config:

tunnel-group 1.2.3.4 type ipsec-l2l

tunnel-group 1.2.3.4 ipsec-attributes

pre-shared-key *****

OR for ASA v8.4:

ikev1 pre-shared-key *****

1.2.3.4 is the remote IP

AND: you also want to migrate away from DES/MD5.

0 Helpful

Tarran
Level 1
Level 1

‎06-29-2012 05:10 AM

I'm running ASA 8.4.

So i have tried this via the ASDM and the CLI and still no joy and am thinking is something todo with that the ASA has the outside address of "2.2.2.2" but actually "2.2.2.2" is Nat'd to 192.168.0.1 and this is the actual outside interface address... If that makes sense.

Remote Outside IP: 1.1.1.1

Local Outside IP: 2.2.2.2 (but Nat'd to 192.168.0.1)

The remote l2l pix515e is expecting from 2.2.2.2

0 Helpful

Karsten Iwen
VIP
VIP
In response to Tarran

‎06-29-2012 01:31 PM

whats your config now? crypto, tunnel-groups, nat, ACLs

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card