04-04-2014 07:56 AM - edited 03-04-2019 10:43 PM
I am trying to setup a VPN between a customer's PIX and our ASA. I am new to both of these firewalls and just acquired access to both of them yesterday.
WSI-PAR-ASA# sh cryp is sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 173.15.202.145
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
WSI-PAR-ASA# sh run
: Saved
:
ASA Version 8.3(2)
!
hostname WSI-PAR-ASA
domain-name wsilc.local
enable password pD8LU0HnzGcOsuME encrypted
passwd rVeeEKq7K7syKusK encrypted
names
name 10.0.0.253 NTPDC
name 10.0.0.252 NOCSERVER1
!
interface GigabitEthernet0/0
description outside interface to comcast gateway
nameif outside
security-level 0
ip address 173.167.50.213 255.255.255.248
!
interface GigabitEthernet0/1
description uplink to inside router
nameif inside
security-level 100
ip address 10.1.255.1 255.255.255.252
!
interface GigabitEthernet0/2
description B&B Exchange Environment (Hosting)
shutdown
nameif B&B_Exchange
security-level 50
ip address 192.168.33.1 255.255.255.252
!
interface GigabitEthernet0/3
shutdown
nameif Guest_wireless
security-level 50
ip address 10.0.240.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name wsilc.local
object network wheat_hii_nat
subnet 10.1.0.0 255.255.255.0
object network wheat_hii_vpn
subnet 10.0.0.0 255.255.255.0
object network ME_WEB
host 10.1.0.8
object network Wireless
subnet 10.0.10.0 255.255.255.0
object network wheat_new_ips
subnet 10.0.250.0 255.255.255.0
object network guest_wireless
subnet 10.0.240.0 255.255.255.0
object network NTPDC
host 10.0.0.253
object network Mac_Chad_VNC
host 10.1.0.19
description Remote Access to Chad's system
object service VNC
service tcp source eq 5900 destination eq 5900
object network HyperV_Host1
host 10.0.0.2
description Remote Access to HyperV Host 1
object network 173.167.50.212
host 173.167.50.212
object network IT360SRV
host 10.1.0.7
description IT 360 Central Server
object network CoH_Test
subnet 192.168.99.0 255.255.255.0
object network NEC_VoiceServer
host 10.0.48.247
description NEC Phone System
object network wheat_hii_voice
subnet 10.0.48.0 255.255.255.0
description Voice Servers
object network NEC_VoiceMailServer
host 10.0.48.249
description Voicemail Web Interface
object service RDP
service tcp destination eq 3389
object network RedCloud_Appliance
host 10.1.0.20
description RedCloud_Appliance
object service RedCloud_Panel
service tcp source eq 3001 destination eq 3001
object network HyperV_Host2
host 10.0.0.3
description Remote Access to HyperV Host 2
object network RedCloud_WebAccess
host 10.1.0.20
description HTTPS to RedCloud Appliance
object service RedCloud_SSL
service tcp destination eq 9443
object network Imac_RDP1
host 10.1.0.220
description Imac RDP for Chad
object network Imac_RDP2
host 10.1.0.220
description Imac RDP for Chad
object network Imac_RDP3
host 10.1.0.220
description Imac RDP for Chad
object network Wiki
host 10.1.0.220
object network Wiki2
host 10.1.0.220
object network RedCloud_6050
host 10.1.0.20
description RedCloud Flash Player
object network RedCloud_843
host 10.1.0.20
description RedCloud Appliance Access
object network 173.167.50.211
host 173.167.50.211
object network B&B_Exchange_Server
host 192.168.33.2
description B&B Exchange Server (Hosting)
object network MESandbox
host 10.0.0.10
description MESandbox Server
object network iCHRIE
subnet 10.4.5.0 255.255.255.0
object-group service SBS_services tcp-udp
port-object eq 4125
port-object eq 443
port-object eq 444
port-object eq 25
port-object eq 987
port-object eq 8080
port-object eq 1723
port-object eq 21
port-object eq 20
port-object range 65000 65500
port-object eq domain
port-object eq 143
port-object eq 110
port-object eq 993
port-object eq 995
object-group service ME_services tcp-udp
port-object eq 8100
port-object eq 8200
port-object eq 8300
port-object eq 8400
port-object eq 8443
object-group service Mac_Mini_Remote tcp-udp
port-object eq 3283
port-object eq 5900
port-object eq 443
port-object eq www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network AMAZON_PROD_VPC
network-object 172.24.0.0 255.255.0.0
object-group service RedCloud_Service tcp
description RedCloud Appliance Services
port-object eq 3001
port-object eq 6050
port-object eq 843
port-object eq 9443
access-list outside_inbound extended permit ip any any inactive
access-list outside_inbound extended permit object RDP any object HyperV_Host1 inactive
access-list outside_inbound extended permit object RDP any object HyperV_Host2 inactive
access-list outside_inbound extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0 inactive
access-list outside_inbound extended permit tcp any object NEC_VoiceServer eq www inactive
access-list outside_inbound extended permit tcp any host 10.0.0.253 object-group SBS_services
access-list outside_inbound extended permit gre any host 10.0.0.253
access-list outside_inbound extended permit object-group TCPUDP any host 10.1.0.8 object-group ME_services inactive
access-list outside_inbound extended permit object-group TCPUDP any object IT360SRV object-group ME_services
access-list outside_inbound extended permit tcp any object NEC_VoiceMailServer eq https
access-list outside_inbound extended permit tcp any object RedCloud_Appliance object-group RedCloud_Service
access-list outside_inbound extended permit tcp any object RedCloud_WebAccess eq https
access-list outside_inbound remark Customer Web Access to RedCloud
access-list outside_inbound extended permit object-group TCPUDP any object Imac_RDP1 object-group Mac_Mini_Remote inactive
access-list outside_inbound remark B&B Exchange Hosting
access-list outside_inbound extended permit object-group TCPUDP any object B&B_Exchange_Server object-group SBS_services inactive
access-list outside_inbound extended permit object RDP any object MESandbox
access-list outside_inbound remark B&B Exchange Hosting
access-list outside_inbound remark Customer Web Access to RedCloud
access-list 101 extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 extended permit ip 10.0.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl-amazon extended permit ip any 172.24.0.0 255.255.0.0
access-list inside_access_in extended permit tcp host 10.0.0.253 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip object wheat_hii_nat object iCHRIE
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu B&B_Exchange 1500
mtu Guest_wireless 1500
ip local pool VPNIP 10.0.254.1-10.0.254.15
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static wheat_hii_nat wheat_hii_nat destination static wheat_hii_vpn wheat_hii_vpn
nat (inside,outside) source static wheat_hii_nat wheat_hii_nat destination static AMAZON_PROD_VPC AMAZON_PROD_VPC
nat (inside,outside) source static wheat_hii_nat wheat_hii_nat destination static iCHRIE iCHRIE
!
object network wheat_hii_nat
nat (inside,outside) dynamic interface
object network wheat_hii_vpn
nat (inside,outside) dynamic interface
object network Wireless
nat (inside,outside) dynamic interface
object network wheat_new_ips
nat (inside,outside) dynamic interface
object network guest_wireless
nat (inside,outside) dynamic interface
object network NTPDC
nat (inside,outside) static 173.167.50.209
object network HyperV_Host1
nat (inside,outside) static 173.167.50.210 service tcp 3389 3382
object network IT360SRV
nat (any,any) static 173.167.50.212
object network CoH_Test
nat (any,outside) dynamic interface
object network NEC_VoiceServer
nat (inside,outside) static 173.167.50.210 service tcp www www
object network wheat_hii_voice
nat (any,outside) dynamic interface
object network NEC_VoiceMailServer
nat (inside,outside) static 173.167.50.210 service tcp https https
object network RedCloud_Appliance
nat (inside,outside) static 173.167.50.210 service tcp 3001 3001
object network HyperV_Host2
nat (inside,outside) static 173.167.50.210 service tcp 3389 3383
object network RedCloud_WebAccess
nat (inside,outside) static 173.167.50.210 service tcp https 9443
object network Imac_RDP1
nat (any,any) static 173.167.50.210 service tcp 3283 3283
object network Imac_RDP2
nat (any,any) static 173.167.50.210 service tcp 5900 5900
object network Wiki
nat (inside,outside) static 173.167.50.210 service tcp https 2443
object network Wiki2
nat (inside,outside) static 173.167.50.210 service tcp www 280
object network RedCloud_6050
nat (inside,outside) static 173.167.50.210 service tcp 6050 6050
object network RedCloud_843
nat (inside,outside) static 173.167.50.210 service tcp 843 843
object network B&B_Exchange_Server
nat (B&B_Exchange,outside) static 173.167.50.211
object network MESandbox
nat (inside,outside) static 173.167.50.210 service tcp 3389 7177
!
nat (inside,outside) after-auto source static wheat_hii_voice interface unidirectional
access-group outside_inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 173.167.50.214 1
route inside 10.0.0.0 255.255.255.0 10.1.255.2 1
route inside 10.0.10.0 255.255.255.0 10.1.255.2 1
route inside 10.0.48.0 255.255.255.0 10.1.255.2 1
route inside 10.0.240.0 255.255.255.0 10.1.255.2 1
route inside 10.0.250.0 255.255.255.0 10.1.255.2 1
route inside 10.1.0.0 255.255.0.0 10.1.255.2 1
route inside 10.1.100.0 255.255.255.0 10.1.255.2 1
route inside 192.168.99.0 255.255.255.0 10.1.255.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.0.0 255.255.255.0 inside
snmp-server host inside 10.1.0.5 community *****
no snmp-server location
snmp-server contact NOC
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 2147483647
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map WHEATHII 1 match address 101
crypto map WHEATHII 1 set pfs
crypto map WHEATHII 1 set peer 173.167.50.209
crypto map WHEATHII 1 set transform-set ESP-3DES-SHA
crypto map TO_AMAZON 1 match address outside_1_cryptomap
crypto map TO_AMAZON 1 set peer 173.15.202.145
crypto map TO_AMAZON 1 set transform-set ESP-3DES-SHA
crypto map TO_AMAZON 10 match address acl-amazon
crypto map TO_AMAZON 10 set pfs
crypto map TO_AMAZON 10 set peer 205.251.233.122 205.251.233.121
crypto map TO_AMAZON 10 set transform-set transform-amzn
crypto map TO_AMAZON interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 138.236.128.36 source outside
ntp server 72.26.198.233 source outside
ntp server 65.182.224.60 source outside
webvpn
username ssmith password SOgzNhPphuvZ3kQf encrypted privilege 15
username dmills password CohQOQ5Qubm4l8kx encrypted privilege 15
username Don password 9c3pIbTEkyTWNKsj encrypted privilege 15
username kdingwall password tZijbQGDZn4JdBm4 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 3
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 3
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 10 retry 3
tunnel-group 173.167.50.209 type ipsec-l2l
tunnel-group 173.167.50.209 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 3
tunnel-group 205.251.233.122 type ipsec-l2l
tunnel-group 205.251.233.122 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 3
tunnel-group 205.251.233.121 type ipsec-l2l
tunnel-group 205.251.233.121 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 3
tunnel-group 173.15.202.145 type ipsec-l2l
tunnel-group 173.15.202.145 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map default
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1fd55a2281d0dedc46b0d4a6ac223027
: end
ICHRIEpix# show conf
: Saved
: Written by admin at 21:14:08.210 UTC Thu Feb 11 1993
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password BUBNK77GIFseOoUT encrypted
passwd eIax9fdkHD7dOu8M encrypted
hostname ICHRIEpix
domain-name Ichrie.local.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network ENGINEERS
description NDSE for Site to Site
network-object host 10.1.101.40
network-object host 10.1.101.41
network-object host 10.1.101.42
network-object host 10.1.101.20
network-object host 10.1.101.21
network-object host 10.1.101.22
network-object host 10.1.101.23
network-object host 10.1.101.24
network-object host 10.1.101.25
network-object host 10.1.101.26
network-object host 10.1.101.27
network-object host 10.1.101.28
network-object host 10.1.101.29
access-list 90 permit ip 10.5.4.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list OBX permit icmp any any echo-reply
access-list OBX permit icmp any any traceroute
access-list OBX permit icmp any any information-reply
access-list OBX permit icmp any any unreachable
access-list OBX permit icmp any any time-exceeded
access-list OBX permit udp any any eq 4500
access-list OBX permit tcp any any eq 16000
access-list OBX deny udp any any eq isakmp log
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap warnings
logging queue 5000
logging device-id hostname
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 173.15.202.145 255.255.255.248
ip address inside 10.5.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop reset
ip local pool RASVPNpool 10.255.255.40-10.255.255.50
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 10.255.255.0 255.255.255.0 outside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group OBX in interface outside
route outside 0.0.0.0 0.0.0.0 173.15.202.150 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication secure-http-client
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 137.167.50.213 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
snmp-server host outside 192.168.188.93
snmp-server host outside 74.92.186.90
snmp-server host outside 74.92.186.93
snmp-server location Dr. Hazelgrove
snmp-server contact FE4 Consulting
snmp-server community fe4@!*^&%only
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map INFIAN 1 ipsec-isakmp
crypto map INFIAN 1 match address 90
crypto map INFIAN 1 set peer 173.167.50.213
crypto map INFIAN 1 set transform-set strong
crypto map INFIAN interface outside
isakmp key ******** address 173.167.50.213 netmask 255.255.255.255
isakmp client configuration address-pool local RASVPNpool outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28000
vpngroup iChR3_Kathy address-pool RASVPNpool
vpngroup iChR3_Kathy dns-server 10.4.5.100 64.83.1.10
vpngroup iChR3_Kathy default-domain Ichrie.local.com
vpngroup iChR3_Kathy split-tunnel NONAT
vpngroup iChR3_Kathy idle-time 1800
vpngroup iChR3_Kathy password ********
vpngroup NDSE address-pool RASVPNpool
vpngroup NDSE dns-server 10.4.5.100 64.83.1.10
vpngroup NDSE default-domain Ichrie.local.com
vpngroup NDSE split-tunnel NONAT
vpngroup NDSE idle-time 1800
vpngroup NDSE password ********
telnet timeout 5
ssh 137.167.50.213 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 137.167.50.213 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname vze7qrga
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username admin password y8ugfM8XdzxhKi4f encrypted privilege 15
terminal width 80
banner login monitoring to appropriate officials.
banner motd WARNING!!!
banner motd This system is solely for the use of authorized users for official purposes.
banner motd You have no expectation of privacy in its use and to ensure that the system
banner motd is functioning properly; individuals using this computer system are subject
banner motd to having all of their activities monitored and recorded by system personnel.
banner motd Use of this system evidences an express consent to such monitoring and
banner motd agreement that if such monitoring reveals evidence of possible abuse or
banner motd criminal activity, system personnel may provide the results of such
banner motd monitoring to appropriate officials.
Cryptochecksum:f275e46af056967683a137acf191b8b4
ICHRIEpix#
04-04-2014 08:44 AM
I figured it out. I needed

isakmp enable outside

on the PIX, and to change

object network iCHRIE
subnet 10.4.5.0 255.255.255.0

to

object network iCHRIE
subnet 10.5.4.0 255.255.255.0

on the ASA.
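The two fixes above are the classic site-to-site failure pair: the IKE state MM_WAIT_MSG2 on the ASA means it sent main-mode message 1 and never got message 2 back, which is exactly what a peer that is not listening for ISAKMP on its outside interface looks like; and once IKE comes up, Phase 2 can only negotiate if the crypto ACL on each end is the exact mirror of the other (the PIX's access-list 90 says 10.5.4.0/24 -> 10.1.0.0/24, so the ASA must say 10.1.0.0/24 -> 10.5.4.0/24, not 10.4.5.0/24). The following script is an added example, written for this page and not part of the original post, that checks both conditions offline from the two config dumps. The config excerpts are constructed from the lines quoted in the thread (not the full configs), and the function names (`parse_objects`, `crypto_acl`, `isakmp_enabled`, `check_tunnel`) are this example's own:

```python
"""Check that a site-to-site IPsec tunnel between an ASA (8.3 object syntax) and a
PIX 6.3 is configured consistently: ISAKMP enabled on the PIX outside interface, and
the crypto ACL (proxy identities) on one end mirroring the other end's."""
import ipaddress
import re

# Constructed excerpts of the two configs posted in the thread (not the full dumps).
ASA_CONFIG = """\
object network wheat_hii_nat
 subnet 10.1.0.0 255.255.255.0
object network iCHRIE
 subnet 10.4.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object wheat_hii_nat object iCHRIE
crypto map TO_AMAZON 1 match address outside_1_cryptomap
crypto map TO_AMAZON 1 set peer 173.15.202.145
crypto isakmp enable outside
"""

PIX_CONFIG = """\
access-list 90 permit ip 10.5.4.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map INFIAN 1 match address 90
crypto map INFIAN 1 set peer 173.167.50.213
"""

# The two corrections from the follow-up post, applied to the excerpts above.
ASA_CONFIG_FIXED = ASA_CONFIG.replace("subnet 10.4.5.0", "subnet 10.5.4.0")
PIX_CONFIG_FIXED = PIX_CONFIG + "isakmp enable outside\n"


def parse_objects(config):
    """Resolve ASA 'object network NAME' blocks (subnet/host) to ip_network values."""
    objects, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["object", "network"]:
            current = parts[2]
        elif current and parts and parts[0] == "subnet":
            objects[current] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        elif current and parts and parts[0] == "host":
            objects[current] = ipaddress.ip_network(parts[1])
        elif parts and not line.startswith(" "):
            current = None  # any other top-level line ends the object block
    return objects


def _addr(tokens, i, objects):
    """Consume one ACL address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "object":
        return objects[tokens[i + 1]], i + 2
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2   # "net mask" form


def crypto_acl(config, peer, objects=None):
    """Return [(local, remote)] proxy identities of the crypto map entry peering with `peer`."""
    objects = objects or {}
    lines = config.splitlines()
    entry = None
    for line in lines:
        m = re.match(r"crypto map (\S+) (\d+) set peer (.+)", line)
        if m and peer in m.group(3).split():      # handles multi-peer entries
            entry = (m.group(1), m.group(2))
    if entry is None:
        return []
    acl = None
    for line in lines:
        m = re.match(rf"crypto map {re.escape(entry[0])} {entry[1]} match address (\S+)", line)
        if m:
            acl = m.group(1)
    pairs = []
    for line in lines:
        parts = line.split()
        if parts[:2] == ["access-list", acl] and "permit" in parts and "ip" in parts:
            i = parts.index("ip") + 1
            src, i = _addr(parts, i, objects)
            dst, _ = _addr(parts, i, objects)
            pairs.append((src, dst))
    return pairs


def isakmp_enabled(config, iface="outside"):
    """True if ISAKMP is enabled on `iface` (PIX 6.3 or ASA syntax)."""
    return any(line.split() in (["isakmp", "enable", iface], ["crypto", "isakmp", "enable", iface])
               for line in config.splitlines())


def check_tunnel(asa_cfg, pix_cfg, pix_peer_ip, asa_peer_ip):
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    if not isakmp_enabled(pix_cfg):
        findings.append("PIX: no 'isakmp enable outside', so IKE MM1 is never answered "
                        "(the initiator sits in MM_WAIT_MSG2)")
    asa = crypto_acl(asa_cfg, pix_peer_ip, parse_objects(asa_cfg))
    pix = crypto_acl(pix_cfg, asa_peer_ip)
    expected = {(remote, local) for local, remote in asa}   # PIX view = ASA view reversed
    for local, remote in sorted(set(pix) - expected):
        findings.append(f"PIX proxy id {local} -> {remote} has no mirror on the ASA")
    for local, remote in sorted(expected - set(pix)):
        findings.append(f"ASA expects PIX proxy id {local} -> {remote}, which the PIX lacks")
    return findings


if __name__ == "__main__":
    for label, asa, pix in (("as posted", ASA_CONFIG, PIX_CONFIG),
                            ("after fix", ASA_CONFIG_FIXED, PIX_CONFIG_FIXED)):
        print(label, check_tunnel(asa, pix, "173.15.202.145", "173.167.50.213") or ["OK"])
```

Run against the posted excerpts it reports the missing `isakmp enable outside` plus the two halves of the 10.4.5.0/24 vs 10.5.4.0/24 mismatch; against the corrected excerpts it reports nothing. The mirror check compares (local, remote) tuples exactly, because a crypto ACL whose networks merely overlap the peer's (a /16 on one side, a /24 on the other) still fails Phase 2 with a proxy-identity mismatch.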