ASA5505 - PIX-515E VPN Config Help

mikebeltran
Level 1

Hello, I'm having an issue getting my VPN up from our remote site. We have an ASA5505 at the remote site and at the main office we have a PIX-515E. I followed this temp config I found online but I'm still not able to get the VPN up. Any suggestions?

Thanks Mike


This script can be used to get you started on a site-to-site VPN using the older Cisco PIX code.

PIX running 6.3

! ^^^^ Set ISAKMP (phase 1) parameters ^^^^^ !
-----------------------------------------------

isakmp enable outside
isakmp key XXXXXXXX address 72.36.1.64 netmask 255.255.255.252
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400

!^^^^ take care of interesting traffic ^^^^!
--------------------------------------------

access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.15.0 255.255.255.0
access-list ipsec_Colo2 permit ip 172.16.1.0 255.255.255.0 172.16.15.0 255.255.255.0 
nat (inside) 0 access-list ACL-VPN


!^^^^ Set IPSEC (Phase 2) parameters ^^^^!
---------------------------------------------
crypto ipsec transform-set afp-ts-1 esp-des esp-md5-hmac
crypto map pix_cmap 36 ipsec-isakmp
crypto map pix_cmap 36 match address ipsec_Colo2
crypto map pix_cmap 36 set peer 72.36.1.64
crypto map pix_cmap 36 set transform-set pix_ts
crypto map pix_cmap 36 interface outside

ASA
!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
-----------------------------------

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp enable OUTSIDE
tunnel-group 12.161.73.254 type ipsec-l2l
tunnel-group 12.161.73.254 ipsec-attributes
pre-shared-key XXXXXXX address 12.161.73.254 netmask 255.255.255.255


!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
-----------------------------------

access-list Colo2-to-Pville extended permit ip 172.16.15.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set afp-ts-1 esp-des esp-md5-hmac
crypto map afppolicy-14 1 match address Colo2-to-Pville
crypto map afppolicy-14 1 set peer 12.161.73.254
crypto map afppolicy-14 1 set transform-set afp-ts-1
crypto map afppolicy-14 set security-association lifetime kilobytes 10000
crypto map afppolicy-14 interface outside

!^^^^^^^ Routes and No-NATS ^^^^^^^!
--------------------------------------

route OUTSIDE 192.168.100.0 255.255.255.0 22.22.22.1
access-list Colo2-to-Pville extended permit ip 172.16.15.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT

-----------------------------------

When I log into the ASA and run these commands, this is what I get:

Colort2# sh run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

Colort2# sh run crypto ipsec
crypto ipsec transform-set afp-ts-1 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
Colort2#

Colort2# Sh run cry map
crypto map afppolicy-14 1 set peer 12.161.73.254
crypto map afppolicy-14 1 set transform-set afp-ts-1
crypto map afppolicy-14 interface outside

Colort2# sh crypto ipsec sa
There are no ipsec sas

Colort2# sh isakmp sa
There are no isakmp sas

Colort2# sh isakmp ?
  ipsec-over-tcp  Show IPSec over TCP data
  sa              Show ISAKMP sas
  stats           Show ISAKMP statistics
  |               Output modifiers
  <cr>

Colort2# sh isakmp
There are no isakmp sas

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
Colort2#


tamoorlatif
Level 1

Hi,

I believe the ACL in the PIX for NAT exemption is named incorrectly.

Existing Config:

nat (inside) 0 access-list ACL-VPN
access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.15.0 255.255.255.0

Correct Config:

nat (inside) 0 access-list ACL-VPN
access-list ACL-VPN permit ip 172.16.1.0 255.255.255.0 172.16.15.0 255.255.255.0
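Added example (not from the post and not a Cisco tool): a small Python checker for the class of mistake the reply points out. It walks a PIX/ASA-style config and reports any `nat 0` or `match address` line that names an ACL never defined, any crypto map entry that names a transform-set never defined (the PIX template above references `pix_ts` while the only transform-set defined is `afp-ts-1`), and any crypto map entry that sets a peer but has no `match address` line, which is what the ASA's `sh run cry map` output above shows. The sample input is the PIX-side template from the question, copied with its names as posted.

```python
import re

# Constructed sample input: the PIX-side lines of the template quoted in the
# question above, with the object names exactly as posted.
PIX_CONFIG = """
access-list nonat permit ip 172.16.1.0 255.255.255.0 172.16.15.0 255.255.255.0
access-list ipsec_Colo2 permit ip 172.16.1.0 255.255.255.0 172.16.15.0 255.255.255.0
nat (inside) 0 access-list ACL-VPN
crypto ipsec transform-set afp-ts-1 esp-des esp-md5-hmac
crypto map pix_cmap 36 ipsec-isakmp
crypto map pix_cmap 36 match address ipsec_Colo2
crypto map pix_cmap 36 set peer 72.36.1.64
crypto map pix_cmap 36 set transform-set pix_ts
crypto map pix_cmap 36 interface outside
"""

# Lines that define a named object, and lines that reference one, per kind.
DEFINES = {
    "access-list": re.compile(r"^access-list\s+(\S+)\s"),
    "transform-set": re.compile(r"^crypto ipsec transform-set\s+(\S+)"),
}
REFERENCES = {
    "access-list": [
        re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)"),
        re.compile(r"^crypto map \S+ \d+ match address\s+(\S+)"),
    ],
    "transform-set": [re.compile(r"^crypto map \S+ \d+ set transform-set\s+(\S+)")],
}
PEER = re.compile(r"^crypto map (\S+ \d+) set peer ")
MATCH = re.compile(r"^crypto map (\S+ \d+) match address ")

def names(lines, rx):
    """Group 1 of rx from every line it matches."""
    return {m.group(1) for m in map(rx.match, lines) if m}

def config_problems(config):
    """Return (kind, name, detail) tuples: references to undefined objects,
    and crypto map entries that set a peer but never match an ACL."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    defined = {kind: names(lines, rx) for kind, rx in DEFINES.items()}
    problems = []
    for line in lines:
        for kind, rxs in REFERENCES.items():
            for m in filter(None, (rx.match(line) for rx in rxs)):
                if m.group(1) not in defined[kind]:
                    problems.append((kind, m.group(1), line))
    for entry in sorted(names(lines, PEER) - names(lines, MATCH)):
        problems.append(("crypto-map", entry, "no match address"))
    return problems
```

On the sample it reports `ACL-VPN` and `pix_ts` as referenced but undefined; renaming the ACL as the reply suggests, and pointing the crypto map at `afp-ts-1`, clears both findings.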