PIX 501 6.3(5) VPN to ASA 5505 9.1(2)

chris.lantz
Level 1

I installed software version 9.1(2) on my ASA 5505, but I cannot establish a L2L VPN to a PIX 501 6.3(5). I'm wondering if those software versions are compatible for what I am trying to do. Before I upgraded to 9.1(2), my ASA had version 8.2(1) and the VPN's were working fine. Thank you.

5 Replies

Jouni Forss
VIP Alumni

Hi,

It's not about the different software levels.

There is probably some problem with the VPN configurations or NAT. Probably on the ASA5505 since it was the device for which the software upgrade was done.

Naturally if you can provide the configurations we could go through them.

- Jouni

Thank you for looking at it. Here are the configs:

User Access Verification

Password:
Type help or '?' for a list of available commands.
sillspix> ena
Password:
sillspix# sh conf
: Saved
: Written by enable_15 at 18:22:59.005 UTC Thu Sep 12 2013
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password  encrypted
passwd  encrypted
hostname sillspix
domain-name x.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name x.x.x.5 silicon-asa-outside
access-list internet-traffic permit ip 192.168.51.0 255.255.255.0 any
access-list pix-to-sills-vpn permit ip 192.168.51.0 255.255.255.0 10.10.51.0 255.255.255.0
access-list pix-to-sills-vpn permit ip 192.168.51.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list pix-to-sills-vpn permit ip 192.168.51.0 255.255.255.0 192.168.26.0 255.255.255.0
access-list acl-in permit icmp any any
access-list 101 permit ip 192.168.51.0 255.255.255.0 10.10.51.0 255.255.255.0
access-list sills-to-silicon-vpn permit ip 192.168.51.0 255.255.255.0 192.168.26.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.51.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.10.51.1-10.10.51.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pix-to-sills-vpn
nat (inside) 1 access-list internet-traffic 0 0
access-group acl-in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set SillsPix256-set esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set SillsPix256-set
crypto map toSillsPix 10 ipsec-isakmp dynamic dynmap
crypto map toSillsPix interface outside
crypto map toGvnPix 26 ipsec-isakmp
crypto map toGvnPix 26 match address sills-to-silicon-vpn
crypto map toGvnPix 26 set peer silicon-asa-outside
crypto map toGvnPix 26 set transform-set SillsPix256-set
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 60
isakmp nat-traversal 20
isakmp policy 18 authentication pre-share
isakmp policy 18 encryption aes-256
isakmp policy 18 hash sha
isakmp policy 18 group 2
isakmp policy 18 lifetime 86400
vpngroup xclient address-pool ippool
vpngroup xclient default-domain x.com
vpngroup xclient split-tunnel 101
vpngroup xlient idle-time 1800
vpngroup xclient password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.51.2-192.168.51.33 inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:
sillspix#


User Access Verification

Password:
Type help or '?' for a list of available commands.
silicon-asa> ena
Password:
silicon-asa# sh conf
: Saved
: Written by enable_15 at 17:50:41.222 UTC Thu Sep 12 2013
!
ASA Version 9.1(2)
!
hostname silicon-asa
domain-name x.com
enable password  encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd  encrypted
names
ip local pool ippool 10.10.26.1-10.10.26.254
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.26.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.5 255.255.255.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name x.com
object network obj-192.168.26.0
subnet 192.168.26.0 255.255.255.0
object network obj-10.10.26.0
subnet 10.10.26.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.51.0
subnet 192.168.51.0 255.255.255.0
object network obj-192.168.26.200
host 192.168.26.200
object service obj-tcp-source-eq-53
service tcp source eq domain
object service obj-tcp-source-eq-80
service tcp source eq www
access-list internet-traffic extended permit ip 192.168.26.0 255.255.255.0 any4
access-list silicon-to-allGvnPix-vpn extended permit ip 192.168.26.0 255.255.255.0 10.10.26.0 255.255.255.0
access-list silicon-to-allGvnPix-vpn extended permit ip 192.168.26.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list silicon-to-allGvnPix-vpn extended permit ip 192.168.26.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list Split-Tunnel-List extended permit ip 192.168.26.0 255.255.255.0 10.10.26.0 255.255.255.0
access-list acl-in extended permit icmp any4 any4
access-list acl-in extended permit tcp any4 host 192.168.26.200 eq domain
access-list acl-in extended permit tcp any4 host 192.168.26.200 eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.26.0 obj-192.168.26.0 destination static obj-10.10.26.0 obj-10.10.26.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.26.0 obj-192.168.26.0 destination static obj-192.168.3.0 obj-192.168.3.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.26.0 obj-192.168.26.0 destination static obj-192.168.51.0 obj-192.168.51.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.26.200 interface service obj-tcp-source-eq-53 obj-tcp-source-eq-53
nat (inside,outside) source static obj-192.168.26.200 interface service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source dynamic obj-192.168.26.0 interface
access-group acl-in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set GvnPix256-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 10000 set ikev1 transform-set GvnPix256-set
crypto map toGvnPix 10000 ipsec-isakmp dynamic dynmap
crypto map toGvnPix interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 18
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.26.2-192.168.26.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy C3Internal internal
group-policy C3Internal attributes
vpn-tunnel-protocol ikev1
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-List
default-domain value x.com
username xclient password  encrypted
username xclient attributes
vpn-group-policy C3Internal
username xpix password  encrypted
username xxclient password  encrypted
username xxclient attributes
vpn-group-policy C3Internal
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive threshold 60 retry 2
tunnel-group DefaultRAGroup general-attributes
address-pool ippool
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 60 retry 2
tunnel-group xclient type remote-access
tunnel-group xclient general-attributes
address-pool ippool
default-group-policy C3Internal
tunnel-group xclient ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 60 retry 2
tunnel-group xxclient type remote-access
tunnel-group xxclient general-attributes
address-pool ippool
default-group-policy C3Internal
tunnel-group xxclient ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 60 retry 2
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
silicon-asa#

L2L part is missing from silicon-asa crypto map

set peer

match address

etc.

The PIX has a dynamic IP address, and I have another ASA5505 that also has a dynamic IP address which can successfully connect to the silicon-asa.

Any ideas on why this doesn't work?

Thanks.