01-22-2009 06:48 PM
Hi,
I am facing quite an interesting problem between a PIX 515 and an ASA 5510.
The PIX is in the HQ and has multiple dynamic VPN connections (around 130) and IPsec remote VPN working just fine. I needed to add one static PIX-to-ASA L2L VPN and it is not working as it is supposed to. The ASA 5510, at the remote end, connects and stays up for a small amount of time; however, all other VPN connections stop working.
The most interesting thing is that the ASA is associated with the dynamic map and not the static map which I created (checked through sh crypto ipsec sa peer x.x.x.x). However, if I make any change on the ACL "ACL-Remote" it affects the tunnel between the PIX and ASA.
Has anyone seen anything like this?
Here is more detailed info:
PIX 515 - IOS 8.0(3) - HQ
ASA 5510 - IOS 7.2(3) - Remote Supplier
Several Huawei and Cisco routers dynamically connected through ADSL
Several IPsec remote access users
One static site-to-site VPN between PIX and ASA - not working.
Here is the config at the PIX:
crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac
crypto dynamic-map Dyn-VPN 100 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
crypto dynamic-map Dyn-VPN 100 set reverse-route
crypto map VPN-Map 30 match address ACL-Remote
crypto map VPN-Map 30 set peer 20X.XX.XX.XX
crypto map VPN-Map 30 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
crypto map VPN-Map 100 ipsec-isakmp dynamic Dyn-VPN
crypto map VPN-Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
access-list ACL-Remote ext permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Thank you.
Marcelo Pinheiro
01-23-2009 11:03 AM
The problem is that the ASA has a crypto ACL defined from host to network, whereas the remote end has network to network.
Make sure the ACLs are mirrored.
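To make the "mirrored ACLs" requirement concrete, here is a small checker that expands each side's crypto ACL (resolving host entries, network/mask pairs and object-groups) into (source, destination) pairs and reports any entry the other side does not mirror. It is an added example, not part of the thread or of any Cisco tool; the two configs inside it are constructed from the snippets posted above, and ASA_CONFIG_FIXED with the hypothetical object-group name Local_NET is an assumption showing one way the supplier's side could be brought into line with the PIX's network-to-network entry.

```python
"""Check whether two IPsec crypto ACLs mirror each other (added example)."""
import ipaddress
import re

# Constructed sample, modelled on the PIX config posted in the thread.
PIX_CONFIG = """
access-list ACL-Remote ext permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Constructed sample, modelled on the supplier's ASA config: host-to-network.
ASA_CONFIG = """
object-group network Test
 network-object host 192.168.1.88
object-group network Remote_NET
 network-object 10.0.0.0 255.255.255.0
access-list SPEEDY_2_cryptomap extended permit ip object-group Test object-group Remote_NET
"""

# Assumed corrected ASA side: network-to-network, the exact mirror of ACL-Remote.
# The object-group name Local_NET is hypothetical.
ASA_CONFIG_FIXED = """
object-group network Local_NET
 network-object 192.168.1.0 255.255.255.0
object-group network Remote_NET
 network-object 10.0.0.0 255.255.255.0
access-list SPEEDY_2_cryptomap extended permit ip object-group Local_NET object-group Remote_NET
"""


def parse_object_groups(config):
    """Return {group_name: [ip_network, ...]} from 'object-group network' blocks."""
    groups = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"network-object host (\S+)$", line)
        if m and current:
            groups[current].append(ipaddress.ip_network(m.group(1)))
            continue
        m = re.match(r"network-object (\S+) (\S+)$", line)
        if m and current:
            # PIX/ASA use subnet masks (not wildcard masks) in network-object lines.
            groups[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
            continue
        if line:
            current = None  # any other command ends the object-group block
    return groups


def _parse_endpoint(tokens, groups):
    """Consume one ACL address spec (host X | any | object-group G | net mask)."""
    head = tokens[0]
    if head == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if head == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if head == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]


def crypto_acl_pairs(config, acl_name):
    """Expand one crypto ACL into a set of (src_net, dst_net) strings."""
    groups = parse_object_groups(config)
    pairs = set()
    pat = re.compile(r"access-list (\S+) (?:ext|extended) permit ip (.+)$")
    for raw in config.splitlines():
        m = pat.match(raw.strip())
        if not m or m.group(1) != acl_name:
            continue
        tokens = m.group(2).split()
        srcs, tokens = _parse_endpoint(tokens, groups)
        dsts, _ = _parse_endpoint(tokens, groups)
        for s in srcs:
            for d in dsts:
                pairs.add((str(s), str(d)))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Return (local entries the remote does not mirror, remote entries the local does not mirror)."""
    not_on_remote = {p for p in local_pairs if (p[1], p[0]) not in remote_pairs}
    not_on_local = {p for p in remote_pairs if (p[1], p[0]) not in local_pairs}
    return not_on_remote, not_on_local


def acls_are_mirrored(local_cfg, local_acl, remote_cfg, remote_acl):
    """True only when every (src, dst) on one side appears as (dst, src) on the other."""
    a, b = mirror_mismatches(crypto_acl_pairs(local_cfg, local_acl),
                             crypto_acl_pairs(remote_cfg, remote_acl))
    return not a and not b


if __name__ == "__main__":
    for label, asa in (("supplier ASA as posted", ASA_CONFIG), ("ASA after fix", ASA_CONFIG_FIXED)):
        pix = crypto_acl_pairs(PIX_CONFIG, "ACL-Remote")
        remote = crypto_acl_pairs(asa, "SPEEDY_2_cryptomap")
        print(label, "->", "mirrored" if acls_are_mirrored(PIX_CONFIG, "ACL-Remote", asa, "SPEEDY_2_cryptomap")
              else f"MISMATCH {mirror_mismatches(pix, remote)}")
```

Run as-is it reports the posted pair as a mismatch (10.0.0.0/24 to 192.168.1.0/24 on the PIX against 192.168.1.88/32 to 10.0.0.0/24 on the ASA) and the corrected pair as mirrored. A proxy identity that does not match the static map's ACL is exactly the kind of proposal that a peer can end up negotiating against a dynamic map entry instead, which is consistent with the symptom described in the first post.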
01-23-2009 09:52 AM
Hi Marcelo,
Yes, I have seen that before, and it usually happens when some settings do not match. Can you paste the ASA config here?
01-23-2009 10:57 AM
Hi Ivan,
Here is the conf at the ASA side. This is the supplier's conf.
object-group network Test
 network-object host 192.168.1.88
object-group network Remote_NET
 network-object 10.0.0.0 255.255.255.0
crypto map SPEEDY_map 2 match address SPEEDY_2_cryptomap
crypto map SPEEDY_map 2 set peer X.x.x.x (PIX External IP Address)
crypto map SPEEDY_map 2 set transform-set ESP-3DES-SHA
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
access-list nat0_outbound extended permit ip object-group Test object-group Remote_NET
access-list SPEEDY_2_cryptomap extended permit ip object-group Test object-group Remote_NET
crypto isakmp enable SPEEDY
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Thank you.
Marcelo
01-29-2009 03:56 AM
Thanks, Ivan, for your helpful hint.
After a long discussion, I now understand why it suddenly stopped working. The supplier was simply changing his configuration without telling me anything.
Sorry for the long delay.
Best regards.