Site-to-Site VPN ASA(8.3)static to PIX(6.3)dynamic

Dustin Harrig
Level 1

I am trying to set up a site-to-site VPN using pre-shared keys from an ASA to a PIX. I have read countless forums and Cisco documents but nothing seems to be exactly what I need. I used the following as a baseline:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

There are commands on the 8.3 that didn't seem to match up; specifically, when setting the authentication-server to none, it didn't allow it.

Can anyone point me in the right direction? I can post configurations if needed.

Thank you in advance!!!!!!

20 Replies

Patrick0711
Level 3

Pretty simple...

Dynamic crypto map on the PIX and an ISAKMP key line that specifies a host and mask of 0.0.0.0 with your PSK

crypto dynamic-map dynmap set transform-set AES-SHA

crypto map outside_map 65000 ipsec-isakmp dynamic dynmap

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

Define an ISAKMP policy, a NAT exemption access-list entry (if necessary), apply
ISAKMP and the crypto map to the outside interface and you're done.

Hi Dustin,

As far as I know you don't need to specify authentication-server-group; the VPN should get completed.

So is the VPN setup failing, or did the setup actually work?

Maybe you can post your configs here?

HTH,

Vikram

ASA Version 8.2(1)  ----- Has static address!!!!!

!

hostname DHS-V54-ASA5520

domain-name DOMAIN.us

enable password PASSWORD

passwd PASSWORD

names

name 24.177.128.131 Renaissance_Learning description RenLearn support IP

name 10.10.8.65 IEP-FS

name 10.10.8.50 MessagingPlus description Spam Filter

name 10.10.8.45 TTC description Lightspeed Web Filter

name 10.10.8.102 GroupWiseInside

name X.X.X.20 GroupWiseOutside

name 10.20.1.13 HomeConnectDMZ

name X.X.X.33 HomeConnectOutside description Home Connect via portal

name 10.20.1.20 StonewareOutsideDMZ

name X.X.X.27 StonewareOutsideOutside

name 10.20.1.12 WebserverDMZ

name X.X.X.11 WebserverOutside

name 10.10.54.230 SolarPanelInside

name X.X.X.34 SolarPanelOutside

!

interface GigabitEthernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address X.X.X.12 255.255.255.0 standby X.X.X.32

!

interface GigabitEthernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.10.100.1 255.255.255.0 standby 10.10.100.2

!

interface GigabitEthernet0/2

speed 100

duplex full

nameif DMZ

security-level 50

ip address 10.20.1.1 255.255.255.0 standby 10.20.1.2

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name DOMAIN.us

object-group network ZIS

description ZIS Access - Alert Now

network-object host 216.27.91.70

network-object host 216.27.91.71

network-object host 216.27.91.72

network-object host 216.27.91.73

network-object host 216.27.91.74

network-object host 66.162.199.178

network-object host 66.162.199.180

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_1

service-object tcp eq 10000

service-object tcp eq 50000

service-object tcp eq www

service-object tcp eq https

service-object udp range 50000 65535

object-group service DM_INLINE_TCP_1 tcp

port-object eq 8443

port-object eq https

access-list Internet extended permit icmp any any

access-list Internet extended permit tcp any host X.X.X.13 eq smtp inactive

access-list Internet extended permit tcp any host X.X.X.19 eq www

access-list Internet extended permit tcp any host WebserverOutside eq www inactive

access-list Internet extended permit tcp any host WebserverOutside eq ftp inactive

access-list Internet extended permit tcp any host WebserverOutside eq https inactive

access-list Internet extended permit tcp any host GroupWiseOutside eq 1677 inactive

access-list Internet extended permit tcp any any eq 3101

access-list Internet extended permit tcp any any eq 4054

access-list Internet extended permit tcp any host X.X.X.9 eq 3389 inactive

access-list Internet extended permit tcp any host X.X.X.23 eq 4054

access-list Internet remark Used by Customized Technology to remote in for support.

access-list Internet extended permit tcp any host X.X.X.21 eq 3389 inactive

access-list Internet remark Used by RenLearn to remote in for support.

access-list Internet extended permit tcp host Renaissance_Learning host X.X.X.24 eq 3389

access-list Internet remark Used to remote and support Destiny.

access-list Internet extended permit tcp any host X.X.X.25 eq 3389 inactive

access-list Internet extended permit tcp any host X.X.X.26 eq www

access-list Internet extended permit tcp any host X.X.X.26 eq https

access-list Internet extended permit tcp any host GroupWiseOutside eq www inactive

access-list Internet extended permit tcp any host X.X.X.26 eq ssh

access-list Internet extended permit tcp any host X.X.X.26 eq telnet

access-list Internet extended permit tcp any host X.X.X.26 eq 17988

access-list Internet extended permit udp any host X.X.X.18 range 35000 40000

access-list Internet extended permit tcp any host X.X.X.22 eq www

access-list Internet extended permit tcp any host X.X.X.22 eq 1677

access-list Internet extended permit tcp any host X.X.X.21 eq 5721

access-list Internet extended permit tcp any host X.X.X.28 eq 8200

access-list Internet extended permit tcp any host X.X.X.29 eq 8200

access-list Internet extended permit tcp host 64.78.235.8 any eq 83

access-list Internet extended permit tcp host 64.78.235.8 any eq 85

access-list Internet extended permit tcp any host X.X.X.30 eq 8080

access-list Internet extended permit tcp host 74.63.134.38 any eq 83

access-list Internet extended permit tcp host 74.63.134.38 any eq 85

access-list Internet extended permit tcp host 74.63.134.39 any eq 83

access-list Internet extended permit tcp host 74.63.134.39 any eq 85

access-list Internet extended permit tcp any host X.X.X.9 eq www

access-list Internet extended permit tcp host 209.232.116.90 any eq 1533

access-list Internet extended permit tcp any host X.X.X.16 eq www

access-list Internet remark Remote Access to Install Gwava

access-list Internet extended permit tcp any host X.X.X.15 eq 3389

access-list Internet extended permit tcp any host X.X.X.15 eq pptp

access-list Internet extended permit tcp any host X.X.X.15 eq 1701

access-list Internet extended permit gre any host X.X.X.15

access-list Internet extended permit tcp any host StonewareOutsideOutside eq www inactive

access-list Internet extended permit tcp any host StonewareOutsideOutside eq https inactive

access-list Internet extended permit tcp any host X.X.X.31 eq ssh

access-list Internet extended permit tcp object-group ZIS host X.X.X.40 eq 7443

access-list Internet extended permit tcp object-group ZIS host X.X.X.40 eq 7080 log debugging

access-list Internet extended permit tcp any host X.X.X.41 eq www

access-list Internet extended permit tcp any host X.X.X.41 eq 8080

access-list Internet extended permit tcp any host X.X.X.32 eq ssh

access-list Internet remark Test connectivity to skyward 1/6/11

access-list Internet extended permit tcp host 71.87.22.131 any inactive

access-list Internet remark Solar Panel Access

access-list Internet extended permit object-group TCPUDP any host SolarPanelOutside eq www

access-list Internet extended permit tcp any host HomeConnectOutside eq www inactive

access-list Internet extended permit tcp any host HomeConnectOutside eq https inactive

access-list Internet remark Used by Follett for TitlePeek

access-list Internet extended permit tcp host 12.171.92.157 host 10.10.8.115

access-list Internet extended permit tcp host 209.175.170.11 host 10.10.8.181

access-list Internet extended permit tcp host 209.175.170.10 host 10.10.8.181

access-list Internet remark DOMAIN Public Library Access to Ren Place

access-list Internet extended permit tcp host 98.212.249.68 host X.X.X.24 eq www

access-list Internet remark Sam's House to Test Ren Learn

access-list Internet extended permit tcp host 66.213.171.66 host X.X.X.24 eq www

access-list Internet remark Migration Wizard

access-list Internet extended permit tcp any host GroupWiseOutside eq 7191 inactive

access-list Internet remark Acces For Viyo for NewTech Use

access-list Internet extended permit object-group DM_INLINE_SERVICE_1 host 207.250.187.254 any

access-list Internet extended permit tcp any host X.X.X.43 eq www

access-list Internet extended permit tcp any host X.X.X.43 eq https

access-list Internet extended permit tcp any host X.X.X.44 eq www

access-list Internet extended permit tcp host 74.208.213.109 host X.X.X.45 eq ldaps

access-list DMZ extended permit udp any any eq ntp

access-list DMZ extended permit icmp any any

access-list DMZ extended permit tcp any any eq www

access-list DMZ extended permit tcp any any eq ftp

access-list DMZ extended permit tcp any any eq https

access-list DMZ extended permit tcp any any eq domain

access-list DMZ extended permit udp any any eq domain

access-list DMZ extended permit udp any any eq isakmp

access-list DMZ extended permit tcp any any eq 4500

access-list DMZ extended permit tcp any any eq 1099

access-list DMZ extended permit tcp any any eq 4501

access-list DMZ extended permit tcp any any eq 5001

access-list DMZ extended permit tcp any any eq 24000

access-list inside_access_in remark Email Relay

access-list inside_access_in extended permit tcp host 10.10.8.52 any eq smtp

access-list inside_access_in extended deny tcp any any eq smtp

access-list inside_access_in extended permit ip any any

access-list inside_access_in remark NewTech Reporting server

access-list inside_access_in extended permit tcp any host 50.17.224.125 object-group DM_INLINE_TCP_1

access-list inside_nat0_outbound extended permit ip any 10.10.100.240 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging emblem

logging list default level informational

logging buffer-size 60000

logging buffered informational

logging trap informational

logging asdm informational

logging host inside 10.10.8.211

logging debug-trace

logging permit-hostdown

logging class auth asdm emergencies

logging class ip asdm alerts

logging message 106023 level informational

flow-export destination inside 10.10.8.211 514

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip local pool VPN-Pool 10.10.100.240-10.10.100.246 mask 255.255.255.248

failover

failover lan unit primary

failover lan interface FAILOVER GigabitEthernet0/3

failover link FAILOVER GigabitEthernet0/3

failover interface ip FAILOVER 172.16.16.1 255.255.255.0 standby 172.16.16.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 X.X.X.13

global (outside) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 MessagingPlus 255.255.255.255

nat (inside) 1 GroupWiseInside 255.255.255.255

nat (inside) 2 10.10.0.0 255.255.0.0

nat (DMZ) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp X.X.X.13 smtp MessagingPlus smtp netmask 255.255.255.255

static (inside,outside) tcp GroupWiseOutside 1677 GroupWiseInside 1677 netmask 255.255.255.255

static (inside,outside) tcp GroupWiseOutside www GroupWiseInside www netmask 255.255.255.255

static (outside,inside) tcp GroupWiseInside smtp X.X.X.13 smtp netmask 255.255.255.255

static (inside,outside) tcp GroupWiseOutside 7191 GroupWiseInside 7191 netmask 255.255.255.255

static (inside,outside) tcp X.X.X.42 smtp 10.10.8.52 smtp netmask 255.255.255.255

static (inside,outside) tcp X.X.X.45 ldaps 10.10.8.7 ldaps netmask 255.255.255.255

static (DMZ,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (DMZ,outside) WebserverOutside WebserverDMZ netmask 255.255.255.255

static (DMZ,outside) StonewareOutsideOutside StonewareOutsideDMZ netmask 255.255.255.255

static (DMZ,outside) HomeConnectOutside HomeConnectDMZ netmask 255.255.255.255

static (DMZ,outside) X.X.X.43 10.20.1.21 netmask 255.255.255.255

static (inside,outside) X.X.X.14 10.10.100.2 netmask 255.255.255.255

static (inside,outside) X.X.X.19 10.10.8.170 netmask 255.255.255.255

static (inside,outside) X.X.X.3 10.10.100.4 netmask 255.255.255.255

static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

static (inside,outside) X.X.X.23 10.10.8.70 netmask 255.255.255.255

static (inside,outside) X.X.X.21 IEP-FS netmask 255.255.255.255

static (inside,outside) X.X.X.24 10.10.8.180 netmask 255.255.255.255

static (inside,outside) X.X.X.25 10.10.8.115 netmask 255.255.255.255

static (inside,outside) X.X.X.26 10.10.8.101 netmask 255.255.255.255

static (inside,outside) X.X.X.9 TTC netmask 255.255.255.255

static (inside,outside) X.X.X.22 10.10.8.196 netmask 255.255.255.255

static (inside,outside) X.X.X.28 10.10.8.160 netmask 255.255.255.255

static (inside,outside) X.X.X.29 10.10.8.165 netmask 255.255.255.255

static (inside,outside) X.X.X.30 10.10.8.103 netmask 255.255.255.255

static (inside,outside) X.X.X.16 10.10.8.200 netmask 255.255.255.255

static (inside,outside) X.X.X.15 10.10.8.182 netmask 255.255.255.255

static (inside,outside) X.X.X.40 10.10.8.130 netmask 255.255.255.255

static (inside,outside) X.X.X.41 10.10.8.212 netmask 255.255.255.255

static (inside,outside) SolarPanelOutside SolarPanelInside netmask 255.255.255.255

static (inside,outside) X.X.X.44 10.10.8.47 netmask 255.255.255.255

access-group Internet in interface outside

access-group inside_access_in in interface inside

access-group DMZ in interface DMZ

route outside 0.0.0.0 0.0.0.0 X.X.X.1 1

route inside 10.10.0.0 255.255.0.0 10.10.100.4 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.10.54.19 255.255.255.255 inside

http 10.10.54.0 255.255.254.0 inside

http 10.10.58.10 255.255.255.255 inside

http 10.10.58.0 255.255.254.0 inside

snmp-server group Authentication_Only v3 auth

snmp-server user Spice Authentication_Only v3 encrypted auth md5 e4:89:36:89:9c:e8:a1:f1:0b:7a:17:4c:7d:e0:27:4e

snmp-server host inside TTC version 3 Spice

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

service resetoutside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 10.10.54.0 255.255.254.0 inside

telnet 10.10.58.0 255.255.255.0 inside

telnet 10.10.100.0 255.255.255.0 inside

telnet 10.10.52.0 255.255.255.0 inside

telnet timeout 5

ssh X.X.X.X 255.255.255.248 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.10.8.105 source inside

webvpn

group-policy DOMAIN-RA internal

group-policy DOMAIN-RA attributes

vpn-tunnel-protocol IPSec

pfs enable

default-domain value DOMAIN.us

group-policy LAURALEE internal

group-policy LAURALEE attributes

vpn-tunnel-protocol IPSec

pfs disable

default-domain value DOMAIN.us

username onecom password PASSWORD encrypted privilege y

username onecom attributes

vpn-group-policy DOMAIN-RA

username admin password PASSWORD encrypted privilege 15

username netadmin password PASSWORD encrypted privilege 7

username netadmin attributes

vpn-group-policy DOMAIN-RA

username netech password PASSWORD encrypted privilege 15

username netech attributes

vpn-group-policy DOMAIN-RA

username fivestar password PASSWORD encrypted privilege 15

username fivestar attributes

vpn-group-policy DOMAIN-RA

tunnel-group DOMAIN-RA type remote-access

tunnel-group DOMAIN-RA general-attributes

address-pool VPN-Pool

default-group-policy DOMAIN-RA

tunnel-group DOMAIN-RA ipsec-attributes

pre-shared-key *

tunnel-group LAURALEE type ipsec-l2l

tunnel-group LAURALEE general-attributes

default-group-policy LAURALEE

tunnel-group LAURALEE ipsec-attributes

pre-shared-key CISCO

peer-id-validate nocheck

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect dns preset_dns_map

inspect http

inspect ils

!

service-policy global_policy global

prompt hostname context

ASA - dynamic

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

interface gb-ethernet0 1000auto shutdown

interface gb-ethernet1 1000auto shutdown

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif gb-ethernet0 intf2 security4

nameif gb-ethernet1 intf3 security6

nameif ethernet2 intf4 security8

nameif ethernet3 intf5 security10

nameif ethernet4 intf6 security12

nameif ethernet5 intf7 security14

enable password PASSWORD

passwd PASSWORD

hostname LauraLeePix

domain-name DOMAIN.NET

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 111 permit ip any 10.10.0.0 255.255.0.0

pager lines 24

logging monitor debugging

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

mtu intf6 1500

mtu intf7 1500

ip address outside dhcp

ip address inside 192.168.1.2 255.255.255.0

no ip address intf2

no ip address intf3

no ip address intf4

no ip address intf5

no ip address intf6

no ip address intf7

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

no failover ip address intf6

no failover ip address intf7

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 111

route outside 0.0.0.0 0.0.0.0 10.1.1.14 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

crypto ipsec transform-set LAURALEE esp-3des

crypto map LLMAP 10 ipsec-isakmp

crypto map LLMAP 10 match address 111

crypto map LLMAP 10 set pfs

crypto map LLMAP 10 set peer X.X.X.12

crypto map LLMAP 10 set transform-set LAURALEE

crypto map LLMAP interface outside

isakmp enable outside

isakmp key CISCO address X.X.X.12 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Use the DefaultL2LGroup in conjunction with the dynamic crypto map on the ASA with the static IP.  You don't need an authentication group...just define your pre-shared key in the tunnel group and ensure you have a matching transform set, isakmp policy, and NAT exempt configuration in place (if necessary).

Hi,

Yep, what Patrick stated is right. One thing I want to add here: I don't see the tunnel-group config portion on the ASA (dynamic IP) one...

HTH,

Vikram

Patrick/Vikz ... Thank you both for taking time to look at this!!!!!  I am very much a NOOBIE when it comes to VPN and barely cutting my teeth on the ASA/PIX appliances.  Can you tell me what specifically I need to change?  Vikz, I tried using the tunnel-group command on the PIX but it is not an option.  What sort of dynamic crypto map should I use?  There's one in there already; is that not sufficient?

ASA (Static)

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

group-policy LAURALEE internal

group-policy LAURALEE attributes

vpn-tunnel-protocol IPSec

pfs disable      (should this be pfs 2?)

tunnel-group LAURALEE type ipsec-l2l

tunnel-group LAURALEE general-attributes

default-group-policy LAURALEE

tunnel-group LAURALEE ipsec-attributes

pre-shared-key CISCO

peer-id-validate nocheck

PIX (dynamic)

crypto ipsec transform-set LAURALEE esp-3des esp-md5-hmac       (I added the esp-md5-hmac to match the ASA)

crypto map LLMAP 10 ipsec-isakmp

crypto map LLMAP 10 match address 111

crypto map LLMAP 10 set pfs

crypto map LLMAP 10 set peer X.X.X.12

crypto map LLMAP 10 set transform-set LAURALEE

crypto map LLMAP interface outside

isakmp enable outside

isakmp key CISCO address X.X.X.12 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400
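Comparing the two snippets above by eye is where mismatches hide, and Patrick's earlier point was exactly that the transform set and ISAKMP policy have to agree. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the ASA and PIX snippets Dustin posted (embedded here as text) and reports whether a Phase 1 policy and a Phase 2 transform set agree on both sides, and whether the PFS settings do. The parser, the `NEGOTIATED` attribute list and the `check_thread_snippets` function are the example's own; the IKE lifetime is kept in the parsed policy but not used as a match criterion.

```python
"""Added example (not from the thread): parse the ASA 8.x and PIX 6.3 snippets
posted above and report whether their IKE Phase 1 policies, Phase 2 transform
sets and PFS settings agree. The snippets are embedded as text so it runs offline."""

PHASE1_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
NEGOTIATED = ("authentication", "encryption", "hash", "group")  # lifetime is not a match criterion here

# Copied from the post above (ASA side); sub-mode lines indented as the CLI shows them.
ASA_SNIPPET = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
group-policy LAURALEE internal
group-policy LAURALEE attributes
 vpn-tunnel-protocol IPSec
 pfs disable
tunnel-group LAURALEE type ipsec-l2l
tunnel-group LAURALEE ipsec-attributes
 pre-shared-key CISCO
 peer-id-validate nocheck
"""

# Copied from the post above (PIX side).
PIX_SNIPPET = """
crypto ipsec transform-set LAURALEE esp-3des esp-md5-hmac
crypto map LLMAP 10 ipsec-isakmp
crypto map LLMAP 10 match address 111
crypto map LLMAP 10 set pfs
crypto map LLMAP 10 set peer X.X.X.12
crypto map LLMAP 10 set transform-set LAURALEE
isakmp enable outside
isakmp key CISCO address X.X.X.12 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""


def parse_crypto(text):
    """Collect Phase 1 policies, transform sets and the PFS setting from either
    syntax: ASA sub-mode ('crypto isakmp policy 10' then attribute lines) or
    PIX one-liners ('isakmp policy 10 encryption 3des')."""
    policies = {}      # priority -> {attribute: value}
    transforms = {}    # transform-set name -> frozenset of ESP transforms
    pfs = "not configured"
    current = None     # priority of the ASA policy sub-mode we are inside, if any
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["isakmp", "policy"] and len(words) >= 5:          # PIX form
            policies.setdefault(int(words[2]), {})[words[3]] = words[4]
            current = None
        elif words[:3] == ["crypto", "isakmp", "policy"]:                   # ASA form
            current = int(words[3])
            policies.setdefault(current, {})
        elif current is not None and words[0] in PHASE1_ATTRS:
            policies[current][words[0]] = words[1]
        else:
            current = None
            if words[:3] == ["crypto", "ipsec", "transform-set"]:
                transforms[words[3]] = frozenset(words[4:])
            elif words[0] == "pfs":                                          # ASA group-policy
                pfs = "enabled" if words[1] == "enable" else "disabled"
            elif words[:2] == ["crypto", "map"] and words[4:6] == ["set", "pfs"]:  # PIX crypto map
                pfs = "enabled" + (" " + words[6] if len(words) > 6 else "")
    return {"policies": policies, "transforms": transforms, "pfs": pfs}


def compare(asa, pix):
    """Phase 1 matches when some policy pair agrees on every negotiated attribute;
    Phase 2 matches when both sides define an identical transform set."""
    phase1 = any(all(a.get(k) == p.get(k) for k in NEGOTIATED)
                 for a in asa["policies"].values() for p in pix["policies"].values())
    phase2 = bool(set(asa["transforms"].values()) & set(pix["transforms"].values()))
    return {"phase1_match": phase1, "phase2_match": phase2,
            "pfs": (asa["pfs"], pix["pfs"]),
            "pfs_agree": asa["pfs"].split()[0] == pix["pfs"].split()[0]}


def check_thread_snippets():
    return compare(parse_crypto(ASA_SNIPPET), parse_crypto(PIX_SNIPPET))


if __name__ == "__main__":
    for key, value in check_thread_snippets().items():
        print(f"{key}: {value}")
```

For the snippets as posted it reports Phase 1 and Phase 2 as matching (3DES/MD5/pre-share/group 2 and esp-3des esp-md5-hmac on both sides) and PFS as disabled on the ASA but requested on the PIX, which is the asymmetry Dustin flags with "(should this be pfs 2?)" and Vikram answers with `pfs enable`.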

Hi Dustin,

Try changing:

group-policy LAURALEE attributes

vpn-tunnel-protocol IPSec

pfs disable (should this be pfs 2?)

tunnel-group LAURALEE type ipsec-l2l

tunnel-group LAURALEE general-attributes

default-group-policy LAURALEE

tunnel-group LAURALEE ipsec-attributes

pre-shared-key CISCO

peer-id-validate nocheck

to

group-policy LAURALEE attributes

vpn-tunnel-protocol IPSec

pfs enable

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

default-group-policy LAURALEE

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key CISCO

peer-id-validate nocheck

And I do see that the PIX doesn't need a tunnel-group, as per the Cisco doc (http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml).

Let me know the result after changing this. If it still doesn't work, could you please post the debug crypto isakmp output from the ASA side?

HTH,

Vikram


This is the excerpt from the syslog server of what I see correlating to the VPN connection; this is on the ASA with the static address:

2011-11-27 21:06:52 Local4.Info 10.10.100.1 Nov 27 2011 21:06:42: %ASA-6-113009: AAA retrieved default group policy (LAURALEE) for user = DefaultL2LGroup

2011-11-27 21:06:52 Local4.Notice 10.10.100.1 Nov 27 2011 21:06:42: %ASA-5-713119: Group = DefaultL2LGroup, IP = 74.X.X.28, PHASE 1 COMPLETED

2011-11-27 21:06:52 Local4.Error 10.10.100.1 Nov 27 2011 21:06:42: %ASA-3-713061: Group = DefaultL2LGroup, IP = 74.X.X.28, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.10.0.0/255.255.0.0/0/0 on interface outside

2011-11-27 21:06:52 Local4.Error 10.10.100.1 Nov 27 2011 21:06:42: %ASA-3-713902: Group = DefaultL2LGroup, IP = 74.X.X.28, QM FSM error (P2 struct &0xcf250b98, mess id 0xd20674fa)!

2011-11-27 21:06:52 Local4.Error 10.10.100.1 Nov 27 2011 21:06:42: %ASA-3-713902: Group = DefaultL2LGroup, IP = 74.X.X.28, Removing peer from correlator table failed, no match!

2011-11-27 21:06:52 Local4.Warning 10.10.100.1 Nov 27 2011 21:06:42: %ASA-4-113019: Group = DefaultL2LGroup, Username = DefaultL2LGroup, IP = 74.X.X.28, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

Hi,

This is the ACL issue: your ACL is mismatched between the two peers. Could you post your ACL entry for the IPSec creation?

Thanks,


For the dynamic PIX side I have:

access-list 111 permit ip any 10.10.0.0 255.255.0.0

My confusion is on the ASA side. Not sure how to configure the crypto maps or dynamic-maps.

The addresses will be 192.168.x.x on the inside of the PIX (dynamic).

The addresses will be 10.10.x.x on the inside of the ASA (static).

For the static ASA side I have:

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

Just not sure how to apply it.

You can use crypto dynamic-map match address.

That ACL looks like it is for NAT exemption; you should add a line for 10.10.0.0 255.255.0.0 to it.
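The %ASA-3-713061 message in the syslog excerpt above is the key line: it names the proxy identities (traffic selectors) the PIX proposed and that the ASA could not match to any crypto map entry. As an added example, not from the thread or from Cisco, here is a Python helper that decodes those proxies from the syslog line, derives from the PIX's `access-list 111` what the ASA will see when the PIX initiates, and tests whether an ASA crypto ACL mirrors the PIX one. The `LAURALEE_crypto` ACL name and its 10.10.0.0/16 to 192.168.1.0/24 entry are constructed from the addressing Dustin gives (10.10.x.x behind the ASA, 192.168.x.x behind the PIX), not taken from his config; the "fixed" PIX entry is likewise a constructed variant.

```python
"""Added example (not from the thread): decode the proxy identities in an ASA
%ASA-3-713061 message and check that the crypto ACLs on the two peers are
mirror images of each other. Runs offline on lines copied from the posts above."""
import ipaddress
import re

# From the PIX config posted above (also its NAT 0 exemption list).
PIX_ACL_111 = "access-list 111 permit ip any 10.10.0.0 255.255.0.0"

# From the ASA syslog excerpt posted above (peer address masked as in the post).
SYSLOG_713061 = ("%ASA-3-713061: Group = DefaultL2LGroup, IP = 74.X.X.28, Rejecting IPSec tunnel: "
                 "no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 "
                 "local proxy 10.10.0.0/255.255.0.0/0/0 on interface outside")

# Constructed: an ASA-side crypto ACL built from the addressing described in the
# thread (10.10.x.x behind the ASA, 192.168.x.x behind the PIX); the name is hypothetical.
ASA_CRYPTO_ACL = ("access-list LAURALEE_crypto extended permit ip "
                  "10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0")

# Constructed: the PIX entry with its source narrowed from 'any' to the PIX inside subnet.
PIX_ACL_FIXED = "access-list 111 permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0"

# The ASA formats each proxy as address/mask/protocol/port.
PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+")


def parse_acl(line):
    """Return (source, destination) networks of a PIX/ASA 'permit ip' entry.
    'any' is 0.0.0.0/0, 'host X' is X/32, otherwise 'address mask'."""
    words = line.split()
    i = words.index("ip") + 1
    nets = []
    for _ in range(2):
        if words[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif words[i] == "host":
            nets.append(ipaddress.ip_network(words[i + 1] + "/32"))
            i += 2
        else:
            nets.append(ipaddress.ip_network(f"{words[i]}/{words[i + 1]}"))
            i += 2
    return tuple(nets)


def proxies_from_syslog(message):
    """Return the (local, remote) proxy networks the ASA reports in a 713061 message."""
    m = PROXY_RE.search(message)
    if m is None:
        raise ValueError("no proxy identities found in message")
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
    return local, remote


def asa_view_of_pix_acl(pix_line):
    """When the PIX initiates, its ACL source becomes the ASA's remote proxy and
    its ACL destination becomes the ASA's local proxy."""
    src, dst = parse_acl(pix_line)
    return dst, src


def mirrors(asa_line, pix_line):
    """True when the two crypto ACL entries are exact mirror images."""
    asa_src, asa_dst = parse_acl(asa_line)
    pix_src, pix_dst = parse_acl(pix_line)
    return asa_src == pix_dst and asa_dst == pix_src


def diagnose():
    """Tie the logged proxies back to the posted ACLs and the constructed variants."""
    logged = proxies_from_syslog(SYSLOG_713061)
    return {
        "syslog_matches_pix_acl": logged == asa_view_of_pix_acl(PIX_ACL_111),
        "asa_entry_mirrors_current_pix_acl": mirrors(ASA_CRYPTO_ACL, PIX_ACL_111),
        "asa_entry_mirrors_fixed_pix_acl": mirrors(ASA_CRYPTO_ACL, PIX_ACL_FIXED),
    }


if __name__ == "__main__":
    local, remote = proxies_from_syslog(SYSLOG_713061)
    print(f"ASA logged local proxy {local}, remote proxy {remote}")
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run as written, it confirms that `permit ip any 10.10.0.0 255.255.0.0` on the PIX is exactly what the ASA logged (remote proxy 0.0.0.0/0, local proxy 10.10.0.0/16), that a 10.10.0.0/16 to 192.168.1.0/24 entry on the ASA would not mirror that, and that narrowing the PIX entry's source from `any` to 192.168.1.0 255.255.255.0 makes the two entries mirror images. A crypto ACL with `any` as the protected local side asks the peer to carry traffic to every destination through the tunnel, so the narrowed form is also the one that keeps the tunnel scoped to the two inside networks.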


Are you saying that my NAT exemption ACLs are mismatched, or that my inbound/outbound ACLs are mismatched?

Here are the crypto debugs on the PIX (dynamic) side when trying to ping the inside address of the ASA (static) from the PIX.


ISAKMP (0): beginning Main Mode exchange


crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0
10.10.100.1 NO respons
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload
next-payload : 8
type         : 2
protocol     : 17
port         : 500
length       : 28
ISAKMP (0): Total payload length: 32
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -279469855:ef57a0e1
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x108e4865(277760101) for SA
from  209.X.X.12 to       10.1.1.74 for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 18 protocol 1
spi 0, message ID = 833985755
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 908447999, spi size = 16
ISAKMP (0): deleting SA: src 10.1.1.74, dst 209.X.X.12
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x51a499c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 209.X.X.12/500 not found - peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  209.X.X.12
10.10.100.1 NO response received -- 1030ms
10.10.100.1 NO response received -- 1000ms

LauraLeePix#

LauraLeePix# IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.1.1.74, remote= 209.X.X.12,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)


ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload
next-payload : 8
type         : 2
protocol     : 17
port         : 500
length       : 28
ISAKMP (0): Total payload length: 32
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 954026501:38dd4a05
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xf43c6127(4097597735) for SA
from  209.X.X.12 to       10.1.1.74 for prot 3

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 18 protocol 1
spi 0, message ID = 1425287916
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3080351175, spi size = 16
ISAKMP (0): deleting SA: src 10.1.1.74, dst 209.X.X.12
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x51a499c, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 209.X.X.12/500 not found - peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  209.X.X.12
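In the debug above, Phase 1 completes ("SA has been authenticated"), the PIX opens Quick Mode proposing local_proxy 0.0.0.0/0.0.0.0 and remote_proxy 10.10.0.0/255.255.0.0 (see the request timer entry), and the peer answers with NOTIFY payload 18, protocol 1. Notify type 18 in ISAKMP (RFC 2408) is INVALID-ID-INFORMATION, the message a responder sends when it does not accept the identities proposed for the IPsec SA. The crypto ACL on each firewall, and the NAT-exemption ACL on each, therefore have to describe the same pair of networks, mirror-imaged, which is also what the earlier reply about match address and the extra 10.10.0.0 255.255.0.0 line is getting at. The configuration pair below is an added example, not the poster's configuration and not taken from the Cisco document linked in the thread. It assumes the ASA LAN is 10.10.0.0/16 (the remote_proxy in the debug), the PIX LAN is 192.168.1.0/24 (the network in the posted nat0 line), the ASA's public address is 209.X.X.12 exactly as it appears masked in the debug, the PIX sits behind a NAT device (its local address is 10.1.1.74 in the debug) so NAT traversal is enabled on both ends, and DH group 2 is used instead of the group 1 shown in the debug; all of these are assumptions, and both ends must agree on the Phase 1 policy.

```cisco
! ---- ASA 8.2, static public address: accepts a peer whose address is not known ----
! Assumed addressing: ASA LAN 10.10.0.0/16, PIX LAN 192.168.1.0/24 (example only)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! Proxy identities the ASA will accept: the mirror image of the PIX crypto ACL
access-list outside_cryptomap_dyn extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
crypto dynamic-map dynmap 10 match address outside_cryptomap_dyn
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
! The dynamic entry takes the highest sequence number so static entries are tried first
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
! NAT exemption for the same pair of networks, seen from the ASA's inside
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! A peer with an unknown address is matched by the default L2L tunnel group
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key ********

! ---- PIX 6.3, dynamic address behind NAT: always the initiator ----
! Assumed peer: ASA public address 209.X.X.12 as masked in the debug (example only)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key ******** address 209.X.X.12 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! Crypto ACL: a specific local network, not "any", so the proposed local proxy
! is 192.168.1.0/255.255.255.0 rather than 0.0.0.0/0.0.0.0
access-list to_asa permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address to_asa
crypto map outside_map 10 set peer 209.X.X.12
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
! NAT exemption on the PIX for the same pair of networks
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list nonat
! Let decrypted traffic bypass the interface ACL (PIX 6.3 keyword)
sysopt connection permit-ipsec
```

With a dynamic crypto map the ASA cannot start the tunnel; traffic from the PIX side (such as the ping in the debug) has to bring it up. After a change to either crypto ACL, clear the existing SAs on both ends (clear crypto isakmp sa and clear crypto ipsec sa) before testing again, otherwise the old Phase 1 SA is reused and the Quick Mode rejection repeats exactly as in the second half of the debug.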