Re: Site-to-Site VPN ASA(8.3)static to PIX(6.3)dynamic - Page 2

Dustin Harrig · ‎11-14-2011

I am trying to set up a site to site vpn using pre-shared keys from an asa to a pix. I have read countless forums and cisco documents but nothing seems to be exactly what I need. I used the following as a baseline:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

There are commands on the 8.3 that didnt seem to match up, specifically when setting the authentication-server to none, it didnt allow it.

Can anyone point in the right direction? I can post configurations if needed.

Thank you in advance!!!!!!

vikz230884 · ‎11-28-2011

Hi,

Have you add the crypto ACL at ASA ?

What I am seeing is on the nat exemption ACL is traffic from outside to inside is exempt from natting, which the use of nat exempt is for traffic from inside to outside. So you need to exempt traffic from inside to PIX segment from NAT.

HTH,

Vikram

Date: Mon, 28 Nov 2011 09:20:43 -0700

From: supportforums-donotreply@jivesoftware.com

To: pillai_vikram@hotmail.com

Subject: - Re: Site-to-Site VPN ASA(8.3)static to PIX(6.3)dynamic

Home

Re: Site-to-Site VPN ASA(8.3)static to PIX(6.3)dynamic

created by Dustin Harrig in VPN - View the full discussion

Here are the crypto debugs on the PIX(dynamic) side when trying to ping the inside address of ASA(static) from the PIX.

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0ISAKMP (0): processing NONCE payload. message ID = 0

10.10.100.1 NO respons

ISAKMP (0): processing vendor id payloadISAKMP (0): processing vendor id payloadISAKMP (0): received xauth v6 vendor idISAKMP (0): processing vendor id payloadISAKMP (0): speaking to another IOS box!ISAKMP (0): processing vendor id payloadISAKMP (0): speaking to a VPN3000 concentratorISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 28

ISAKMP (0): Total payload length: 32

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing vendor id payloadISAKMP (0): remote peer supports dead peer detectionISAKMP (0): SA has been authenticatedISAKMP (0): beginning Quick Mode exchange, M-ID of -279469855:ef57a0e1IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x108e4865(277760101) for SA

from 209.X.X.12 to 10.1.1.74 for prot 3return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 18 protocol 1

spi 0, message ID = 833985755

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 908447999, spi size = 16

ISAKMP (0): deleting SA: src 10.1.1.74, dst 209.X.X.12

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x51a499c, conn_id = 0 DELETE IT!VPN Peer:ISAKMP: Peer Info for 209.X.X.12/500 not found - peers:0

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 209.X.X.12

e received -- 1000ms

10.10.100.1 NO response received -- 1030ms

10.10.100.1 NO response received -- 1000msLauraLeePix# LauraLeePix# IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 10.1.1.74, remote= 209.X.X.12,

local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payloadISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0ISAKMP (0): processing NONCE payload. message ID = 0ISAKMP (0): processing vendor id payloadISAKMP (0): processing vendor id payloadISAKMP (0): received xauth v6 vendor idISAKMP (0): processing vendor id payloadISAKMP (0): speaking to another IOS box!ISAKMP (0): processing vendor id payloadISAKMP (0): speaking to a VPN3000 concentratorISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 28

ISAKMP (0): Total payload length: 32

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing vendor id payloadISAKMP (0): remote peer supports dead peer detectionISAKMP (0): SA has been authenticatedISAKMP (0): beginning Quick Mode exchange, M-ID of 954026501:38dd4a05IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xf43c6127(4097597735) for SA

from 209.X.X.12 to 10.1.1.74 for prot 3return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 18 protocol 1

spi 0, message ID = 1425287916

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:209.X.X.12, dest:10.1.1.74 spt:500 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 3080351175, spi size = 16

ISAKMP (0): deleting SA: src 10.1.1.74, dst 209.X.X.12

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x51a499c, conn_id = 0 DELETE IT!VPN Peer:ISAKMP: Peer Info for 209.X.X.12/500 not found - peers:0

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 209.X.X.12

Reply to this message by going to Home

Start a new discussion in VPN at Home

Dustin Harrig · ‎11-28-2011

Patrick ... do these look like they match as you stated they need to:

ASA (Static)

interface GigabitEthernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 209.X.X.12 255.255.255.0 standby 209.X.X.32

!

interface GigabitEthernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.10.100.1 255.255.255.0 standby 10.10.100.2

access-list inside_nat0_outbound extended permit ip any 10.10.100.240 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

group-policy LAURALEE internal

group-policy LAURALEE attributes

vpn-tunnel-protocol IPSec

pfs enable

default-domain value DOMAIN.us

tunnel-group DefaultL2LGroup general-attributes

default-group-policy LAURALEE

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key CISCO

peer-id-validate nocheck

PIX (dynamic)

access-list 111 permit ip any 10.10.0.0 255.255.0.0

ip address outside dhcp

ip address inside 192.168.1.2 255.255.255.0

nat (inside) 0 access-list 111

crypto ipsec transform-set Lauralee esp-3des esp-md5-hmac

crypto map LLMAP 10 ipsec-isakmp

crypto map LLMAP 10 match address 111

crypto map LLMAP 10 set pfs

crypto map LLMAP 10 set peer 209.X.X.12

crypto map LLMAP 10 set transform-set Lauralee

crypto map LLMAP interface outside

isakmp enable outside

isakmp key CISCO address 209.X.X.12 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

Patrick0711 · ‎11-28-2011

The NAT exempt access-list is backwards on the ASA but that isn't preventing the tunnel from establishing.

Can you provide the entire Phase 2 negotiation output using 'debug crypto isak 254' on the ASA? It sounds like the crypto map entry is not being matched for a reason other than the Phase 2 SA/KE proposals.

You shouldn't need 'PFS enable' in the group policy...in fact, you really don't need to reference that group policy at all.

Dustin Harrig · ‎11-28-2011

I had been pinging from the pix and not getting a return. It seems the VPN is actually working once I plugged my laptop into the inside interface. I can rdp to the inside address of a server on the main site.

On the NAT exemption, maybe i'm reading it wrong.

access-list inside_nat0_outbound extended permit ip any 10.10.100.240 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

first one exempts any address going to 10.10.100.240/29 from being natted ... this the address pool of the remote access vpn

second exempts any address going to 192.168.1.0/24 from being natted ... this is the remote-site subnet for my site to site vpn

is that not correct?

Patrick0711 · ‎11-28-2011

My concern is that you've defined the remote network on the PIX as follows:

access-list 111 permit ip any 10.10.0.0 255.255.0.0

This leads me to believe that the network behind the ASA is 10.10.0.0/16. If this information is correct, the problem is that the remote network defined on the ASA falls within the internal subnet range:

access-list inside_nat0_outbound extended permit ip any 10.10.100.240 255.255.255.248

10.10.100.240/29 is a subset of 10.10.0.0/16 so IF your local network behind the ASA is indeed 10.10.0.0/16, traffic destined to 10.10.100.240/29 will never leave the firewall

Dustin Harrig · ‎11-28-2011

10.10.0.0/16 is interior of ASA

10.10.100.240 - 10.10.100.248 is remote access vpn client pool on ASA

192.168.1.0/24 is interior of PIX

remote access vpn users have had no problems in the past connecting to the main site to end points on the 10.10.0.0 network.