cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5054
Views
0
Helpful
26
Replies

Site to Site VPN with ASA 5505 and PIX 501

jerryfreeman
Level 1
Level 1

I am set up a site-to-site vpn with an ASA 5505 at one end and a PIX 501 at the other.

I followed the section titled Configuring LAN-to-LAN IPsec VPNs from the Command Line Configuration Guide and added these line to the ASA config:

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 43200

isakmp enable outside

crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac

access-list l2l_list extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0

tunnel-group yyy.yyy.yyy.yyy type ipsec-l2l

tunnel-group yyy.yyy.yyy.yyy ipsec-attributes

pre-shared-key ****

crypto map CRYPTO_MAP 10 match address l2l_list

crypto map CRYPTO_MAP 10 set peer yyy.yyy.yyy.yyy

crypto map CRYPTO_MAP 10 set transform-set TRANSFORM_SET

crypto map CRYPTO_MAP interface outside

For the PIX I followed the example config in Richard Deal's book Cisco PIX Firewalls and added these lines to the PIX config:

access-list l2l_list permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

nat (inside) 0 access-list l2l_list

access-list IPSEC permit udp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx eq isakmp

access-list IPSEC permit ah host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx

access-list IPSEC permit esp host yyy.yyy.yyy.yyy host xxx.xxx.xxx.xxx

access-group IPSEC in interface outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 group 2

isakmp policy 10 hash sha

isakmp key **** address xxx.xxx.xxx.xxx

crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac

crypto map GHA_CRYPTO_MAP 10 ipsec-isakmp

crypto map GHA_CRYPTO_MAP 10 set peer xxx.xxx.xxx.xxx

crypto map GHA_CRYPTO_MAP 10 match address l2l_list

crypto map GHA_CRYPTO_MAP 10 set transform-set TRANSFORM_SET

crypto map GHA_CRYPTO_MAP interface outside

I have not been able to establish a connection between the two devices.  I just don't see what I am missing.  Maybe it is not even possible with these two devices.  The ASA has version is 7.2(4) and I believe the PIX is running version 6.3 (I will have to double check later).

Thanks for your help.

26 Replies 26

I don't think he needs dynamic-to-static because he has the peer explicitly defined, he'd just have to change it.... when the lease expires .  Can both the crypto map & nonat call upon the same list? I'm wondering if that might be an issue.

I don't think you want to be changing the VPN peer configuration everytime the lease expires ;-)
That's exactly the reason of being able to configure a static-to-dynamic VPN.

Both crypto ACL and nonat ACL can be called the same as long as you have a single tunnel.
When you have more than one tunnel, there has to be different ACLs.

Federico.

I agree, I'm just saying that there's no reason why it shouldn't work  the way it is (even though it doesn't make the most sense).  He can then also initiate traffic from both sides instead of just the dynamic.  It would be nice if you could define peer using dynamic dns.

I've removed both of those lines from the ASA and still cannot access anything on the other side.  I have talked to the ISP that the PIX is attached to and they say that incoming VPNs are not blocked.  When I do the debug cry is 127 and debug cry ip 127 now nothing shows up at all when I ping the other network.

Since PIX is the dynamic site, you would need to ping from the PIX LAN towards the ASA LAN. If you try to ping from ASA towards the PIX, it will not initiate the VPN tunnel as you can only initiate the tunnel from the dynamic end towards the static end.

Base on the output of the first debug you posted, it's waiting for Phase 1 message 2, but that was when ping was initiated from the ASA end, instead of PIX end. However, it's worth to double check if UDP/500 is being blocked on either the router in front of your PIX or ASA.

This is the output from the PIX when I try to ping the ASA.

PIX# sh cry isa sa

Total     : 1

Embryonic : 1

        dst                       src                       state                        pending     created

        xxx.xxx.xxx.xxx   yyy.yyy.yyy.yyy    MM_NO_STATE           0               0

PIX# sh cry ip sa

interface: outside

    Crypto map tag: CRYPTO_MAP, local addr. yyy,yyy,yyy,yyy

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)

   current_peer: xxx.xxx.xxx.xxx:0

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 91, #recv errors 0

     local crypto endpt.: yyy.yyy.yyy.yyy, remote crypto endpt.: xxx.xxx.xxx.xxx

     path mtu 1500, ipsec overhead 0, media mtu 1500

     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Did you try to ping from the PIX or from LAN behind the PIX?

If you tried to ping from the PIX, please try to ping as follows: ping inside 10.0.1.1

Also try to remove the static crypto map completely from the ASA as follows:

no crypto map CRYPTO_MAP 10 match address l2l_list

no crypto map  CRYPTO_MAP 10 set transform-set TRANSFORM_SET

no crypto dynamic-map DYN_MAP 10 match address l2l_list

I've removed those three lines from the ASA and then tried pinging the ASA from the PIX and these are the response I get.

PIX# ping inside 10.0.1.1

        10.0.1.1 NO response received -- 1000ms

        10.0.1.1 NO response received -- 1000ms

        10.0.1.1 NO response received -- 1000ms

PIX# ping outside 10.0.1.1

        10.0.1.1 response received -- 10ms

        10.0.1.1 response received -- 10ms

        10.0.1.1 response received -- 10ms

Not too sure how you are getting a response when ping is initiated from the outside interface of the PIX.

After you tried to ping from the PIX, is the tunnel up? what is the status of "show crypto isa sa" and "show crypto ipsec sa"?

PIX# sh cry isa sa

Total     : 1

Embryonic : 1

        dst                       src                       state                        pending     created

        xxx.xxx.xxx.xxx   yyy.yyy.yyy.yyy    MM_NO_STATE           0               0

PIX# sh cry ip sa

interface: outside

    Crypto map tag: CRYPTO_MAP, local addr. yyy,yyy,yyy,yyy

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)

   current_peer: xxx.xxx.xxx.xxx:0

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 91, #recv errors 0

     local crypto endpt.: yyy.yyy.yyy.yyy, remote crypto endpt.: xxx.xxx.xxx.xxx

     path mtu 1500, ipsec overhead 0, media mtu 1500

     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

I added isakmp enable outside to both devices and now I can ping and browse the systems on the 10.0.1.0 network from the PIX side.

I still don't receive a response when I try to ping the ASA which is 10.0.1.1, but when I ping the other address I get a response.  I cannot browse the computer's on the ASA side by name but I can get to them by their ip addresses.

OK, great, now the VPN tunnel is up and running.

To ping the ASA inside interface, you would need to add "management-access inside" on the ASA.

If you can't browse the computer by name on the ASA side from the PIX side, you would need to configure either the ASA side DNS or WINS server on the PIX hosts so it can resolve the name.