
Two VPN L2L tunnels between one Cisco ASA 5520 and one PIX 515E

jhanington
Level 1

Hello, I am trying to set up a VPN tunnel between a PIX and an ASA. I went through the IPsec Site-to-Site wizard using the same settings, but I cannot ping hosts from either side.

Here is the setup

ASA 5520

Device Manager 6.4(5)106

Software version 8.0(5)

Inside network 10.0.0.0/24

Inside IP 10.0.0.1

Outside Network 50.50.50.50/27 <- not real

Outside IP 50.50.50.60

PIX 515E

Device Manager 6.1(3)

Software version 8.0(4)

Inside Network 10.10.1.0/24

Inside IP 10.10.1.1

Outside Network IP 20.20.20.20/30

Outside IP 20.20.20.22

Errors when pinging a device from the ASA side to the PIX side

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

Group = 50.50.50.60, IP = 50.50.50.60, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

Group = 50.50.50.60, IP = 50.50.50.60, Freeing previously allocated memory for authorization-dn-attributes

AAA retrieved default group policy (DfltGrpPolicy) for user = 50.50.50.60

Group = 50.50.50.60, IP = 50.50.50.60, PHASE 1 COMPLETED

Group = 50.50.50.60, IP = 50.50.50.60, All IPSec SA proposals found unacceptable!

Group = 50.50.50.60, IP = 50.50.50.60, QM FSM error (P2 struct &0x5f47f78, mess id 0x958e0171)!

Group = 50.50.50.60, IP = 50.50.50.60, Removing peer from correlator table failed, no match!

Group = 50.50.50.60, Username = 50.50.50.60, IP = Data-Center-Firewall, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

IP = 50.50.50.60, Received encrypted packet with no matching SA, dropping

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

Errors when trying to ping from the PIX side to the ASA side

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

Group = 20.20.20.22, IP = 20.20.20.22, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

Group = 20.20.20.22, IP = 20.20.20.22, PHASE 1 COMPLETED

Group = 20.20.20.22, IP = 20.20.20.22, All IPSec SA proposals found unacceptable!

Group = 20.20.20.22, IP = 20.20.20.22, Removing peer from correlator table failed, no match!

Group = 20.20.20.22, IP = 20.20.20.22, Session is being torn down. Reason: Phase 2 Mismatch

Group = 20.20.20.22, Username = 20.20.20.22, IP = 20.20.20.22, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

Group = 20.20.20.22, IP = 20.20.20.22, QM FSM error (P2 struct &0x6c2227f8, mess id 0x9fc7f3e8)!

-----------------------------------------------------------------------------------------------------------------------------------------------------------------


--------------------------------------------------------------------ASA Config-------------------------------------------------

ASA Version 8.0(5)

!

hostname FW-Cluster-PRI

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 50.50.50.50 255.255.255.224 standby 50.50.50.58

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0 standby 10.0.0.254

!

interface GigabitEthernet0/2

shutdown

nameif SAN

security-level 100

ip address 10.0.1.254 255.255.255.0

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa805-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list ciscoclient extended permit ip 10.0.0.0 255.0.0.0 any

access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.0.1.0 255.255.255.0

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0

access-list nonat extended permit ip 10.0.0.0 255.255.255.0 Plainsboro-Network 255.255.255.0

access-list outside_access_out extended permit ip any any

access-list inside_access_in extended permit ip any any

access-list SAN_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 Plainsboro-Network 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 Plainsboro-Network 255.255.255.0

pager lines 24

logging enable

logging trap informational

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu SAN 1500

mtu management 1500

ip local pool vpnpool 10.0.5.1-10.0.5.254 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface failover GigabitEthernet0/3

failover key *****

failover link failover GigabitEthernet0/3

failover interface ip failover 172.16.1.1 255.255.255.0 standby 172.16.1.2

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-645-106.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 50.50.50.60

global (SAN) 2 10.0.1.80

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

nat (SAN) 0 access-list SAN_nat0_outbound

access-group PERMIT_IN in interface outside

route outside 0.0.0.0 0.0.0.0 50.50.50.51 1

route SAN 10.0.1.0 255.255.255.0 10.0.1.254 1

route inside 10.0.5.0 255.255.255.0 10.0.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.0.0.0 255.255.255.0 inside

http 10.0.5.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

snmp-server host inside 10.0.0.58 community ***** version 2c

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 20.20.20.22

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity hostname

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 15

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 30

crypto isakmp ipsec-over-tcp port 10000

telnet 10.0.0.0 255.255.255.0 inside

telnet 10.0.5.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

enable outside

group-policy DfltGrpPolicy attributes

vpn-simultaneous-logins 20

vpn-tunnel-protocol IPSec webvpn

ipsec-udp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ciscoclient

group-policy ciscoclient internal

group-policy ciscoclient attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ciscoclient

group-policy company internal

group-policy company attributes

webvpn

  url-list none

group-policy Any_Connect internal

username ciscoclient password coTI6gSGn5q3a/o6 encrypted privilege 0

username ciscoclient attributes

vpn-group-policy ciscoclient

username company password IaSFI7hfb4wuYvop encrypted privilege 0

username company attributes

vpn-group-policy Any_Connect

tunnel-group ciscoclient type remote-access

tunnel-group ciscoclient general-attributes

address-pool vpnpool

default-group-policy ciscoclient

tunnel-group ciscoclient ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

tunnel-group 20.20.20.22 type ipsec-l2l

tunnel-group 20.20.20.22 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

smtp-server 10.0.0.5

prompt hostname context

Cryptochecksum:dd98f79781d82d2dd637542e04f32af6

: end

---------------------------------------End of ASA Config-----------------------------------------

----------------------------------PIX Config----------------------------------------------------

Result of the command: "show running-config"

: Saved

:

PIX Version 8.0(4)

!

name 50.50.50.60 Data-Center-Firewall

name 10.0.0.0 Data-Center-Subnet

dns-guard

!

interface Ethernet0

speed 100

duplex full

nameif inside

security-level 100

ip address 10.10.1.1 255.255.255.0 standby 10.10.1.254

!

interface Ethernet1

speed 100

duplex full

nameif outside

security-level 0

ip address 20.20.20.22 255.255.255.252

!

interface Ethernet2

description LAN/STATE Failover Interface

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service http8080 tcp

description http8080

port-object eq 8080

object-group service DM_INLINE_TCP_1 tcp

port-object range 50000 50100

port-object eq 990

port-object eq ftp

port-object eq ftp-data

access-list allow_ping extended permit icmp any any echo-reply

access-list allow_ping extended permit icmp any any source-quench

access-list allow_ping extended permit icmp any any unreachable

access-list allow_ping extended permit icmp any any time-exceeded

access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 20.20.20.20 255.255.255.252

access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list acl-out extended permit tcp any interface outside eq 8000

access-list acl-out extended permit icmp any any

access-list acl-out extended permit tcp any 20.20.20.20 255.255.255.252 eq ftp

access-list acl-out extended permit tcp any any eq ftp

access-list inside_access_in extended permit ip any any

access-list outside_access_in remark ip, tcp/990, tcp/ftp, tcp/ftp-data

access-list outside_access_in extended permit icmp host Data-Center-Firewall host 20.20.20.22

access-list outside_1_cryptomap extended permit ip 10.10.1.0 255.255.255.0 Data-Center-Subnet 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.10.1.0 255.255.255.0 Data-Center-Subnet 255.255.255.0

access-list VPN_NAT extended permit ip 10.0.0.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list ACL-VPN extended permit ip 10.10.1.0 255.255.255.0 10.0.0.0 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image flash:/asdm-613.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list ACL-VPN

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 20.20.20.21 1

route inside 10.10.0.0 255.255.255.0 10.10.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.10.1.0 255.255.255.0 inside

http 10.10.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer Data-Center-Firewall

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer Data-Center-Firewall

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 2 set security-association lifetime seconds 28800

crypto map outside_map 2 set security-association lifetime kilobytes 4608000

crypto map MAP-VPN 1 match address ACL-VPN

crypto map MAP-VPN 1 set pfs

crypto map MAP-VPN 1 set peer Data-Center-Firewall

crypto map MAP-VPN 1 set transform-set ESP-AES-128-SHA

crypto map MAP-VPN 1 set security-association lifetime seconds 28800

crypto map MAP-VPN 1 set security-association lifetime kilobytes 4608000

crypto map MAP-VPN interface outside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 10.10.1.0 255.255.255.0 inside

telnet 10.10.0.0 255.255.255.0 inside

telnet timeout 5

ssh 10.10.0.0 255.255.255.0 inside

ssh 10.10.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group 50.50.50.60 type ipsec-l2l

tunnel-group 50.50.50.60 ipsec-attributes

pre-shared-key *

!

class-map class_ftp

match port tcp eq ftp-data

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

class class_ftp

  inspect ftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:1ae7f7823d9010dc41909088221c637f

: end

----------------------------------------------------End of PIX Config-------------------------------------

Please advise!!! Thanks!

3 Replies

Jennifer Halim
Cisco Employee

Your phase 2 policy does not match. PIX has AES and ASA is configured with 3DES.

Please change the PIX config as follows:

no crypto map MAP-VPN 1 set transform-set ESP-AES-128-SHA

crypto map MAP-VPN 1 set transform-set ESP-3DES-SHA
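A check for the mismatch Jennifer points to, as an added example that is not part of the original thread and not a Cisco tool: it parses the crypto sections of the two configurations posted above (trimmed excerpts are embedded below as constructed sample input, with the labels "ASA" and "PIX" assumed) and reports Phase 2 parameters the two peers cannot agree on. It also flags crypto maps that are defined but never applied to an interface (the PIX's outside_map does carry ESP-3DES-SHA, but only MAP-VPN is bound to the outside interface, so IKE never sees it) and checks that the two proxy ACLs mirror each other; the alias Plainsboro-Network has no name line in the posted ASA config, so that last check reports it as unverified rather than guessing its value.

```python
"""Cross-check IKEv1 Phase 2 (IPsec SA) parameters between the crypto maps of
two Cisco ASA/PIX configurations and explain a 'Phase 2 Mismatch'.
Added example for this thread, not code from the original post or from Cisco.
ASA_EXCERPT / PIX_EXCERPT are trimmed, constructed copies of the crypto lines
posted above; 'Plainsboro-Network' has no 'name' line in the posted ASA config
and is deliberately left unresolved."""

ASA_EXCERPT = """\
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 Plainsboro-Network 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

PIX_EXCERPT = """\
name 50.50.50.60 Data-Center-Firewall
name 10.0.0.0 Data-Center-Subnet
access-list outside_1_cryptomap extended permit ip 10.10.1.0 255.255.255.0 Data-Center-Subnet 255.255.255.0
access-list ACL-VPN extended permit ip 10.10.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map MAP-VPN 1 match address ACL-VPN
crypto map MAP-VPN 1 set pfs
crypto map MAP-VPN 1 set transform-set ESP-AES-128-SHA
crypto map MAP-VPN interface outside
"""


def parse_crypto(text):
    """Collect name aliases, transform-sets, 'permit ip' ACL entries, crypto map
    entries and interface bindings; every other config line is ignored."""
    cfg = {"names": {}, "tsets": {}, "acls": {}, "maps": {}, "bound": {}}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name":                                   # name <ip> <alias>
            cfg["names"][p[2]] = p[1]
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:  # ... NAME esp-x esp-y-hmac
            cfg["tsets"][p[3]] = frozenset(p[4:])
        elif p[0] == "access-list" and "permit" in p:        # ... permit ip S SM D DM
            i = p.index("permit")
            if p[i + 1] == "ip" and len(p) >= i + 6:
                ent = tuple(cfg["names"].get(t, t) for t in p[i + 2:i + 6])
                cfg["acls"].setdefault(p[1], []).append(ent)
        elif p[:2] == ["crypto", "map"]:
            if p[3] == "interface":                          # crypto map NAME interface IF
                cfg["bound"][p[4]] = p[2]
                continue
            e = cfg["maps"].setdefault((p[2], int(p[3])),
                                       {"pfs": None, "tsets": [], "acl": None})
            a = p[4:]
            if a[:2] == ["match", "address"]:
                e["acl"] = a[2]
            elif a[:2] == ["set", "pfs"]:
                e["pfs"] = a[2] if len(a) > 2 else "group2"  # bare 'set pfs' = group2
            elif a[:2] == ["set", "transform-set"]:
                e["tsets"] = a[2:]
    return cfg


def bound_entries(cfg, iface="outside"):
    """Only the map applied with 'crypto map NAME interface IFACE' takes part in
    IKE; return its entries plus the names of maps that are defined but inert."""
    name = cfg["bound"].get(iface)
    live = sorted(((s, e) for (m, s), e in cfg["maps"].items() if m == name),
                  key=lambda t: t[0])
    inert = sorted({m for (m, _) in cfg["maps"] if m != name})
    return name, live, inert


def phase2_findings(text_a, text_b, label_a="ASA", label_b="PIX"):
    """Compare the first static entry of each side's bound crypto map. Findings
    starting 'PHASE2 MISMATCH' are what makes the responder log
    'All IPSec SA proposals found unacceptable!'."""
    out, sides = [], []
    for label, text in ((label_a, text_a), (label_b, text_b)):
        cfg = parse_crypto(text)
        name, live, inert = bound_entries(cfg)
        for m in inert:
            out.append(f"INFO: {label}: crypto map {m} is defined but not applied "
                       "to an interface, so IKE never consults it")
        static = [(s, e) for s, e in live if e["tsets"]]
        if not static:
            out.append(f"PHASE2 MISMATCH: {label}: no static crypto map entry on outside")
            return out
        seq, e = static[0]
        algs = {cfg["tsets"][t] for t in e["tsets"] if t in cfg["tsets"]}
        sides.append((label, f"{name} {seq}", e, algs, cfg["acls"].get(e["acl"], [])))
    (la, ma, ea, algs_a, px_a), (lb, mb, eb, algs_b, px_b) = sides
    if not algs_a & algs_b:                 # ESP cipher + integrity must agree
        out.append(f"PHASE2 MISMATCH: no common transform-set: {la} {ma} offers "
                   f"{[sorted(x) for x in algs_a]}, {lb} {mb} offers {[sorted(x) for x in algs_b]}")
    if ea["pfs"] != eb["pfs"]:              # a side with PFS set requires it from the peer
        out.append(f"PHASE2 MISMATCH: PFS differs: {la}={ea['pfs']}, {lb}={eb['pfs']}")
    # Proxy identities must be mirror images: A's (src, dst) == B's (dst, src).
    mirror_b = {(d, dm, s, sm) for (s, sm, d, dm) in px_b}
    if set(px_a) != mirror_b:
        unresolved = sorted({t for ent in px_a + px_b for t in ent if not t[0].isdigit()})
        tag = "UNVERIFIED" if unresolved else "PHASE2 MISMATCH"
        out.append(f"{tag}: proxy ACLs are not mirror images: {la} {px_a} vs {lb} {px_b}"
                   + (f" (unresolved aliases: {unresolved})" if unresolved else ""))
    return out


if __name__ == "__main__":
    for line in phase2_findings(ASA_EXCERPT, PIX_EXCERPT):
        print(line)
```

Run as-is it prints the INFO line about the PIX's unapplied outside_map, the transform-set mismatch (ASA offers 3DES/SHA, the bound PIX entry offers AES-128/SHA) and the unverified proxy-ACL line; swap the MAP-VPN transform set for ESP-3DES-SHA as in the reply above and the mismatch line disappears. On the boxes themselves the same facts come from `show run crypto map` on both ends and from `debug crypto ipsec 127` on whichever side is the responder, which is where "All IPSec SA proposals found unacceptable!" is logged.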

OK, I tried that and it worked, sort of. I can ping devices on the PIX side going to the ASA, but not from the ASA going to the PIX. Any ideas?

Add the following on the PIX:

policy-map global_policy

  class inspection_default

     inspect icmp
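What the `inspect icmp` line changes, as an added simplified model that is not code from the thread or from Cisco. The interfaces, ACL entries and ping packets are constructed sample data; the only inbound ICMP permit on the outside interface is the one the posted PIX config has (icmp from Data-Center-Firewall to 20.20.20.22), and the hosts 10.10.1.10 and 10.0.0.10 are assumed. Without ICMP inspection the firewall treats echo and echo-reply as unrelated packets, so the reply is judged by the ACL of the interface it arrives on; with inspection an echo request opens a session and the reply is admitted because it matches that session.

```python
"""Simplified model of what 'inspect icmp' changes on an ASA/PIX.

Added example, not code from the thread or from Cisco. Without ICMP inspection
the firewall treats echo and echo-reply as unrelated packets, so the reply is
judged by the ACL of the interface it arrives on. With inspection an echo
request opens a session, a reply is admitted only if it matches an outstanding
request (addresses swapped, same identifier and sequence) and each request
admits exactly one reply. Interfaces, ACLs and packets are constructed data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str        # ingress interface
    src: str
    dst: str
    icmp_type: int    # 8 = echo request, 0 = echo reply
    ident: int
    seq: int


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: str                         # CIDR
    dst: str                         # CIDR
    icmp_type: Optional[int] = None  # None = any ICMP type


def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for e in acl:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(e.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(e.dst)
                and e.icmp_type in (None, pkt.icmp_type)):
            return e.action == "permit"
    return False


class Firewall:
    def __init__(self, security, acls, inspect_icmp):
        self.security = security      # interface -> security-level
        self.acls = acls              # interface -> inbound ACL (list of AclEntry)
        self.inspect_icmp = inspect_icmp
        self.sessions = set()         # (src, dst, ident, seq) of outstanding echo requests

    def _acl_ok(self, pkt, egress):
        if pkt.iface in self.acls:
            return acl_permits(self.acls[pkt.iface], pkt)
        # No ACL on the ingress interface: high-to-low passes, low-to-high does not.
        return self.security[pkt.iface] > self.security[egress]

    def process(self, pkt, egress):
        """Return (verdict, reason) for one packet and update the session table."""
        if self.inspect_icmp and pkt.icmp_type == 0:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # a reply mirrors its request
            if key in self.sessions:
                self.sessions.discard(key)                 # one reply per request
                return "allow", "matches an outstanding echo request"
            return "drop", "echo-reply with no matching session"
        if not self._acl_ok(pkt, egress):
            return "drop", f"denied by ACL on {pkt.iface}"
        if self.inspect_icmp and pkt.icmp_type == 8:
            self.sessions.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
        return "allow", "permitted"


def ping_scenario(inspect_icmp):
    """Inside host 10.10.1.10 pings 10.0.0.10 through a PIX-like box whose outside
    ACL only permits ICMP from 50.50.50.60 to 20.20.20.22 (as in the posted config)."""
    fw = Firewall(
        security={"inside": 100, "outside": 0},
        acls={"inside": [AclEntry("permit", "0.0.0.0/0", "0.0.0.0/0")],
              "outside": [AclEntry("permit", "50.50.50.60/32", "20.20.20.22/32")]},
        inspect_icmp=inspect_icmp)
    flow = [
        ("echo request", Packet("inside", "10.10.1.10", "10.0.0.10", 8, 0x1234, 1), "outside"),
        ("echo reply", Packet("outside", "10.0.0.10", "10.10.1.10", 0, 0x1234, 1), "inside"),
        ("duplicate reply", Packet("outside", "10.0.0.10", "10.10.1.10", 0, 0x1234, 1), "inside"),
        ("unsolicited reply", Packet("outside", "10.0.0.10", "10.10.1.10", 0, 0x9999, 7), "inside"),
    ]
    return {name: fw.process(pkt, egress) for name, pkt, egress in flow}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"inspect icmp = {mode}")
        for name, (verdict, why) in ping_scenario(mode).items():
            print(f"  {name:18} {verdict:5} ({why})")
```

With inspection off the echo request leaves, but the reply is dropped on the outside interface because nothing in that ACL permits it; with inspection on the reply is admitted as part of the session, while a second reply to the same request and a reply nobody asked for are both dropped, which is the property that makes ICMP inspection worth having even where the ACL alone would let replies through. One caveat for the boxes in this thread: with `sysopt connection permit-vpn` (the default) decrypted tunnel traffic is exempt from interface ACLs, so for packets arriving through the L2L tunnel only the session-matching half of this model applies.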
