urgent help !! problem when ASA connect site-to-site with pix

yiuyuenyan · ‎08-19-2012

Hello, I've a question about Cisco ASA, last week I try to use ASA connect to pix but fail

local Site using ASA with static ip

the ASA is already acts as a remote access vpn server which accept outside peoples through ipsec connect local lan already

remote Site using pix with dynamic ip

is there any command line missing in the site-to-site configuration with pix & asa ?

here is the config file in ASA & Pix also, anyone can give some sugguestion is appreciate !

ASA:

ASA Version 8.3(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 3Wyb.JCq2csepdi encrypted
passwd 8KCQnbNPcI.6KROM encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group PCCW
ip address pppoe
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone HKST 8
dns server-group DefaultDNS
domain-name default.domain.invalid
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network rdp_3389
host 192.168.1.200
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.20.0_27
subnet 192.168.20.0 255.255.255.224
object network Main-Office
subnet 192.168.1.0 255.255.255.0
object network Branch-Office
subnet 192.168.33.0 255.255.255.0
object network Site-A-Subnet
subnet 192.168.1.0 255.255.255.0
object network Site-B-Subnet
subnet 192.168.33.0 255.255.255.0
object network Site-B-firewall
host 183.178.xx.xx
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.200 eq 3389
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any source-quench
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list VPNGROUP_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 obj
ect Site-B-Subnet
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool addresspool 192.168.20.10-192.168.20.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.20.0_27 NETWORK_OBJ_192.168.20.0_27
nat (inside,outside) source static Main-Office Main-Office destination static Branch-Office Branch-Office
nat (inside,outside) source static Site-A-Subnet Site-A-Subnet destination static Site-B-Subnet Site-B-Subnet
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Site-B-Subnet Site-B-Subnet
!
object network obj_any
nat (inside,outside) dynamic interface
object network rdp_3389
nat (inside,outside) static interface service tcp 3389 3389
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
http 119.247.xx.xx 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 183.178.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 600
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh 119.247.xx.xx 255.255.255.252 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
vpdn group PCCW request dialout pppoe
vpdn group PCCW localname maqaccount012
vpdn group PCCW ppp authentication pap
vpdn username mac1account1012@work password ******
dhcpd auto_config outside
!
dhcpd address 192.168.1.160-192.168.1.190 inside
dhcpd dns 203.198.23.208 218.102.32.208 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNGROUP internal
group-policy VPNGROUP attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNGROUP_splitTunnelAcl
username vpnclient password PekoINFEvjsdPsn encrypted privilege 0
username vpnclient attributes
vpn-group-policy VPNGROUP
tunnel-group VPNGROUP type remote-access
tunnel-group VPNGROUP general-attributes
address-pool addresspool
default-group-policy VPNGROUP
tunnel-group VPNGROUP ipsec-attributes
pre-shared-key *****
tunnel-group 183.178.xx.xx type ipsec-l2l
tunnel-group 183.178.xx.xx ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:50db8538c9b17e0fb49534de1a4ba935
: end

PIX:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password VDcS/JTrc3R5UuT/ encrypted

passwd 1KDQndNdI.2IOH encrypted

hostname pix506e

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

name 192.168.1.0 Site-A-Subnet

access-list acl_out permit icmp any any echo-reply

access-list acl_out permit icmp any any source-quench

access-list acl_out permit icmp any any unreachable

access-list acl_out permit icmp any any time-exceeded

access-list acl_out permit tcp 119.247.xxx.xx 255.255.255.252 host 183.178.xxx.xxx eq ftp

access-list inside_outbound_nat0_acl permit ip 192.168.33.0 255.255.255.0 Site-A-Subnet 255.255.255.0

access-list outside_cryptomap_20 permit ip 192.168.33.0 255.255.255.0 Site-A-Subnet 255.255.255.0

pager lines 24

interface ethernet0 10full

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 192.168.33.150 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.33.100 255.255.255.255 inside

pdm location Site-A-Subnet 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 183.178.xx.xx ftp 192.168.33.100 ftp netmask 255.255.255.255 0 0

access-group acl_out in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 119.247.xx.xx 255.255.255.252 outside

http 192.168.33.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set pfs group2

crypto map outside_map 20 set peer 218.103.118.xxx

crypto map outside_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5 ESP-DES-SHA

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 218.103.xx.xx netmask 255.255.255.255 no-xauth no-config-mode

isakmp keepalive 3600 10

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet 192.168.33.0 255.255.255.0 inside

telnet timeout 5

ssh 119.247.xx.xx 255.255.255.252 outside

ssh 192.168.33.0 255.255.255.0 inside

ssh timeout 5

dhcpd address 192.168.33.151-192.168.33.254 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

username pix506e password acgODpC4FIvCA9GD encrypted privilege 3

terminal width 80

Cryptochecksum:80af400964b431db9c1ab697c09a4beb

: end

Jennifer Halim · ‎08-19-2012

If PIX has dynamic IP, then only the PIX end should have static crypto map.

The following should be removed on the ASA end:

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 183.178.xx.xx

crypto map outside_map 1 set transform-set ESP-3DES-SHA

Also remove the following from the PIX end:

crypto map outside_map 20 set pfs group2

After the above, pls share where it's failing if it's still not working.

Share the output of :

show cry isa sa

show cry ipsec sa