Site to Site VPN issues between PIX506 and ASA5505

Unanswered Question
Aug 27th, 2007

Hello all, I have a PIX506 running 635, and an ASA5505 running 722. The PIX is at corporate and is setup for remote vpn access. The remote user VPN is working. I have also attempted to do a site to site vpn to the ASA, but its not working correctly. I feel like I am missing something, but I can't figure it out. Your help would be greatly appreciated. Sanitized relevant config is below

Corporate

PIX Version 6.3(5)

access-list split_tunnel permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0

access-list nonat permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0

access-list nonat permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0

access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0

ip address outside xxx.yyy.170.160 255.255.255.0

ip address inside 192.168.119.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA

crypto map mymap 20 ipsec-isakmp

crypto map mymap 20 match address outside_cryptomap_20

crypto map mymap 20 set pfs group2

crypto map mymap 20 set peer aaa.bbb.175.218

crypto map mymap 20 set transform-set ESP-3DES-SHA

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

crypto map mymap client authentication w2k3

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address aaa.bbb.175.218 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp keepalive 10

isakmp nat-traversal 10

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption aes-256

isakmp policy 30 hash sha

isakmp policy 30 group 5

isakmp policy 30 lifetime 86400

vpngroup vpners address-pool ippool

vpngroup vpners dns-server 192.168.119.11

vpngroup vpners default-domain mydomain.local

vpngroup vpners split-tunnel split_tunnel

vpngroup vpners idle-time 1800

vpngroup vpners password ********

Remote Site

ASA Version 7.2(2)

interface Vlan1

nameif inside

security-level 100

ip address 172.16.2.1 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address aaa.bbb.175.218 255.255.128.0

access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer xxx.yyy.170.160

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

tunnel-group xxx.yyy.170.160 type ipsec-l2l

tunnel-group xxx.yyy.170.160 ipsec-attributes

pre-shared-key *

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
joneschw1 Mon, 08/27/2007 - 07:13

I just figured it out. I did not issue the sysopt connection permit-ipsec on the ASA5505. Issuing that command made it work.

Actions

This Discussion