Cisco 2811 ISR behind Cisco PIX 515

Unanswered Question
Jun 24th, 2009

Hello Experts,


I was trying to build a site-to-site VPN between two locations using Cisco 2811 ISR routers. At site A the 2811 router is behind a Cisco ASA with version 7.2, and at site B the Cisco 2811 router is behind a Cisco PIX 515 with version 6.3. The tunnel does not seem to come up; all the VPN configurations are fine, but the tunnel fails in Phase 2.


With the same configuration, the tunnel is working fine between Site A and Site C, where both Cisco 2811 ISR routers are behind Cisco ASA 5510s with version 7.2.


On the Cisco ASA 5510 and Cisco PIX 515 we have only done a static NAT and permitted inbound and outbound IP traffic for the head-end IP addresses.


Are there any compatibility issues between Cisco ISR routers and the Cisco PIX 515 with version 6.3?


Thanks

Arabinda

arabindas Thu, 06/25/2009 - 02:24

Hello Andrew,


Thank you for your response.


I have allowed IP traffic both inbound and outbound on the firewalls at both sites. With this configuration the tunnel between Site A and Site C is working fine, but not between Site A and Site B or Site C and Site B. The only difference is that Site B has a Cisco PIX 515 with version 6.3 and the other two sites have an ASA 5510 with version 7.2.


So I was wondering whether the PIX requires any additional configuration, or whether the PIX and ISR routers are not compatible.


Thanks

Arabinda

Arabinda,


If you have an ACL that allows "IP" through, this also permits TCP/UDP. Phase 1 of a VPN tunnel is ISAKMP, typically UDP port 500, so this will work.


ESP, which is Phase 2 of the VPN, uses protocol number 50, so you also need to add to the ACL a permit for protocol 50 (ESP).


Once you have done this, Phase 2 will complete, as long as all config matches.


HTH

arabindas Thu, 06/25/2009 - 02:59

Hello Andrew,


Thank you for your suggestion.


I tried that. I added another ACL entry allowing ESP both inbound and outbound on both firewalls; it still does not work.


Attached is a log file; hopefully it throws some light on what the issue is.


Thanks

Arabinda

arabindas Thu, 06/25/2009 - 07:10

Hello Andrew,


Here is the ACL which is applied on the PIX where the static NAT is done.


access-list outside-acl extended permit ip host 12.x.x.x host 12.x.x.x
access-list outside-acl extended permit esp host 12.x.x.x host 12.x.x.x
access-group outside-acl in interface outside

access-list inside-acl extended permit ip host 10.x.x.x any
access-list inside-acl extended permit esp host 10.x.x.x any
access-group inside-acl in interface inside

static (inside,outside) 12.x.x.x 10.x.x.x mask 255.255.255.255


The config on the ASA box on the other side is similar.


Thanks

Arabinda

Change to:-


access-list outside-acl extended permit udp host 12.x.x.x host 12.x.x.x eq 500
access-list outside-acl extended permit udp host 12.x.x.x host 12.x.x.x eq 4500
access-list outside-acl extended permit esp host 12.x.x.x host 12.x.x.x


There is no need for the entries on the inside-acl, they should be removed.

arabindas Thu, 06/25/2009 - 07:17

Okay, thank you Andrew, let me try it out.


Does this ACL only apply to the PIX 515? With the ACL mentioned earlier I have the VPN working perfectly between two sites; the difference is that there we have an ASA 5510 as the NAT device.


Thanks

Arabinda

cisco24x7 Thu, 06/25/2009 - 07:23

Andrew,


I have to disagree with you on this. Arabindas has this in the ACL:


access-list outside-acl extended permit ip host 12.x.x.x host 12.x.x.x


That should cover everything, including udp/500, udp-4500 and ESP, right?


Why does he have to modify the ACL? One other thing: you should put "log" at the end of the ACL entry so that you can see whether it is permitted or denied on the syslog server or in the logging buffer.
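An added example, not from this thread or from any of the posters, that makes the point of Andrew's and cisco24x7's replies checkable: a small Python evaluator for ASA/PIX-style access-list entries that tests whether the three flows a site-to-site IPsec peer needs through a firewall (ISAKMP on UDP/500, NAT-T on UDP/4500 once a NAT is detected, and ESP, IP protocol 50) are permitted. The ACL name and the peer addresses are constructed from documentation ranges, not the 12.x.x.x values in the thread. It shows that Andrew's three specific entries permit all three flows, that a single "permit ip" entry (cisco24x7's point) already matches all of them, and which flows an ACL that only opens UDP/500 leaves blocked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Flows a site-to-site IPsec peer needs through a firewall: ISAKMP on UDP/500,
# NAT-T on UDP/4500 (used once a NAT between the peers is detected), and ESP (IP protocol 50).
IPSEC_FLOWS = (("ISAKMP", "udp", 500), ("NAT-T", "udp", 4500), ("ESP", "esp", None))

# Protocol keywords and numbers the parser normalises to one name.
_PROTO = {"ip": "ip", "udp": "udp", "17": "udp", "tcp": "tcp", "6": "tcp", "esp": "esp", "50": "esp"}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # normalised protocol name
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # only set for "eq PORT" entries
    log: bool


def parse_ace(line: str):
    """Parse one 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT] [log]' line.
    Returns (acl_name, Ace), or None for lines that are not ACL entries (e.g. access-group)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        return None
    name, i = tok[1], 2
    if tok[i] == "extended":
        i += 1
    action, proto = tok[i], _PROTO.get(tok[i + 1].lower(), tok[i + 1].lower())
    i += 2

    def take_addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[i] == "host":
            i += 2
            return ipaddress.ip_network(tok[i - 1] + "/32")
        net, mask = tok[i], tok[i + 1]      # "network mask" form
        i += 2
        return ipaddress.ip_network(f"{net}/{mask}")

    src, dst = take_addr(), take_addr()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = int(tok[i + 1])
        i += 2
    return name, Ace(action, proto, src, dst, dport, "log" in tok[i:])


def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):   # 'ip' matches every IP protocol, ESP included
            continue
        if s in ace.src and d in ace.dst and ace.dport in (None, dport):
            return ace.action
    return "deny (implicit)"


def check_ipsec(config_lines, acl_name, src, dst):
    """Return {flow name: verdict} for the three IPsec flows from src to dst."""
    acl = []
    for line in config_lines:
        parsed = parse_ace(line)
        if parsed and parsed[0] == acl_name:
            acl.append(parsed[1])
    return {name: evaluate(acl, proto, src, dst, port) for name, proto, port in IPSEC_FLOWS}


def missing_flows(config_lines, acl_name, src, dst):
    """Names of the IPsec flows the ACL does not permit."""
    return [n for n, v in check_ipsec(config_lines, acl_name, src, dst).items() if v != "permit"]


# Constructed sample values (documentation ranges): REMOTE is the far-end peer,
# LOCAL is the static-NAT (global) address the firewall presents for the ISR behind it.
REMOTE, LOCAL = "198.51.100.20", "192.0.2.10"

# Andrew's recommended outside ACL, with the constructed addresses.
SPECIFIC = [
    f"access-list outside-acl extended permit udp host {REMOTE} host {LOCAL} eq 500",
    f"access-list outside-acl extended permit udp host {REMOTE} host {LOCAL} eq 4500",
    f"access-list outside-acl extended permit esp host {REMOTE} host {LOCAL}",
    "access-group outside-acl in interface outside",
]
# The blanket entry from the thread: one 'permit ip' matches every IP protocol,
# so it already covers UDP/500, UDP/4500 and ESP.
BLANKET = [f"access-list outside-acl extended permit ip host {REMOTE} host {LOCAL} log"]
# A common gap: ISAKMP opened, NAT-T and ESP forgotten.
ONLY_500 = [f"access-list outside-acl extended permit udp host {REMOTE} host {LOCAL} eq 500"]

if __name__ == "__main__":
    for label, cfg in (("specific", SPECIFIC), ("blanket", BLANKET), ("only-500", ONLY_500)):
        print(label, check_ipsec(cfg, "outside-acl", REMOTE, LOCAL))
```

The evaluator only models what an ACL can decide. When every flow comes back "permit" and the tunnel still stalls, the drop is happening somewhere the ACL does not control (the NAT entry, the inspection engine, or the box's code), which is why the "log" keyword on the entry is the right next step: a logged permit proves the packet reached and passed the ACL.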

arabindas Thu, 06/25/2009 - 07:26

Andrew, even after I modified the ACL as recommended, still no luck. I also guess that allowing IP should take care of both UDP and TCP.


Thanks

Arabinda


dst              src              state          conn-id  slot  status
12.x.x.x         10.x.x.x         MM_NO_STATE    0        0     ACTIVE

cisco24x7 Thu, 06/25/2009 - 07:33

"I have had issues in the past where a blanket layer 3 IP ACL just does not allow traffic through."


Are you telling me that if you have "permit ip any any log" in the ACL, it still may not work unless you have a more specific layer 4 config? That's the first time I have heard of this.

arabindas Thu, 06/25/2009 - 07:50

Hello,


Just now I captured the logs from both the ISR routers simultaneously.


Site A refers to the logs from the ISR router behind the ASA, and Site C refers to the ISR router behind the Cisco PIX 515.


Thanks

Arabinda

cisco24x7 Thu, 06/25/2009 - 08:51

"Yes - I have had that issue on PIX506E, 515 & 515E running 6.3.x & 7.0.x code in the past."


Do you have the exact version of 6.3.x and 7.0.x that you had issues with? Thanks.



arabindas Thu, 06/25/2009 - 20:32

Hello,


Sorry, since I work in the India time zone it was quite late yesterday and I could not respond.


I have allowed IP traffic, so now I do not know what is blocking on the PIX side. Also, the version of the code on the PIX is 6.3(3)132.


Thanks

Arabinda

cisco24x7 Fri, 06/26/2009 - 03:56

I tried a couple of versions, 6.3.4 and 6.3.5, and a couple of 7.x releases, with the exact scenario the user posted and with "permit ip any any log", and it works fine without any issues. If it does not work with "permit ip any any log" then it must be either a) a bug or b) a misconfigured firewall.

arabindas Fri, 06/26/2009 - 04:11

Hello Andrew,


Here is the configuration on the ISR routers.

Site A
---------

crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key ******* address 12.x.x.x

crypto ipsec transform-set aesset esp-aes esp-sha-hmac
!
crypto map aesmap 172 ipsec-isakmp
set peer 12.x.x.x
set transform-set aesset
match address c-vpn-acl

ip access-list extended c-vpn-acl
permit ip host 10.x.x.x host 10.x.x.x

ip route 12.x.x.x 255.255.255.255 10.x.x.x
ip route 10.x.x.x 255.255.255.0 10.x.x.x

Site C
---------

crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key ******** address 12.x.x.x

crypto ipsec transform-set aesset esp-aes esp-sha-hmac
!
crypto map aesmap 173 ipsec-isakmp
set peer 12.x.x.x
set transform-set aesset
match address a-vpn-acl

ip access-list extended a-vpn-acl
permit ip host 10.x.x.x host 10.x.x.x

ip route 10.x.x.x 255.255.255.0 10.x.x.x
ip route 12.x.x.x 255.255.255.255 10.x.x.x


Thanks

Arabinda
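An added example, not from this thread or from any of the posters, for the "as long as all config matches" condition in Andrew's reply: a Python script that parses the two ISR crypto configurations above (ISAKMP policy, transform set, crypto map peer, pre-shared key binding and crypto ACL) and lists every mismatch that would stall negotiation. The addresses are constructed from documentation ranges: Site A's ISR is assumed to be 10.1.1.2 behind the global address 192.0.2.10, Site C's ISR 10.3.3.2 behind 198.51.100.20, and the pre-shared key is a placeholder. The crypto ACL parser handles only the "permit ip host X host Y" form the poster uses.

```python
import re

# Constructed addresses: private ISR addresses and the static-NAT (global) addresses
# the firewalls present for them. The far side must peer with the global address.
A_PRIVATE, A_GLOBAL = "10.1.1.2", "192.0.2.10"
C_PRIVATE, C_GLOBAL = "10.3.3.2", "198.51.100.20"

SITE_A = f"""
crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key EXAMPLE-KEY address {C_GLOBAL}
!
crypto ipsec transform-set aesset esp-aes esp-sha-hmac
!
crypto map aesmap 172 ipsec-isakmp
 set peer {C_GLOBAL}
 set transform-set aesset
 match address c-vpn-acl
!
ip access-list extended c-vpn-acl
 permit ip host {A_PRIVATE} host {C_PRIVATE}
"""

SITE_C_GOOD = f"""
crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp key EXAMPLE-KEY address {A_GLOBAL}
!
crypto ipsec transform-set aesset esp-aes esp-sha-hmac
!
crypto map aesmap 173 ipsec-isakmp
 set peer {A_GLOBAL}
 set transform-set aesset
 match address a-vpn-acl
!
ip access-list extended a-vpn-acl
 permit ip host {C_PRIVATE} host {A_PRIVATE}
"""

# A deliberately broken Site C: peers with Site A's private address instead of its
# global one, and its crypto ACL no longer mirrors Site A's.
SITE_C_BAD = SITE_C_GOOD.replace(f"host {A_PRIVATE}", "host 10.1.1.3").replace(A_GLOBAL, A_PRIVATE)


def parse_ios_crypto(text):
    """Extract the parts of an IOS site-to-site IPsec config that must agree between peers.
    Sub-commands are the indented lines under 'crypto isakmp policy', 'crypto map' and
    'ip access-list extended' blocks, as IOS prints them."""
    cfg = {"isakmp": {}, "transform": {}, "peer": None, "map_transform": None,
           "acl_name": None, "acls": {}, "key_peer": None}
    kind = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        tok = line.split()
        if not raw.startswith(" "):                 # top-level command starts or ends a block
            kind = section = None
            if line.startswith("crypto isakmp policy"):
                kind = "isakmp"
            elif line.startswith("crypto ipsec transform-set"):
                cfg["transform"][tok[3]] = tuple(tok[4:])
            elif line.startswith("crypto map") and tok[-1] == "ipsec-isakmp":
                kind = "map"
            elif line.startswith("ip access-list extended"):
                kind, section = "acl", tok[3]
                cfg["acls"][section] = []
            else:
                m = re.match(r"crypto isakmp key \S+ address (\S+)", line)
                if m:
                    cfg["key_peer"] = m.group(1)
            continue
        if kind == "isakmp":
            cfg["isakmp"][tok[0]] = " ".join(tok[1:])
        elif kind == "map":
            if tok[:2] == ["set", "peer"]:
                cfg["peer"] = tok[2]
            elif tok[:2] == ["set", "transform-set"]:
                cfg["map_transform"] = tok[2]
            elif tok[:2] == ["match", "address"]:
                cfg["acl_name"] = tok[2]
        elif kind == "acl" and tok[0] in ("permit", "deny"):
            cfg["acls"][section].append((tok[0], tok[1], tok[3], tok[5]))   # action proto src dst
    return cfg


def compare_peers(a, c, a_global, c_global):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    if a["isakmp"] != c["isakmp"]:
        findings.append(f"ISAKMP policy differs: {a['isakmp']} vs {c['isakmp']}")
    ta, tc = a["transform"].get(a["map_transform"]), c["transform"].get(c["map_transform"])
    if ta is None or tc is None or ta != tc:
        findings.append(f"transform-set differs or is undefined: {ta} vs {tc}")
    for side, cfg, want in (("A", a, c_global), ("C", c, a_global)):
        if cfg["peer"] != want:
            findings.append(f"site {side} 'set peer' is {cfg['peer']}, expected far-end global address {want}")
        if cfg["key_peer"] != want:
            findings.append(f"site {side} isakmp key is bound to {cfg['key_peer']}, expected {want}")
    acl_a = set(a["acls"].get(a["acl_name"], []))
    acl_c = {(act, proto, dst, src) for act, proto, src, dst in c["acls"].get(c["acl_name"], [])}
    if not acl_a or acl_a != acl_c:
        findings.append(f"crypto ACLs are not mirror images: {sorted(acl_a)} vs mirrored {sorted(acl_c)}")
    return findings


if __name__ == "__main__":
    a = parse_ios_crypto(SITE_A)
    print("good:", compare_peers(a, parse_ios_crypto(SITE_C_GOOD), A_GLOBAL, C_GLOBAL))
    print("bad: ", compare_peers(a, parse_ios_crypto(SITE_C_BAD), A_GLOBAL, C_GLOBAL))
```

The check deliberately takes the global (static-NAT) addresses as separate inputs rather than reading them from the router configs, because the routers never see them: the only place the mapping exists is the firewall's static statement, which is exactly where a peer address typo hides when a tunnel sits in MM_NO_STATE.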

arabindas Fri, 06/26/2009 - 04:55

Andrew, the earlier configuration was the VPN configuration on the ISR routers.


We are doing a static NAT of the outside interface of the ISR routers on the firewalls in front of them.


Below are the configurations done on the firewalls:


Architecture:


Site A ISR router->Site A ASA5510-------SiteC PIX515<-SiteC ISR Router


Site A ASA config
----------------------

access-list outbound extended permit ip host 10.x.x.x any
access-list outbound extended permit esp host 10.x.x.x any

access-list inbound extended permit ip host 12.x.x.x host 12.x.x.x
access-list inbound extended permit esp host 12.x.x.x host 12.x.x.x

static (inside,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255 tcp 256 32 udp 32

Site C PIX Config
-------------------

access-list outbound extended permit ip host 10.x.x.x any
access-list outbound extended permit esp host 10.x.x.x any

access-list inbound extended permit ip host 12.x.x.x host 12.x.x.x
access-list inbound extended permit esp host 12.x.x.x host 12.x.x.x

static (dmz2,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255
