06-24-2009 09:35 PM - edited 03-11-2019 08:48 AM
Hello Experts,
I was trying to build a site-to-site VPN between two locations using Cisco 2811 ISR routers. At site A the 2811 router is behind a Cisco ASA with version 7.2, and at site B the Cisco 2811 router is behind a Cisco PIX 515 with version 6.3. The tunnel does not seem to come up; all the VPN configurations are fine, but the tunnel fails in Phase 2.
With the same configuration, the tunnel is working fine between Site A and Site C, where both the Cisco 2811 ISR routers are behind Cisco ASA 5510 with version 7.2.
On the Cisco ASA 5510 and Cisco PIX 515, we have only done a static NAT and opened the inbound & outbound ip traffic for the head-end ip addresses.
Are there any compatibility issues between Cisco ISR routers and the Cisco PIX 515 with version 6.3?
Thanks
Arabinda
06-25-2009 01:42 AM
The cause is you are not permitting Protocol 50 thru the firewall, to establish IPSEC Phase 2.
HTH>
06-25-2009 02:24 AM
Hello Andrew,
Thank you for your response.
I have allowed IP traffic both inbound and outbound on the firewalls at both sites. With this configuration the tunnel between Site A and Site C is working fine, but not between Site A and Site B or Site C and Site B. The only difference is that Site B has a Cisco PIX 515 with version 6.3 and the other two sites have an ASA 5510 with version 7.2.
So I was wondering whether the PIX requires any additional configuration, or whether the PIX and ISR routers are not compatible.
Thanks
Arabinda
06-25-2009 02:31 AM
Arabinda,
If you have an ACL that allows "IP" thru - this also permits TCP/UDP. Phase 1 of a VPN tunnel is ISAKMP - typically UDP port 500 - so this will work.
ESP, which is Phase 2 of the VPN, uses protocol number 50 - you also need to add to the ACL the permit for protocol 50-ESP.
Once you have done this, Phase 2 will complete - as long as all config matches.
HTH>
06-25-2009 02:59 AM
06-25-2009 03:21 AM
Post the config of the ACL - remove sensitive information.
06-25-2009 07:10 AM
Hello Andrew,
Here is the ACL which is applied on the PIX where the static NAT is done.
access-list outside-acl extended permit ip host 12.x.x.x host 12.x.x.x
access-list outside-acl extended permit esp host 12.x.x.x host 12.x.x.x
access-group outside-acl in interface outside
access-list inside-acl extended permit ip host 10.x.x.x any
access-list inside-acl extended permit esp host 10.x.x.x any
access-group inside-acl in interface inside
static (inside,outside) 12.x.x.x 10.x.x.x mask 255.255.255.255
The config on the ASA box at the other side is similar.
Thanks
Arabinda
06-25-2009 07:13 AM
Change to:-
access-list outside-acl extended permit udp host 12.x.x.x host 12.x.x.x eq 500
access-list outside-acl extended permit udp host 12.x.x.x host 12.x.x.x eq 4500
access-list outside-acl extended permit esp host 12.x.x.x host 12.x.x.x
There is no need for the entries on the inside-acl, they should be removed.
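To make the reasoning in this thread checkable, here is an added example (not code from the thread or from Cisco): a small parser for ASA/PIX-style extended ACL entries that evaluates, first match wins, whether the three flows a site-to-site IPsec peer needs (IKE on UDP/500, NAT-T on UDP/4500, ESP, IP protocol 50) are permitted from the remote peer to the NATed headend address. It models the documented ACL semantics in which the `ip` keyword matches every IP protocol, and it rejects entries where the protocol keyword was typed after the source address (as in the `permit host 10.x.x.x esp any` line posted above). The addresses, ACL names and the two sample ACLs are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Known protocol keywords in ASA/PIX ACL syntax (subset); a numeric protocol
# number is also accepted. "ip" is the wildcard that matches any IP protocol.
PROTO_KEYWORDS = {"ip", "tcp", "udp", "icmp", "esp", "ah", "gre"}
PORT_NAMES = {"isakmp": 500}  # named ports accepted in place of a number

# The three flows a site-to-site IPsec peer needs through the firewall in
# front of the headend: IKE on UDP/500, NAT-T on UDP/4500, and ESP (protocol 50).
IPSEC_FLOWS = {"ike": ("udp", 500), "nat-t": ("udp", 4500), "esp": ("esp", None)}

# Constructed sample ACLs (addresses are placeholders, not the poster's).
SAMPLE_ACL = """
access-list outside-acl extended permit udp host 12.0.0.1 host 12.0.0.2 eq 500
access-list outside-acl extended permit udp host 12.0.0.1 host 12.0.0.2 eq 4500
access-list outside-acl extended permit esp host 12.0.0.1 host 12.0.0.2
access-list outside-acl extended permit ip host 12.0.0.1 host 12.0.0.3 log
"""
MISSING_ESP_ACL = """
access-list outside-acl extended permit udp host 12.0.0.1 host 12.0.0.2 eq isakmp
access-list outside-acl extended permit udp host 12.0.0.1 host 12.0.0.2 eq 4500
"""


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]


def _addr(tok, i):
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT] [log]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            raise ValueError(f"not an access-list entry: {line!r}")
        name = tok[1]
        i = 3 if tok[2] == "extended" else 2
        action, proto = tok[i], tok[i + 1].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {line!r}")
        # Catches entries such as 'permit host 10.x.x.x esp any', where the
        # protocol was typed after the source instead of after the action.
        if proto not in PROTO_KEYWORDS and not proto.isdigit():
            raise ValueError(f"protocol must follow the action: {line!r}")
        src, i = _addr(tok, i + 2)
        dst, i = _addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            p = tok[i + 1]
            port = PORT_NAMES.get(p, int(p) if p.isdigit() else None)
            if port is None:
                raise ValueError(f"unknown port: {line!r}")
        aces.append(Ace(name, action, proto, src, dst, port))
    return aces


def first_match(aces, proto, src, dst, port=None):
    """Return the first ACE matching the flow (first match wins, as on the firewall)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):  # 'ip' matches every IP protocol
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port is not None and ace.port != port:
            continue
        return ace
    return None


def check_ipsec(aces, peer, headend):
    """Map each IPsec flow from peer to headend to 'permit', 'deny' or 'implicit-deny'."""
    verdict = {}
    for flow, (proto, port) in IPSEC_FLOWS.items():
        ace = first_match(aces, proto, peer, headend, port)
        verdict[flow] = ace.action if ace else "implicit-deny"
    return verdict


if __name__ == "__main__":
    for label, acl in (("sample", SAMPLE_ACL), ("missing-esp", MISSING_ESP_ACL)):
        print(label, check_ipsec(parse_acl(acl), "12.0.0.1", "12.0.0.2"))
```

Run against the inbound ACL on the outside interface with the remote peer as source and the static-NAT address of the headend as destination; an `implicit-deny` for `esp` is the pattern behind a tunnel that completes Phase 1 but never passes Phase 2 traffic, and a `ValueError` points at an entry the parser could not read as `action protocol source destination`.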
06-25-2009 07:17 AM
Okay, thank you Andrew, let me try it out.
Does this ACL only apply to the PIX 515? With the ACL mentioned earlier I have the VPN working between two sites perfectly; the difference is that there we have an ASA 5510 as the NAT device.
Thanks
Arabinda
06-25-2009 07:23 AM
Andrew,
I have to disagree with you on this. Arabinda has this in the ACL:
access-list outside-acl extended permit ip host 12.x.x.x host 12.x.x.x
That should cover everything, including udp/500, udp-4500 and ESP, right?
Why does he have to modify the ACL? One other thing: you should put "log" at the end of the ACL so that you can see whether it is permitted or denied on the syslog server or in the logging buffer.
06-25-2009 07:26 AM
Andrew, even after I modified the ACL as recommended, still no luck. I also think that allowing IP should take care of both UDP and TCP.
Thanks
Arabinda
dst src state conn-id slot status
12.x.x.x 10.x.x.x MM_NO_STATE 0 0 ACTIVE
06-25-2009 07:30 AM
What is the debug on the ISR, is anything getting thru to it?
What is the debug at the remote end, is the ISR initiating the VPN, is the remote end Firewall allowing the traffic thru?
More debug is required.
06-25-2009 07:29 AM
I have had issues in the past where a blanket layer 3 IP ACL just does not allow traffic thru. When replaced with a more specific layer 4 config, everything works.
06-25-2009 07:33 AM
"I have had issues in the past where a blanket layer 3 IP ACL just does not allow traffic thru."
Are you telling me that if you have "permit ip any any log" in the ACL, it still may not work unless you have a more specific layer 4 config? That's the first time I have heard of this.
06-25-2009 07:50 AM
Yes - I have had that issue on PIX506E, 515 & 515E running 6.3.x & 7.0.x code in the past.