1223 Views, 0 Helpful, 26 Replies

Cisco 2811 ISR behind Cisco PIX 515

arabindas
Level 1

Hello Experts,

I was trying to build a site-to-site VPN between two locations using Cisco 2811 ISR routers. At site A the 2811 router is behind a Cisco ASA with version 7.2, and at site B the Cisco 2811 router is behind a Cisco PIX 515 with version 6.3. The tunnel does not seem to come up; all the VPN configurations are fine, but the tunnel fails in Phase 2.

With the same configuration, the tunnel is working fine between Site A and Site C, where both the Cisco 2811 ISR routers are behind Cisco ASA 5510 with version 7.2.

On the Cisco ASA 5510 and Cisco PIX 515, we have only done a static NAT and opened the inbound & outbound ip traffic for the head-end ip addresses.

Are there any compatibility issues between Cisco ISR routers and the Cisco PIX 515 with version 6.3?

Thanks

Arabinda

26 Replies

andrew.prince
Level 10

The cause is that you are not permitting Protocol 50 thru the firewall, which is needed to establish IPSEC Phase 2.

HTH>

Hello Andrew,

Thank you for your response.

I have allowed IP traffic both inbound and outbound on the firewalls at both sites. With this configuration the tunnel between Site A and Site C is working fine, but not between Site A - Site B or Site C - Site B. The only difference is that Site B has a Cisco PIX 515 with version 6.3, and the other two sites have an ASA 5510 with version 7.2.

So I was suspecting that the PIX requires some additional configuration, or that the PIX and ISR routers are not compatible.

Thanks

Arabinda

Arabinda,

If you have an ACL that allows "IP" thru - this also permits TCP/UDP. Phase 1 of a VPN tunnel is ISAKMP - typically UDP port 500 - so this will work.

ESP, which is Phase 2 of the VPN, uses Protocol number 50 - you also need to add to the ACL the permit for protocol 50-ESP.

Once you have done this, Phase 2 will complete - as long as all config matches.

HTH>

Hello Andrew,

Thank you for your suggestion.

I tried that; I added another ACL entry allowing ESP both inbound and outbound on both firewalls, and it still does not work.

Attached is a log file; I hope that may throw some light on what the issue is.

Thanks

Arabinda

Post the config of the ACL - remove sensitive information.

Hello Andrew,

Here is the ACL which is applied on the PIX where the static NAT is done.

access-list outside-acl extended permit ip host 12.x.x.x host 12.x.x.x
access-list outside-acl extended permit esp host 12.x.x.x host 12.x.x.x
access-group outside-acl in interface outside

access-list inside-acl extended permit ip host 10.x.x.x any
access-list inside-acl extended permit esp host 10.x.x.x any
access-group inside-acl in interface inside

static (inside,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255

Similar is the config on the other side ASA box.

Thanks

Arabinda

Change to:-

access-list outside-acl extended permit udp host 12.x.x.x host 12.x.x.x eq 500
access-list outside-acl extended permit udp host 12.x.x.x host 12.x.x.x eq 4500
access-list outside-acl extended permit esp host 12.x.x.x host 12.x.x.x

There is no need for the entries on the inside-acl, they should be removed.

Okay, thank you Andrew, let me try it out.

Does this ACL only apply to the PIX 515? With the ACL mentioned earlier I have the VPN working between two sites perfectly; the difference is that there we have an ASA 5510 as the NAT device.

Thanks

Arabinda

Andrew,

I have to disagree with you on this. Arabindas has this in the ACL:

access-list outside-acl extended permit ip host 12.x.x.x host 12.x.x.x

That should cover everything, including udp/500, udp/4500 and ESP, right?

Why does he have to modify the ACL? One other thing: you should put "log" at the end of the ACL entry so that you can see whether it is permitted or denied on the syslog server or in the logging buffer.
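An added example, not code from any poster or from Cisco: a small evaluator for the PIX/ASA-style ACL lines quoted in this thread that checks, on paper, whether ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) are permitted by each ACL style. It assumes the simplified one-line ACE grammar described in its comments and constructed TEST-NET addresses in place of the masked 12.x.x.x peers; it confirms that the "permit ip host A host B" line already matches all three flows, so the "log" keyword on the ACE is the next diagnostic step rather than more ACL lines.

```python
# Added example, not Cisco code or any poster's: a small evaluator for the
# PIX/ASA-style ACL lines quoted in this thread; it models only "permit|deny
# <proto> host A|any host B|any [eq N] [log]". Addresses are constructed TEST-NET placeholders.
import re
from collections import namedtuple
from typing import Optional
Flow = namedtuple("Flow", "proto src dst dport")   # dport is None for ESP

def ipsec_flows(src: str, dst: str) -> dict:
    return {"isakmp": Flow("udp", src, dst, 500),    # Phase 1
            "nat-t": Flow("udp", src, dst, 4500),    # NAT traversal
            "esp": Flow("esp", src, dst, None)}      # Phase 2, IP protocol 50

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+"
    r"(host\s+\S+|any)\s+(host\s+\S+|any)(?:\s+eq\s+(\d+))?(?:\s+log)?$")

def parse_ace(line: str) -> Optional[dict]:
    m = ACE_RE.match(line.strip())
    if not m:                      # e.g. the mis-ordered "permit host X esp any"
        return None
    name, action, proto, src, dst, port = m.groups()
    addr = lambda t: None if t == "any" else t.split()[1]   # None = wildcard
    return {"acl": name, "action": action, "proto": proto, "src": addr(src),
            "dst": addr(dst), "dport": int(port) if port else None}

def ace_matches(ace: dict, flow: Flow) -> bool:
    if ace["proto"] not in ("ip", flow.proto):      # "ip" covers udp and esp
        return False
    if ace["src"] not in (None, flow.src) or ace["dst"] not in (None, flow.dst):
        return False
    return ace["dport"] is None or ace["dport"] == flow.dport

def acl_verdict(acl_text: str, acl_name: str, flow: Flow) -> str:
    for line in acl_text.splitlines():              # first matching ACE wins
        ace = parse_ace(line)
        if ace and ace["acl"] == acl_name and ace_matches(ace, flow):
            return ace["action"]
    return "deny"                                   # implicit deny at the end

def check(acl_text: str, src: str = "192.0.2.1", dst: str = "192.0.2.2") -> dict:
    return {n: acl_verdict(acl_text, "outside-acl", f)
            for n, f in ipsec_flows(src, dst).items()}

# Constructed copies of the two ACL styles discussed in the thread.
ORIGINAL_ACL = """access-list outside-acl extended permit ip host 192.0.2.1 host 192.0.2.2
access-list outside-acl extended permit esp host 192.0.2.1 host 192.0.2.2"""
SPECIFIC_ACL = """access-list outside-acl extended permit udp host 192.0.2.1 host 192.0.2.2 eq 500
access-list outside-acl extended permit udp host 192.0.2.1 host 192.0.2.2 eq 4500
access-list outside-acl extended permit esp host 192.0.2.1 host 192.0.2.2"""
```

Note that the evaluator is direction-aware: an ACE written for A to B does not permit the reverse flow, so each interface's inbound ACL must be checked with the source and destination as they arrive there.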

Andrew, even after I modified the ACL as recommended, still no luck. I also guess that allowing IP should take care of both UDP and TCP.

Thanks

Arabinda

dst          src          state        conn-id  slot  status
12.x.x.x     10.x.x.x     MM_NO_STATE  0        0     ACTIVE

What is the debug on the ISR, is anything getting thru to it?

What is the debug at the remote end, is the ISR initiating the VPN, is the remote end Firewall allowing the traffic thru?

More debug is required.

I have had issues in the past where a blanket layer 3 IP ACL just does not allow traffic thru. When replaced with a more specific layer 4 config, everything works.

"I have had issues in the past where a blanket layer 3 IP ACL just does not allow traffic thru."

Are you telling me that if you have "permit ip any any log" in the ACL, it still may not work unless you have a more specific layer 4 config? That's the first time I have heard of this.

Yes - I have had that issue on PIX506E, 515 & 515E running 6.3.x & 7.0.x code in the past.
