07-13-2010 09:27 AM - edited 03-11-2019 11:11 AM
I am trying to create a site-to-site ipsec tunnel. My first attempt failed and I was given some information from someone using an ASA (8.0?) for my second attempt. They were not sure of the compatibility of some of the commands and I ran into an error with the first line they provided. Can somebody help me figure out why I am getting this error:
"ERROR: Source address,mask <255.255.255.252,170.x.x.0> doesn't pair"
when I try to add the following line:
access-list HCA permit ip host 10.x.x.0 255.255.255.252 170.x.x.0 255.255.255.128
Additionally, the ASA command I was provided included the word "extended" before the "permit", however the PIX did not recognize that command so I omitted it. Should still work right?
Here is my existing config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *************** encrypted
passwd **************** encrypted
hostname JMSBCFW
domain-name JMS
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any source-quench
access-list outside_in permit tcp any interface outside eq 1000
access-list outside_in permit tcp any interface outside eq 1001
access-list outside_in permit tcp any interface outside eq 1002
access-list outside_in permit tcp any interface outside eq 1003
access-list outside_in permit tcp any interface outside eq 1004
access-list outside_in permit tcp any interface outside eq 1005
access-list outside_in permit tcp any interface outside eq 1006
access-list outside_in permit tcp any interface outside eq 1007
access-list outside_in permit tcp any interface outside eq 1008
access-list outside_in permit tcp any interface outside eq 1009
access-list outside_in permit tcp any interface outside eq 1010
access-list outside_in permit tcp any interface outside eq 1011
access-list outside_in permit tcp any interface outside eq 1012
access-list outbound permit tcp any any
access-list outbound permit ip any any
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.x 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1001 192.168.1.67 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1002 192.168.1.85 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1003 192.168.1.29 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1004 192.168.1.12 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1005 192.168.1.64 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1006 192.168.1.62 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1007 192.168.1.18 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1008 192.168.1.70 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1009 192.168.1.68 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1010 192.168.1.44 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1011 192.168.1.37 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1012 192.168.1.73 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
isakmp enable outside
isakmp key ******** address 199.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password **************** encrypted privilege 2
terminal width 90
Cryptochecksum:5f1148abb28fc6b2ad0035733b20b393
: end
Please bear with me as I am a beginner to the Cisco firewall programming and unfortunately I cannot get the PDM to work for me (but that is another story), so I am doing everything in console. I am upgrading this customer to an ASA 5510, which I am told will be a whole lot easier to manage/configure. Not soon enough though.
Regards,
MIKET
07-13-2010 02:46 PM
Miket,
access-list HCA permit ip host 10.x.x.0 255.255.255.252 170.x.x.0 255.255.255.128
Notice the "host" ... host mean that the IP address give after will be treated with mask 255.255.255.255. Remove the host.
Check this out to see what more you might be missing:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sit2site.html
HTH,
Marcin
07-14-2010 09:42 AM
Thanks! I removed "host" from the line and was able to finish adding all of the commands that I was instructed to add. However, I was not able to achieve the desired end result of being able to ping the 170.x.x.x address. I have ordered an ASA5510 that should be arriving in a few days (been putting it off too long). Can you or any members here tell me whether it will be simple to transfer/migrate the PIX configuration into the new appliance?
Kind Regards,
MikeT
07-15-2010 01:19 AM
Mike,
ASA and PIX (6.3) use different syntax of commands. Good news is that there is a built in translator (into ASA/PIX 7.x/8.x versions).
Please note that some information will not be migrated by copy/paste (passwords if obfuscated for example).
I'll have a look at the config again and post an update to see if anything confg-wise is missing, but it would help if you put int current config.
Marcin
07-15-2010 10:08 AM
Thanks Marcin,
Here is the latest config:
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******************** encrypted
passwd ******************** encrypted
hostname JMSBCFW
domain-name JMS
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any source-quench
access-list outside_in permit tcp any interface outside eq 1000
access-list outside_in permit tcp any interface outside eq 1001
access-list outside_in permit tcp any interface outside eq 1002
access-list outside_in permit tcp any interface outside eq 1003
access-list outside_in permit tcp any interface outside eq 1004
access-list outside_in permit tcp any interface outside eq 1005
access-list outside_in permit tcp any interface outside eq 1006
access-list outside_in permit tcp any interface outside eq 1007
access-list outside_in permit tcp any interface outside eq 1008
access-list outside_in permit tcp any interface outside eq 1009
access-list outside_in permit tcp any interface outside eq 1010
access-list outside_in permit tcp any interface outside eq 1011
access-list outside_in permit tcp any interface outside eq 1012
access-list outbound permit tcp any any
access-list outbound permit ip any any
access-list HCA_cryptomap permit ip 10.129.64.0 255.255.255.252 170.x.x.0 255.255.255.128
access-list HCA permit ip 192.168.1.0 255.255.255.0 170.x.x.0 255.255.255.128
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.x 255.255.255.252
ip address inside 192.168.1.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 10.129.64.1
nat (inside) 2 10.129.64.0 255.255.255.252 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 192.168.1.55 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1000 192.168.1.4 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1001 192.168.1.67 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1002 192.168.1.85 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1003 192.168.1.29 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1004 192.168.1.12 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1005 192.168.1.64 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1006 192.168.1.62 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1007 192.168.1.18 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1008 192.168.1.70 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1009 192.168.1.68 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1010 192.168.1.44 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1011 192.168.1.37 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1012 192.168.1.73 3389 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.1.4 source inside
http server enable
http 192.168.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map hca 10 ipsec-isakmp
crypto map hca 10 match address HCA_cryptomap
crypto map hca 10 set peer 199.x.x.x
crypto map hca 10 set transform-set myset
crypto map hca interface outside
isakmp enable outside
isakmp key ******** address 199.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
username admin password ******************************* encrypted privilege 2
terminal width 90
Cryptochecksum:5f1148abb28fc6b2ad0035733b20b393
: end
07-16-2010 01:19 AM
Mike,
Configuration from IPsec's point of view looks OK.
The thing to know ... if otherside side perepared to accept connections from here and were you supposed to NAT traffic?
show crypto isakmp
and
show crypto ipsec sa
will tell you if the negotiation finished correctly.
I will be off as of today, sorry I will not be able to provide further help
Marcin
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide