Tunnel is not working between asa 5505 and PIX 506

Unanswered Question
Sep 23rd, 2010

PIX 506e 6.3

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0

access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0

crypto isakmp policy 13 authen pre-share
crypto isakmp policy 13 encrypt 3des
crypto isakmp policy 13 hash sha
crypto isakmp policy 13 group 2
crypto isakmp policy 13 lifetime 86400

crypto ipsec transform-set MCS esp-3des esp-sha-hmac

isakmp key IT5ngr1 address yyy.yyy.yyy.yyy netmask 255.255.255.255 no-xauth no-config-mode

crypto map outside_map 1 match address 101
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer yyy.yyy.yyy.yyy
crypto map outside_map 1 set transform-set MCS
crypto map outside_map interface outside

------------------------------------------------------------------------------------------------------------------------------------------------

ASA 5505 

access-list 101 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0

access-list 104 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l

tunnel-group xxx.xxx.xxx.xxx ipsec-attributes

pre-shared-key IT5ngr1

crypto ipsec transform-set MCS1 esp-3des esp-sha-hmac

crypto map name 3 match address 104
crypto map name 3 set pfs group2
crypto map name 3 set peer xxx.xxx.xxx.xxx
crypto map name 3 set transform-set MCS1
crypto map name interface outside

crypto isakmp policy 13 authen pre-share
crypto isakmp policy 13 encrypt 3des
crypto isakmp policy 13 hash sha
crypto isakmp policy 13 group 2
crypto isakmp policy 13 lifetime 86400

----------

show crypto ipsec sa
in the output there is no IP for the tunnel

show crypto isakmp sa
5   IKE Peer: xxx.xxx.xxx.xxx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There is a good response on the PIX; I can see both show commands' output on the PIX.

Please help, very urgent.

Thanks

Amardeep rana

nseshan Thu, 09/23/2010 - 20:21

Hey,

Can you also attach the outputs of "sh run | in nat" from the PIX and "sh run nat" from the ASA? Also, please add the outputs of "sh access-list" along with it.

Regards,

Narayanan.

Amardeep Kumar Thu, 09/23/2010 - 20:28

PIX

pixfirewall(config)# sh run | in nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#

asa

ciscoasa# sh run nat
nat (inside) 0 access-list 101
nat (inside) 1 192.168.12.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa#

asa

access-list 101 line 4 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2eb71f45

pix

pixfirewall(config)# sh access-list 102
access-list 102; 1 elements
access-list 102 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0 (hitcnt=2406)
pixfirewall(config)#

Thanks

Amardeep Rana

nseshan Thu, 09/23/2010 - 20:37

Hey,

I think you are missing the NAT exempt statement on the PIX.

Kindly enter the following command:

nat (inside) 0 access-list 102

Regards,

Narayanan.
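An added example, not from the thread, that encodes the check behind Narayanan's reply: a small Python script that parses constructed excerpts of the two configs posted above and reports, per side, crypto ACL entries with no mirror entry on the peer and entries not covered by a nat 0 exemption. Only config lines shown in the thread are used; the PIX excerpt deliberately has no nat 0 line, as posted.

```python
import ipaddress
import re

# Constructed excerpts of the PIX and ASA configs posted in the thread (only the lines
# the check needs); the PIX side has no "nat (inside) 0 access-list" line, as posted.
PIX_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0
crypto map outside_map 1 match address 101
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
"""
ASA_CONFIG = """
access-list 101 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 104 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0
crypto map name 3 match address 104
nat (inside) 0 access-list 101
nat (inside) 1 192.168.12.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")


def parse(config):
    """Return ACL entries as (src_net, dst_net), crypto-map ACL names and nat 0 ACL names."""
    acls, crypto_acls, nat0_acls = {}, [], []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        elif m := MATCH_RE.match(line):
            crypto_acls.append(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0_acls.append(m.group(1))
    return acls, crypto_acls, nat0_acls


def check_side(local_cfg, peer_cfg):
    """Each crypto ACL entry must be mirrored (src/dst swapped) on the peer and NAT-exempted locally."""
    acls, crypto_acls, nat0 = parse(local_cfg)
    peer_acls, peer_crypto, _ = parse(peer_cfg)
    mirrored = {(d, s) for n in peer_crypto for s, d in peer_acls.get(n, [])}
    exempt = [p for n in nat0 for p in acls.get(n, [])]
    findings = []
    for src, dst in (p for n in crypto_acls for p in acls.get(n, [])):
        if (src, dst) not in mirrored:
            findings.append(f"{src} -> {dst}: no mirror entry in the peer's crypto ACL")
        if (src, dst) not in exempt:
            findings.append(f"{src} -> {dst}: no nat 0 exemption, traffic is NATed before it can match the crypto map")
    return findings
```

Running `check_side(PIX_CONFIG, ASA_CONFIG)` reports the missing exemption on the PIX, while the ASA side comes back clean.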

Jitendriya Athavale Thu, 09/23/2010 - 21:15

Hi Amardeep,

If this issue is still unresolved, please paste the output of the command show crypto ipsec sa.

Amardeep Kumar Fri, 09/24/2010 - 00:33

Hi

Here is the output of the command you gave. But I am already running two other tunnels on the ASA 5505 and they are running properly.

From PIX --

interface: outside

    Crypto map tag: outside_map, local addr. Live IP

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)

   current_peer: ASA Live IP:0

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

   #send errors 0, #recv errors 0

     local crypto endpt.: Live IP, remote crypto endpt.: Remote ASA Live IP

     path mtu 1500, ipsec overhead 0, media mtu 1500

     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

FROM ASA

ciscoasa(config)# show crypto ipsec sa

interface: outside

    Crypto map tag: name, seq num: 2, local addr: Local IP IP ( Tunnel Already Running)

      access-list outside_2_cryptomap permit ip 192.168.12.0 255.255.254.0 192.168.20.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)

      current_peer: Remote Live IP (( Tunnel Already Running)

      #pkts encaps: 1600, #pkts encrypt: 1600, #pkts digest: 1600

      #pkts decaps: 1600, #pkts decrypt: 1600, #pkts verify: 1600

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1600, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: Local IP IP ( Tunnel Already Running), remote crypto endpt.: Remote Live IP (( Tunnel Already Running)

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 147F5CD2

    inbound esp sas:

      spi: 0xEC5DAE06 (3965562374)

         transform: esp-3des esp-md5-hmac none

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 2, crypto-map: name

         sa timing: remaining key lifetime (kB/sec): (4274905/28005)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x147F5CD2 (343891154)

         transform: esp-3des esp-md5-hmac none

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 2, crypto-map: name

         sa timing: remaining key lifetime (kB/sec): (4274904/28003)

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: name, seq num: 6, local addr: Local IP IP ( Tunnel Already Running)

      access-list 102 permit ip 192.168.12.0 255.255.254.0 192.168.3.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

      current_peer: Remote Live IP (( Tunnel Already Running)

      #pkts encaps: 1588, #pkts encrypt: 1588, #pkts digest: 1588

      #pkts decaps: 1539, #pkts decrypt: 1539, #pkts verify: 1539

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1590, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: Local Live IP ( Tunnel Already Running), remote crypto endpt.: Remote Live IP (( Tunnel Already Running)

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: F7114C6E

    inbound esp sas:

      spi: 0x5F116DB2 (1594977714)

         transform: esp-des esp-md5-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1, crypto-map: chetu

         sa timing: remaining key lifetime (kB/sec): (4274906/27995)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xF7114C6E (4145106030)

         transform: esp-des esp-md5-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1, crypto-map: name

         sa timing: remaining key lifetime (kB/sec): (4274898/27993)

         IV size: 8 bytes

         replay detection support: Y

thanks

Amardeep

Jitendriya Athavale Fri, 09/24/2010 - 01:21

Looks like phase 2 is not up.

From which side are you trying to initiate the tunnel, and how are you pinging (source ping from interface or inside hosts)?

Give the command management-access inside on both devices and initiate a ping from both sides, but source it from the inside interface IP:

ping inside

See if phase 2 comes up.

Also run a packet tracer and paste the output from the 192.168.1.0 end:

packet-tracer in inside icmp 192.168.1.100 8 0 192.168.12.100 detail

Very important: make sure the IPs that you use in packet-tracer are not interface IPs.
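As an added example, not part of the thread: a Python parser for the show crypto ipsec sa outputs posted above that flags, per crypto map entry, whether any ESP SA exists, which is the condition behind "phase 2 is not up". The sample is constructed from the PIX entry for the failing tunnel and one ASA entry for a working tunnel, with RFC 5737 addresses standing in for the "Live IP" placeholders.

```python
import re

# Constructed sample stitched from the two outputs in the thread: the PIX entry for the
# failing tunnel (no SAs) and one ASA entry for a tunnel that is up. Public addresses
# are RFC 5737 placeholders standing in for "Live IP".
SAMPLE = """
    Crypto map tag: outside_map, local addr. 198.51.100.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     inbound esp sas:
     outbound esp sas:
    Crypto map tag: name, seq num: 2, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      #pkts encaps: 1600, #pkts encrypt: 1600, #pkts digest: 1600
      #pkts decaps: 1600, #pkts decrypt: 1600, #pkts verify: 1600
    inbound esp sas:
      spi: 0xEC5DAE06 (3965562374)
    outbound esp sas:
      spi: 0x147F5CD2 (343891154)
"""

def parse_ipsec_sa(text):
    """Split the output into one record per crypto map entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Crypto map tag: ([^,]+)", line):
            cur = {"tag": m.group(1), "encaps": 0, "decaps": 0, "spis": []}
            entries.append(cur)
        elif cur is None:
            continue  # header lines before the first entry
        elif m := re.match(r"(local|remote)\s+ident .*?: \(([^/]+/[^/]+)/", line):
            cur[m.group(1)] = m.group(2)  # proxy identities (addr/mask)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line):
            cur["spis"].append(m.group(1))  # one per inbound/outbound ESP SA
    return entries

def report(text):
    """One line per entry; an entry with no ESP SPIs has no phase 2 SA."""
    lines = []
    for e in parse_ipsec_sa(text):
        state = "UP" if e["spis"] else "NO PHASE 2"
        lines.append(f"{e['tag']}: {e['local']} -> {e['remote']} {state} "
                     f"(encaps {e['encaps']}, decaps {e['decaps']})")
    return lines
```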
