09-23-2010 07:12 PM - edited 03-11-2019 11:44 AM
PIX 506e 6.3
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0
crypto isakmp policy 13 authen pre-share
crypto isakmp policy 13 encrypt 3des
crypto isakmp policy 13 hash sha
crypto isakmp policy 13 group 2
crypto isakmp policy 13 lifetime 86400
crypto ipsec transform-set MCS esp-3des esp-sha-hmac
isakmp key IT5ngr1 address yyy.yyy.yyy.yyy netmask 255.255.255.255 no-xauth no-config-mode
crypto map outside_map 1 match address 101
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer yyy.yyy.yyy.yyy
crypto map outside_map 1 set transform-set MCS
crypto map outside_map interface outside
------------------------------------------------------------------------------------------------------------------------------------------------
ASA 5505
access-list 101 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 104 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key IT5ngr1
crypto ipsec transform-set MCS1 esp-3des esp-sha-hmac
crypto map name 3 match address 104
crypto map name 3 set pfs group2
crypto map name 3 set peer xxx.xxx.xxx.xxx
crypto map name 3 set transform-set MCS1
crypto map name interface outside
crypto isakmp policy 13 authen pre-share
crypto isakmp policy 13 encrypt 3des
crypto isakmp policy 13 hash sha
crypto isakmp policy 13 group 2
crypto isakmp policy 13 lifetime 86400
----------
show crypto ipsec sa
in the output there is no IP for the tunnel
show crypto isakmp sa
5 IKE Peer: xxx.xxx.xxx.xxx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There is good response on PIX, I can see both show commands' output on PIX.
Please help, very urgent.
Thanks
Amardeep rana
09-23-2010 08:21 PM
Hey,
Can you also attach the outputs of "sh run | in nat" from the PIX and "sh run nat" from the ASA? Also please add the outputs of "sh access-list".
Regards,
Narayanan.
09-23-2010 08:28 PM
PIX
pixfirewall(config)# sh run | in nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#
asa
ciscoasa# sh run nat
nat (inside) 0 access-list 101
nat (inside) 1 192.168.12.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa#
asa
access-list 101 line 4 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2eb71f45
pix
pixfirewall(config)# sh access-list 102
access-list 102; 1 elements
access-list 102 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0 (hitcnt=2406)
pixfirewall(config)#
Thanks
Amardeep Rana
09-23-2010 08:37 PM
Hey,
I think you are missing the nat exempt statement on the pix.
Kindly enter the following command:
nat (inside) 0 access-list 102
Regards,
Narayanan.
09-23-2010 08:48 PM
Hi
I ran this command but nothing happened.
thanks
Amardeep
09-23-2010 08:40 PM
Hi
May I talk to you on cell, if you don't mind? I have spent the whole night on the issue.
Thanks
Amardeep
09-23-2010 09:15 PM
Hi Amardeep,
If this issue is still unresolved, please paste the output of the command show crypto ipsec sa.
09-24-2010 12:33 AM
Hi
Here is the output of the command you gave. But I am already running two other tunnels on the ASA 5505 and they are running properly.
From PIX --
interface: outside
Crypto map tag: outside_map, local addr. Live IP
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)
current_peer: ASA Live IP:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: Live IP, remote crypto endpt.: Remote ASA Live IP
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
FROM ASA
ciscoasa(config)# show crypto ipsec sa
interface: outside
Crypto map tag: name, seq num: 2, local addr: Local IP IP ( Tunnel Already Running)
access-list outside_2_cryptomap permit ip 192.168.12.0 255.255.254.0 192.168.20.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer: Remote Live IP ( Tunnel Already Running)
#pkts encaps: 1600, #pkts encrypt: 1600, #pkts digest: 1600
#pkts decaps: 1600, #pkts decrypt: 1600, #pkts verify: 1600
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1600, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: Local IP ( Tunnel Already Running), remote crypto endpt.: Remote Live IP ( Tunnel Already Running)
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 147F5CD2
inbound esp sas:
spi: 0xEC5DAE06 (3965562374)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 2, crypto-map: name
sa timing: remaining key lifetime (kB/sec): (4274905/28005)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x147F5CD2 (343891154)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 2, crypto-map: name
sa timing: remaining key lifetime (kB/sec): (4274904/28003)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: name, seq num: 6, local addr: Local IP IP ( Tunnel Already Running)
access-list 102 permit ip 192.168.12.0 255.255.254.0 192.168.3.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: Remote Live IP ( Tunnel Already Running)
#pkts encaps: 1588, #pkts encrypt: 1588, #pkts digest: 1588
#pkts decaps: 1539, #pkts decrypt: 1539, #pkts verify: 1539
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1590, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: Local Live IP ( Tunnel Already Running), remote crypto endpt.: Remote Live IP ( Tunnel Already Running)
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F7114C6E
inbound esp sas:
spi: 0x5F116DB2 (1594977714)
transform: esp-des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: chetu
sa timing: remaining key lifetime (kB/sec): (4274906/27995)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF7114C6E (4145106030)
transform: esp-des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: name
sa timing: remaining key lifetime (kB/sec): (4274898/27993)
IV size: 8 bytes
replay detection support: Y
thanks
Amardeep
09-24-2010 01:21 AM
Looks like phase 2 is not up.
From which side are you trying to initiate the tunnel, and how are you pinging (source ping from the interface or from inside hosts)?
Give the command management-access inside on both the devices and initiate a ping from both sides, but source it from the inside interface IP:
ping inside
See if phase 2 comes up.
Also run a packet tracer and paste the output from the 192.168.1.0 end:
packet-tracer in inside icmp 192.168.1.100 8 0 192.168.12.100 detail
Very important: make sure the IPs that you use in packet-tracer are not interface IPs.
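As an added example (not from the thread and not a Cisco tool), a small Python check of the two phase-2 conditions discussed above: the crypto ACL bound to each side's crypto-map entry must be the exact mirror of the peer's, and each side's nat 0 exemption must cover the traffic the tunnel protects. The config excerpts are constructed from the snippets posted in this thread (peers and key omitted); the function names are my own.

```python
import ipaddress
import re
# Constructed excerpts modelled on the PIX and ASA snippets posted in this thread.
PIX_CFG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
crypto map outside_map 1 match address 101
"""
ASA_CFG = """
access-list 101 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 104 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 192.168.12.0 255.255.255.0
crypto map name 3 match address 104
"""
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")

def acl_entries(cfg, name):
    """Return the (src, dst) network pairs of the named ACL (empty if absent)."""
    pairs = []
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            pairs.append((ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"),
                          ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")))
    return pairs

def crypto_acl(cfg, seq):
    """Name of the ACL bound to crypto-map entry <seq> via 'match address'."""
    m = re.search(rf"^crypto map \S+ {seq} match address (\S+)", cfg, re.M)
    return m.group(1) if m else None

def check_pair(local_cfg, local_seq, remote_cfg, remote_seq):
    """List phase-2 problems: non-mirrored proxy IDs, crypto traffic not NAT-exempt."""
    problems = []
    local = acl_entries(local_cfg, crypto_acl(local_cfg, local_seq))
    remote = acl_entries(remote_cfg, crypto_acl(remote_cfg, remote_seq))
    # The peer's crypto ACL must be the exact mirror (src/dst swapped) of ours.
    if sorted(local) != sorted((d, s) for s, d in remote):
        problems.append("crypto ACLs are not mirror images of each other")
    for side, cfg, seq in (("local", local_cfg, local_seq), ("remote", remote_cfg, remote_seq)):
        # Every pair the tunnel protects must be excluded from interface NAT (nat 0).
        m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
        exempt = acl_entries(cfg, m.group(1)) if m else []
        for s, d in acl_entries(cfg, crypto_acl(cfg, seq)):
            if (s, d) not in exempt:
                problems.append(f"{side}: no nat 0 exemption for {s} -> {d}")
    return problems
```

Run with the PIX side as posted it reports the missing exemption; append the suggested nat (inside) 0 access-list 102 line and the report is empty.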