Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
922
Views
0
Helpful
8
Replies

Tunnel is not working between asa 5505 and PIX 506

Amardeep Kumar
Level 1
Level 1

‎09-23-2010 07:12 PM - edited ‎03-11-2019 11:44 AM

PIX 506e 6.3

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0

access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0

crypto isakmp policy 13 authen pre-share
crypto isakmp policy 13 encrypt 3des
crypto isakmp policy 13 hash sha
crypto isakmp policy 13 group 2
crypto isakmp policy 13 lifetime 86400

crypto ipsec transform-set MCS esp-3des esp-sha-hmac

isakmp key IT5ngr1 address yyy.yyy.yyy.yyy netmask 255.255.255.255 no-xauth no-config-mode

crypto map outside_map 1 match address 101
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer yyy.yyy.yyy.yyycrypto map outside_map 1 set transform-set MCS
crypto map outside_map interface outside

crypto isakmp policy 13 authen pre-share
crypto isakmp policy 13 encrypt 3des
crypto isakmp policy 13 hash sha
crypto isakmp policy 13 group 2
crypto isakmp policy 13 lifetime 86400

------------------------------------------------------------------------------------------------------------------------------------------------

ASA 5505 

access-list 101 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0

access-list 104 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key IT5ngr1

crypto ipsec transform-set MCS1 esp-3des esp-sha-hmac

crypto map name 3 match address 104
crypto map name 3 set pfs group2
crypto map name 3 set peer xxx.xxx.xxx.xxx
crypto map name 3 set transform-set MCS1
crypto map name interface outside

crypto isakmp policy 13 authen pre-share
crypto isakmp policy 13 encrypt 3des
crypto isakmp policy 13 hash sha
crypto isakmp policy 13 group 2
crypto isakmp policy 13 lifetime 86400

----------

show crypto ipsec sa
in the output there is no IP for the tunnel

show crypto isakmp sa
5   IKE Peer: xxx.xxx.xxx.xxx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There is good response on PIX, I can see both show commands out put on pix.

Please help , Very urgent

Thanks

Amardeep rana

Labels:
0 Helpful
8 Replies 8

nseshan
Level 1
Level 1

‎09-23-2010 08:21 PM

Hey,

Can you also attach the outputs of "sh run | in nat" from the PIX and "sh run nat" from the ASA? also please add the outputs of the "sh access-list " along with it.

Regards,

Narayanan.

0 Helpful

Amardeep Kumar
Level 1
Level 1
In response to nseshan

‎09-23-2010 08:28 PM

PIX

pixfirewall(config)# sh run | in nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#

asa

ciscoasa# sh run nat
nat (inside) 0 access-list 101
nat (inside) 1 192.168.12.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa#

asa

access-list 101 line 4 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0
255.255.255.0 (hitcnt=0) 0x2eb71f45

pix

pixfirewall(config)# sh access-list 102
access-list 102; 1 elements
access-list 102 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.
254.0 (hitcnt=2406)
pixfirewall(config)#

Thanks

Amardeep Rana

0 Helpful

nseshan
Level 1
Level 1
In response to Amardeep Kumar

‎09-23-2010 08:37 PM

Hey,

I think you are missing the nat exempt statement on the pix.

Kindly enter the following command:

nat (inside) 0 access-list 102

Regards,

Narayanan.

0 Helpful

Amardeep Kumar
Level 1
Level 1
In response to nseshan

‎09-23-2010 08:48 PM

HI

I ran this command but nothing happend

thanks

Amardeep

0 Helpful

Amardeep Kumar
Level 1
Level 1
In response to Amardeep Kumar

‎09-23-2010 08:40 PM

HI

May I talk to you on cell  , if you dont mind , I have spent whole night on the issue.

amardeepk@mycomputerstaff.com

Thanks

Amardeep

0 Helpful

Jitendriya Athavale
Cisco Employee
Cisco Employee
In response to Amardeep Kumar

‎09-23-2010 09:15 PM

hi amardeep,

if this issue is still unresolved, please paste the output of the command show crypto ipsec sa

0 Helpful

Amardeep Kumar
Level 1
Level 1
In response to Jitendriya Athavale

‎09-24-2010 12:33 AM

HI

here is the putput of the command you gave. But I am already running two another tunnel on asa 5505 and they are running properly.

From PIX --

interface: outside

    Crypto map tag: outside_map, local addr. Live IP

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)

   current_peer: ASA Live IP:0

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

   #send errors 0, #recv errors 0

     local crypto endpt.: Live IP, remote crypto endpt.: Remote ASA Live IP

     path mtu 1500, ipsec overhead 0, media mtu 1500

     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

FROM ASA

ciscoasa(config)# show crypto ipsec sa

interface: outside

    Crypto map tag: name, seq num: 2, local addr: Local IP IP ( Tunnel Already Running)

      access-list outside_2_cryptomap permit ip 192.168.12.0 255.255.254.0 192.1

68.20.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)

      current_peer: Remote Live IP (( Tunnel Already Running)

      #pkts encaps: 1600, #pkts encrypt: 1600, #pkts digest: 1600

      #pkts decaps: 1600, #pkts decrypt: 1600, #pkts verify: 1600

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1600, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: Local IP IP ( Tunnel Already Running), remote crypto endpt.: Remote Live IP (( Tunnel Already Running)

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 147F5CD2

    inbound esp sas:

      spi: 0xEC5DAE06 (3965562374)

         transform: esp-3des esp-md5-hmac none

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 2, crypto-map: name

         sa timing: remaining key lifetime (kB/sec): (4274905/28005)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x147F5CD2 (343891154)

         transform: esp-3des esp-md5-hmac none

         in use settings ={L2L, Tunnel, PFS Group 1, }

         slot: 0, conn_id: 2, crypto-map: name

         sa timing: remaining key lifetime (kB/sec): (4274904/28003)

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: name, seq num: 6, local addr: Local IP IP ( Tunnel Already Running)

      access-list 102 permit ip 192.168.12.0 255.255.254.0 192.168.3.0 255.255.2

55.0

      local ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)

      current_peer: Remote Live IP (( Tunnel Already Running)

      #pkts encaps: 1588, #pkts encrypt: 1588, #pkts digest: 1588

      #pkts decaps: 1539, #pkts decrypt: 1539, #pkts verify: 1539

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1590, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: Local Live IP ( Tunnel Already Running), remote crypto endpt.: Remote Live IP (( Tunnel Already Running)

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: F7114C6E

    inbound esp sas:

      spi: 0x5F116DB2 (1594977714)

         transform: esp-des esp-md5-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1, crypto-map: chetu

         sa timing: remaining key lifetime (kB/sec): (4274906/27995)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xF7114C6E (4145106030)

         transform: esp-des esp-md5-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 1, crypto-map: name

         sa timing: remaining key lifetime (kB/sec): (4274898/27993)

         IV size: 8 bytes

         replay detection support: Y

thanks

Amardeep

0 Helpful

Jitendriya Athavale
Cisco Employee
Cisco Employee
In response to Amardeep Kumar

‎09-24-2010 01:21 AM

looks like the phase 2 is not up

from which side are you trying to iniate the tunnel and how are you pinging (source ping from interfac eor inside hosts)

give the command management-access inside on both the devices and initiate a ping from both the sides but source it from the inside interface ip

ping inside

see if phase 2 comes up

also run a packet tracer and paste the output from 192.168.1.0 end

packet-tracer in inside icmp 192.168.1.100 8 0 192.168.12.100 detail

very imp: make sure the ip's that you use in packet tracer are not interface ip's

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card