09-23-2010 07:12 PM - edited 03-11-2019 11:44 AM
PIX 506e 6.3
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0
crypto isakmp policy 13 authen pre-share
crypto isakmp policy 13 encrypt 3des
crypto isakmp policy 13 hash sha
crypto isakmp policy 13 group 2
crypto isakmp policy 13 lifetime 86400
crypto ipsec transform-set MCS esp-3des esp-sha-hmac
isakmp key IT5ngr1 address yyy.yyy.yyy.yyy netmask 255.255.255.255 no-xauth no-config-mode
crypto map outside_map 1 match address 101
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer yyy.yyy.yyy.yyy
crypto map outside_map 1 set transform-set MCS
crypto map outside_map interface outside
------------------------------------------------------------------------------------------------------------------------------------------------
ASA 5505
access-list 101 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 104 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key IT5ngr1
crypto ipsec transform-set MCS1 esp-3des esp-sha-hmac
crypto map name 3 match address 104
crypto map name 3 set pfs group2
crypto map name 3 set peer xxx.xxx.xxx.xxx
crypto map name 3 set transform-set MCS1
crypto map name interface outside
crypto isakmp policy 13 authen pre-share
crypto isakmp policy 13 encrypt 3des
crypto isakmp policy 13 hash sha
crypto isakmp policy 13 group 2
crypto isakmp policy 13 lifetime 86400
----------
show crypto ipsec sa
in the output there is no IP for the tunnel
show crypto isakmp sa
5 IKE Peer: xxx.xxx.xxx.xxx
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There is a good response on the PIX; I can see both show commands' output on the PIX.
Please help, very urgent.
Thanks
Amardeep rana
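Added example, not code from the thread or from Cisco: a small Python check over the two posted configs that verifies the crypto ACLs on the PIX and ASA are mirror images of each other and that a nat 0 ACL exempts the same flows the crypto map protects. The config strings are constructed from the posts above (only the lines the check needs) and the helper names are my own.

```python
import ipaddress
import re
# Constructed from the PIX 506e and ASA 5505 configs posted in the thread.
PIX_CONFIG = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
crypto map outside_map 1 match address 101
"""
ASA_CONFIG = """
access-list 101 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0
access-list 104 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map name 3 match address 104
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")

def parse(config):
    """Return (ACEs by ACL name, crypto-map ACL names, nat 0 ACL names)."""
    acls, crypto, nat0 = {}, set(), set()
    for line in map(str.strip, config.strip().splitlines()):
        if m := ACE_RE.match(line):
            name, s, sm, d, dm = m.groups()
            # ip_network accepts dotted netmasks, so 192.168.12.0/255.255.254.0 -> /23
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := MATCH_RE.match(line):
            crypto.add(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))
    return acls, crypto, nat0

def crypto_flows(config):
    """Every (src, dst) pair that a crypto map on this box will try to protect."""
    acls, crypto, _ = parse(config)
    return {flow for name in crypto for flow in acls.get(name, [])}

def mirrored(cfg_a, cfg_b):
    """True when B's crypto ACL is exactly the mirror image (dst, src) of A's."""
    return crypto_flows(cfg_a) == {(d, s) for s, d in crypto_flows(cfg_b)}

def nat_exempt_covers_crypto(config):
    """True when a nat 0 ACL exempts every flow the crypto ACL protects."""
    acls, crypto, nat0 = parse(config)
    needed = {f for n in crypto for f in acls.get(n, [])}
    return needed <= {f for n in nat0 for f in acls.get(n, [])}
```

On the posted configs the ACLs mirror correctly, the ASA exempts its crypto flows from NAT, and the PIX does not until a nat 0 line referencing ACL 102 is added.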
09-23-2010 08:21 PM
Hey,
Can you also attach the outputs of "sh run | in nat" from the PIX and "sh run nat" from the ASA? Also please add the outputs of the "sh access-list
Regards,
Narayanan.
09-23-2010 08:28 PM
PIX
pixfirewall(config)# sh run | in nat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
pixfirewall(config)#
asa
ciscoasa# sh run nat
nat (inside) 0 access-list 101
nat (inside) 1 192.168.12.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
ciscoasa#
asa
access-list 101 line 4 extended permit ip 192.168.12.0 255.255.254.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2eb71f45
pix
pixfirewall(config)# sh access-list 102
access-list 102; 1 elements
access-list 102 line 1 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.254.0 (hitcnt=2406)
pixfirewall(config)#
Thanks
Amardeep Rana
09-23-2010 08:37 PM
Hey,
I think you are missing the nat exempt statement on the pix.
Kindly enter the following command:
nat (inside) 0 access-list 102
Regards,
Narayanan.
09-23-2010 08:48 PM
Hi
I ran this command but nothing happened.
thanks
Amardeep
09-23-2010 08:40 PM
Hi
May I talk to you on cell, if you don't mind? I have spent the whole night on the issue.
Thanks
Amardeep
09-23-2010 09:15 PM
hi amardeep,
if this issue is still unresolved, please paste the output of the command show crypto ipsec sa
09-24-2010 12:33 AM
Hi
Here is the output of the command you gave. But I am already running two other tunnels on the ASA 5505 and they are running properly.
From PIX --
interface: outside
Crypto map tag: outside_map, local addr. Live IP
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)
current_peer: ASA Live IP:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: Live IP, remote crypto endpt.: Remote ASA Live IP
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
FROM ASA
ciscoasa(config)# show crypto ipsec sa
interface: outside
Crypto map tag: name, seq num: 2, local addr: Local IP IP ( Tunnel Already Running)
access-list outside_2_cryptomap permit ip 192.168.12.0 255.255.254.0 192.168.20.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer: Remote Live IP (( Tunnel Already Running)
#pkts encaps: 1600, #pkts encrypt: 1600, #pkts digest: 1600
#pkts decaps: 1600, #pkts decrypt: 1600, #pkts verify: 1600
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1600, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: Local IP IP ( Tunnel Already Running), remote crypto endpt.: Remote Live IP (( Tunnel Already Running)
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 147F5CD2
inbound esp sas:
spi: 0xEC5DAE06 (3965562374)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 2, crypto-map: name
sa timing: remaining key lifetime (kB/sec): (4274905/28005)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x147F5CD2 (343891154)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 2, crypto-map: name
sa timing: remaining key lifetime (kB/sec): (4274904/28003)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: name, seq num: 6, local addr: Local IP IP ( Tunnel Already Running)
access-list 102 permit ip 192.168.12.0 255.255.254.0 192.168.3.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: Remote Live IP (( Tunnel Already Running)
#pkts encaps: 1588, #pkts encrypt: 1588, #pkts digest: 1588
#pkts decaps: 1539, #pkts decrypt: 1539, #pkts verify: 1539
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1590, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: Local Live IP ( Tunnel Already Running), remote crypto endpt.: Remote Live IP (( Tunnel Already Running)
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F7114C6E
inbound esp sas:
spi: 0x5F116DB2 (1594977714)
transform: esp-des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: chetu
sa timing: remaining key lifetime (kB/sec): (4274906/27995)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF7114C6E (4145106030)
transform: esp-des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1, crypto-map: name
sa timing: remaining key lifetime (kB/sec): (4274898/27993)
IV size: 8 bytes
replay detection support: Y
thanks
Amardeep
09-24-2010 01:21 AM
Looks like phase 2 is not up.
From which side are you trying to initiate the tunnel, and how are you pinging (source ping from interface or inside hosts)?
Give the command management-access inside on both the devices and initiate a ping from both sides, but source it from the inside interface IP:
ping inside
See if phase 2 comes up.
Also run a packet tracer and paste the output from the 192.168.1.0 end:
packet-tracer in inside icmp 192.168.1.100 8 0 192.168.12.100 detail
Very important: make sure the IPs that you use in packet tracer are not interface IPs.
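Added example, not code from the thread or from Cisco: a Python parser for `show crypto ipsec sa` output that classifies each crypto map entry the way this reply does, where an entry with no inbound or outbound ESP SA means phase 2 never negotiated. It goes slightly beyond the reply by also flagging an SA whose packet counters move in only one direction. The sample output is constructed after the PIX and ASA outputs posted above, with placeholder peer addresses, and the function names are my own.

```python
import re
# Constructed sample of "show crypto ipsec sa": the first entry mirrors the PIX
# output above (no ESP SAs, zero counters), the second an established tunnel.
SAMPLE = """\
interface: outside
Crypto map tag: outside_map, local addr. 198.51.100.1
  local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
  inbound esp sas:
  outbound esp sas:
Crypto map tag: name, seq num: 2, local addr: 198.51.100.2
  local ident (addr/mask/prot/port): (192.168.12.0/255.255.254.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
  #pkts encaps: 1600, #pkts encrypt: 1600, #pkts digest: 1600
  #pkts decaps: 1600, #pkts decrypt: 1600, #pkts verify: 1600
  inbound esp sas:
    spi: 0xEC5DAE06 (3965562374)
  outbound esp sas:
    spi: 0x147F5CD2 (343891154)
"""

IDENT_RE = re.compile(r"(local|remote) ident .*?: \((\S+?)/(\S+?)/")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """One dict per crypto map entry with the facts that show phase 2 state."""
    entries = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag: ", text)[1:]:
        ident = {side: f"{net}/{mask}" for side, net, mask in IDENT_RE.findall(chunk)}
        pkts = {k: int(v) for k, v in PKTS_RE.findall(chunk)}
        # ESP SA lines ("spi: 0x...") sit between the inbound and outbound headers
        inbound = chunk.partition("inbound esp sas:")[2].partition("outbound esp sas:")[0]
        outbound = chunk.partition("outbound esp sas:")[2].partition("outbound ah sas:")[0]
        entries.append({
            "tag": chunk.split(",", 1)[0].strip(),
            "local": ident.get("local"), "remote": ident.get("remote"),
            "encaps": pkts.get("encaps", 0), "decaps": pkts.get("decaps", 0),
            "in_sas": inbound.count("spi:"), "out_sas": outbound.count("spi:"),
        })
    return entries

def phase2_status(entry):
    """'no-sa' = no ESP SA negotiated; 'one-way' = SAs but traffic one direction; else 'up'."""
    if entry["in_sas"] == 0 or entry["out_sas"] == 0:
        return "no-sa"
    if entry["encaps"] == 0 or entry["decaps"] == 0:
        return "one-way"
    return "up"
```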