
PIX 501 to ASA 5520 VPN not working

Apr 4th, 2014

I am trying to set up a VPN between a customer's PIX and our ASA. I am new to both of these firewalls and just acquired access to both of them yesterday.

WSI-PAR-ASA# sh cryp is sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 173.15.202.145
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
WSI-PAR-ASA# sh run
: Saved
:
ASA Version 8.3(2)
!
hostname WSI-PAR-ASA
domain-name wsilc.local
enable password pD8LU0HnzGcOsuME encrypted
passwd rVeeEKq7K7syKusK encrypted
names
name 10.0.0.253 NTPDC
name 10.0.0.252 NOCSERVER1
!
interface GigabitEthernet0/0
 description outside interface to comcast gateway
 nameif outside
 security-level 0
 ip address 173.167.50.213 255.255.255.248
!
interface GigabitEthernet0/1
 description uplink to inside router
 nameif inside
 security-level 100
 ip address 10.1.255.1 255.255.255.252
!
interface GigabitEthernet0/2
 description B&B Exchange Environmnet (Hosting)
 shutdown
 nameif B&B_Exchange
 security-level 50
 ip address 192.168.33.1 255.255.255.252
!
interface GigabitEthernet0/3
 shutdown
 nameif Guest_wireless
 security-level 50
 ip address 10.0.240.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name wsilc.local
object network wheat_hii_nat
 subnet 10.1.0.0 255.255.255.0
object network wheat_hii_vpn
 subnet 10.0.0.0 255.255.255.0
object network ME_WEB
 host 10.1.0.8
object network Wireless
 subnet 10.0.10.0 255.255.255.0
object network wheat_new_ips
 subnet 10.0.250.0 255.255.255.0
object network guest_wireless
 subnet 10.0.240.0 255.255.255.0
object network NTPDC
 host 10.0.0.253
object network Mac_Chad_VNC
 host 10.1.0.19
 description Remote Access to Chad's system
object service VNC
 service tcp source eq 5900 destination eq 5900
object network HyperV_Host1
 host 10.0.0.2
 description Remote Access to HyperV Host 1
object network 173.167.50.212
 host 173.167.50.212
object network IT360SRV
 host 10.1.0.7
 description IT 360 Central Server
object network CoH_Test
 subnet 192.168.99.0 255.255.255.0
object network NEC_VoiceServer
 host 10.0.48.247
 description NEC Phone System
object network wheat_hii_voice
 subnet 10.0.48.0 255.255.255.0
 description Voice Servers
object network NEC_VoiceMailServer
 host 10.0.48.249
 description Voicemail Web Interface
object service RDP
 service tcp destination eq 3389
object network RedCloud_Appliance
 host 10.1.0.20
 description RedCloud_Appliance
object service RedCloud_Panel
 service tcp source eq 3001 destination eq 3001
object network HyperV_Host2
 host 10.0.0.3
 description Remote Access to HyperV Host 2
object network RedCloud_WebAccess
 host 10.1.0.20
 description HTTPS to RedCloud Appliance
object service RedCloud_SSL
 service tcp destination eq 9443
object network Imac_RDP1
 host 10.1.0.220
 description Imac RDP for Chad
object network Imac_RDP2
 host 10.1.0.220
 description Imac RDP for Chad
object network Imac_RDP3
 host 10.1.0.220
 description Imac RDP for Chad
object network Wiki
 host 10.1.0.220
object network Wiki2
 host 10.1.0.220
object network RedCloud_6050
 host 10.1.0.20
 description RedCloud Flash Player
object network RedCloud_843
 host 10.1.0.20
 description RedCloud Appliance Access
object network 173.167.50.211
 host 173.167.50.211
object network B&B_Exchange_Server
 host 192.168.33.2
 description B&B Exchange Server (Hosting)
object network MESandbox
 host 10.0.0.10
 description MESandbox Server
object network iCHRIE
 subnet 10.4.5.0 255.255.255.0
object-group service SBS_services tcp-udp
 port-object eq 4125
 port-object eq 443
 port-object eq 444
 port-object eq 25
 port-object eq 987
 port-object eq 8080
 port-object eq 1723
 port-object eq 21
 port-object eq 20
 port-object range 65000 65500
 port-object eq domain
 port-object eq 143
 port-object eq 110
 port-object eq 993
 port-object eq 995
object-group service ME_services tcp-udp
 port-object eq 8100
 port-object eq 8200
 port-object eq 8300
 port-object eq 8400
 port-object eq 8443
object-group service Mac_Mini_Remote tcp-udp
 port-object eq 3283
 port-object eq 5900
 port-object eq 443
 port-object eq www
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network AMAZON_PROD_VPC
 network-object 172.24.0.0 255.255.0.0
object-group service RedCloud_Service tcp
 description RedCloud Appliance Services
 port-object eq 3001
 port-object eq 6050
 port-object eq 843
 port-object eq 9443
access-list outside_inbound extended permit ip any any inactive
access-list outside_inbound extended permit object RDP any object HyperV_Host1 inactive
access-list outside_inbound extended permit object RDP any object HyperV_Host2 inactive
access-list outside_inbound extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0 inactive
access-list outside_inbound extended permit tcp any object NEC_VoiceServer eq www inactive
access-list outside_inbound extended permit tcp any host 10.0.0.253 object-group SBS_services
access-list outside_inbound extended permit gre any host 10.0.0.253
access-list outside_inbound extended permit object-group TCPUDP any host 10.1.0.8 object-group ME_services inactive
access-list outside_inbound extended permit object-group TCPUDP any object IT360SRV object-group ME_services
access-list outside_inbound extended permit tcp any object NEC_VoiceMailServer eq https
access-list outside_inbound extended permit tcp any object RedCloud_Appliance object-group RedCloud_Service
access-list outside_inbound extended permit tcp any object RedCloud_WebAccess eq https
access-list outside_inbound remark Customer Web Access to RedCloud
access-list outside_inbound extended permit object-group TCPUDP any object Imac_RDP1 object-group Mac_Mini_Remote inactive
access-list outside_inbound remark B&B Exchange Hosting
access-list outside_inbound extended permit object-group TCPUDP any object B&B_Exchange_Server object-group SBS_services inactive
access-list outside_inbound extended permit object RDP any object MESandbox
access-list outside_inbound remark B&B Exchange Hosting
access-list outside_inbound remark Customer Web Access to RedCloud
access-list 101 extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 extended permit ip 10.0.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl-amazon extended permit ip any 172.24.0.0 255.255.0.0
access-list inside_access_in extended permit tcp host 10.0.0.253 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip object wheat_hii_nat object iCHRIE
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu B&B_Exchange 1500
mtu Guest_wireless 1500
ip local pool VPNIP 10.0.254.1-10.0.254.15
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static wheat_hii_nat wheat_hii_nat destination static wheat_hii_vpn wheat_hii_vpn
nat (inside,outside) source static wheat_hii_nat wheat_hii_nat destination static AMAZON_PROD_VPC AMAZON_PROD_VPC
nat (inside,outside) source static wheat_hii_nat wheat_hii_nat destination static iCHRIE iCHRIE
!
object network wheat_hii_nat
 nat (inside,outside) dynamic interface
object network wheat_hii_vpn
 nat (inside,outside) dynamic interface
object network Wireless
 nat (inside,outside) dynamic interface
object network wheat_new_ips
 nat (inside,outside) dynamic interface
object network guest_wireless
 nat (inside,outside) dynamic interface
object network NTPDC
 nat (inside,outside) static 173.167.50.209
object network HyperV_Host1
 nat (inside,outside) static 173.167.50.210 service tcp 3389 3382
object network IT360SRV
 nat (any,any) static 173.167.50.212
object network CoH_Test
 nat (any,outside) dynamic interface
object network NEC_VoiceServer
 nat (inside,outside) static 173.167.50.210 service tcp www www
object network wheat_hii_voice
 nat (any,outside) dynamic interface
object network NEC_VoiceMailServer
 nat (inside,outside) static 173.167.50.210 service tcp https https
object network RedCloud_Appliance
 nat (inside,outside) static 173.167.50.210 service tcp 3001 3001
object network HyperV_Host2
 nat (inside,outside) static 173.167.50.210 service tcp 3389 3383
object network RedCloud_WebAccess
 nat (inside,outside) static 173.167.50.210 service tcp https 9443
object network Imac_RDP1
 nat (any,any) static 173.167.50.210 service tcp 3283 3283
object network Imac_RDP2
 nat (any,any) static 173.167.50.210 service tcp 5900 5900
object network Wiki
 nat (inside,outside) static 173.167.50.210 service tcp https 2443
object network Wiki2
 nat (inside,outside) static 173.167.50.210 service tcp www 280
object network RedCloud_6050
 nat (inside,outside) static 173.167.50.210 service tcp 6050 6050
object network RedCloud_843
 nat (inside,outside) static 173.167.50.210 service tcp 843 843
object network B&B_Exchange_Server
 nat (B&B_Exchange,outside) static 173.167.50.211
object network MESandbox
 nat (inside,outside) static 173.167.50.210 service tcp 3389 7177
!
nat (inside,outside) after-auto source static wheat_hii_voice interface unidirectional
access-group outside_inbound in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 173.167.50.214 1
route inside 10.0.0.0 255.255.255.0 10.1.255.2 1
route inside 10.0.10.0 255.255.255.0 10.1.255.2 1
route inside 10.0.48.0 255.255.255.0 10.1.255.2 1
route inside 10.0.240.0 255.255.255.0 10.1.255.2 1
route inside 10.0.250.0 255.255.255.0 10.1.255.2 1
route inside 10.1.0.0 255.255.0.0 10.1.255.2 1
route inside 10.1.100.0 255.255.255.0 10.1.255.2 1
route inside 192.168.99.0 255.255.255.0 10.1.255.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.0.0 255.255.255.0 inside
snmp-server host inside 10.1.0.5 community *****
no snmp-server location
snmp-server contact NOC
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 2147483647
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map WHEATHII 1 match address 101
crypto map WHEATHII 1 set pfs
crypto map WHEATHII 1 set peer 173.167.50.209
crypto map WHEATHII 1 set transform-set ESP-3DES-SHA
crypto map TO_AMAZON 1 match address outside_1_cryptomap
crypto map TO_AMAZON 1 set peer 173.15.202.145
crypto map TO_AMAZON 1 set transform-set ESP-3DES-SHA
crypto map TO_AMAZON 10 match address acl-amazon
crypto map TO_AMAZON 10 set pfs
crypto map TO_AMAZON 10 set peer 205.251.233.122 205.251.233.121
crypto map TO_AMAZON 10 set transform-set transform-amzn
crypto map TO_AMAZON interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 138.236.128.36 source outside
ntp server 72.26.198.233 source outside
ntp server 65.182.224.60 source outside
webvpn
username ssmith password SOgzNhPphuvZ3kQf encrypted privilege 15
username dmills password CohQOQ5Qubm4l8kx encrypted privilege 15
username Don password 9c3pIbTEkyTWNKsj encrypted privilege 15
username kdingwall password tZijbQGDZn4JdBm4 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 3
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 3
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 3
tunnel-group 173.167.50.209 type ipsec-l2l
tunnel-group 173.167.50.209 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 3
tunnel-group 205.251.233.122 type ipsec-l2l
tunnel-group 205.251.233.122 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 3
tunnel-group 205.251.233.121 type ipsec-l2l
tunnel-group 205.251.233.121 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 3
tunnel-group 173.15.202.145 type ipsec-l2l
tunnel-group 173.15.202.145 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
class-map default
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1fd55a2281d0dedc46b0d4a6ac223027
: end

ICHRIEpix# show conf
: Saved
: Written by admin at 21:14:08.210 UTC Thu Feb 11 1993
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password BUBNK77GIFseOoUT encrypted
passwd eIax9fdkHD7dOu8M encrypted
hostname ICHRIEpix
domain-name Ichrie.local.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network ENGINEERS
  description NDSE for Site to Site
  network-object host 10.1.101.40
  network-object host 10.1.101.41
  network-object host 10.1.101.42
  network-object host 10.1.101.20
  network-object host 10.1.101.21
  network-object host 10.1.101.22
  network-object host 10.1.101.23
  network-object host 10.1.101.24
  network-object host 10.1.101.25
  network-object host 10.1.101.26
  network-object host 10.1.101.27
  network-object host 10.1.101.28
  network-object host 10.1.101.29
access-list 90 permit ip 10.5.4.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list OBX permit icmp any any echo-reply
access-list OBX permit icmp any any traceroute
access-list OBX permit icmp any any information-reply
access-list OBX permit icmp any any unreachable
access-list OBX permit icmp any any time-exceeded
access-list OBX permit udp any any eq 4500
access-list OBX permit tcp any any eq 16000
access-list OBX deny udp any any eq isakmp log
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap warnings
logging queue 5000
logging device-id hostname
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 173.15.202.145 255.255.255.248
ip address inside 10.5.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm drop reset
ip local pool RASVPNpool 10.255.255.40-10.255.255.50
pdm location 0.0.0.0 0.0.0.0 inside
pdm location 10.255.255.0 255.255.255.0 outside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group OBX in interface outside
route outside 0.0.0.0 0.0.0.0 173.15.202.150 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication secure-http-client
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 137.167.50.213 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
snmp-server host outside 192.168.188.93
snmp-server host outside 74.92.186.90
snmp-server host outside 74.92.186.93
snmp-server location Dr. Hazelgrove
snmp-server contact FE4 Consulting
snmp-server community fe4@!*^&%only
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map INFIAN 1 ipsec-isakmp
crypto map INFIAN 1 match address 90
crypto map INFIAN 1 set peer 173.167.50.213
crypto map INFIAN 1 set transform-set strong
crypto map INFIAN interface outside
isakmp key ******** address 173.167.50.213 netmask 255.255.255.255
isakmp client configuration address-pool local RASVPNpool outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 28000
vpngroup iChR3_Kathy address-pool RASVPNpool
vpngroup iChR3_Kathy dns-server 10.4.5.100 64.83.1.10
vpngroup iChR3_Kathy default-domain Ichrie.local.com
vpngroup iChR3_Kathy split-tunnel NONAT
vpngroup iChR3_Kathy idle-time 1800
vpngroup iChR3_Kathy password ********
vpngroup NDSE address-pool RASVPNpool
vpngroup NDSE dns-server 10.4.5.100 64.83.1.10
vpngroup NDSE default-domain Ichrie.local.com
vpngroup NDSE split-tunnel NONAT
vpngroup NDSE idle-time 1800
vpngroup NDSE password ********
telnet timeout 5
ssh 137.167.50.213 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 137.167.50.213 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname vze7qrga
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username admin password y8ugfM8XdzxhKi4f encrypted privilege 15
terminal width 80
banner login monitoring to appropriate officials.
banner motd WARNING!!!
banner motd This system is solely for the use of authorized users for official purposes.
banner motd You have no expectation of privacy in its use and to ensure that the system
banner motd is functioning properly; individuals using this computer system are subject
banner motd to having all of their activities monitored and recorded by system personnel.
banner motd Use of this system evidences an express consent to such monitoring and
banner motd agreement that if such monitoring reveals evidence of possible abuse or
banner motd criminal activity, system personnel may provide the results of such
banner motd monitoring to appropriate officials.
Cryptochecksum:f275e46af056967683a137acf191b8b4
ICHRIEpix#

speed41ae Fri, 04/04/2014 - 08:44

I figured it out.

I needed

isakmp enable outside

on the PIX and change

object network iCHRIE
 subnet 10.4.5.0 255.255.255.0

to

object network iCHRIE
 subnet 10.5.4.0 255.255.255.0

on the ASA.
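The fix above came down to two things that can be checked mechanically on any IKEv1 L2L pair: ISAKMP must be enabled on the crypto-map interface of both peers (the ASA's MM_WAIT_MSG2 means it sent main-mode message 1 and never got a reply), and the crypto ACLs must be exact mirrors (the ASA selected 10.1.0.0/24 to 10.4.5.0/24 while the PIX selected 10.5.4.0/24 to 10.1.0.0/24). The script below is an added example, not code from the thread or from Cisco; it runs over constructed excerpts of the two posted configs, reports both defects, and shows them clear once the two posted changes are applied.

```python
import ipaddress
import re

# Constructed excerpts of the two configs posted in the thread (not the full configs).
ASA_CFG = """\
object network wheat_hii_nat
 subnet 10.1.0.0 255.255.255.0
object network iCHRIE
 subnet 10.4.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object wheat_hii_nat object iCHRIE
crypto map TO_AMAZON 1 match address outside_1_cryptomap
crypto map TO_AMAZON 1 set peer 173.15.202.145
crypto map TO_AMAZON interface outside
crypto isakmp enable outside
"""
PIX_CFG = """\
access-list 90 permit ip 10.5.4.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map INFIAN 1 match address 90
crypto map INFIAN 1 set peer 173.167.50.213
crypto map INFIAN interface outside
"""
# The two changes from the fix posted in the thread, applied to the excerpts.
PIX_FIXED = PIX_CFG + "isakmp enable outside\n"
ASA_FIXED = ASA_CFG.replace("subnet 10.4.5.0", "subnet 10.5.4.0")

def parse_objects(cfg):
    """'object network NAME' (subnet or host form, ASA 8.3+) -> ip_network."""
    objs, name = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            name = m[1]
        elif name and (m := re.match(r"\s+(?:subnet|host) (\S+)(?: (\S+))?", line)):
            objs[name] = ipaddress.ip_network(f"{m[1]}/{m[2]}" if m[2] else m[1])
    return objs

def _endpoint(toks, objs):
    """Consume one ACL endpoint: any | host A | object NAME | A MASK."""
    t = toks.pop(0)
    if t in ("any", "host"):
        return ipaddress.ip_network("0.0.0.0/0" if t == "any" else toks.pop(0))
    return objs[toks.pop(0)] if t == "object" else ipaddress.ip_network(f"{t}/{toks.pop(0)}")

def proxy_ids(cfg):
    """(src, dst) pairs selected by crypto-map 'match address' lines, and the map's interface."""
    objs, acls, used, iface = parse_objects(cfg), {}, set(), None
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\S+) (?:extended )?permit ip (.*)", line):
            toks = m[2].split()
            acls.setdefault(m[1], []).append((_endpoint(toks, objs), _endpoint(toks, objs)))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            used.add(m[1])
        elif m := re.match(r"crypto map \S+ interface (\S+)", line):
            iface = m[1]
    return {pair for name in used for pair in acls.get(name, [])}, iface

def check_tunnel(local_cfg, remote_cfg):
    """Findings for the local side: ISAKMP on the map interface, and mirrored proxy IDs.
    PIX 6.3 writes 'isakmp enable IF'; ASA writes 'crypto isakmp enable IF'."""
    local, iface = proxy_ids(local_cfg)
    remote, _ = proxy_ids(remote_cfg)
    findings = []
    if iface and not re.search(rf"^(?:crypto )?isakmp enable {re.escape(iface)}$", local_cfg, re.M):
        findings.append(f"ISAKMP not enabled on {iface}")
    for src, dst in sorted(local, key=str):
        if (dst, src) not in remote:  # the peer must select exactly the reversed pair
            findings.append(f"no mirror on peer for {src} -> {dst}")
    return findings
```

Run `check_tunnel(ASA_CFG, PIX_CFG)` and `check_tunnel(PIX_CFG, ASA_CFG)` to see each side's findings; the same calls on the `_FIXED` excerpts return empty lists.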
