Cannot get end to end vpn to work between ASA5510 and PIX506

May 5th, 2006

Hello all, I am sure I am close, but I am missing something. I have an ASA5510 that does client VPNs with RADIUS authentication as well as one end of a VPN tunnel to a PIX 506. The client VPN works great, and there are no issues. The device tunnel is a different story. I cannot get traffic to go across the VPN tunnel between the ASA and the 506 from either side. I have verified that clients behind both firewalls can get to the internet. My configs are below. Your help is greatly appreciated.


The LAN side of the ASA is 192.168.1.0. The LAN side of the PIX 506 is 10.20.30.0.


ASA5510

hostname sb
domain-name business.com
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list sb_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.2.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list 102 extended permit icmp 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
!
ip local pool ippool 10.2.2.1-10.2.2.254 mask 255.255.255.0
global (outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.x.x.83.41.134 1
aaa-server sbVPN protocol radius
aaa-server sbVPN host exchange
 timeout 5
 key XXXXXXXXXXXXXX
group-policy sbVPN internal
group-policy sbVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sb_splitTunnelAcl
 default-domain value sb.local
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.113.230.97
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group sbVPN type ipsec-ra
tunnel-group sbVPN general-attributes
 address-pool ippool
 authentication-server-group sbVPN
 authorization-server-group sbVPN
 accounting-server-group sbVPN
 default-group-policy sbVPN
 strip-realm
 strip-group
tunnel-group sbVPN ipsec-attributes
 pre-shared-key *
tunnel-group 201.x.x.97 type ipsec-l2l
tunnel-group 201.x.x.97 ipsec-attributes
 pre-shared-key *


PIX2 Relevant Config

hostname SB2PIX506
domain-name business2.com
access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 201.113.x.x.x.255.0
ip address inside 10.20.30.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.x.x.113.230.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 83.x.x.133
crypto map mymap 10 set transform-set ESP-3DES-SHA
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 83.x.x.133 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
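Two things a site-to-site tunnel between a PIX and an ASA needs before any traffic flows are crypto ACLs that are exact mirrors of each other (the phase 2 proxy IDs) and a NAT-exemption ACL that covers the same pairs, so the interesting traffic is not translated by the `nat (inside) 1` rule before it is encrypted. The script below is an added example, not from the thread or from Cisco; it parses the three `permit ip` access-lists posted above (copied in as constructed input) and checks both conditions, so the same check can be rerun on any pair of PIX/ASA configs.

```python
import ipaddress

# Constructed from the ACLs posted in the thread: the ASA's crypto ACL
# (outside_cryptomap_20), its NAT-exemption ACL (Inside_nat0_outbound) and
# the PIX 506's ACL 100, which it uses both for the crypto map and nat 0.
ASA_CRYPTO_ACL = ["access-list outside_cryptomap_20 extended permit ip "
                  "192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0"]
ASA_NAT0_ACL = ["access-list Inside_nat0_outbound extended permit ip "
                "192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0"]
PIX_CRYPTO_ACL = ["access-list 100 permit ip "
                  "10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0"]

def _take_net(tokens):
    """Consume one PIX/ASA address spec: 'any', 'host A' or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_aces(lines):
    """Return the set of (src, dst) networks from 'permit ip' entries.

    Deny entries, standard ACLs and non-IP protocols (e.g. icmp) are skipped:
    only permit-ip entries define the proxy IDs negotiated in IKE phase 2."""
    pairs = set()
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        if t[2] == "extended":          # ASA syntax; PIX 6.x omits the keyword
            del t[2]
        if t[2:4] != ["permit", "ip"]:
            continue
        rest = t[4:]
        src = _take_net(rest)
        dst = _take_net(rest)
        pairs.add((src, dst))
    return pairs

def mirrored(local_acl, remote_acl):
    """True when the remote crypto ACL is the exact mirror of the local one."""
    local = parse_aces(local_acl)
    return {(d, s) for s, d in local} == parse_aces(remote_acl)

def nat_exempt_covers(crypto_acl, nat0_acl):
    """True when every crypto (src, dst) pair lies inside some NAT-exempt pair."""
    exempt = parse_aces(nat0_acl)
    return all(any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)
               for s, d in parse_aces(crypto_acl))
```

For the ACLs in this thread both checks pass, which is consistent with the reply below that the config looks fine and the next step is `debug crypto isakmp` / `debug crypto ipsec` on both peers.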

Fernando_Meza Tue, 05/09/2006 - 17:21

hi .. the config seems OK .. are you able to ping each other's public interfaces ..? please allow this on each outside interface to make sure reachability is OK .. if they can then .. do a debug crypto isakmp and debug crypto ipsec on both ( ASA and PIXes ) and post the output
