05-05-2006 10:15 AM - edited 02-21-2020 02:24 PM
Hello all, I am sure I am close, but I am missing something. I have an ASA5510 that does client VPNs with RADIUS authentication as well as one end of a VPN tunnel to a PIX 506. The client VPN works great, and there are no issues. The device tunnel is a different story. I cannot get traffic to go across the VPN tunnel between the ASA and the 506 from either side. I have verified that clients behind both firewalls can get to the internet. My configs are below. Your help is greatly appreciated.
The LAN side of the ASA is 192.168.1.0. The LAN side of the PIX 506 is 10.20.30.0.
ASA5510
hostname sb
domain-name business.com
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list sb_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.2.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list 102 extended permit icmp 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
!
ip local pool ippool 10.2.2.1-10.2.2.254 mask 255.255.255.0
global (outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.x.x.83.41.134 1
aaa-server sbVPN protocol radius
aaa-server sbVPN host exchange
timeout 5
key XXXXXXXXXXXXXX
group-policy sbVPN internal
group-policy sbVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sb_splitTunnelAcl
default-domain value sb.local
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.113.230.97
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group sbVPN type ipsec-ra
tunnel-group sbVPN general-attributes
address-pool ippool
authentication-server-group sbVPN
authorization-server-group sbVPN
accounting-server-group sbVPN
default-group-policy sbVPN
strip-realm
strip-group
tunnel-group sbVPN ipsec-attributes
pre-shared-key *
tunnel-group 201.x.x.97 type ipsec-l2l
tunnel-group 201.x.x.97 ipsec-attributes
pre-shared-key *
PIX2 Relevant Config
hostname SB2PIX506
domain-name business2.com
access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 201.113.x.x.x.255.0
ip address inside 10.20.30.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.x.x.113.230.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 83.x.x.133
crypto map mymap 10 set transform-set ESP-3DES-SHA
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 83.x.x.133 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
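Whether a site-to-site tunnel comes up depends on the two ends being mirror images of each other: the crypto ACL on one side must be the reverse of the other's, each side's nat 0 exemption must cover the tunnel traffic, and the transform set and ISAKMP policy must agree. The script below is an added example, not code from the original post or from Cisco. It embeds the tunnel-relevant lines of the two posted configs as constructed samples (the anonymised peer addresses are left out), runs those consistency checks over them, and then runs the same checks against a deliberately altered copy of the PIX ACL to show what a mismatch report looks like. The parsing is regex-based and written only for the PIX 6.x / ASA 7.0 syntax seen in the post.

```python
"""Cross-check a PIX/ASA site-to-site pair for mirror-image crypto ACLs,
nat 0 exemption covering the tunnel traffic, and matching IPsec/ISAKMP
proposals. Written for the PIX 6.x / ASA 7.0 syntax shown in the post."""
import re
from typing import Dict, FrozenSet, List, Tuple

Flow = Tuple[str, str, str, str]  # (src net, src mask, dst net, dst mask)

# Constructed samples: the tunnel-relevant lines of the two configs in the
# post, with the anonymised peer addresses omitted.
ASA_CONFIG = """access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.2.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400"""

PIX_CONFIG = """access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set transform-set ESP-3DES-SHA
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400"""

# Constructed negative case: the remote crypto ACL points at the wrong LAN.
PIX_CONFIG_MISMATCH = PIX_CONFIG.replace(
    "access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0",
    "access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.2.0 255.255.255.0")


def _endpoint(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Read one ACL endpoint at tok[i]; returns ((net, mask), index after it)."""
    if tok[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "255.255.255.255"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acls(config: str) -> Dict[str, List[Flow]]:
    """Collect 'permit ip' entries per ACL name (PIX 6.x and ASA 'extended' forms)."""
    acls: Dict[str, List[Flow]] = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        name, rest = tok[1], tok[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        if rest[:2] != ["permit", "ip"]:
            continue
        (src, smask), i = _endpoint(rest, 2)
        (dst, dmask), _ = _endpoint(rest, i)
        acls.setdefault(name, []).append((src, smask, dst, dmask))
    return acls


def _first(pattern: str, config: str) -> str:
    """First capture group of the first line matching pattern, or raise."""
    m = re.search(pattern, config, re.M)
    if not m:
        raise ValueError(f"pattern not found: {pattern}")
    return m.group(1)


def crypto_acl(config: str) -> List[Flow]:
    """Flows of the ACL bound to the static crypto map entry (not the dynamic-map)."""
    return parse_acls(config)[_first(r"^crypto map \S+ \d+ match address (\S+)$", config)]


def nat0_acl(config: str) -> List[Flow]:
    """Flows exempted from NAT by 'nat (<if>) 0 access-list <name>'."""
    return parse_acls(config)[_first(r"^nat \(\S+\) 0 access-list (\S+)$", config)]


def transform_set(config: str) -> FrozenSet[str]:
    """Algorithms of the transform set selected by the static crypto map entry."""
    name = _first(r"^crypto map \S+ \d+ set transform-set (\S+)$", config)
    algs = _first(rf"^crypto ipsec transform-set {re.escape(name)} (.+)$", config)
    return frozenset(algs.split())


def isakmp_policies(config: str) -> List[FrozenSet[Tuple[str, str]]]:
    """Each ISAKMP policy as a set of (attribute, value) pairs."""
    pols: Dict[str, Dict[str, str]] = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        pols.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return [frozenset(p.items()) for p in pols.values()]


def mirror(flows: List[Flow]) -> List[Flow]:
    """Swap source and destination: what the far end's crypto ACL must read."""
    return [(d, dm, s, sm) for (s, sm, d, dm) in flows]


def check_pair(local: str, remote: str) -> Dict[str, bool]:
    """Named consistency checks; every value must be True for the L2L tunnel to work."""
    lc, rc = crypto_acl(local), crypto_acl(remote)
    return {
        "crypto_acl_mirrored": set(lc) == set(mirror(rc)),
        "local_nat0_covers_crypto": set(lc) <= set(nat0_acl(local)),
        "remote_nat0_covers_crypto": set(rc) <= set(nat0_acl(remote)),
        "transform_set_match": transform_set(local) == transform_set(remote),
        "isakmp_policy_match": bool(set(isakmp_policies(local)) & set(isakmp_policies(remote))),
    }


if __name__ == "__main__":
    for label, remote in (("as posted", PIX_CONFIG), ("mismatched ACL", PIX_CONFIG_MISMATCH)):
        print(label)
        for name, ok in check_pair(ASA_CONFIG, remote).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {name}")
```

Run against the lines as posted, every check passes, which is consistent with the reply below: the proposals and ACLs line up, so the next step is reachability between the outside interfaces and the ISAKMP/IPsec debugs rather than further config surgery. The altered copy fails only `crypto_acl_mirrored`, which is the single most common reason an otherwise healthy L2L tunnel never negotiates a phase 2 SA.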
05-09-2006 05:21 PM
hi .. the config seems OK .. are you able to ping each other's public interfaces ..? please allow this on each outside interface to make sure reachability is OK .. if they can then .. do a debug crypto isakmp and debug crypto ipsec on both (ASA and PIXes) and post the output