New Member

Cisco 2811 ISR behind Cisco PIX 515

Hello Experts,

I was trying to build a site-to-site VPN between two locations using Cisco 2811 ISR routers. At site A the 2811 router is behind a Cisco ASA with version 7.2, and at site B the Cisco 2811 router is behind a Cisco PIX 515 with version 6.3. The tunnel does not seem to come up; all the VPN configurations are fine, but the tunnel fails in Phase 2.

With the same configuration, the tunnel is working fine between Site A and Site C, where both the Cisco 2811 ISR routers are behind Cisco ASA 5510 with version 7.2.

On the Cisco ASA 5510 and Cisco PIX 515, we have only done a static NAT and opened the inbound and outbound IP traffic for the head-end IP addresses.

Are there any compatibility issues between Cisco ISR routers and the Cisco PIX 515 with version 6.3?

Thanks

Arabinda

  • Firewalling
26 REPLIES

Re: Cisco 2811 ISR behind Cisco PIX 515

The cause is that you are not permitting Protocol 50 through the firewall to establish IPSEC Phase 2.

HTH>

New Member

Re: Cisco 2811 ISR behind Cisco PIX 515

Hello Andrew,

Thank you for your response.

I have allowed IP traffic both inbound and outbound on the firewalls at both sites. With this configuration the tunnel between Site A and Site C is working fine, but not between Site A - Site B or Site C - Site B. The only difference is that Site B has a Cisco PIX 515 with version 6.3, and the other two sites have an ASA 5510 with version 7.2.

So I was suspecting that the PIX requires some additional configuration, or that the PIX and ISR routers are not compatible.

Thanks

Arabinda

Re: Cisco 2811 ISR behind Cisco PIX 515

Arabinda,

If you have an ACL that allows "IP" through, this also permits TCP/UDP. Phase 1 of a VPN tunnel is ISAKMP, typically UDP port 500, so this will work.

ESP, which is Phase 2 of the VPN, uses protocol number 50, so you also need to add to the ACL a permit for protocol 50 (ESP).

Once you have done this, Phase 2 will complete, as long as all the config matches.

HTH>

New Member

Re: Cisco 2811 ISR behind Cisco PIX 515

Hello Andrew,

Thank you for your suggestion.

I tried that: I added another ACL entry allowing ESP, both inbound and outbound, on both firewalls, and it still does not work.

Attached is a log file; hopefully it throws some light on what the issue is.

Thanks

Arabinda

Re: Cisco 2811 ISR behind Cisco PIX 515

Post the config of the ACL, with sensitive information removed.

New Member

Re: Cisco 2811 ISR behind Cisco PIX 515

Hello Andrew,

Here is the ACL which is applied on the PIX where the static NAT is done.

access-list outside-acl extended permit ip host 12.x.x.x host 12.x.x.x
access-list outside-acl extended permit esp host 12.x.x.x host 12.x.x.x
access-group outside-acl in interface outside

access-list inside-acl extended permit ip host 10.x.x.x any
access-list inside-acl extended permit esp host 10.x.x.x any
access-group inside-acl in interface inside

static (inside,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255

The config on the ASA box at the other side is similar.

Thanks

Arabinda

Re: Cisco 2811 ISR behind Cisco PIX 515

Change to:

access-list outside-acl extended permit udp host 12.x.x.x host 12.x.x.x eq 500
access-list outside-acl extended permit udp host 12.x.x.x host 12.x.x.x eq 4500
access-list outside-acl extended permit esp host 12.x.x.x host 12.x.x.x

There is no need for the entries on the inside-acl, they should be removed.

New Member

Re: Cisco 2811 ISR behind Cisco PIX 515

Okay, thank you Andrew, let me try it out.

Does this ACL only apply to the PIX 515? With the ACL mentioned earlier I have the VPN working perfectly between two sites; the difference is that there we have an ASA 5510 as the NAT device.

Thanks

Arabinda

Silver

Re: Cisco 2811 ISR behind Cisco PIX 515

Andrew,

I have to disagree with you on this. Arabinda has this in the ACL:

access-list outside-acl extended permit ip host 12.x.x.x host 12.x.x.x

That should cover everything, including UDP/500, UDP/4500 and ESP, right?

Why does he have to modify the ACL? One other thing: you should put "log" at the end of the ACL entry so that you can see on the syslog server or in the logging buffer whether the traffic is permitted or denied.

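The question running through the replies above (does `permit ip host A host B` already cover IKE and ESP, or are explicit UDP/500, UDP/4500 and ESP entries needed?) can be checked mechanically rather than argued. What follows is an added example, not code from the thread or from Cisco: a small Python parser for the access-list syntax used in the posts, a matcher that applies entries in order with the implicit deny at the end, and a check of the three inbound flows a site-to-site IPsec tunnel to a statically NATed head-end needs. The sample ACLs are constructed from the posted ones, with RFC 5737 documentation addresses standing in for the 12.x.x.x placeholders. Running it shows that `permit ip` matches ESP and both UDP ports exactly as the explicit entries do, that an IKE-only ACL blocks Phase 2 in the way Andrew describes, and that the posted `permit host 10.x.x.x esp any` line is rejected because the protocol keyword has to come before the addresses. UDP/4500 is in the check deliberately: with the 2811 behind static NAT, IKE detects the NAT and, if both peers support NAT-T, ESP is carried inside UDP/4500 and no protocol 50 traffic appears on the firewall at all.

```python
"""Added example (not from the forum thread): check a PIX/ASA-style access list
for the flows a site-to-site IPsec tunnel needs. Parses only the syntax the
thread uses: access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT] [log],
with SRC/DST = "host A.B.C.D" or "any". Sample ACLs are constructed from the
posted ones, with 12.x.x.x / 10.x.x.x replaced by RFC 5737 addresses."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Protocol keywords the parser accepts -> IP protocol number; "ip" matches any protocol.
IP_PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


@dataclass(frozen=True)
class Ace:
    action: str
    proto: Optional[int]        # None = "ip"
    src: Optional[IPv4Address]  # None = "any"
    dst: Optional[IPv4Address]  # None = "any"
    dport: Optional[int]        # None = no "eq PORT" qualifier
    log: bool

    def matches(self, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.src is None or self.src == IPv4Address(src))
                and (self.dst is None or self.dst == IPv4Address(dst))
                and (self.dport is None or self.dport == dport))


def _addr(t: list[str], i: int) -> tuple[Optional[IPv4Address], int]:
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return IPv4Address(t[i + 1]), i + 2
    raise ValueError(f"unsupported address spec '{t[i]}'")


def parse_ace(line: str) -> tuple[str, Ace]:
    """Parse one access-list line into (acl name, Ace); ValueError if malformed."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    name, i = t[1], 2
    if t[i] == "extended":
        i += 1
    action, i = t[i], i + 1
    if action not in ("permit", "deny") or t[i] not in IP_PROTO:
        # catches e.g. "permit host 10.x.x.x esp any", where the address precedes the protocol
        raise ValueError(f"{name}: expected '<permit|deny> <protocol>' at: {' '.join(t[i-1:i+1])}")
    proto, i = IP_PROTO[t[i]], i + 1
    src, i = _addr(t, i)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport, i = int(t[i + 1]), i + 2    # numeric ports only, as in the thread
    return name, Ace(action, proto, src, dst, dport, i < len(t) and t[i] == "log")


def parse_acl(text: str) -> dict[str, list[Ace]]:
    acls: dict[str, list[Ace]] = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("access-list"):
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def is_well_formed(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def evaluate(acl: list[Ace], src: str, dst: str, proto: int, dport: Optional[int] = None) -> str:
    """First matching entry wins; every PIX/ASA ACL ends with an implicit deny."""
    return next((a.action for a in acl if a.matches(src, dst, proto, dport)), "deny")


# Inbound flows from the remote peer to the statically NATed head-end:
# IKE (Phase 1), IKE and ESP-in-UDP once NAT-T is negotiated, and plain ESP (Phase 2).
IPSEC_FLOWS = (("udp/500", 17, 500), ("udp/4500", 17, 4500), ("esp", 50, None))


def check_ipsec(acl_text: str, acl_name: str, peer: str, local: str) -> dict[str, str]:
    acl = parse_acl(acl_text)[acl_name]
    return {label: evaluate(acl, peer, local, proto, dport) for label, proto, dport in IPSEC_FLOWS}


# Constructed sample ACLs: as posted, the suggested explicit version, and IKE only.
ACL_AS_POSTED = """
access-list outside-acl extended permit ip host 203.0.113.1 host 198.51.100.1
access-list outside-acl extended permit esp host 203.0.113.1 host 198.51.100.1
"""
ACL_EXPLICIT = """
access-list outside-acl extended permit udp host 203.0.113.1 host 198.51.100.1 eq 500
access-list outside-acl extended permit udp host 203.0.113.1 host 198.51.100.1 eq 4500
access-list outside-acl extended permit esp host 203.0.113.1 host 198.51.100.1 log
"""
ACL_IKE_ONLY = "access-list outside-acl extended permit udp host 203.0.113.1 host 198.51.100.1 eq 500"

if __name__ == "__main__":
    for title, acl in (("as posted", ACL_AS_POSTED), ("explicit", ACL_EXPLICIT), ("IKE only", ACL_IKE_ONLY)):
        print(f"{title:10}", check_ipsec(acl, "outside-acl", "203.0.113.1", "198.51.100.1"))
    print("malformed:", not is_well_formed("access-list inside-acl extended permit host 10.0.0.1 esp any"))
```

The matcher only models what the thread's ACLs use (host/any addresses, numeric `eq` ports, the `log` keyword), so a real ACL with network masks, object-groups or port ranges will be rejected rather than silently misjudged. When both the posted and the explicit ACL permit all three flows, the ACL is not what is holding Phase 2 back, which is the point of Silver's objection; the `log` keyword on the ESP entry is then the quickest way to confirm on the firewall that protocol 50 or UDP/4500 is actually arriving from the peer.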