06-24-2009 09:35 PM - edited 03-11-2019 08:48 AM
Hello Experts,
I was trying to build a site-to-site VPN between two locations using Cisco 2811 ISR routers. At site A the 2811 router is behind a Cisco ASA with version 7.2 and at site B the Cisco 2811 router is behind a Cisco PIX 515 with version 6.3. The tunnel does not seem to come up; all the VPN configurations are fine, but the tunnel fails in Phase 2.
With the same configuration, the tunnel is working fine between Site A and Site C, where both the Cisco 2811 ISR routers are behind Cisco ASA 5510 with version 7.2.
On the Cisco ASA 5510 and Cisco PIX 515, we have only done a static NAT and opened the inbound & outbound ip traffic for the head-end ip addresses.
Are there any compatibility issues between Cisco ISR routers and the Cisco PIX 515 with version 6.3?
Thanks
Arabinda
06-25-2009 07:50 AM
06-25-2009 07:52 AM
From the logs, it appears that you are blocking the response from C to A. Check the config on the 515.
06-25-2009 08:51 AM
"Yes - I have had that issue on PIX506E, 515 & 515E running 6.3.x & 7.0.x code in the past."
Do you have the exact version of 6.3.x and 7.0.x that you had issues with? Thanks.
06-25-2009 09:15 AM
I cannot remember - I encountered these issues in 2007
06-25-2009 08:32 PM
Hello,
Sorry, since I work in the India time zone, it was quite late yesterday and I could not respond.
I have allowed IP traffic, so now I do not know what is blocking on PIX side. Also the version of the code on PIX is 6.3(3)132.
Thanks
Arabinda
06-26-2009 12:04 AM
Post the config for review, with sensitive information removed.
06-26-2009 03:56 AM
I tried a couple of versions, 6.3.4 and 6.3.5, and a couple of 7.x releases with the exact scenario that the user had posted, with "permit ip any any log", and it works fine without any issues. If it does not work with "permit ip any any log" then it must be either a) a bug or b) a mis-configured firewall.
06-26-2009 04:11 AM
Hello Andrews,
Here is the configuration on the ISR routers.
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key ******* address 12.x.x.x
crypto ipsec transform-set aesset esp-aes esp-sha-hmac
!
crypto map aesmap 172 ipsec-isakmp
set peer 12.x.x.x
set transform-set aesset
match address c-vpn-acl
ip access-list extended c-vpn-acl
permit ip host 10.x.x.x host 10.x.x.x
ip route 12.x.x.x 255.255.255.255 10.x.x.x
ip route 10.x.x.x 255.255.255.0 10.x.x.x
Site C
---------
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key ******** address 12.x.x.x
crypto ipsec transform-set aesset esp-aes esp-sha-hmac
crypto map aesmap 173 ipsec-isakmp
set peer 12.x.x.x
set transform-set aesset
match address a-vpn-acl
ip access-list extended a-vpn-acl
permit ip host 10.x.x.x host 10.x.x.x
ip route 10.x.x.x 255.255.255.0 10.x.x.x
ip route 12.x.x.x 255.255.255.255 10.x.x.x
Thanks
Arabinda
06-26-2009 04:47 AM
Not enough information - check you are not natting the 10.x.x.x to 10.x.x.x in the firewalls.
06-26-2009 04:55 AM
Andrews, the earlier configurations were the configuration of the VPN on the ISR routers.
We are doing a static NAT of the outside interface of the ISR routers on the firewalls ahead of them.
Below are the configurations done on the firewalls:
Architecture:
Site A ISR router->Site A ASA5510-------SiteC PIX515<-SiteC ISR Router
Site A ASA config
----------------------
access-list outbound extended permit ip host 10.x.x.x any
access-list outbound extended permit esp host 10.x.x.x any
access-list inbound extended permit ip host 12.x.x.x host 12.x.x.x
access-list inbound extended permit esp host 12.x.x.x host 12.x.x.x
static (inside,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255 tcp 256 32 udp 32
Site C PIX Config
-------------------
access-list outbound extended permit ip host 10.x.x.x any
access-list outbound extended permit esp host 10.x.x.x any
access-list inbound extended permit ip host 12.x.x.x host 12.x.x.x
access-list inbound extended permit esp host 12.x.x.x host 12.x.x.x
static (dmz2,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255
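As an added sanity check (my own code, not anything posted in this thread), a small Python script that parses this kind of ISR crypto config and ASA/PIX firewall config and confirms that the crypto-map peer is the remote firewall's static global, and that both firewalls' ACLs pass ISAKMP (UDP) and ESP between the mapped addresses. The addresses are constructed documentation-range stand-ins for the masked 12.x.x.x and 10.x.x.x values; the ACL names "outbound" and "inbound" are taken from the posted configs.

```python
import re

# Constructed stand-ins for the masked configs in this thread (documentation-range
# addresses replace the 12.x.x.x static globals and 10.x.x.x router outside interfaces).
ROUTER_A = "crypto isakmp key s3cret address 198.51.100.20\ncrypto map aesmap 172 ipsec-isakmp\n set peer 198.51.100.20\n"
FW_A = """access-list outbound extended permit ip host 10.1.1.2 any
access-list outbound extended permit esp host 10.1.1.2 any
access-list inbound extended permit ip host 198.51.100.20 host 198.51.100.10
access-list inbound extended permit esp host 198.51.100.20 host 198.51.100.10
static (inside,outside) 198.51.100.10 10.1.1.2 netmask 255.255.255.255 tcp 256 32 udp 32"""
FW_C = """access-list outbound extended permit ip host 10.3.3.2 any
access-list inbound extended permit ip host 198.51.100.10 host 198.51.100.20
static (dmz2,outside) 198.51.100.20 10.3.3.2 netmask 255.255.255.255"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (?:host (\S+)|(any)) (?:host (\S+)|(any))", re.M)
STATIC_RE = re.compile(r"^static \(\S+\) (\S+) (\S+) netmask", re.M)

def parse_firewall(cfg):
    """Return (local->global static map, list of (acl, proto, src, dst) permit entries)."""
    statics = {local: glob for glob, local in STATIC_RE.findall(cfg)}
    acl = [(n, p, sh or sa, dh or da) for n, p, sh, sa, dh, da in ACL_RE.findall(cfg)]
    return statics, acl

def permits(acl, name, proto, src, dst):
    # 'ip' covers every protocol and 'any' covers every host, as on the ASA/PIX.
    return any(n == name and p in (proto, "ip") and s in (src, "any") and d in (dst, "any")
               for n, p, s, d in acl)

def check_tunnel(router_cfg, local_fw_cfg, local_rtr, remote_fw_cfg, remote_rtr):
    """Findings for one direction: local router -> local firewall -> remote firewall -> remote router."""
    findings = []
    peers = set(re.findall(r"^\s*set peer (\S+)", router_cfg, re.M))
    keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", router_cfg, re.M))
    if peers != keys:
        findings.append(f"set peer {peers} and isakmp key address {keys} differ")
    peer = next(iter(peers), None)
    if peer is None:
        return findings + ["router has no 'set peer'"]
    l_static, l_acl = parse_firewall(local_fw_cfg)
    r_static, r_acl = parse_firewall(remote_fw_cfg)
    if r_static.get(remote_rtr) != peer:
        findings.append(f"peer {peer} is not the static global for remote router {remote_rtr}")
    local_global = l_static.get(local_rtr)
    if local_global is None:
        findings.append(f"no static for local router {local_rtr}")
    for proto in ("udp", "esp"):  # ISAKMP (UDP/500) and ESP both have to get through
        if not permits(l_acl, "outbound", proto, local_rtr, peer):
            findings.append(f"local firewall outbound blocks {proto} {local_rtr} -> {peer}")
        if not permits(r_acl, "inbound", proto, local_global, peer):
            findings.append(f"remote firewall inbound blocks {proto} {local_global} -> {peer}")
    return findings
```

An empty list from check_tunnel means the peer, static and ACL lines agree for that direction; run it once per site so both directions are covered.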
06-26-2009 05:11 AM
Looks OK - going back to the ISR configs, is there a specific reason why you did not configure the hash and the group type?
06-26-2009 05:34 AM
Andrews,
Hashing is SHA, but it does not display in the router config.
Thanks
Arabinda