Cisco 2811 ISR behind Cisco PIX 515

arabindas
Level 1

Hello Experts,

I was trying to build a site-to-site VPN between two locations using Cisco 2811 ISR routers. At site A the 2811 router is behind a Cisco ASA with version 7.2 and at site B the Cisco 2811 router is behind a Cisco PIX 515 with version 6.3. The tunnel does not seem to come up; all the VPN configurations are fine, but the tunnel fails in Phase 2.

With the same configuration, the tunnel is working fine between Site A and Site C, where both the Cisco 2811 ISR routers are behind Cisco ASA 5510 with version 7.2.

On the Cisco ASA 5510 and Cisco PIX 515, we have only done a static NAT and opened the inbound & outbound ip traffic for the head-end ip addresses.

Are there any compatibility issues between Cisco ISR routers and the Cisco PIX 515 with version 6.3?

Thanks

Arabinda

26 Replies

Hello,

Just now I captured the logs from both the ISR routers simultaneously.

Site A refers to the logs from the ISR router behind an ASA and Site C refers to the ISR router behind a Cisco PIX 515.

Thanks

Arabinda

From the logs, it appears that you are blocking the response from C to A. Check the config on the 515.

"Yes - I have had that issue on PIX506E, 515 & 515E running 6.3.x & 7.0.x code in the past."

Do you have the exact version of 6.3.x and 7.0.x that you had issues with? Thanks.

I cannot remember - I encountered these issues in 2007

Hello,

Sorry, since I work in the India time zone it was quite late yesterday and I could not respond.

I have allowed IP traffic, so now I do not know what is blocking on PIX side. Also the version of the code on PIX is 6.3(3)132.

Thanks

Arabinda

Post the config for review; remove sensitive information.

I tried a couple of 6.3 versions (6.3.4 and 6.3.5) and a couple of 7.x versions with the exact scenario that the user had posted, with "permit ip any any log", and it works fine without any issues. If it does not work with "permit ip any any log" then it must be either a) a bug or b) a misconfigured firewall.

Hello Andrews,

Here is the configuration on the ISR routers.

crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key ******* address 12.x.x.x
crypto ipsec transform-set aesset esp-aes esp-sha-hmac
!
crypto map aesmap 172 ipsec-isakmp
set peer 12.x.x.x
set transform-set aesset
match address c-vpn-acl
ip access-list extended c-vpn-acl
permit ip host 10.x.x.x host 10.x.x.x
ip route 12.x.x.x 255.255.255.255 10.x.x.x
ip route 10.x.x.x 255.255.255.0 10.x.x.x

Site C
---------
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key ******** address 12.x.x.x
crypto ipsec transform-set aesset esp-aes esp-sha-hmac
crypto map aesmap 173 ipsec-isakmp
set peer 12.x.x.x
set transform-set aesset
match address a-vpn-acl
ip access-list extended a-vpn-acl
permit ip host 10.x.x.x host 10.x.x.x
ip route 10.x.x.x 255.255.255.0 10.x.x.x
ip route 12.x.x.x 255.255.255.255 10.x.x.x

Thanks

Arabinda

Not enough information - check you are not NATting the 10.x.x.x to 10.x.x.x in the firewalls.

Andrews, the earlier configuration was the VPN configuration on the ISR routers.

We are doing a static nat of the outside interface of the ISR routers on firewalls ahead of them.

Below are the configurations done on the firewalls:

Architecture:

Site A ISR router->Site A ASA5510-------SiteC PIX515<-SiteC ISR Router

Site A ASA config
----------------------
access-list outbound extended permit ip host 10.x.x.x any
access-list outbound extended permit esp host 10.x.x.x any
access-list inbound extended permit ip host 12.x.x.x host 12.x.x.x
access-list inbound extended permit esp host 12.x.x.x host 12.x.x.x
static (inside,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255 tcp 256 32 udp 32

Site C PIX Config
-------------------
access-list outbound extended permit ip host 10.x.x.x any
access-list outbound extended permit esp host 10.x.x.x any
access-list inbound extended permit ip host 12.x.x.x host 12.x.x.x
access-list inbound extended permit esp host 12.x.x.x host 12.x.x.x
static (dmz2,outside) 12.x.x.x 10.x.x.x netmask 255.255.255.255
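A quick way to lint firewall rules like the ones posted above is to check, for every static-NAT host, that both ACLs pass what an IKE/IPsec peer needs: IKE on UDP/500, NAT-T on UDP/4500 (negotiated when a peer is found to sit behind NAT) and ESP. This is an added example, not code from the thread; the 12.0.x.x/10.0.x.x addresses are constructed placeholders for the masked 12.x/10.x values, and the pre-8.3 convention is assumed (inside ACL sees real addresses, outside ACL sees mapped ones).

```python
import re

# Constructed sample modelled on the PIX lines posted in the thread (placeholder addresses).
PIX_CONFIG = """
access-list outbound extended permit ip host 10.0.3.1 any
access-list outbound extended permit esp host 10.0.3.1 any
access-list inbound extended permit ip host 12.0.2.1 host 12.0.3.1
access-list inbound extended permit esp host 12.0.2.1 host 12.0.3.1
static (dmz2,outside) 12.0.3.1 10.0.3.1 netmask 255.255.255.255
"""

ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit (\S+) host (\S+) (?:host (\S+)|any)(?: eq (\d+))?")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask")

# Flows a site-to-site IKE/IPsec tunnel needs the firewall to pass for the NATed peer.
REQUIRED = [("udp", "500"), ("udp", "4500"), ("esp", None)]

def parse(config):
    """Return (acl entries, {global_ip: local_ip}) from access-list and static lines."""
    acls = [m.groups() for m in ACL_RE.finditer(config)]
    statics = {m.group(3): m.group(4) for m in STATIC_RE.finditer(config)}
    return acls, statics

def permits(acls, acl_name, proto, port, src, dst):
    """True if the named ACL has a rule covering this flow ('ip' covers every protocol, 'any' every host)."""
    for name, p, s, d, eq in acls:
        if name != acl_name or p not in ("ip", proto) or s != src:
            continue
        if d is not None and d != dst:          # d is None when the rule says 'any'
            continue
        if p in ("tcp", "udp") and eq not in (None, port):
            continue
        return True
    return False

def check_vpn_passthrough(config, peer_global, inbound_acl="inbound", outbound_acl="outbound"):
    """List (direction, mapped host, proto, port) flows the ACLs fail to permit for each static-NAT host.
    Outbound is checked with the real (pre-NAT) address, inbound with the mapped address."""
    acls, statics = parse(config)
    missing = []
    for global_ip, local_ip in statics.items():
        for proto, port in REQUIRED:
            if not permits(acls, outbound_acl, proto, port, local_ip, peer_global):
                missing.append(("outbound", global_ip, proto, port))
            if not permits(acls, inbound_acl, proto, port, peer_global, global_ip):
                missing.append(("inbound", global_ip, proto, port))
    return missing
```

With the posted rules the "permit ip" lines cover everything and the check returns an empty list; drop them and it reports the missing UDP/500 and UDP/4500 flows in both directions.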

Looks OK - going back to the ISR configs, is there a specific reason why you did not configure the hash and the group type?

Andrews,

Hashing is SHA, but it does not display in the router config.

Thanks

Arabinda
