Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site-to-Site VPN between ASA & PIX

Hi everyone,

If this has been posted before, which it probably has, I apologize in advance.

Basically, I have to configure a VPN between our NY ASA and a PIX we shipped to our LA office. The PIX is replacing an old Cisco router. The ASA is our main device which is configured for multiple VPN connections (and I have not touched this) and still has the old VPN config from that old Cisco router.

On my part, I configured the PIX with the same pre-share key, and security protocols as the old router. When I checked the log files of the ASA I see the error message: "tunnel manager has failed to establish an l2l sa all configured ike versions failed to establish the tunnel."

Since this is my first time setting up a PIX, I'm thinking there might be something the matter with my config, though I'm not exactly sure. The PIX config is as follows:


interface Ethernet0
  nameif Outside
  security-level 0
  ip address 173.xxx.xxx.xxx 255.255.255.224
!
interface Ethernet1
  nameif Inside
  security-level 100
  ip address 192.168.xxx.xxx 255.255.255.0
!
interface Ethernet2
  shutdown
  no nameif
  no security-level
  no ip address
!
ftp mode passive
dns server-group DefaultDNS
  domain-name xxxxxx.xxxxx.org
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0
access-list acl_vpn extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0
pager lines 24
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
no asdm history enable
arp timeout 14400
global (Outside) 1 173.xxx.xxx.xxx netmask 255.255.255.224
nat (Inside) 2 192.168.0.0 255.0.0.0
nat (Inside) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 173.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df Outside
crypto map mymap 1 match address acl_vpn
crypto map mymap 1 set pfs
crypto map mymap 1 set peer 69.18.xxx.xxx
crypto map mymap 1 set transform-set myset
crypto map mymap 1 set security-association lifetime seconds 28800
crypto map mymap 1 set security-association lifetime kilobytes 4608000
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 5000
crypto isakmp policy 20
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 10000
crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 69.18.xxx.xxx type ipsec-l2l
tunnel-group 69.18.xxx.xxx ipsec-attributes
  pre-shared-key *
!
class-map inspection_default
  match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
  parameters
  parameters
policy-map global_policy
  class inspection_default
   inspect dns preset_dns_map
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect netbios
   inspect rsh
   inspect rtsp
   inspect skinny
   inspect esmtp
   inspect sqlnet
   inspect sunrpc
   inspect tftp
   inspect sip
   inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ff5fe6ea51385f0d3f6580a5fdd73d40
: end

If you need further information, please let me know. Also any feedback would be greatly appreciated.

Thanks,

-Sasha

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: Site-to-Site VPN between ASA & PIX

Also,

It would seem to me that you have not configured NAT0 for the VPN traffic

This in most cases matches exactly the ACL used in the Crypto Map configurations.

I suggest that you use another ACL for this purpose though to avoid any future problems

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0

nat (inside) 0 access-list NAT0

The below command seems to be useless since it doesnt have a match "global" configuration for ID 2

nat (Inside) 2 192.168.0.0 255.0.0.0

- Jouni

3 REPLIES
Super Bronze

Re: Site-to-Site VPN between ASA & PIX

Hi,

I think the problem is atleast that you have not attached the configured Crypto Map to any interface

Try adding this and then testing again

crypto map mymap interface Outside

Naturally also whether the above configurations are correct otherwise depends what is configured on the other site which we dont know.

Hope this helps

- Jouni

Super Bronze

Re: Site-to-Site VPN between ASA & PIX

Also,

It would seem to me that you have not configured NAT0 for the VPN traffic

This in most cases matches exactly the ACL used in the Crypto Map configurations.

I suggest that you use another ACL for this purpose though to avoid any future problems

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.5.0 255.255.255.0

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.6.0 255.255.255.0

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.7.0 255.255.255.0

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 192.168.8.0 255.255.255.0

access-list NAT0 extended permit ip 192.168.xxx.xxx 255.255.255.0 10.12.40.0 255.255.255.0

nat (inside) 0 access-list NAT0

The below command seems to be useless since it doesnt have a match "global" configuration for ID 2

nat (Inside) 2 192.168.0.0 255.0.0.0

- Jouni

New Member

Re: Site-to-Site VPN between ASA & PIX

Hi Jouni,

Thanks so much for the assitance, it was a major help!

I configured the PIX with the commands you mentioned. Additionally, I had to configure the tunnel-group on the ASA as well:

tunnel-group 173.xxx.xxx.xxx type ipsec

Everything is working now.

Thanks,

-Sasha

793
Views
0
Helpful
3
Replies
CreatePlease login to create content