Cisco Support Community
New Member

ASA5510 to PIX506 vpn tunnel issues

Hello all, I am sure I am close, but I am missing something. I have an ASA5510 that does client VPNs with RADIUS authentication as well as one end of a VPN tunnel to a PIX 506. The client VPN works great, and there are no issues. The device tunnel is a different story. I cannot get traffic to go across the VPN tunnel between the ASA and the 506 from either side. I have verified that clients behind both firewalls can get to the internet. My configs are below. Your help is greatly appreciated.

LAN side of the ASA is 192.168.1.0; LAN side of the PIX 506 is 10.20.30.0.

ASA5510

hostname sb
domain-name business.com
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list sb_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.2.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list 102 extended permit icmp 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
!
ip local pool ippool 10.2.2.1-10.2.2.254 mask 255.255.255.0
global (outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.83.41.134 1
aaa-server sbVPN protocol radius
aaa-server sbVPN host exchange
 timeout 5
 key XX
group-policy sbVPN internal
group-policy sbVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sb_splitTunnelAcl
 default-domain value sb.local
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.113.230.97
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group sbVPN type ipsec-ra
tunnel-group sbVPN general-attributes
 address-pool ippool
 authentication-server-group sbVPN
 authorization-server-group sbVPN
 accounting-server-group sbVPN
 default-group-policy sbVPN
 strip-realm
 strip-group
tunnel-group sbVPN ipsec-attributes
 pre-shared-key *
tunnel-group 201.113.230.97 type ipsec-l2l
tunnel-group 201.113.230.97 ipsec-attributes
 pre-shared-key *

PIX2 Relevant Config

hostname SB2PIX506
domain-name business2.com
access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 201.113.230.97 255.255.255.0
ip address inside 10.20.30.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 201.113.230.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 83.83.41.133
crypto map mymap 10 set transform-set ESP-3DES-SHA
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 83.83.41.133 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

2 REPLIES

Re: ASA5510 to PIX506 vpn tunnel issues

Make sure you have reachability PIX <-> ASA first. You will need to allow this by applying an ACL to the external interfaces accordingly. Also make sure you are not using Xauth on the ASA for the static tunnel.

If you are still having problems, make sure the shared key is the same. Also, the output of debug crypto isakmp and debug crypto ipsec will help us in the troubleshooting. Are you able to post this?

New Member

Re: ASA5510 to PIX506 vpn tunnel issues

I actually figured out the issue late last night (I think, anyway, since it is working). I had configured the ASA to accept client VPN connections a couple of weeks before configuring it to do the site-to-site. I believe that the sysopt connection permit-ipsec command needed to be re-applied to account for the site-to-site that I put in after the fact. As soon as I re-applied that statement, everything started working.

112 Views | 0 Helpful | 2 Replies
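The replies above amount to a checklist for a site-to-site tunnel: a crypto map entry on each side pointing at the other peer, crypto ACLs that are mirror images, NAT exemption for the tunnel traffic, matching transform-sets and ISAKMP policies, and sysopt connection permit-ipsec so decrypted traffic is not dropped by the outside interface ACL. The Python script below is an added example, not code from the thread, the poster, or Cisco: it parses abbreviated copies of the two configs and reports where they disagree. The ASA's outside address (83.83.41.133) does not appear in the thread and is assumed from the PIX "set peer" line; it is written in PIX "ip address outside" syntax so one parser serves both configs. Against the configs as posted, the only finding is the missing sysopt on the ASA, which matches the resolution in the second reply.

```python
"""Constructed example (not from the thread or from Cisco): a static
consistency check for a site-to-site IPsec tunnel between two PIX/ASA
style configs. It checks the points raised in the replies: each side has a
crypto map entry whose peer is the other side's outside address, the crypto
ACLs are mirror images, nat 0 exempts the tunnel traffic from NAT, the
transform-sets and ISAKMP policies agree, and sysopt connection permit-ipsec
(or permit-vpn) is present so decrypted traffic bypasses the outside ACL."""
import re

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+ \S+) (\S+ \S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
ISAKMP_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
OUTSIDE_RE = re.compile(r"^ip address outside (\S+)")
SYSOPT = {"sysopt connection permit-ipsec", "sysopt connection permit-vpn"}

# Abbreviated copies of the two configs posted in the thread (constructed
# test input). The ASA outside address is an assumption taken from the PIX
# "set peer" line; the ASA has no sysopt line, exactly as posted.
ASA_CFG = """
ip address outside 83.83.41.133 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.113.230.97
crypto map outside_map 20 set transform-set ESP-3DES-SHA
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""
PIX_CFG = """
ip address outside 201.113.230.97 255.255.255.0
access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 83.83.41.133
crypto map mymap 10 set transform-set ESP-3DES-SHA
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""


def parse(cfg):
    """Pull the tunnel-relevant statements out of a config into a dict."""
    d = {"acls": {}, "maps": {}, "tsets": {}, "nat0": set(),
         "isakmp": {}, "sysopt": False, "outside_ip": None}
    for line in cfg.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            d["acls"].setdefault(m[1], []).append((m[2], m[3]))   # (src, dst)
        elif m := MAP_RE.match(line):
            d["maps"].setdefault((m[1], m[2]), {})[m[3]] = m[4]
        elif m := TSET_RE.match(line):
            d["tsets"][m[1]] = frozenset(m[2].split())
        elif m := NAT0_RE.match(line):
            d["nat0"].add(m[1])
        elif m := ISAKMP_RE.match(line):
            d["isakmp"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := OUTSIDE_RE.match(line):
            d["outside_ip"] = m[1]
        elif line in SYSOPT:
            d["sysopt"] = True
    return d


def entry_for_peer(parsed, peer_ip):
    """The static crypto map entry that points at peer_ip, or None."""
    return next((e for e in parsed["maps"].values() if e.get("set peer") == peer_ip), None)


def check_tunnel(name_a, cfg_a, name_b, cfg_b):
    """Return a list of findings; an empty list means both sides agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for me, mine, theirs in ((name_a, a, b), (name_b, b, a)):
        entry = entry_for_peer(mine, theirs["outside_ip"])
        if entry is None:
            findings.append(f"{me}: no crypto map entry with peer {theirs['outside_ip']}")
            continue
        flows = set(mine["acls"].get(entry.get("match address"), []))
        # Proxy identities: my crypto ACL must be the peer's with src/dst swapped.
        peer_entry = entry_for_peer(theirs, mine["outside_ip"]) or {}
        peer_flows = theirs["acls"].get(peer_entry.get("match address"), [])
        if flows != {(dst, src) for src, dst in peer_flows}:
            findings.append(f"{me}: crypto ACL is not the mirror image of the peer's")
        # NAT exemption: every tunnel flow must be covered by a nat 0 ACL.
        exempt = {f for acl in mine["nat0"] for f in mine["acls"].get(acl, [])}
        if not flows <= exempt:
            findings.append(f"{me}: nat 0 does not exempt all tunnel traffic from NAT")
        # Transform-set: the referenced set must exist and equal the peer's.
        ts = mine["tsets"].get(entry.get("set transform-set"))
        if ts is None or ts != theirs["tsets"].get(peer_entry.get("set transform-set")):
            findings.append(f"{me}: transform-set missing or differs from the peer's")
        if not mine["sysopt"]:
            findings.append(f"{me}: sysopt connection permit-ipsec missing; "
                            "decrypted traffic is subject to the outside ACL")
    # Phase 1: at least one ISAKMP policy must match attribute for attribute.
    if not any(pa == pb for pa in a["isakmp"].values() for pb in b["isakmp"].values()):
        findings.append("no ISAKMP policy with identical attributes on both sides")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel("ASA", ASA_CFG, "PIX", PIX_CFG) or ["no findings"]:
        print(finding)
```

The check is deliberately structural: it cannot tell whether the two pre-shared keys are equal (they are masked in any show output) or whether IKE/ESP are actually reachable between the peers, which is why the first reply asks for debug crypto isakmp and debug crypto ipsec output as well.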