Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cannot get end to end vpn to work between ASA5510 and PIX506

Hello all, I am sure I am close, but I am missing something. I have an ASA5510 that does client VPNs with radius authentication as well as 1 end for a VPN tunnel to a Pix 506. The client vpn works great, and there are no issues. The device tunnel is a different story. I cannot get traffic to go accross the vpn tunnel between the ASA and the 506 from either side. I have verified that clients behind both firewalls can get to the internet. My configs are below. Your help is greatly appreciated.

THe lan side of the ASA is 192.168.1.0. The lan side of the PIx506 is 10.20.30.0

ASA5510

hostname sb

domain-name business.com

access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0

access-list split_tunnel standard permit 192.168.1.0 255.255.255.0

access-list sb_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list outside_cryptomap_dyn_20 extended permit ip any 10.2.2.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0

access-list 102 extended permit icmp 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0

!

ip local pool ippool 10.2.2.1-10.2.2.254 mask 255.255.255.0

global (outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.x.x.83.41.134 1

aaa-server sbVPN protocol radius

aaa-server sbVPN host exchange

timeout 5

key XXXXXXXXXXXXXX

group-policy sbVPN internal

group-policy sbVPN attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value sb_splitTunnelAcl

default-domain value sb.local

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 201.113.230.97

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group sbVPN type ipsec-ra

tunnel-group sbVPN general-attributes

address-pool ippool

authentication-server-group sbVPN

authorization-server-group sbVPN

accounting-server-group sbVPN

default-group-policy sbVPN

strip-realm

strip-group

tunnel-group sbVPN ipsec-attributes

pre-shared-key *

tunnel-group 201.x.x.97 type ipsec-l2l

tunnel-group 201.x.x.97 ipsec-attributes

pre-shared-key *

PIX2 Relevant Config

hostname SB2PIX506

domain-name business2.com

access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside 201.113.x.x.x.255.0

ip address inside 10.20.30.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 100

route outside 0.0.0.0 0.0.x.x.113.230.1 1

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address 100

crypto map mymap 10 set peer 83.x.x.133

crypto map mymap 10 set transform-set ESP-3DES-SHA

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address 83.x.x.133 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

1 REPLY

Re: Cannot get end to end vpn to work between ASA5510 and PIX506

hi .. teh config seems OK .. are you able to ping each other 's public interfaces ..? please allow this on each outside interfaces to make sure reacheability is OK .. if they can then .. do a debug crypto isakmp and debug crypto ipsec on both ( ASA and PIxes ) and post the output

104
Views
0
Helpful
1
Replies
CreatePlease to create content