08-27-2007 07:10 AM - edited 02-21-2020 03:14 PM
Hello all, I have a PIX506 running 635, and an ASA5505 running 722. The PIX is at corporate and is setup for remote vpn access. The remote user VPN is working. I have also attempted to do a site to site vpn to the ASA, but its not working correctly. I feel like I am missing something, but I can't figure it out. Your help would be greatly appreciated. Sanitized relevant config is below
Corporate
PIX Version 6.3(5)
access-list split_tunnel permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside xxx.yyy.170.160 255.255.255.0
ip address inside 192.168.119.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set pfs group2
crypto map mymap 20 set peer aaa.bbb.175.218
crypto map mymap 20 set transform-set ESP-3DES-SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication w2k3
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address aaa.bbb.175.218 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
vpngroup vpners address-pool ippool
vpngroup vpners dns-server 192.168.119.11
vpngroup vpners default-domain mydomain.local
vpngroup vpners split-tunnel split_tunnel
vpngroup vpners idle-time 1800
vpngroup vpners password ********
Remote Site
ASA Version 7.2(2)
interface Vlan1
nameif inside
security-level 100
ip address 172.16.2.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address aaa.bbb.175.218 255.255.128.0
access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer xxx.yyy.170.160
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group xxx.yyy.170.160 type ipsec-l2l
tunnel-group xxx.yyy.170.160 ipsec-attributes
pre-shared-key *
08-27-2007 07:13 AM
I just figured it out. I did not issue the sysopt connection permit-ipsec on the ASA5505. Issuing that command made it work.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide