Site to Site VPN issues between PIX506 and ASA5505

Hello all, I have a PIX506 running 635, and an ASA5505 running 722. The PIX is at corporate and is set up for remote VPN access. The remote user VPN is working. I have also attempted to do a site to site VPN to the ASA, but it's not working correctly. I feel like I am missing something, but I can't figure it out. Your help would be greatly appreciated. Sanitized relevant config is below.

Corporate

PIX Version 6.3(5)

access-list split_tunnel permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.119.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list nonat permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside xxx.yyy.170.160 255.255.255.0
ip address inside 192.168.119.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-AES-256-SHA
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set pfs group2
crypto map mymap 20 set peer aaa.bbb.175.218
crypto map mymap 20 set transform-set ESP-3DES-SHA
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication w2k3
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address aaa.bbb.175.218 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
vpngroup vpners address-pool ippool
vpngroup vpners dns-server 192.168.119.11
vpngroup vpners default-domain mydomain.local
vpngroup vpners split-tunnel split_tunnel
vpngroup vpners idle-time 1800
vpngroup vpners password ********

Remote Site

ASA Version 7.2(2)

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address aaa.bbb.175.218 255.255.128.0
access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer xxx.yyy.170.160
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group xxx.yyy.170.160 type ipsec-l2l
tunnel-group xxx.yyy.170.160 ipsec-attributes
 pre-shared-key *

1 REPLY

Re: Site to Site VPN issues between PIX506 and ASA5505

I just figured it out. I did not issue the sysopt connection permit-ipsec on the ASA5505. Issuing that command made it work.

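As an added check, not code from the thread or from Cisco: a small Python script that takes constructed, condensed excerpts of the two posted configs and reports the mismatches that commonly keep an L2L tunnel from passing traffic, including the one the reply found, a side with no sysopt connection permit-ipsec (without it, decrypted tunnel traffic still has to be allowed by the outside interface ACL). The excerpt strings, the function names and the seq argument are assumptions made for this example.

```python
import re

# Constructed, condensed excerpts of the thread's two configs; ASA side as posted, without sysopt.
PIX_CFG = """\
access-list outside_cryptomap_20 permit ip 192.168.119.0 255.255.255.0 172.16.2.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set transform-set ESP-3DES-SHA
"""
ASA_CFG = """\
access-list outside_20_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.119.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set transform-set ESP-3DES-SHA
"""
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")

def crypto_acl_entries(cfg, seq):
    """(src, mask, dst, mask) tuples of the ACL bound to crypto map entry `seq`."""
    name = None
    for line in cfg.splitlines():
        m = re.match(rf"^crypto map \S+ {seq} match address (\S+)$", line)
        if m:
            name = m.group(1)
    return [m.groups()[1:] for m in map(ACL_RE.match, cfg.splitlines()) if m and m.group(1) == name]

def transform_algs(cfg, seq):
    """Algorithms of the transform-set used by crypto map entry `seq` (None if unresolved)."""
    sets, name = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            sets[m.group(1)] = frozenset(m.group(2).split())
        m = re.match(rf"^crypto map \S+ {seq} set transform-set (\S+)$", line)
        if m:
            name = m.group(1)
    return sets.get(name)

def check_l2l_pair(local_cfg, remote_cfg, seq=20):
    """Findings for one crypto-map entry on each side; an empty list means consistent."""
    findings = []
    # The remote crypto ACL must be the exact mirror (dst/src swapped) of the local one.
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in crypto_acl_entries(remote_cfg, seq)}
    if set(crypto_acl_entries(local_cfg, seq)) != mirrored:
        findings.append("crypto ACLs are not mirror images")
    if transform_algs(local_cfg, seq) != transform_algs(remote_cfg, seq):
        findings.append("phase 2 transform-sets differ")
    for side, cfg in (("local", local_cfg), ("remote", remote_cfg)):
        if "sysopt connection permit-ipsec" not in cfg.splitlines():
            findings.append(f"{side}: sysopt connection permit-ipsec missing")
    return findings
```

Run against the excerpts as posted it reports only the ASA's missing sysopt line; adding that line to the ASA excerpt clears the findings.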