Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
817
Views
0
Helpful
1
Replies

asa 5505 to pix

Eric Albert
Level 1
Level 1

‎07-26-2012 06:33 AM

I've been pulling my hair out on this one.  I had 3 tunnels using a pix firewall at each location going to the main office (I didn't set it up).  One of the pix toasted, so I'm trying to replace it with a cisco asa 5505.  I created the tunnel, it sees the tunnel on both sides, I can see the encaps and decaps at the main office, but I can't ping from the new tunnel to the main office, or vice-versa.  I've tried all kinds of things, rebuilt the tunnel umpteen times, and I just can't see where the problem is.  Maybe fresh eyes can save my hair.  I hope someone sees something that I missed.  Here's the config:

: Saved
:
ASA Version 7.2(2) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 142.176.18.178 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex half
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 142.177.1.2
 name-server 142.177.129.11
 domain-name default.domain.invalid
access-list outside_cryptomap_20 extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list outside_cryptomap_40 extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list outside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0 
pager lines 24
logging enable
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 10.0.1.2-10.0.1.254 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 142.176.18.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
http server enable
http 10.0.1.0 255.255.255.0 inside
http 24.222.27.154 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp outside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 142.176.4.90 
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set reverse-route
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 142.176.4.90 
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 142.176.4.90 type ipsec-l2l
tunnel-group 142.176.4.90 ipsec-attributes
 pre-shared-key *
tunnel-group-map enable rules
tunnel-group-map default-group 142.176.4.90
telnet 10.0.1.220 255.255.255.255 inside
telnet 10.0.1.0 255.255.255.0 inside
telnet 24.222.27.154 255.255.255.255 outside
telnet timeout 5
ssh 24.222.27.154 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd dns 142.177.1.2 142.177.129.11
dhcpd auto_config outside
dhcpd option 3 ip 10.0.1.1
!
dhcpd address 10.0.1.2-10.0.1.129 inside
dhcpd option 3 ip 10.0.1.1 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:7f220b76774dd4827498398c39a951f7
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
Labels:
0 Helpful
1 Reply 1

Javier Portuguez
Level 9
Level 9

‎07-26-2012 06:51 AM

Hi Eric,

Thanks for the problem description

May I know the peer IP address of the new tunnel?

Can you also include the configuration of the other VPN device?

Your collaboration on this issue is highly appreciated.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents