PIX and ASA Static, Dynamic and RA VPN not working

m.pinheiro
Level 1

Hi,

I am facing a quite interesting problem between a PIX 515 and an ASA 5510.

The PIX is in the HQ and has multiple dynamic VPN connections (around 130) and IPsec remote VPN working just fine. I needed to add one static PIX-to-ASA L2L VPN and it is not working as it is supposed to. The ASA 5510, at the remote end, connects and stays up for a small amount of time; however, all other VPN connections stop working.

The most interesting thing is that the ASA is associated with the Dynamic MAP and not the static map which I created (check through sh crypto ipsec sa peer x.x.x.x). However, if I make any change on the ACL "ACL-Remote" it affects the tunnel between the PIX and ASA.

Has anyone seen anything like this?

Here is more detailed info:

PIX 515 - IOS 8.0(3) - HQ

ASA 5510 - IOS 7.2(3) - Remote Supplier

Several Huawei and Cisco routers dynamically connected through ADSL

Several IPsec remote access users

One static site-to-site VPN between PIX and ASA - not working.

Here is the config at the PIX:

crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac
crypto dynamic-map Dyn-VPN 100 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
crypto dynamic-map Dyn-VPN 100 set reverse-route
crypto map VPN-Map 30 match address ACL-Remote
crypto map VPN-Map 30 set peer 20X.XX.XX.XX
crypto map VPN-Map 30 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
crypto map VPN-Map 100 ipsec-isakmp dynamic Dyn-VPN
crypto map VPN-Map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
access-list ACL-Remote ext permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

Thank you.

Marcelo Pinheiro


4 Replies

Ivan Martinon
Level 7

Hi Marcelo, yes, I have seen that before; it usually happens when some settings do not match. Can you paste the ASA config here?

Hi Ivan,

Here is the conf at the ASA side. This is the supplier's conf.

object-group network Test
 network-object host 192.168.1.88
object-group network Remote_NET
 network-object 10.0.0.0 255.255.255.0
crypto map SPEEDY_map 2 match address SPEEDY_2_cryptomap
crypto map SPEEDY_map 2 set peer X.x.x.x (PIX External IP Address)
crypto map SPEEDY_map 2 set transform-set ESP-3DES-SHA
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
access-list nat0_outbound extended permit ip object-group Test object-group Remote_NET
access-list SPEEDY_2_cryptomap extended permit ip object-group Test object-group Remote_NET
crypto isakmp enable SPEEDY
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Thank you.

Marcelo

Accepted Solution

The problem is that the ASA has a crypto ACL defined from host to network, whereas the remote end has network to network.

Make sure the ACLs are mirrored.
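To make the "mirrored ACL" check concrete, here is an added Python script (not from this thread or from Cisco) that expands the two crypto ACLs quoted above, resolving the ASA's object-groups, flips the remote side and reports any entry without a mirror. The config text is constructed from the thread's own lines, and ASA_FIXED is an assumed corrected version in which the Test group is widened to the 192.168.1.0/24 network the PIX ACL names.

```python
# Constructed from the crypto ACL and object-group lines quoted in this thread.
ASA_CONFIG = """
object-group network Test
 network-object host 192.168.1.88
object-group network Remote_NET
 network-object 10.0.0.0 255.255.255.0
access-list SPEEDY_2_cryptomap extended permit ip object-group Test object-group Remote_NET
"""
# Assumed fix: the Test group becomes the /24 that the PIX side's ACL-Remote expects.
ASA_FIXED = ASA_CONFIG.replace("host 192.168.1.88", "192.168.1.0 255.255.255.0")
PIX_CONFIG = """
access-list ACL-Remote ext permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

def parse_object_groups(config):
    """Map object-group name -> list of (addr, mask); a 'host' member becomes a /32."""
    groups, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "network"]:
            current = t[2]
            groups[current] = []
        elif t[:1] == ["network-object"] and current:
            groups[current].append((t[2], "255.255.255.255") if t[1] == "host" else (t[1], t[2]))
    return groups

def _take(t, i, groups):
    """Consume one address spec (object-group NAME | host A | ADDR MASK) at t[i]."""
    if t[i] == "object-group":
        return groups[t[i + 1]], i + 2
    if t[i] == "host":
        return [(t[i + 1], "255.255.255.255")], i + 2
    return [(t[i], t[i + 1])], i + 2

def crypto_acl_pairs(config, acl_name):
    """Expand every 'permit ip SRC DST' line of acl_name into (src, dst) proxy identities."""
    groups, pairs = parse_object_groups(config), set()
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", acl_name] or "permit" not in t:
            continue
        srcs, i = _take(t, t.index("ip") + 1, groups)
        dsts, _ = _take(t, i, groups)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs

def mirror_mismatches(local_pairs, remote_pairs):
    """Flip the remote ACL and diff: both returned sets are empty only when the ACLs mirror."""
    flipped = {(d, s) for s, d in remote_pairs}
    return local_pairs - flipped, flipped - local_pairs
```

For the thread's configs mirror_mismatches reports one unmatched entry on each side (the ASA's 192.168.1.88/32 against the PIX's 192.168.1.0/24), and two empty sets with ASA_FIXED. That unmatched proxy identity is also why the thread's sh crypto ipsec sa peer output showed the ASA under the dynamic map: a proposal that does not match the static entry's ACL falls through to the catch-all dynamic entry on the PIX.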

Thanks Ivan for your helpful hint.

After a long discussion, I now understand why it suddenly stopped working. The supplier was simply changing his configuration without telling me anything.

Sorry for the long delay.

Best regards.
