Cisco Support Community

Site to Site VPN between ASA5505 and PIX515E (one-to-multiple ip segment)

Dear All,

I have a problem configuring a site-to-site VPN between an ASA 5505 (with the security base license) and a PIX 515E (UR license).

The network should be something like:

Remote site network (10.2.3.0) <--> ASA5505 <--> Internet <--> PIX515E <--> Local segment (192.168.10.0) <--> Layer 3 switch <--> other 3 segments (192.168.2x.0)

I tried to create an L2L VPN between the ASA 5505 and the PIX515E. The ASA 5505 local segment (10.2.3.0) and the PIX515E local segment (192.168.10.0) can talk to each other successfully (tried ping, VNC, Remote Desktop), but I fail to connect to the segments behind the PIX515E's Layer 3 switch. The PIX already has routing for the segments behind the L3 switch, and the L3 switch's default gateway is pointed to the PIX515E. I have also already added the reverse routing on the ASA5505. I am not sure why it fails to communicate from the ASA local segment to the segments behind the L3 switch. Here is the partial configuration for the ASA and PIX:

ASA 5505 configuration

! NAT exemption and interesting-traffic ACLs: one entry per remote segment
access-list no-nat extended permit ip 10.2.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no-nat extended permit ip 10.2.3.0 255.255.255.0 192.168.20.0 255.255.255.0
...
access-list vpn extended permit ip 10.2.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn extended permit ip 10.2.3.0 255.255.255.0 192.168.20.0 255.255.255.0
...
nat (inside) 0 access-list no-nat
! Phase 2 (IPsec): transform set and crypto map bound to the outside interface
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 172.16.1.2
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 reverse route
crypto map outside_map interface outside
! Phase 1 (ISAKMP) policy and peer authentication
crypto isakmp enable outside
crypto isakmp policy 2
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 pre-shared-key internet

PIX515E configuration

! NAT exemption and interesting-traffic ACLs: mirror images of the ASA's entries
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 10.2.3.0 255.255.255.0
...
access-list vpn extended permit ip 192.168.10.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list vpn extended permit ip 192.168.20.0 255.255.255.0 10.2.3.0 255.255.255.0
...
nat (inside) 0 access-list no-nat
! Static route to the segment behind the Layer 3 switch (next hop is the L3 switch)
route inside 192.168.20.0 255.255.255.0 192.168.10.10
...
! Phase 2 (IPsec): transform set and crypto map bound to the outside interface
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 172.16.1.1
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
! Phase 1 (ISAKMP) policy and peer authentication
crypto isakmp enable outside
crypto isakmp policy 2
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 pre-shared-key internet

Thanks!

1 REPLY
Re: Site to Site VPN between ASA5505 and PIX515E (one-to-multiple ip segment)

Routing is a critical part of almost every IPsec VPN deployment. Be certain that your encryption devices such as Routers and PIX or ASA Security Appliances have the proper routing information to send traffic over your VPN tunnel. Moreover, if other routers exist behind your gateway device, be sure that those routers know how to reach the tunnel and what networks are on the other side. In a LAN-to-LAN configuration, it is important for each endpoint to have a route or routes to the networks for which it is supposed to encrypt traffic.
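The three things the reply says to verify (each endpoint routes to the networks it encrypts for, the crypto ACLs agree, and interesting traffic is exempt from NAT) can be checked mechanically from the two fragments posted above. The script below is an added example, not code from the thread or from Cisco: it parses the ACL, "nat 0", crypto-map and route lines as posted, then checks that each side's crypto ACL is the exact mirror of its peer's, that every crypto ACE is covered by the no-NAT ACL, and that every local network the peer will send to is either directly connected or has an inside route. The directly connected networks (10.2.3.0/24 on the ASA, 192.168.10.0/24 on the PIX) are assumptions, since the posts do not show interface addresses, and the parser only understands the line shapes that appear in this thread.

```python
"""Audit a pair of PIX/ASA LAN-to-LAN fragments for the mistakes the reply
warns about.  Added example; the config text is copied from the thread and
the connected networks are assumed."""
import ipaddress
import re

# Constructed from the question as posted (the elided "..." lines are dropped).
ASA_CFG = """
access-list no-nat extended permit ip 10.2.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list no-nat extended permit ip 10.2.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list vpn extended permit ip 10.2.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn extended permit ip 10.2.3.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list no-nat
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 172.16.1.2
"""

PIX_CFG = """
access-list no-nat extended permit ip 192.168.10.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list vpn extended permit ip 192.168.10.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list vpn extended permit ip 192.168.20.0 255.255.255.0 10.2.3.0 255.255.255.0
nat (inside) 0 access-list no-nat
route inside 192.168.20.0 255.255.255.0 192.168.10.10
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 172.16.1.1
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def net(addr, mask):
    """Build a network from the dotted address/netmask pair used in PIX/ASA ACLs."""
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def parse(cfg):
    """Extract ACLs (name -> [(src, dst)]), static routes, and the ACL names the
    crypto map and 'nat 0' refer to.  Only the lines the audit needs are parsed."""
    acls, routes = {}, []
    crypto_acl = nat0_acl = None
    for line in cfg.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := ROUTE_RE.match(line):
            routes.append((m[1], net(m[2], m[3]), m[4]))
        elif m := MATCH_RE.match(line):
            crypto_acl = m[1]
        elif m := NAT0_RE.match(line):
            nat0_acl = m[1]
    return {"acls": acls, "routes": routes, "crypto": crypto_acl, "nat0": nat0_acl}


def audit(local, peer, connected):
    """Return a list of findings for 'local' checked against 'peer';
    'connected' is the set of networks directly on local's inside interface."""
    findings = []
    lcrypto = local["acls"].get(local["crypto"], [])
    pcrypto = peer["acls"].get(peer["crypto"], [])
    # 1. Proxy IDs: each local ACE (src, dst) must exist on the peer as (dst, src),
    #    otherwise Phase 2 fails or only some segments get an SA.
    mirrored = {(d, s) for s, d in pcrypto}
    for pair in lcrypto:
        if pair not in mirrored:
            findings.append(f"crypto ACE {pair[0]} -> {pair[1]} has no mirror on the peer")
    for s, d in mirrored - set(lcrypto):
        findings.append(f"peer expects {s} -> {d} but the local crypto ACL lacks it")
    # 2. NAT exemption: interesting traffic must be covered by the 'nat 0' ACL,
    #    or it is translated before the crypto map sees it and never matches.
    nat0 = local["acls"].get(local["nat0"], [])
    for s, d in lcrypto:
        if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0):
            findings.append(f"{s} -> {d} is interesting traffic but not exempt from NAT")
    # 3. Routing: decrypted packets for a local network that is not directly
    #    connected need an inside route, or they follow the default route back out.
    for s, _ in lcrypto:
        routed = any(iface == "inside" and s.subnet_of(n) for iface, n, _ in local["routes"])
        if s not in connected and not routed:
            findings.append(f"no inside route for local crypto network {s}")
    return findings


def audit_thread_configs():
    """Run both directions on the posted fragments.  Connected networks are assumed."""
    asa, pix = parse(ASA_CFG), parse(PIX_CFG)
    return {
        "asa": audit(asa, pix, {net("10.2.3.0", "255.255.255.0")}),
        "pix": audit(pix, asa, {net("192.168.10.0", "255.255.255.0")}),
    }


if __name__ == "__main__":
    for side, findings in audit_thread_configs().items():
        print(side, "OK" if not findings else findings)
```

As posted, both sides pass all three checks, which is consistent with the 10.2.3.0/192.168.10.0 pair working and points the search past the gateways, towards the return path from the 192.168.2x.0 segments through the Layer 3 switch, exactly the "routers behind your gateway device" case the reply describes. On the boxes themselves the same questions are answered by "show crypto ipsec sa" (look for a separate SA per ACE and for decaps without matching encaps on one side), "show route" on the PIX, and "packet-tracer" on the ASA. Separately from the routing problem, the posted policies use DES with the pre-shared key "internet"; a production tunnel should use AES and a long random key.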
