General discussion

  • Creator
    Topic
  • #2150327

    Site-to-site VPN between ASA 5500 and PIX 501 Problem

    Locked

    by mcjjj ·

    I admit that I’m rather new to Cisco gear and I’m trying to setup a VPN between a PIX 501 (version 6.3(3)) and an ASA 5500 (version 7.0(7)) but am unable to get the VPN tunnel up.

    Originally, there were multiple remote sites with 501s connecting back to the main site’s 501. The main site’s 501 is being replaced by the ASA so basicallly, all I did was change the IP the remote was using to point to the new IP of the host ASA and then setup the VPN config on the ASA using the VPN Wizard. To me it all looks like it should work. It’s late and I’d appreciate any help, direction and/or suggestions to what I’m doing wrong.

    (IP changed from actual but you should still be able to figure it out).
    ASA IP 172.16.2.56/27
    PIX IP 172.16.1.250/29

    ————-
    ASA Version 7.0(7)
    !
    hostname asahost
    domain-name somedomain.com
    enable password ********** encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 172.16.2.56 255.255.255.224
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.0.0.2 255.255.255.0
    !
    interface Ethernet0/2
    nameif outside-in
    security-level 100
    ip address 10.1.0.1 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    passwd S49nXKiaAhKFdDj2 encrypted
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list outside_cryptomap_20 extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

    access-list inside_nat0_inbound extended permit icmp any any echo-reply
    access-list inside_nat0_inbound extended permit icmp any any unreachable
    access-list inside_nat0_inbound extended permit icmp any any source-quench
    access-list inside_nat0_inbound extended permit icmp any any time-exceeded
    pager lines 24
    logging monitor emergencies
    mtu outside 1500
    mtu inside 1500
    mtu outside-in 1500
    mtu management 1500
    asdm image disk0:/asdm-507.bin
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 0 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 172.16.2.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer 75.148.91.250
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    tunnel-group 172.16.1.250 type ipsec-l2l
    tunnel-group 172.16.1.250 ipsec-attributes
    pre-shared-key *
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global

    ———- PIX Config ————

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ************* encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname host-Pix
    domain-name somedomain.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 172
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list Host permit ip 10.0.8.0 255.255.255.0 10.0.0.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 172.16.1.250 255.255.255.248
    ip address inside 10.0.8.2 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list Host
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 172.16.1.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http 10.0.8.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set vpn esp-des esp-md5-hmac
    crypto map partner-map 10 ipsec-isakmp
    crypto map partner-map 10 match address Host
    crypto map partner-map 10 set peer 209.210.201.56
    crypto map partner-map 10 set transform-set vpn
    crypto map partner-map interface outside
    isakmp enable outside
    isakmp key ******** address 172.16.2.56 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet timeout 5
    ssh xxx.xxx.xxx.104 255.255.255.248 outside
    ssh timeout 5
    console timeout 0
    dhcpd address 10.0.8.200-10.0.8.250 inside
    dhcpd dns 4.2.2.1 4.2.2.2
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    terminal width 80
    ———-
    Thanks!

All Comments

Viewing 1 reply thread