July 20, 2008 02:14am pdt

1. batry_boy 60,960
2. lrmoore 49,665
3. RobWill 21,300
4. arnold 17,500
5. dpk_wal 14,875
6. mkielar 12,500
7. Voltz-dk 12,420
8. ebjers 12,130
9. MrHusy 10,000
10. Cyclops3590 8,900
11. SteveH_UK 8,000
12. mwecompu... 7,985
13. trinak96 7,865
14. PeteLong 5,975
15. stuknhawaii 4,950

1. lrmoore 309,007
2. RobWill 176,524
3. richrumble 111,117
4. batry_boy 107,335
5. rsivanandan 50,017
6. ahoffmann 44,523
7. grblades 35,012
8. pseudocyber 34,059
9. Cyclops3590 33,775
10. arnold 30,760
11. tim_holman 27,445
12. kbbcnet 26,524
13. dpk_wal 24,875
14. Tolomir 23,651
15. sciwriter 23,050

04.22.2008 at 01:08AM PDT, ID: 23342111

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.6

VPN Lan 2 lan problem

Zones: IPSec Security Protocol, Network Software Firewalls, Cisco PIX Firewall

Tags: Cisco, ASA and PIX, ASA 5505 and Pix 501

Hello

I have some problems with my test lan 2 lan conf.

I hope some one can help me. :-)

I have made a

packet-tracer input inside udp 192.168.1.1 isakmp 192.168.10.1 isakmp

The result:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Attachments:

asa5505.TXT (3 KB) (File Type Details)

My asa 5505 conf.

pix501.TXT (2 KB) (File Type Details)

My Pix 501 conf.

Start your free trial to view this solution

Question Stats

Zone: Networking

Question Asked By: deo112

Solution Provided By: lrmoore

Participating Experts: 1

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

04.22.2008 at 03:14PM PDT, ID: 21416076

Rank: Genius

lrmoore:

>crypto map outside_map 10 set pfs
You need to match this in the ASA on the PIX

Add to the PIX:
crypto map outside_map 20 set pfs

Also on the PIX, add "no-xauth no-config-mode" to the isakmp key entry
isakmp key ******** address 10.1.0.2 netmask 255.255.255.255
Should be
isakmp key ******** address 10.1.0.2 netmask 255.255.255.255 no-xauth no-config-mode

On both sides, you have transform set
set transform-set ESP_3DES_SHA
But, your isakmp policies are et for aes-256/sha
Make the policy match the transform sets on both sides.
On PIX:
isakmp policy 10 encryption 3des

On ASA
crypto isakmp policy 5
encryption 3des

Then post results of "show cry is sa" and "show access-list"

Accepted Solution

04.23.2008 at 01:39AM PDT, ID: 21418600

deo112:

Hello
Thanks for the reply, but it did not solve my problem.

Ping and show access.list on pix:

pixfirewall# ping inside 192.168.1.1
192.168.1.1 NO response received -- 1000ms
192.168.1.1 NO response received -- 1000ms
192.168.1.1 NO response received -- 1000ms
pixfirewall# shwo access-list
Type help or '?' for a list of available commands.
pixfirewall# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 permit ip 192.168.10.0 255.255.255.0 192
.168.1.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 192.168.10.0 255.255.255.0 192
.168.1.0 255.255.255.0 (hitcnt=0)
pixfirewall#

Show cry is sa and show access-list on ASA:
ciscoasa# show cry is sa

There are no isakmp sas
ciscoasa# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list crypto_test; 1 elements
access-list crypto_test line 1 extended permit ip 192.168.1.0 255.255.255.0 192.
168.10.0 255.255.255.0 (hitcnt=0) 0x044b44ad
access-list nonat; 1 elements
access-list nonat line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.10
.0 255.255.255.0 (hitcnt=0) 0x3dd75066
ciscoasa#

04.23.2008 at 05:55AM PDT, ID: 21420085

Rank: Genius

lrmoore:

>pixfirewall# ping inside 192.168.1.1
This will never work anyway. First, 192.168.1.1 is OUTside, not INside. Second, you cannot initiate the ping from the pix firewall itself, you must initiate it from a PC inside the PIX and you must ping a host on the inside of the ASA, not the ASA's inside interface.

>There are no isakmp sas
The tunnel is not getting negotiated properly.
What do you see on the PIX side from the same show cry is sa command?
Start a continuous host-host ping then look at this command. Do it several times in a row and see if the state changes. Then look at the access-lists again for hitcounters to increment

04.23.2008 at 05:58AM PDT, ID: 21420116

Rank: Genius

lrmoore:

How do you have these two connected in the lab? Crossover cable, or through a switch or hub? If using a switch, is there anything else on the same switch?

04.23.2008 at 09:09AM PDT, ID: 21422265

deo112:

OK
I will try this tomorrow.

Here is the network diagram.

This is only a test setup, Yes it is in a lab.

I can ping fra ASA to PIX Outside interface and also from PIX to ASA outside.

network.jpg (56 KB) (File Type Details)

Test network diagram

04.23.2008 at 11:57AM PDT, ID: 21424050

Rank: Genius

lrmoore:

You still have to have a host PC on the 192.168.1.x network and a host PC on the 192.168.10.x network and make sure they are two separate VLAN's on the switch..

04.24.2008 at 04:32AM PDT, ID: 21429612

deo112:

Thans. It works now.

20080236-EE-VQP-29 / EE_QW_2_20070628