mikael6 asked:
problem setting up site to site vpn between cisco asa 5510 firewall and cisco pix 515 firewall

I have probably now spent over 40 hours trying to get a site to site vpn set up in my lab between a cisco asa 5510 firewall and a cisco pix 515 firewall.  There is connectivity between the firewalls (they can ping each other).  I have read various articles online about how to do this and consulted my cisco books and can't get this to work.  When I look at the logs it doesn't appear that the firewalls are even attempting to make a vpn connection.  I am posting the configs of both firewalls here.  Any help would be greatly appreciated as at this point I can't think of anything else to try so if I can't get an answer here I have to give up.
Attachments: asa-config.TXT, pix-config.TXT
ASKER CERTIFIED SOLUTION
Les Moore
Hello, Mikael6

One thing I see immediately is that your ASA has multiple crypto transform sets.

You only need this one:

crypto ipsec transform-set strong esp-des esp-md5-hmac

Your PIX config has only this:
crypto ipsec transform-set strong esp-des esp-md5-hmac

so it looks like the ASA might not be selecting this as the primary transform set. It has so many transform sets in the config, and unless it chooses the one that matches the PIX, the tunnel won't form.

You need something like this in the ASA:

crypto map outside_map 1 set transform-set gonder
crypto ipsec transform-set gonder esp-des esp-md5-hmac

Get rid of all this:

crypto map gonder 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

The PIX needs the corresponding transform set to match:
crypto ipsec transform-set strong esp-des esp-md5-hmac

On the ASA:
>crypto map gonder 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

This needs to match the PIX side:
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map gonder 10 set transform-set strong

So change the ASA to:
crypto map gonder 1 set transform-set ESP-DES-MD5

By the way, you can get a free 3DES license upgrade for your PIX if you have a CCO login.
LOL! We must have been typing at the same time!

Probably, as I didn't see your comments as I was typing. It looks like we both saw the same transform set mismatch, the probable cause of the tunnel not forming.

Thanks for your comments, so mikael6 should have his tunnel up soon.
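The mismatch both commenters point at can be checked offline before touching either device. The following Python script is an added example, not code from the thread or from Cisco; it parses the transform-set and crypto-map lines of two peers' configs (the fragments below are constructed to mirror the thread, not the asker's real files) and reports which phase 2 proposals the two sides actually have in common.

```python
import re

# Constructed config fragments modelled on the thread (not the asker's real
# files): the ASA map lists many transform sets, the PIX map offers one.
ASA_CFG = """\
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map gonder 1 set transform-set ESP-AES-128-SHA ESP-3DES-MD5 ESP-DES-MD5
"""
PIX_CFG = """\
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto map gonder 10 set transform-set strong
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+(.+?)\s*$", re.M)
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set transform-set (.+?)\s*$", re.M)


def proposals(cfg):
    """Return [(map, seq, ts_name, frozenset(algorithms))] in the order the
    device offers them. A name a map references but never defines yields an
    empty set, so that misconfiguration shows up instead of being hidden."""
    defined = {m.group(1): frozenset(m.group(2).split()) for m in TS_RE.finditer(cfg)}
    out = []
    for m in MAP_RE.finditer(cfg):
        for name in m.group(3).split():
            out.append((m.group(1), int(m.group(2)), name, defined.get(name, frozenset())))
    return out


def matching_proposals(local_cfg, remote_cfg):
    """Pairs (local ts name, remote ts name) whose ESP algorithm sets are
    identical. An empty list means phase 2 cannot agree and no tunnel forms."""
    remote = proposals(remote_cfg)
    return [(ln, rn) for _, _, ln, la in proposals(local_cfg)
                     for _, _, rn, ra in remote
                     if la and la == ra]


def report(local_cfg, remote_cfg):
    """One-line summary for whoever is comparing the two peers' configs."""
    hits = matching_proposals(local_cfg, remote_cfg)
    if not hits:
        return "NO MATCH: trim or add a transform set so both peers share one"
    return "match: " + ", ".join(f"{l}<->{r}" for l, r in hits)


if __name__ == "__main__":
    print(report(ASA_CFG, PIX_CFG))
```

Running it against the sample fragments shows ESP-DES-MD5 on the ASA pairing with "strong" on the PIX, which is exactly the single proposal the commenters kept.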
mikael6 (ASKER):
Perfect answer.  I was playing around so much trying to get this to work and trying every network configuration possible and I missed resetting the IP address in the crypto map.  So, I fixed this.  I am pretty sure that in my trials and tribulations I had this correct at one point and still didn't have the VPN working.  However, I didn't know that the VPN tunnels were created dynamically when traffic was established.  I wasn't doing a constant pinging like was suggested from a PC on each side to the other side.  I thought the tunnel just formed automatically whether there was traffic or not.  Anyway, I began the pinging from both sides after I fixed the crypto map issue and the VPN started working right away.  Previous to this I was trying to ping to test the VPN from the firewall's Ethernet interface to the other firewall's Ethernet interface.  This didn't work in making the VPN connection.

As to the other comments after yours, I will use those too to just clean up a little.  Also, whoever mentioned the upgrade to 3DES, I will try to get this as I do have a CCO account.  Thanks much.

To all:  I just began using this service and I am astounded.  I got so many replies to my issue so quickly and they were so good.  This issue was driving me nuts and I couldn't find an answer online through my Google searches and through the Cisco books.  I know this sounds kind of stupid, but the VPN documentation I read didn't explain that you needed to pass traffic to actively establish the VPN.  I was just playing with this stuff at home to learn more and am so happy I got this working.

THANK YOU ALL SO MUCH.  THIS MADE MY WEEKEND.