Question

Site-to-Site VPN from ASA 5505 to PIX 501 with Client VPN on ASA 5505

Asked by: RishMaster

I'm trying to get a site-to-site VPN going between a Cisco ASA 5505 and PIX 501.  The ASA 5505 currently supports client VPN and I want to keep that.

I'm guessing my issue is that the PIX 501 is on the same subnet as the client VPN pool, but I'm not sure.

I've posted my ASA and PIX configs below.  Please let me know how to correct this and any other things missing/incorrect in my configs.

On a side note, can the Cisco VPN Client 4.8 support AES VPN?

ASA# sh conf
: Saved
: Written by enable_15 at 05:42:43.942 MST Wed Jan 2 2008
!
ASA Version 7.2(2)
!
hostname ASA
domain-name domain.local
enable password sUh51JfF84zKYNlu encrypted
names
name 10.1.1.100 SERVER-IP
dns-guard
!
interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 description WAN
 nameif outside
 security-level 0
 ip address <SITE 1 IP> 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Configured by Keeran Systems
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name domain.local
object-group network VPNPOOL
 network-object 10.1.2.0 255.255.255.0
access-list traffic_in extended permit tcp host <BARRACUDA IP> host <SITE 1 IP - SERVER> eq smtp
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq www
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq https
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq pop3
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 2343
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 2344
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 2345
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 2346
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 2347
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 2348
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 3000
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 3101
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 3389
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 3390
access-list traffic_in extended permit tcp any host <SITE 1 IP - SERVER> eq 8080
access-list traffic_in extended permit icmp any any
access-list VPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip any 10.1.2.0 255.255.255.0
access-list outside_cryptomap_20.20 extended permit ip any object-group VPNPOOL
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 10.1.2.2-10.1.2.19 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp <SITE 1 IP - SERVER> https SERVER-IP https netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> smtp SERVER-IP smtp netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> pop3 SERVER-IP pop3 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> www SERVER-IP www netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 2343 SERVER-IP 2343 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 2344 SERVER-IP 2344 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 2345 SERVER-IP 2345 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 2346 SERVER-IP 2346 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 2347 SERVER-IP 2347 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 2348 SERVER-IP 2348 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 3000 10.1.1.101 3000 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 3101 SERVER-IP 3101 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 3389 SERVER-IP 3389 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 3390 10.1.1.101 3389 netmask 255.255.255.255
static (inside,outside) tcp <SITE 1 IP - SERVER> 8080 10.1.1.101 8080 netmask 255.255.255.255
access-group traffic_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.176.143.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPN internal
group-policy VPN attributes
 wins-server value 10.1.1.100
 dns-server value 10.1.1.100
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value domain.local
username nsjiwani password IYuFCTs5pkIvceky encrypted
username keeran password dbJ35eQnAlma.f6R encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPNPOOL
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
tunnel-group <SITE 2 IP> type ipsec-l2l
tunnel-group <SITE 2 IP> ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global
 class class-default
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9f915d07d00c8237fcbd595a0a9295ca
ASA#
 
PIXfirewall# sh conf
: Saved
: Written by enable_15 at 11:40:13.290 UTC Wed Jan 2 2008
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sUh51JfF84zKYNlu encrypted
passwd sUh51JfF84zKYNlu encrypted
hostname PIXfirewall
domain-name domain.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_nat0_outbound permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.1.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.2.0 255.255.255.0 inside
snmp-server host outside <KEERAN IP> poll
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer <SITE 1 IP>
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address <SITE 1 IP> netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.2.45-10.1.2.74 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:9aaed8d974011aa157f3daf21d90cb68
PIXfirewall#
                                  


Asked on: 2008-01-02 at 12:35:40 (ID 23054088)
Tags: Cisco, ASA / PIX, 5505 / 501
Topics: Cisco PIX Firewall, Virtual Private Networking (VPN), Enterprise Firewalls
Participating Experts: 2 | Points: 500 | Comments: 20


Answers

 

by: batry_boy, posted on 2008-01-02 at 14:44:26, ID: 20568916

>>I'm guessing my issue is that the PIX 501 is on the same subnet as the client VPN pool, but I'm not sure.

Yes, that is a problem.  I would change the VPN client pool to a different network range, say 10.10.1.0/24 or something other than 10.1.1.0/24 or 10.1.2.0/24.

>>On a side note, can the Cisco VPN Client 4.8 support AES VPN?

No, but I haven't seen any documentation saying that...I only have anecdotal evidence to support that answer.

 

by: RishMaster, posted on 2008-01-02 at 16:52:51, ID: 20569589

I have moved it to 10.1.5.0/24 and the VPN still works but the site-to-site doesn't.

ASA(config)# sh conf
: Saved
: Written by enable_15 at 09:29:55.960 MST Wed Jan 2 2008
!
ASA Version 7.2(2)
!
hostname ASA
domain-name domain.local
enable password sUh51JfF84zKYNlu encrypted
names
name 10.1.1.100 SERVER-IP
dns-guard
!
interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 description WAN
 nameif outside
 security-level 0
 ip address <ASA WAN IP> 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Configured by Keeran Systems
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name domain.local
object-group network VPNPOOL
 network-object 10.1.5.0 255.255.255.0
access-list traffic_in extended permit tcp host <BARRACUDA IP> host <SERVER WAN IP> eq smtp
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq www
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq https
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq pop3
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2343
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2344
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2345
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2346
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2347
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2348
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 3000
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 3101
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 3389
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 3390
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 8080
access-list traffic_in extended permit icmp any any
access-list VPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list outside_cryptomap_20.20 extended permit ip any object-group VPNPOOL
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 10.1.5.45-10.1.5.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp <SERVER WAN IP> https SERVER-IP https netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> smtp SERVER-IP smtp netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> pop3 SERVER-IP pop3 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> www SERVER-IP www netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2343 SERVER-IP 2343 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2344 SERVER-IP 2344 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2345 SERVER-IP 2345 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2346 SERVER-IP 2346 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2347 SERVER-IP 2347 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2348 SERVER-IP 2348 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 3000 10.1.1.101 3000 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 3101 SERVER-IP 3101 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 3389 SERVER-IP 3389 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 3390 10.1.1.101 3389 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 8080 10.1.1.101 8080 netmask 255.255.255.255
access-group traffic_in in interface outside
route outside 0.0.0.0 0.0.0.0 <WAN DG IP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPN internal
group-policy VPN attributes
 wins-server value 10.1.1.100
 dns-server value 10.1.1.100
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value domain.local
username nsjiwani password IYuFCTs5pkIvceky encrypted
username keeran password dbJ35eQnAlma.f6R encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPNPOOL
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
tunnel-group 209.89.45.8 type ipsec-l2l
tunnel-group 209.89.45.8 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global
 class class-default
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f385718e0bfc0fd51d6170fe80638be

                                              

 

by: MrHusy, posted on 2008-01-02 at 19:19:07, ID: 20570084

Hi Rishmaster,
I don't see crypto map entries for site-to-site?

crypto map outside_map 20 set peer 209.89.45.8
crypto map outside_map 20 match address outside_cryptomap_20

Regards

 

by: RishMaster, posted on 2008-01-03 at 10:19:03, ID: 20575084

I think I already put those in but it doesn't display in the running-config.

When I add "crypto map outside_map 20 set peer 209.89.45.8" it says "ERROR: Multiple Peers can be specified only with originate-only connections".

"crypto map outside_map 20 match address outside_cryptomap_20" takes fine.
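The two problems raised so far in this thread, the remote-access pool sitting on the same subnet as the PIX LAN (batry_boy's answer) and a `set peer` aimed at crypto map sequence 20, which the asker's config already binds to the dynamic map (the error quoted above), are both mechanical enough to lint. The script below is an added example, not part of the thread and not Cisco tooling: it runs three checks over ASA 7.x style config text. The two sample configs are constructed from lines on this page (the first adds the `set peer` line MrHusy suggested; the second assumes the pool has moved to 10.1.5.0/24, the site-to-site entry keeps sequence 20 and the dynamic entry is moved to an assumed sequence 65535). The ordering check follows Cisco's general guidance that the dynamic entry should carry the highest sequence number so explicit peers are matched first.

```python
import ipaddress
import re

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CMAP_DYN_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
CMAP_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")

# Constructed sample: the relevant lines from the asker's first ASA config, plus
# the 'set peer' line MrHusy suggested (the ASA rejected it with the error quoted).
BROKEN_CONFIG = """\
ip local pool VPNPOOL 10.1.2.2-10.1.2.19 mask 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 set peer 209.89.45.8
crypto map outside_map 20 match address outside_cryptomap_20
"""

# Constructed sample of the same lines after the fixes: pool moved off 10.1.2.0/24,
# site-to-site entry on its own sequence number, dynamic entry given the highest one
# (65535 is an assumed value, not from the thread).
FIXED_CONFIG = """\
ip local pool VPNPOOL 10.1.5.45-10.1.5.60 mask 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 209.89.45.8
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""


def _lines(config):
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def parse_pools(config):
    """Pool name -> list of networks exactly covering the pool's address range."""
    pools = {}
    for ln in _lines(config):
        m = POOL_RE.match(ln)
        if m:
            name, first, last, _mask = m.groups()
            pools[name] = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return pools


def parse_subnet_acls(config):
    """ACL name -> [(local, remote)] for 'permit ip A AM B BM' entries; 'any',
    'host' and object-group forms do not fit the pattern and are skipped."""
    acls = {}
    for ln in _lines(config):
        m = ACL_RE.match(ln)
        if not m:
            continue
        name, src, src_mask, dst, dst_mask = m.groups()
        try:
            pair = (ipaddress.ip_network(f"{src}/{src_mask}"),
                    ipaddress.ip_network(f"{dst}/{dst_mask}"))
        except ValueError:  # a token that is not an address/mask
            continue
        acls.setdefault(name, []).append(pair)
    return acls


def pool_overlaps(config):
    """(pool, acl, remote subnet) wherever a pool overlaps a crypto ACL's remote side."""
    findings = []
    acls = parse_subnet_acls(config)
    for pool, blocks in parse_pools(config).items():
        for acl, pairs in acls.items():
            for _local, remote in pairs:
                if any(b.overlaps(remote) for b in blocks):
                    findings.append((pool, acl, str(remote)))
    return findings


def crypto_map_conflicts(config):
    """(map, seq, peer) for 'set peer' lines aimed at a sequence already bound to a dynamic map."""
    dynamic = {(m.group(1), int(m.group(2)))
               for m in map(CMAP_DYN_RE.match, _lines(config)) if m}
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in map(CMAP_PEER_RE.match, _lines(config))
            if m and (m.group(1), int(m.group(2))) in dynamic]


def dynamic_entry_order(config):
    """Maps whose dynamic entry sorts before a static peer entry; Cisco's guidance is
    to give the dynamic entry the highest sequence number so explicit peers match first."""
    dyn, static = {}, {}
    for ln in _lines(config):
        m = CMAP_DYN_RE.match(ln)
        if m:
            dyn.setdefault(m.group(1), []).append(int(m.group(2)))
        m = CMAP_PEER_RE.match(ln)
        if m:
            static.setdefault(m.group(1), []).append(int(m.group(2)))
    return sorted(n for n, seqs in dyn.items()
                  if n in static and min(seqs) < max(static[n]))


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, pool_overlaps(cfg), crypto_map_conflicts(cfg), dynamic_entry_order(cfg))
```

Run against the first sample it reports the pool overlapping 10.1.2.0/24 and the `set peer` collision on sequence 20; against the second it reports nothing. Feeding it the full `show run` output works as well, since lines that do not fit the three patterns are ignored; the PIX side would need its own patterns, as 6.3 writes `crypto map` and `isakmp` lines in a different form.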

 

by: RishMaster, posted on 2008-01-03 at 10:48:00, ID: 20575332

OK, so I separated the site-to-site crypto/isakmp from the VPN crypto/isakmp.  The site-to-site doesn't work but at least I can add those lines in properly.

I've attached the updated ASA and PIX configs.

ASA 5505
: Saved
: Written by enable_15 at 04:15:28.279 MST Thu Jan 3 2008
!
ASA Version 7.2(2)
!
hostname ASA
domain-name domain.local
enable password sUh51JfF84zKYNlu encrypted
names
name 10.1.1.100 SERVER-IP
dns-guard
!
interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 description WAN
 nameif outside
 security-level 0
 ip address <ASA WAN IP> 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Configured by Keeran Systems
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name domain.local
object-group network VPNPOOL
 network-object 10.1.5.0 255.255.255.0
access-list traffic_in extended permit tcp host <BARRACUDA IP> host <SERVER WAN IP> eq smtp
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq www
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq https
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq pop3
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2343
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2344
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2345
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2346
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2347
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 2348
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 3000
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 3101
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 3389
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 3390
access-list traffic_in extended permit tcp any host <SERVER WAN IP> eq 8080
access-list traffic_in extended permit icmp any any
access-list VPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.5.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip any object-group VPNPOOL
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 10.1.5.45-10.1.5.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp <SERVER WAN IP> https SERVER-IP https netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> smtp SERVER-IP smtp netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> pop3 SERVER-IP pop3 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> www SERVER-IP www netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2343 SERVER-IP 2343 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2344 SERVER-IP 2344 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2345 SERVER-IP 2345 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2346 SERVER-IP 2346 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2347 SERVER-IP 2347 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 2348 SERVER-IP 2348 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 3000 10.1.1.101 3000 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 3101 SERVER-IP 3101 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 3389 SERVER-IP 3389 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 3390 10.1.1.101 3389 netmask 255.255.255.255
static (inside,outside) tcp <SERVER WAN IP> 8080 10.1.1.101 8080 netmask 255.255.255.255
access-group traffic_in in interface outside
route outside 0.0.0.0 0.0.0.0 <WAN DG IP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPN internal
group-policy VPN attributes
 wins-server value 10.1.1.100
 dns-server value 10.1.1.100
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value domain.local
username nsjiwani password IYuFCTs5pkIvceky encrypted
username keeran password dbJ35eQnAlma.f6R encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer <PIX WAN IP>
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPNPOOL
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
tunnel-group <PIX WAN IP> type ipsec-l2l
tunnel-group <PIX WAN IP> ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global
 class class-default
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d6135bf88bcaec9ce69e17ffdaf88f88
ASA(config)#
 
PIX 501
PIXfirewall# sh conf
: Saved
: Written by enable_15 at 10:03:50.155 UTC Thu Jan 3 2008
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sUh51JfF84zKYNlu encrypted
passwd sUh51JfF84zKYNlu encrypted
hostname PIXfirewall
domain-name domain.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list inside_nat0_outbound permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.1.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.2.0 255.255.255.0 inside
snmp-server host outside 207.176.143.8 poll
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer <ASA WAN IP>
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address <ASA WAN IP> netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.1.2.45-10.1.2.74 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:4b7a1d4ac27e49bb5244a0dd3132495f
PIXfirewall#
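Added example (my code, not part of the question and not a Cisco tool): a Python cross-check of the two posted configurations for the mismatches that most often leave an IKEv1 LAN-to-LAN tunnel negotiating but not passing traffic. It checks that the two crypto ACLs are mirror images (Quick Mode compares the proxy IDs), that each side's nat 0 ACL exempts the tunnel subnets from PAT, that both peers reference the same IPsec transform, and that the ASA's remote-access pool does not overlap either tunnel subnet. It also flags two exposure issues that are visible in the configs as posted: SSH accepted on the outside interface from 0.0.0.0/0 and the default SNMP community 'public'. The config excerpts are copied from the post; the regexes, tag names and the findings function are assumptions of this example rather than anything the firewalls provide.

```python
import ipaddress
import re

# Excerpts copied from the two configurations posted above (lines the checks
# do not need are omitted).  The checks, tags and regexes are my own.
ASA_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
ip local pool VPNPOOL 10.1.5.45-10.1.5.60 mask 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
"""
PIX_CONFIG = """\
access-list inside_nat0_outbound permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
"""
MAP = ("outside_map", 20)  # the LAN-to-LAN crypto map entry on both peers

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set transform-set) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
SSH_RE = re.compile(r"^ssh (\S+) (\S+) (\S+)$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)$")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Pull the VPN- and management-relevant lines out of a PIX 6.3 / ASA 7.2 config."""
    cfg = {"acl": {}, "ts": {}, "cmap": {}, "pools": [], "ssh": [], "snmp": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            cfg["acl"].setdefault(name, []).append((net(s, sm), net(d, dm)))
        elif m := TS_RE.match(line):
            cfg["ts"][m.group(1)] = frozenset(m.group(2).split())
        elif m := CMAP_RE.match(line):
            key = "acl" if m.group(3) == "match address" else "ts"
            cfg["cmap"].setdefault((m.group(1), int(m.group(2))), {})[key] = m.group(4)
        elif m := POOL_RE.match(line):
            # clients get the pool's mask, so that whole network is what must not collide
            cfg["pools"].append((m.group(1), net(m.group(2), m.group(4))))
        elif m := SSH_RE.match(line):
            cfg["ssh"].append((net(m.group(1), m.group(2)), m.group(3)))
        elif m := SNMP_RE.match(line):
            cfg["snmp"].append(m.group(1))
    return cfg


def crypto_pairs(cfg):
    """(local, remote) subnet pairs protected by the LAN-to-LAN crypto map entry."""
    return set(cfg["acl"][cfg["cmap"][MAP]["acl"]])


def check_side(name, cfg):
    """Per-device checks: nat 0 must cover every crypto-ACL pair; management must not be wide open."""
    out = []
    nat0 = set(cfg["acl"].get("inside_nat0_outbound", []))
    for local, remote in crypto_pairs(cfg):
        if (local, remote) not in nat0:
            out.append(("nat0", f"{name}: {local}->{remote} is not exempt from NAT, so it is PATed before encryption"))
    for source, iface in cfg["ssh"]:
        if iface == "outside" and source.prefixlen == 0:
            out.append(("ssh-exposure", f"{name}: ssh accepted from any address on {iface}"))
    for community in cfg["snmp"]:
        if community in ("public", "private"):
            out.append(("snmp-community", f"{name}: SNMP community is the well-known default '{community}'"))
    return out


def findings(asa_text, pix_text):
    """Cross-check the two peers; returns (tag, message) pairs, empty when nothing is flagged."""
    asa, pix = parse(asa_text), parse(pix_text)
    out = []
    a_pairs, p_pairs = crypto_pairs(asa), crypto_pairs(pix)
    # Quick Mode compares proxy IDs, so the two crypto ACLs must be exact mirror images.
    if a_pairs != {(r, l) for l, r in p_pairs}:
        out.append(("crypto-acl", "crypto ACLs are not mirrors: ASA %s / PIX %s" % (
            sorted(f"{l}->{r}" for l, r in a_pairs), sorted(f"{l}->{r}" for l, r in p_pairs))))
    a_ts, p_ts = asa["ts"][asa["cmap"][MAP]["ts"]], pix["ts"][pix["cmap"][MAP]["ts"]]
    if a_ts != p_ts:
        out.append(("transform-set", f"no common IPsec transform: ASA {sorted(a_ts)} / PIX {sorted(p_ts)}"))
    # a remote-access pool overlapping either tunnel subnet leaves the ASA with two
    # conflicting destinations for the same addresses
    for pool_name, pool in asa["pools"]:
        for n in {n for pair in a_pairs for n in pair}:
            if pool.overlaps(n):
                out.append(("pool-overlap", f"pool {pool_name} ({pool}) overlaps tunnel subnet {n}"))
    return out + check_side("ASA", asa) + check_side("PIX", pix)
```

With the configs as posted, only the two exposure findings come back for each device. Narrowing the PIX's ACL to 10.1.1.0/25, or moving the pool into 10.1.2.0/24, produces a crypto-acl or pool-overlap finding respectively. Restricting `ssh` to a management subnet and replacing `public` with a non-default community (or removing SNMP where nothing polls it) closes the two exposures.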

                                              
by: batry_boy | Posted on 2008-01-03 at 11:50:52 | ID: 20575947

I would try using group 2 for DH on the tunnel:

PIX:

no isakmp policy 20 group 5
isakmp policy 20 group 2

ASA:

crypto isakmp policy 20
group 2

See if that helps...

 

by: RishMaster | Posted on 2008-01-03 at 12:30:46 | ID: 20576362

Hi batry_boy,

Thanks for your suggestions.  I changed from group 5 to group 2 but still no luck.

BTW, is there a quicker way to refresh the ASA / PIX without doing reloads on both sides?

 

by: batry_boy | Posted on 2008-01-03 at 15:38:56 | ID: 20578259

Since you only have one site-to-site VPN tunnel configured, meaning you won't affect any other tunnels if you do this, you can issue the commands:

clear crypto ip sa
clear crypto is sa

And then try to send interesting traffic to bring the tunnel up, such as pinging a host on the other side of the tunnel.  Before you do this, turn on debugs so that we can see how far the tunnel setup is getting, if anywhere at all:

debug crypto ipsec
debug crypto isakmp

Post the output of those commands.

 

by: RishMaster | Posted on 2008-01-03 at 15:50:45 | ID: 20578340

When I run "sh crypto is sa" and "sh crypto ip sa" on both devices neither of them indicates there's a tunnel.

 

by: batry_boy | Posted on 2008-01-03 at 15:55:45 | ID: 20578379

Yes, I know...did you perform the "clear" commands I posted above?  When you asked about the quickest way to "refresh" the firewalls, I thought you meant in regards to the VPN tunnel setup.  Since establishing the VPN tunnel in the first place is your issue, you won't see any output from the "sh cryp is sa" and "sh cryp ip sa" commands.

But if you enter the debug commands above, you should see the tunnel trying to be negotiated as long as interesting traffic is being sent that causes the firewall to try and bring it up.

 

by: RishMaster | Posted on 2008-01-03 at 16:10:07 | ID: 20578488

Sorry, I was trying to explain that nothing was appearing after I put in the debug commands.  So I ran the "sh crypto is sa" and "sh crypto ip sa" commands...

I pinged the PIX from the Server behind the ASA.  Below is the debug dump from the PIX.  Nothing appears on the ASA.

crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
 
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP:      default group 2
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
 
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
 
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
 
ISAKMP (0): processing NONCE payload. message ID = 0
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): received xauth v6 vendor id
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): speaking to another IOS box!
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): speaking to a VPN3000 concentrator
 
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): remote peer supports dead peer detection
 
ISAKMP (0): SA has been authenticated
 
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:<ASA WAN IP>/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:<ASA WAN IP>/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 66413285
 
ISAKMP : Checking IPSec proposal 1
 
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= <PIX WAN IP>, src= <ASA WAN IP>,
    dest_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x4
 
ISAKMP (0): processing NONCE payload. message ID = 66413285
 
ISAKMP (0): processing ID payload. message ID = 66413285
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 10.1.1.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 66413285
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 10.1.2.0/255.255.255.0 prot 0 port 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 66413285
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with <ASA WAN IP>
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xa1658d29(2707787049) for SA
        from <ASA WAN IP> to     <PIX WAN IP> for prot 3
 
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from <ASA WAN IP> to     <PIX WAN IP> (proxy        10.1.1.0 to        10.1.2.0)
        has spi 2707787049 and conn_id 1 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from     <PIX WAN IP> to <ASA WAN IP> (proxy        10.1.2.0 to        10.1.1.0)
        has spi 4175311487 and conn_id 2 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= <PIX WAN IP>, src= <ASA WAN IP>,
    dest_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0xa1658d29(2707787049), conn_id= 1, keysize= 256, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= <PIX WAN IP>, dest= <ASA WAN IP>,
    src_proxy= 10.1.2.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
    lifedur= 28800s and 4608000kb,
    spi= 0xf8de327f(4175311487), conn_id= 2, keysize= 256, flags= 0x4
 
VPN Peer: IPSEC: Peer ip:<ASA WAN IP>/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:<ASA WAN IP>/500 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1276633203
ISAMKP (0): received DPD_R_U_THERE from peer <ASA WAN IP>
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 987708692
ISAMKP (0): received DPD_R_U_THERE from peer <ASA WAN IP>
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1790163787
ISAMKP (0): received DPD_R_U_THERE from peer <ASA WAN IP>
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 196042510
ISAMKP (0): received DPD_R_U_THERE from peer <ASA WAN IP>
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 3369434978
ISAMKP (0): received DPD_R_U_THERE from peer <ASA WAN IP>
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xa8b8b4, conn_id = 0
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 2390903041
ISAMKP (0): received DPD_R_U_THERE from peer <ASA WAN IP>
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1845516604
ISAMKP (0): received DPD_R_U_THERE from peer <ASA WAN IP>
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1807682357
ISAMKP (0): received DPD_R_U_THERE from peer <ASA WAN IP>
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:<ASA WAN IP>, dest:<PIX WAN IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 748755349
ISAMKP (0): received DPD_R_U_THERE from peer <ASA WAN IP>
ISAKMP (0): sending NOTIFY message 36137 protocol 1

                                              
by: RishMaster | Posted on 2008-01-03 at 16:47:45 | ID: 20578802

I ran "debug crypto ipsec 127" and "debug crypto isakmp 127" on the ASA and here's the output when I pinged from the server behind the ASA to the PIX local IP.

Jan 03 10:24:13 [IKEv1 DEBUG]: IP = <PIX WAN IP>, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, constructing dpd vid payload
Jan 03 10:24:13 [IKEv1]: IP = <PIX WAN IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jan 03 10:24:13 [IKEv1]: IP = <PIX WAN IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing ID payload
Jan 03 10:24:13 [IKEv1 DECODE]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, ID_IPV4_ADDR ID received
<PIX WAN IP>
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing hash payload
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Computing hash for ISAKMP
Jan 03 10:24:13 [IKEv1]: IP = <PIX WAN IP>, Connection landed on tunnel_group <PIX WAN IP>
Jan 03 10:24:13 [IKEv1]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Freeing previously allocated memory for authorization-dn-attributes
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Oakley begin quick mode
Jan 03 10:24:13 [IKEv1 DECODE]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, IKE Initiator starting QM: msg id = 41322913
Jan 03 10:24:13 [IKEv1]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, PHASE 1 COMPLETED
Jan 03 10:24:13 [IKEv1]: IP = <PIX WAN IP>, Keep-alive type for this connection: DPD
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Starting P1 rekey timer: 82080 seconds.
Jan 03 10:24:13 [IKEv1]: IP = <PIX WAN IP>, IKE_DECODE RECEIVED Message (msgid=a1869c84) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing hash payload
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing notify payload
IPSEC: New embryonic SA created @ 0x01B28848,
    SCB: 0x03C6F968,
    Direction: inbound
    SPI      : 0x203415E1
    Session ID: 0x00000003
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, IKE got SPI from key engine: SPI = 0x203415e1
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, oakley constucting quick mode
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, constructing blank hash payload
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, constructing IPSec SA payload
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, constructing IPSec nonce payload
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, constructing proxy ID
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Transmitting Proxy Id:
  Local subnet:  10.1.1.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 10.1.2.0  Mask 255.255.255.0 Protocol 0  Port 0
Jan 03 10:24:13 [IKEv1 DECODE]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, IKE Initiator sending Initial Contact
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, constructing qm hash payload
Jan 03 10:24:13 [IKEv1 DECODE]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, IKE Initiator sending 1st QM pkt: msg id = 41322913
Jan 03 10:24:13 [IKEv1]: IP = <PIX WAN IP>, IKE_DECODE SENDING Message (msgid=41322913) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 03 10:24:13 [IKEv1]: IP = <PIX WAN IP>, IKE_DECODE RECEIVED Message (msgid=41322913) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing hash payload
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing SA payload
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing nonce payload
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing ID payload
Jan 03 10:24:13 [IKEv1 DECODE]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, ID_IPV4_ADDR_SUBNET ID received--10.1.1.0--255.255.255.0
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing ID payload
Jan 03 10:24:13 [IKEv1 DECODE]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, ID_IPV4_ADDR_SUBNET ID received--10.1.2.0--255.255.255.0
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, loading all IPSEC SAs
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Generating Quick Mode Key!
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Generating Quick Mode Key!
Jan 03 10:24:13 [IKEv1]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Security negotiation complete for LAN-to-LAN Group (<PIX WAN IP>)  Initiator, Inbound SPI = 0x203415e1, Outbound SPI = 0x2d8579b0
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, oakley constructing final quick mode
Jan 03 10:24:13 [IKEv1 DECODE]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, IKE Initiator sending 3rd QM pkt: msg id = 41322913
Jan 03 10:24:13 [IKEv1]: IP = <PIX WAN IP>, IKE_DECODE SENDING Message (msgid=41322913) with payloads : HDR + HASH (8) + NONE (0) total length : 76
IPSEC: New embryonic SA created @ 0x03C65918,
    SCB: 0x03CB8B88,
    Direction: outbound
    SPI      : 0x2D8579B0
    Session ID: 0x00000003
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x2D8579B0
IPSEC: Creating outbound VPN context, SPI 0x2D8579B0
    Flags: 0x00000005
    SA   : 0x03C65918
    SPI  : 0x2D8579B0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x03CB8B88
    Channel: 0x0172DD48
IPSEC: Completed outbound VPN context, SPI 0x2D8579B0
    VPN handle: 0x000A0FF4
IPSEC: New outbound encrypt rule, SPI 0x2D8579B0
    Src addr: 10.1.1.0
    Src mask: 255.255.255.0
    Dst addr: 10.1.2.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x2D8579B0
    Rule ID: 0x03C5FB40
IPSEC: New outbound permit rule, SPI 0x2D8579B0
    Src addr: <ASA WAN IP>
    Src mask: 255.255.255.255
    Dst addr: <PIX WAN IP>
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x2D8579B0
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x2D8579B0
    Rule ID: 0x03C71830
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, IKE got a KEY_ADD msg for SA: SPI = 0x2d8579b0
IPSEC: Completed host IBSA update, SPI 0x203415E1
IPSEC: Creating inbound VPN context, SPI 0x203415E1
    Flags: 0x00000006
    SA   : 0x01B28848
    SPI  : 0x203415E1
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x000A0FF4
    SCB  : 0x03C6F968
    Channel: 0x0172DD48
IPSEC: Completed inbound VPN context, SPI 0x203415E1
    VPN handle: 0x000DE3CC
IPSEC: Updating outbound VPN context 0x000A0FF4, SPI 0x2D8579B0
    Flags: 0x00000005
    SA   : 0x03C65918
    SPI  : 0x2D8579B0
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x000DE3CC
    SCB  : 0x03CB8B88
    Channel: 0x0172DD48
IPSEC: Completed outbound VPN context, SPI 0x2D8579B0
    VPN handle: 0x000A0FF4
IPSEC: Completed outbound inner rule, SPI 0x2D8579B0
    Rule ID: 0x03C5FB40
IPSEC: Completed outbound outer SPD rule, SPI 0x2D8579B0
    Rule ID: 0x03C71830
IPSEC: New inbound tunnel flow rule, SPI 0x203415E1
    Src addr: 10.1.2.0
    Src mask: 255.255.255.0
    Dst addr: 10.1.1.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x203415E1
    Rule ID: 0x03C64408
IPSEC: New inbound decrypt rule, SPI 0x203415E1
    Src addr: <PIX WAN IP>
    Src mask: 255.255.255.255
    Dst addr: <ASA WAN IP>
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x203415E1
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x203415E1
    Rule ID: 0x035846A8
IPSEC: New inbound permit rule, SPI 0x203415E1
    Src addr: <PIX WAN IP>
    Src mask: 255.255.255.255
    Dst addr: <ASA WAN IP>
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x203415E1
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x203415E1
    Rule ID: 0x03584898
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Pitcher: received KEY_UPDATE, spi 0x203415e1
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Starting P2 rekey timer: 27359 seconds.
Jan 03 10:24:13 [IKEv1]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, PHASE 2 COMPLETED (msgid=41322913)
Jan 03 10:24:25 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Sending keep-alive of type DPD R-U-THERE (seq number 0x23d61fdc)
Jan 03 10:24:25 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, constructing blank hash payload
Jan 03 10:24:25 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, constructing qm hash payload
Jan 03 10:24:25 [IKEv1]: IP = <PIX WAN IP>, IKE_DECODE SENDING Message (msgid=f353c617) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 03 10:24:25 [IKEv1]: IP = <PIX WAN IP>, IKE_DECODE RECEIVED Message (msgid=a0d67894) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 03 10:24:25 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing hash payload
Jan 03 10:24:25 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, processing notify payload
Jan 03 10:24:25 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x23d61fdc)
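The two debug captures in this thread (the PIX one a few posts up and the ASA one just above) are in different formats, which makes it easy to misread whether the two sides actually agree. As an added example (my code, not from the thread or from Cisco), the following Python parses a handful of lines copied from each capture into one summary per side and then cross-checks them: phase 1 and phase 2 completion, which ISAKMP transform the PIX accepted, the proxy IDs each side negotiated, the SPIs, and DPD activity. The field names and the `compare` verdicts are my own.

```python
import ipaddress
import re

# Constructed sample: a handful of lines copied from the PIX and ASA debug
# captures posted above.  Parsing logic and field names are my own.
PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 10.1.1.0/255.255.255.0 prot 0 port 0
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 10.1.2.0/255.255.255.0 prot 0 port 0
ISAKMP (0): Creating IPSec SAs
        inbound SA from <ASA WAN IP> to     <PIX WAN IP> (proxy        10.1.1.0 to        10.1.2.0)
        has spi 2707787049 and conn_id 1 and flags 4
        outbound SA from     <PIX WAN IP> to <ASA WAN IP> (proxy        10.1.2.0 to        10.1.1.0)
        has spi 4175311487 and conn_id 2 and flags 4
ISAMKP (0): received DPD_R_U_THERE from peer <ASA WAN IP>
"""
ASA_DEBUG = """\
Jan 03 10:24:13 [IKEv1]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, PHASE 1 COMPLETED
Jan 03 10:24:13 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Transmitting Proxy Id:
  Local subnet:  10.1.1.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 10.1.2.0  Mask 255.255.255.0 Protocol 0  Port 0
Jan 03 10:24:13 [IKEv1]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Security negotiation complete for LAN-to-LAN Group (<PIX WAN IP>)  Initiator, Inbound SPI = 0x203415e1, Outbound SPI = 0x2d8579b0
Jan 03 10:24:13 [IKEv1]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, PHASE 2 COMPLETED (msgid=41322913)
Jan 03 10:24:25 [IKEv1 DEBUG]: Group = <PIX WAN IP>, IP = <PIX WAN IP>, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x23d61fdc)
"""


def _summary():
    return {"phase1_proposals": [], "phase1_done": False, "proxy": {},
            "spi_in": None, "spi_out": None, "phase2_done": False, "dpd": 0}


def parse_pix(lines):
    """Summarise 'debug crypto isakmp' / 'debug crypto ipsec' output from PIX 6.3 (the responder here)."""
    s, proposal, direction = _summary(), None, None
    for raw in lines:
        t = raw.strip()
        if m := re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+) policy", t):
            proposal = {"transform": int(m.group(1)), "policy": int(m.group(2)), "encryption": None, "accepted": None}
            s["phase1_proposals"].append(proposal)
        elif (m := re.match(r"ISAKMP:\s+encryption (\S+)", t)) and proposal:
            proposal["encryption"] = m.group(1)
        elif (m := re.match(r"ISAKMP \(\d+\): atts are (not )?acceptable", t)) and proposal:
            proposal["accepted"] = m.group(1) is None
        elif "SA has been authenticated" in t:
            s["phase1_done"] = True
        elif m := re.match(r"ISAKMP \(\d+\): ID_IPV4_ADDR_SUBNET (src|dst) (\S+) prot", t):
            s["proxy"][m.group(1)] = ipaddress.ip_network(m.group(2), strict=False)
        elif m := re.match(r"(inbound|outbound) SA from", t):
            direction = m.group(1)
        elif (m := re.match(r"has spi (\d+) and", t)) and direction:
            s["spi_in" if direction == "inbound" else "spi_out"] = int(m.group(1))
        elif "DPD_R_U_THERE" in t:  # the PIX really prints 'ISAMKP' on this line
            s["dpd"] += 1
    s["phase2_done"] = s["spi_in"] is not None and s["spi_out"] is not None
    return s


def parse_asa(lines):
    """Summarise 'debug crypto isakmp 127' / 'debug crypto ipsec 127' output from ASA 7.2 (the initiator here)."""
    s = _summary()
    for raw in lines:
        t = raw.strip()
        if "PHASE 1 COMPLETED" in t:
            s["phase1_done"] = True
        elif m := re.match(r"(Local|Remote) subnet:\s+(\S+)\s+[Mm]ask (\S+)", t):
            s["proxy"][m.group(1).lower()] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        elif m := re.search(r"Inbound SPI = 0x([0-9a-fA-F]+), Outbound SPI = 0x([0-9a-fA-F]+)", t):
            s["spi_in"], s["spi_out"] = int(m.group(1), 16), int(m.group(2), 16)
        elif "PHASE 2 COMPLETED" in t:
            s["phase2_done"] = True
        elif "DPD R-U-THERE-ACK" in t:
            s["dpd"] += 1
    return s


def compare(pix, asa):
    """Cross-check the two sides.  The responder logs proxy IDs from the initiator's
    point of view (src = ASA LAN, dst = PIX LAN), so they must equal the ASA's
    local/remote pair.  SPIs pair up (ASA outbound == PIX inbound and vice versa)
    only when both captures come from the same negotiation."""
    mirror = (pix["proxy"].get("src") == asa["proxy"].get("local")
              and pix["proxy"].get("dst") == asa["proxy"].get("remote"))
    same = pix["spi_in"] == asa["spi_out"] and pix["spi_out"] == asa["spi_in"]
    return {"both_sides_phase2": pix["phase2_done"] and asa["phase2_done"],
            "proxy_ids_mirror": mirror, "same_negotiation": same}
```

On the page's own lines both sides report phase 2 complete and the proxy IDs mirror (10.1.1.0/24 to 10.1.2.0/24), but the SPIs do not pair up: the PIX shows 0xa1658d29/0xf8de327f and the ASA 0x203415e1/0x2d8579b0, so the two captures come from different negotiation attempts. To correlate the two sides, capture both during the same attempt and check `show crypto ipsec sa` while that SA is still within its lifetime; an empty `show crypto isakmp sa` run days later shows only that no SA existed at that moment.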

                                              

by: batry_boy | Posted on 2008-01-04 at 12:30:43 | ID: 20585808

From line 203 of your code posted above, it looks like Phase 2 is completing which means that your tunnel should be up.  Still no output from the "sh cryp is sa" or "sh cryp ip sa" commands?

 

by: RishMaster  Posted on 2008-01-10 at 13:40:00  ID: 20631570

AF-SHE-FW-01# sh cryp is sa

There are no isakmp sas
AF-SHE-FW-01# sh cryp ip sa

There are no ipsec sas

 

by: batry_boy  Posted on 2008-01-13 at 20:49:20  ID: 20650976

I noticed that the hostname of the firewall you issued the "sh cryp" commands on above is different from the "ASA" hostname on your ASA...did you perform this command on the PIX?  If so, what do you see when you issue these commands on the ASA?  The reason I'm asking is because the debug output you posted is from the ASA which looks like the tunnel is being established.

 

by: RishMaster  Posted on 2008-01-14 at 12:03:35  ID: 20656171

Sorry, I renamed my ASA to AF-SHE-FW-01 and the PIX to AF-LED-FW-01...

 

by: batry_boy  Posted on 2008-01-14 at 12:46:21  ID: 20656576

Try adding an additional isakmp policy on the PIX specifying DH group 2 and 3DES...I've never used group 5 with a PIX before, it may be causing problems.  Also, if you get 3DES to work, then maybe later you can try it with AES, but for now let's just see if we can get the tunnel to come up at all.  You need to add the following commands to the PIX...the ASA already has equivalent statements:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
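
The suggestion above comes down to phase 1 proposal matching: the responder walks its own ISAKMP policies in priority order and accepts the first one whose authentication, encryption, hash and DH group are identical to something the initiator offered (Cisco's documented rule also requires the initiator's lifetime not to exceed the responder's, with the shorter lifetime used). The script below is an added example, not code from this thread or from Cisco. It parses both the one-line PIX 6.x `isakmp policy` syntax and the block-style ASA 7.x `crypto isakmp policy` syntax, fills in platform defaults (the default values in `DEFAULTS` are my assumptions for PIX 6.x and ASA 7.x; check them with `show isakmp policy` on the real box), and reports which policy pair would be selected. The sample configs are constructed: a PIX that only has a group 5 / AES policy, then the same PIX after the policy 10 lines above are added. It checks phase 1 attribute agreement only, not pre-shared keys, peer addresses, transform sets or crypto ACLs.

```python
"""Added example: does an IKEv1 initiator/responder pair share a usable
phase-1 (ISAKMP) policy? Not code from the original thread; the config
samples below are constructed for illustration."""
import re

ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

# Assumed platform defaults for attributes a policy leaves unset
# (PIX 6.x and ASA 7.x). Confirm on the device before relying on them.
DEFAULTS = {
    "pix": {"authentication": "rsa-sig", "encryption": "des", "hash": "sha",
            "group": "1", "lifetime": "86400"},
    "asa": {"authentication": "pre-share", "encryption": "3des", "hash": "sha",
            "group": "2", "lifetime": "86400"},
}

# PIX 6.x one-line form:  "isakmp policy 10 encryption 3des"
ONE_LINE = re.compile(r"^\s*(?:crypto\s+)?isakmp\s+policy\s+(\d+)\s+(\w+)\s+(\S+)\s*$")
# ASA 7.x block form:     "crypto isakmp policy 10" + indented attribute lines
HEADER = re.compile(r"^\s*(?:crypto\s+)?isakmp\s+policy\s+(\d+)\s*$")
SUBCMD = re.compile(r"^\s+(\w+)\s+(\S+)\s*$")


def parse_policies(config, platform):
    """Return {priority: {attr: value}} with platform defaults filled in."""
    policies = {}
    current = None  # priority of the block-form policy being read, if any
    for line in config.splitlines():
        m = ONE_LINE.match(line)
        if m and m.group(2) in ATTRS:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), dict(DEFAULTS[platform]))[attr] = value.lower()
            current = None
            continue
        m = HEADER.match(line)
        if m:
            current = int(m.group(1))
            policies.setdefault(current, dict(DEFAULTS[platform]))
            continue
        m = SUBCMD.match(line)
        if m and current is not None and m.group(1) in ATTRS:
            policies[current][m.group(1)] = m.group(2).lower()
            continue
        current = None  # any other line ends an indented policy block
    return policies


def select_proposal(initiator, responder):
    """Mimic the responder: first of its own policies (by priority) that is
    identical to an initiator proposal in auth/encryption/hash/group, with the
    initiator's lifetime <= the responder's. Returns (init_prio, resp_prio,
    agreed_attrs) or None when phase 1 cannot complete."""
    for r_prio, r_pol in sorted(responder.items()):
        for i_prio, i_pol in sorted(initiator.items()):
            same = all(i_pol[a] == r_pol[a]
                       for a in ("authentication", "encryption", "hash", "group"))
            if same and int(i_pol["lifetime"]) <= int(r_pol["lifetime"]):
                agreed = dict(r_pol)
                agreed["lifetime"] = str(min(int(i_pol["lifetime"]), int(r_pol["lifetime"])))
                return i_prio, r_prio, agreed
    return None


# Constructed samples. ASA side offers 3DES/SHA/group 2 (all attributes explicit).
ASA_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Constructed PIX side with only an AES-256/group 5 policy: no common proposal.
PIX_BEFORE = """\
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400
"""

# The same PIX after adding the 3DES/group 2 policy suggested in the thread.
PIX_AFTER = PIX_BEFORE + """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""


def check(asa_config, pix_config):
    """ASA initiates, PIX responds; returns the selected pair or None."""
    return select_proposal(parse_policies(asa_config, "asa"),
                           parse_policies(pix_config, "pix"))


if __name__ == "__main__":
    print("before:", check(ASA_CONFIG, PIX_BEFORE))  # None: no matching policy
    print("after: ", check(ASA_CONFIG, PIX_AFTER))   # (10, 10, {...3des, group 2...})
```

Run it against `show run` output from both boxes (pass the right platform name so defaults are filled in correctly) to see whether a Phase 1 mismatch is even possible before reaching for `debug crypto isakmp`; a result of None means no amount of Phase 2 tuning will bring the tunnel up.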

 

by: RishMaster  Posted on 2008-03-22 at 12:11:41  ID: 21187404

Sorry for not responding.  They removed the PIX so I have to wait until we can go back out there to hook it back up.  I will follow up as soon as this gets done and I test your configuration lines.

 

by: RishMaster  Posted on 2008-07-17 at 17:16:42  ID: 22031510

Still waiting on the client...  Hope to have the PIX back online this month to complete the site-to-site...  He's in the process of changing ISPs.
