  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 374

Cannot get VPN tunnel to work between Cisco ASA5510 and PIX 506 (500pts to winner)

Hello all, I am sure I am close, but I am missing something. I have a Cisco ASA5510 that does client VPNs with RADIUS authentication as well as one end of a VPN tunnel to a PIX 506. The client VPN works great, and there are no issues. People can VPN in using the Cisco client, hit all internal resources, etc. The device tunnel is a different story. I cannot get traffic to go across the VPN tunnel between the ASA and the 506 from either side. I have verified that clients behind both firewalls can get to the internet. My configs are below. Your help is greatly appreciated.

The LAN side of the ASA is 192.168.1.0. The LAN side of the PIX 506 is 10.20.30.0.

ASA5510 (main site that has client VPN as well as the tunnel to the 506)

hostname sb
domain-name business.com
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 83.83.41.133 255.255.255.248
!
interface Ethernet0/2
 description internal
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list sb_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.2.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list 102 extended permit icmp 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
!
ip local pool ippool 10.2.2.1-10.2.2.254 mask 255.255.255.0
global (outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.83.41.134 1
aaa-server sbVPN protocol radius
aaa-server sbVPN host exchange
 timeout 5
 key XXXXXXXXXXXXXX
group-policy sbVPN internal
group-policy sbVPN attributes
 wins-server value 192.168.1.10 192.168.1.15
 dns-server value 192.168.1.10 192.168.1.15
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sb_splitTunnelAcl
 default-domain value sb.local
username admin password xxxxxxxxxxxxxxxxxxxx encrypted
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.113.230.97
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group sbVPN type ipsec-ra
tunnel-group sbVPN general-attributes
 address-pool ippool
 authentication-server-group sbVPN
 authorization-server-group sbVPN
 accounting-server-group sbVPN
 default-group-policy sbVPN
 strip-realm
 strip-group
tunnel-group sbVPN ipsec-attributes
 pre-shared-key *
tunnel-group 201.113.230.97 type ipsec-l2l
tunnel-group 201.113.230.97 ipsec-attributes
 pre-shared-key *

PIX2 Relevant Config

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname SB2PIX506
domain-name business2.com
names
access-list 101 permit icmp 65.58.43.128 255.255.255.192 host 201.113.230.97 echo
access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 201.113.230.97 255.255.255.0
ip address inside 10.20.30.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 201.113.230.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 83.83.41.133
crypto map mymap 10 set transform-set ESP-3DES-SHA
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 83.83.41.133 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Asked by: ddftech
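Before touching either box, it helps to cross-check the two posted configs mechanically: the crypto ACLs must be exact mirror images, each side's peer must be the other side's outside address, the tunnel traffic must be NAT-exempt on both ends, and the IPsec bypass (`sysopt connection permit-ipsec` on PIX 6.3, `permit-vpn` on the ASA) must be in effect. The script below is an added example written for this thread, not code from the original post; the two config strings are constructed excerpts shortened from the configs above, and every regex and check in it is my own.

```python
import re
# Constructed excerpts, shortened from the two configs posted in the question.
ASA_CFG = """\
 nameif outside
 ip address 83.83.41.133 255.255.255.248
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.113.230.97
"""
PIX_CFG = """\
access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 201.113.230.97 255.255.255.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 83.83.41.133
"""
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
CRYPTO_ACL, NAT0_ACL = r"^crypto map \S+ \d+ match address (\S+)", r"^nat \(\S+\) 0 access-list (\S+)"
SYSOPT = r"^(sysopt connection permit-(?:vpn|ipsec))"   # permit-vpn on ASA, permit-ipsec on PIX 6.3

def first(pattern, cfg):  # first capture group of a line-anchored regex, or None when absent
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def acl_entries(cfg, ref_pattern):
    """(src, smask, dst, dmask) tuples of the ACL that a crypto-map or nat-0 line references."""
    name = first(ref_pattern, cfg)
    return {m.groups()[1:] for m in ACL_RE.finditer(cfg) if m.group(1) == name}

def outside_ip(cfg):
    """Outside address in PIX 6.3 form ('ip address outside X') or ASA interface-block form."""
    return first(r"^ip address outside (\S+)", cfg) or first(r"nameif outside\n(?: .*\n)*? ip address (\S+)", cfg)

def check_tunnel(asa, pix):
    """Cross-check both ends of the lan-to-lan tunnel; a False value marks the place to look."""
    asa_c, pix_c = acl_entries(asa, CRYPTO_ACL), acl_entries(pix, CRYPTO_ACL)
    return {
        # interesting traffic must be the exact mirror image on the two sides
        "crypto_acls_mirror": asa_c == {(d, dm, s, sm) for s, sm, d, dm in pix_c},
        "peers_match": first(r"set peer (\S+)", asa) == outside_ip(pix)
                       and first(r"set peer (\S+)", pix) == outside_ip(asa),
        # tunnel traffic must be NAT-exempt, or PAT rewrites it before the crypto map sees it
        "nat_exempt_covers_tunnel": asa_c <= acl_entries(asa, NAT0_ACL) and pix_c <= acl_entries(pix, NAT0_ACL),
        # ASA enables permit-vpn by default and leaves defaults out of the running config,
        # so a False here means 'confirm on the box', not 'disabled'
        "sysopt_explicit": (first(SYSOPT, asa) is not None, first(SYSOPT, pix) is not None),
    }
```

On the excerpts above the ACL, peer and NAT-exemption checks all pass, which is why the remaining suspect is the ASA side's sysopt state that the posted config does not show.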
1 Solution
Cyclops3590 commented:

billwharton commented:
Try doing a 'show sysopt' on the ASA and see if permit-ipsec comes up as being turned on.
