Site to Site VPN issue between Cisco ASA5510 and PIX506 (500pts to winner)

Hello all, I am sure I am close, but I am missing something.  I have a Cisco ASA5510 that does client VPNs with RADIUS authentication as well as one end of a VPN tunnel to a PIX 506.  The client VPN works great, and there are no issues.  People can VPN in using the Cisco client, hit all internal resources, etc.  The device tunnel is a different story.  I cannot get traffic to go across the VPN tunnel between the ASA and the 506 from either side.  I have verified that clients behind both firewalls can get to the internet.  My configs are below.  Your help is greatly appreciated.

The LAN side of the ASA is 192.168.1.0.  The LAN side of the PIX 506 is 10.20.30.0.

ASA5510 (main site that has client VPN as well as the tunnel to the 506)

hostname sb
domain-name business.com
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 83.83.41.133 255.255.255.248
!
interface Ethernet0/2
 description internal
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list sb_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.2.2.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
access-list 102 extended permit icmp 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
!
ip local pool ippool 10.2.2.1-10.2.2.254 mask 255.255.255.0
global (outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.83.41.134 1
aaa-server sbVPN protocol radius
aaa-server sbVPN host exchange
 timeout 5
 key XXXXXXXXXXXXXX
group-policy sbVPN internal
group-policy sbVPN attributes
 wins-server value 192.168.1.10 192.168.1.15
 dns-server value 192.168.1.10 192.168.1.15
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sb_splitTunnelAcl
 default-domain value sb.local
username admin password xxxxxxxxxxxxxxxxxxxx encrypted
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.113.230.97
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group sbVPN type ipsec-ra
tunnel-group sbVPN general-attributes
 address-pool ippool
 authentication-server-group sbVPN
 authorization-server-group sbVPN
 accounting-server-group sbVPN
 default-group-policy sbVPN
 strip-realm
 strip-group
tunnel-group sbVPN ipsec-attributes
 pre-shared-key *
tunnel-group 201.113.230.97 type ipsec-l2l
tunnel-group 201.113.230.97 ipsec-attributes
 pre-shared-key *




PIX2 Relevant Config

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname SB2PIX506
domain-name business2.com
names        
access-list 101 permit icmp 65.58.43.128 255.255.255.192 host 201.113.230.97 echo
access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 201.113.230.97 255.255.255.0
ip address inside 10.20.30.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 100
route outside 0.0.0.0 0.0.0.0 201.113.230.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 83.83.41.133
crypto map mymap 10 set transform-set ESP-3DES-SHA
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 83.83.41.133 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
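As an added illustration (not part of the question or any answer), a Python check that compares the two posted configs the way the answers below do by hand: the peers must point at each other, the crypto ACLs must be mirror images of each other, and the isakmp policies must agree on their attributes even though their priority numbers (10 on one box, 20 on the other) are local and need not match. The config excerpts are copied from the question; the crypto map names, sequence numbers and outside addresses are passed in as arguments.

```python
import re
from ipaddress import IPv4Network
# Constructed excerpts of the ASA5510 and PIX 506 configs posted in the question.
ASA = """\
access-list outside_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.113.230.97
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""
PIX = """\
access-list 100 permit ip 10.20.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 83.83.41.133
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""

def acl_pairs(cfg, name):
    """(src, dst) networks a crypto ACL permits; accepts ASA 'extended' and PIX 6.x syntax."""
    pat = re.compile(r"^access-list %s (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)" % re.escape(name), re.M)
    return {(IPv4Network((s, sm)), IPv4Network((d, dm))) for s, sm, d, dm in pat.findall(cfg)}

def map_entry(cfg, name, seq):
    pat = re.compile(r"^crypto map %s %d (?:set )?(match address|peer) (\S+)" % (re.escape(name), seq), re.M)
    return dict(pat.findall(cfg))  # {'match address': ACL name, 'peer': address}

def ike_policies(cfg):
    """{priority: {attribute: value}}; priorities are local (10 vs 20 is fine), only attributes must agree."""
    pols = {}
    for prio, attr, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)", cfg, re.M):
        pols.setdefault(int(prio), {})[attr] = val
    return pols

def check_l2l(a_cfg, a_map, a_seq, a_ip, b_cfg, b_map, b_seq, b_ip):
    """Findings for a site-to-site tunnel between side A and side B; [] means the configs agree."""
    a, b = map_entry(a_cfg, a_map, a_seq), map_entry(b_cfg, b_map, b_seq)
    findings = []
    if a.get("peer") != b_ip or b.get("peer") != a_ip:
        findings.append("peer addresses do not point at each other")
    # Interesting traffic on one side must be the exact mirror (src/dst swapped) of the other.
    a_acl = acl_pairs(a_cfg, a.get("match address", ""))
    if not a_acl or {(d, s) for s, d in a_acl} != acl_pairs(b_cfg, b.get("match address", "")):
        findings.append("crypto ACLs are not mirror images")
    if not any(pa == pb for pa in ike_policies(a_cfg).values() for pb in ike_policies(b_cfg).values()):
        findings.append("no IKE phase-1 policy pair agrees on encryption/hash/group")
    return findings
```

Run as check_l2l(ASA, "outside_map", 20, "83.83.41.133", PIX, "mymap", 10, "201.113.230.97"); for the posted configs it returns an empty list, which matches the thread's conclusion that the configs themselves are consistent.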
Cyclops3590Commented:
on the asa type
ciscoasa#show access-list outside_cryptomap_20
on the 506 type
pixfirewall#show access-list 100

just want to make sure there is a hit count so we know that traffic is getting that far at least
 
ddftechAuthor Commented:
Yah, the hit counts are there.  When I ping from the 192.168.1.0 (LAN behind ASA) to the 10.20.30.0, the access-list 100 hit count on the PIX 506 goes up.  The access-list outside_cryptomap_20 hit count on the ASA does not go up.

 
Cyclops3590Commented:
sure you got that right?  if you're behind the asa and the acl 100 on the 506 goes up, then the outside_cryptomap_20 would have to go up.

try running some captures on each inside interface to see if the packet is going to the other side
 
ddftechAuthor Commented:
One thing I noticed is that on the ASA, the isakmp policy is 10 whereas all the crypto map entries are labeled 20.  Do these need to match?

I see an icmp creation and teardown when I ping from 192.168.1.62 to 10.20.30.2
 
Cyclops3590Commented:
try changing that.  i didn't think they had to, but i'd have to look that up again to be certain.

i know at least when I make crypto entries, the priority numbers match between the different firewalls, but I've usually done that more for ease of association than anything.
 
ddftechAuthor Commented:
I tried doing the 20 instead of 10, and it simply said that the policy was superseded by 10.  I don't think that does anything
 
stressedout2004Commented:
The isakmp policy priority does not have to match and is something local. I don't see anything in the posted configuration that would prevent the traffic from passing over the tunnel.  Is access-list 102 applied to anything on the ASA?
If you do "sh crypto ipsec sa" on the ASA, do you see any encrypt, at the same time on the PIX do you see any decrypt?

Telnet/SSH into both devices and turn on the following debug on both sides:

debug icmp trace
logging monitor 7
logging on
term mon

Now to test, first try to ping the ASA's inside interface to make sure the debug is working, then try pinging a host behind the PIX 506. You should be able to see an outbound ping on the ASA going to the remote network, and on the PIX 506 you should be able to see an inbound ping from the host behind the ASA. We need to know where the packet is going or stopping, provided the tunnel is up. (Which I assume you verified already.)
 
billwhartonCommented:
On the ASA, enter this command 'show sysopt' and check to see if this statement comes up in the output
sysopt connection permit-ipsec
 
ddftechAuthor Commented:
The sysopt connection permit-ipsec is a default on command in the ASA as I recall.  Unless you disable it, it won't show up in the conf.  

When I do  a show isakmp sa, it does not list the site to site tunnel.  It only lists tunnels that are open with vpn clients.  That leads me to believe that the tunnel is not up.  Any thoughts?  

show isakmp sa output on ASA:

 Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 109.72.207.226
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE


Show IPSec sa output:

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 83.83.41.133

      access-list outside_cryptomap_dyn_20 permit ip any 10.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.5/255.255.255.255/0/0)
      current_peer: 109.72.207.226, username: user23xxxxx
      dynamic allocated peer ip: 10.2.2.5

      #pkts encaps: 236399, #pkts encrypt: 236399, #pkts digest: 236399
      #pkts decaps: 150429, #pkts decrypt: 150429, #pkts verify: 150429
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 236399, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 83.83.41.133, remote crypto endpt.: 109.72.207.226

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: 69D86CE9

    inbound esp sas:
      spi: 0xAC7AEBF1 (2893736945)
         transform: esp-3des esp-sha-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 14, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 19803
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x69D86CE9 (1775791337)
         transform: esp-3des esp-sha-hmac
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 14, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 19800
         IV size: 8 bytes
         replay detection support: Y
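The answer above asks whether the ASA shows encrypts while the PIX shows decrypts. As an added example (not from the thread), here is a Python parser for "show crypto ipsec sa" output that pulls the per-peer packet counters and classifies each peer's SA. The sample is a trimmed copy of the output posted above plus a constructed second entry for the L2L peer 201.113.230.97 with made-up counters, to show the one-way pattern; in the real output above that peer has no entry at all, which the parser reports as missing.

```python
import re

# Constructed sample: a trimmed copy of the 'show crypto ipsec sa' output posted above, plus a
# made-up second entry for the L2L peer whose counters show the one-way pattern the answer asks about.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 83.83.41.133
      access-list outside_cryptomap_dyn_20 permit ip any 10.2.2.0 255.255.255.0
      current_peer: 109.72.207.226, username: user23xxxxx
      #pkts encaps: 236399, #pkts encrypt: 236399, #pkts digest: 236399
      #pkts decaps: 150429, #pkts decrypt: 150429, #pkts verify: 150429
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 20, local addr: 83.83.41.133
      access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.20.30.0 255.255.255.0
      current_peer: 201.113.230.97
      #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
COUNTERS = ("encaps", "encrypt", "decaps", "decrypt", "send errors", "recv errors")

def parse_ipsec_sa(text):
    """One dict per 'Crypto map tag' block: map name, seq, peer and the packet counters."""
    entries = []
    for block in re.split(r"^\s*Crypto map tag: ", text, flags=re.M)[1:]:
        head = re.match(r"(\S+), seq num: (\d+)", block)
        entry = {"map": head.group(1), "seq": int(head.group(2))}
        peer = re.search(r"current_peer: ([\d.]+)", block)
        entry["peer"] = peer.group(1) if peer else None
        for name in COUNTERS:
            m = re.search(r"#(?:pkts )?%s: (\d+)" % name, block)
            entry[name] = int(m.group(1)) if m else 0
        entries.append(entry)
    return entries

def diagnose(entries, peer):
    """'missing' (no SA, so phase 1/2 never completed), 'one-way' (we encrypt, nothing comes back),
    'idle' (SA up but no traffic has matched the crypto ACL) or 'two-way'."""
    for e in entries:
        if e["peer"] != peer:
            continue
        if e["encrypt"] and not e["decrypt"]:
            return "one-way"
        if not e["encrypt"] and not e["decrypt"]:
            return "idle"
        return "two-way"
    return "missing"
```

A "one-way" result on the ASA means the next thing to read is the PIX's own decaps/decrypt counters and its access-list 100 hit count, exactly as the answers suggest.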
 
billwhartonCommented:
If that's the case, your tunnel hasn't been created. Try sending ICMP pings to initiate a tunnel

 
stressedout2004Commented:
Turn on the debugs to see what's happening with the IKE and IPSEC negotiation for the tunnel.
Do the debugs when there is no VPN Client user connecting. It would be harder to read the debugs if a VPN Client is connecting as well.

debug crypto ipsec
debug crypto isa



 
ddftechAuthor Commented:
I actually figured out the issue late last night (I think, anyway, since it is working).  I had configured the ASA to accept client VPN connections a couple of weeks before configuring it to do the site to site.  I believe that the sysopt connection permit-ipsec command needed to be re-applied to account for the site to site that I put in after the fact.  As soon as I re-applied that statement, everything started working.  I'll split some points for the help.
 
billwhartonCommented:
hurray

i spent 30 minutes looking at your config the other day and was 100% sure it was sysopt related. I'm happy that was part of the problem and thanks for the points