KTN-IT asked:
VPN problems between Cisco ASA 5505 and PIX 515e

At our company, we had a Cisco PIX 506e firewall that we were using to create a VPN with our company in Japan.  Over there, they have a Cisco PIX 515e.  But our 506e went out on us, so I bought a Cisco ASA 5505 to replace it.  I tried to enter the config from the old PIX 506e into the new ASA 5505 as best I could, but I am still having some glitchy problems with our VPN connection.

Could someone look at my configs and tell me why they might not be talking to each other correctly?  I'll post them below.

I've already done almost every bit of troubleshooting I can imagine, and here's what I think may possibly be causing the problem:
1. The ASA 7.2 is not compatible with the PIX 6.2
2. The ASA does not like the PIX's "conduit" command
3. Some kind of access-list problem.  ASA does not allow protocols like "access-list 101 permit icmp any any," but the PIX does.
KTN-IT (ASKER):

Here is my new Cisco ASA 5505 config, translated from the old PIX 506E:

ASA Version 7.2(2)
!
terminal width 60
hostname pixfirewall   <--I was trying to impersonate a PIX, but I don't think this matters...
domain-name ciscopix.com
enable password prettyplease encrypted
names
!
interface Vlan100
 nameif outside
 security-level 0
 ip address aa.aaa.aa.145 255.255.255.248
!
interface Vlan200
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 100
 switchport protected
!
interface Ethernet0/1
 switchport access vlan 200
 switchport protected
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd abcdefg encrypted
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
 domain-name ciscopix.com
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.4.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.4.0 255.255.255.0
pager lines 20
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) aa.aaa.aa.149 192.168.2.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 aa.aaa.aa.150 1
route inside 192.168.0.0 255.255.255.0 192.168.2.254 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:10
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
crypto ipsec transform-set p2policy esp-des esp-md5-hmac
crypto map kwsk 1 match address 101
crypto map kwsk 1 set peer jjj.jjj.jj.240
crypto map kwsk 1 set transform-set p2policy
crypto map kwsk interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
tunnel-group jjj.jjj.jj.240 type ipsec-l2l
tunnel-group jjj.jjj.jj.240 ipsec-attributes
 pre-shared-key *
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 50
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
!
dhcpd address 192.168.2.100-192.168.2.150 inside
!

!
class-map inspect_default
class-map class_sip_udp
 match port udp eq sip
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sip
  inspect http
  inspect ils
  inspect esmtp
 class class_sip_udp
  inspect sip
!
service-policy global_policy global
prompt hostname context
KTN-IT (ASKER):

Here is the PIX 515E config in Japan:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 jnx security10
enable password abracadabra encrypted
passwd opensesame encrypted
hostname xx-fw
domain-name intra.xx
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 80 permit icmp any any
access-list 80 permit ip any any
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit icmp any any
pager lines 24
logging on
logging trap debugging
logging host inside 192.1.1.251
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu jnx 1500
ip address outside pppoe setroute
ip address inside 192.1.1.253 255.255.255.0
ip address jnx xxx.xxx.xxx.238 255.255.255.248
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 yyy.yyy.yy.242
global (jnx) 1 xxx.xxx.xxx.241
nat (inside) 0 access-list 101
nat (inside) 1 192.1.1.0 255.255.255.0 0 0
nat (inside) 1 192.1.2.0 255.255.255.0 0 0
nat (inside) 1 192.1.3.0 255.255.255.0 0 0
nat (inside) 1 192.1.4.0 255.255.255.0 0 0
static (inside,outside) yyy.yyy.yy.243 192.1.1.251 netmask 255.255.255.255 0 0
static (inside,jnx) xxx.xxx.xxx.242 192.1.1.251 netmask 255.255.255.255 0 0
access-group 80 in interface inside
conduit permit icmp any any
conduit permit tcp host yyy.yyy.yy.243 eq telnet host bbb.bbb.bb.2
conduit permit tcp host xxx.xxx.xxx.242 eq telnet zzz.zzz.zzz.224 255.255.255.248
conduit permit ip 192.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
conduit permit ip 192.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
conduit permit ip 192.1.3.0 255.255.255.0 192.168.2.0 255.255.255.0
conduit permit ip 192.1.4.0 255.255.255.0 192.168.2.0 255.255.255.0
route jnx ccc.cc.248.0 255.255.255.0 xxx.xxx.xxx.233 1
route inside 192.1.2.0 255.255.255.0 192.1.1.254 1
route inside 192.1.3.0 255.255.255.0 192.1.1.254 1
route inside 192.1.4.0 255.255.255.0 192.1.1.254 1
route jnx eee.ee.eee.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx fff.ff.23.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ggg.ggg.20.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx hhh.hhh.119.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.130.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.131.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.132.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.133.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.134.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.135.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.136.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.137.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.140.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.141.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.142.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.143.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.144.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.145.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.146.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.147.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx xxx.xxx.xxx.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.149.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx zzz.zzz.zzz.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx ddd.ddd.151.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx iii.iii.110.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.216.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.217.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.218.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.219.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.220.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.221.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx jjj.j.222.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx kkk.kk.160.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx kkk.kk.164.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.224.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.225.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.226.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.228.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.229.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.230.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx mmm.mmm.231.0 255.255.255.0 xxx.xxx.xxx.233 1
route jnx lll.lll.97.0 255.255.255.0 xxx.xxx.xxx.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set test1 esp-des esp-md5-hmac
crypto map kwsk 1 ipsec-isakmp
crypto map kwsk 1 match address 101
crypto map kwsk 1 set peer aa.aaa.aa.145
crypto map kwsk 1 set transform-set test1
crypto map kwsk interface outside
isakmp enable outside
isakmp key ******** address aa.aaa.aa.145 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
vpdn group kwsk request dialout pppoe
vpdn group kwsk localname c086111116@xyz.com
vpdn group kwsk ppp authentication pap
vpdn username c086111116@xyz.com password ********
terminal width 80
theeter:

First off, never use the same ACL for your interesting traffic and your NAT exemption. Use separate ACLs for each. For instance...

nat (inside) 0 access-list 101
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.4.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.4.0 255.255.255.0

crypto map kwsk 1 match address 102
access-list 102 extended permit ip 192.168.2.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 102 extended permit ip 192.168.2.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 102 extended permit ip 192.168.2.0 255.255.255.0 192.1.3.0 255.255.255.0
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.1.4.0 255.255.255.0
access-list 102 extended permit ip 192.168.2.0 255.255.255.0 192.1.4.0 255.255.255.0

Also, the same thing for the pix.
KTN-IT (ASKER):

Thanks for your comment, theeter.

First, let me say that when I was using the PIX 506e our VPN worked fine, and it only had one access-list for nat and VPN.

Next, I currently only have control over the ASA firewall I have here at my location.  I do not have access to edit the PIX 515e across the ocean.  I would have to ask someone to make edits to the 515e config.

Third, your example splits nat and VPN traffic into two identical access-lists.  What does it matter - in terms of connectivity, not security - if I have only one access-list?

Thanks.

It is specifically recommended by Cisco.

"Do not use ACLs twice. Even if your NAT Exemption ACL and crypto ACL specify the same traffic, use two different access lists."

I'm not sure if this will fix your issue, but it would be a good place to start and was the first thing I noticed.
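As an added illustration of the two points raised in this thread (this is not code from the thread, and not a Cisco tool), the Python below parses trimmed copies of both posted configs and reports three things: an ACL that is used for both nat 0 and the crypto map, crypto ACL entries that the other peer does not mirror (each side's crypto ACL must be the source/destination swap of the other's), and whether the ISAKMP policy and transform set agree. The excerpts are constructed from the configs above, keep the thread's placeholder addresses, and include only the first four ip entries of each ACL 101; the handling of the PIX 6.x and ASA 7.x syntax differences is my own simplification and ignores port qualifiers.

```python
import re

# Constructed excerpts: trimmed copies of the two configs posted in the thread.
ASA_EXCERPT = """\
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list 101 extended permit ip 192.168.2.0 255.255.255.0 192.1.2.0 255.255.255.0
nat (inside) 0 access-list 101
crypto ipsec transform-set p2policy esp-des esp-md5-hmac
crypto map kwsk 1 match address 101
crypto map kwsk 1 set transform-set p2policy
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
"""

PIX_EXCERPT = """\
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 192.1.2.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit icmp any any
nat (inside) 0 access-list 101
crypto ipsec transform-set test1 esp-des esp-md5-hmac
crypto map kwsk 1 match address 101
crypto map kwsk 1 set transform-set test1
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (.+)$")
# Matches both the PIX one-line form and the ASA indented sub-mode form.
POLICY_RE = re.compile(r"^(?:isakmp policy \d+ |\s+)(authentication|encryption|hash|group) (\S+)$")

def _endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host X' or 'X MASK'); return ((addr, mask), rest)."""
    if tokens[0] == "any":
        return ("any", "any"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse(cfg):
    """Pull the VPN-relevant pieces out of a PIX 6.x or ASA 7.x config text."""
    info = {"acls": {}, "nat0": None, "crypto_acl": None, "ts_name": None, "ts": {}, "policy": {}}
    for line in cfg.splitlines():
        m = ACL_RE.match(line)
        if m:
            name, proto, rest = m.groups()
            src, rest = _endpoint(rest.split())
            dst, _ = _endpoint(rest)  # any trailing port qualifier is ignored
            info["acls"].setdefault(name, set()).add((proto, src, dst))
        elif line.startswith("nat (inside) 0 access-list "):
            info["nat0"] = line.split()[-1]
        elif line.startswith("crypto map ") and " match address " in line:
            info["crypto_acl"] = line.split()[-1]
        elif line.startswith("crypto ipsec transform-set "):
            parts = line.split()
            info["ts"][parts[3]] = tuple(parts[4:])
        elif " set transform-set " in line:
            info["ts_name"] = line.split()[-1]
        elif POLICY_RE.match(line):
            key, value = POLICY_RE.match(line).groups()
            info["policy"][key] = value
    return info

def _fmt(entry):
    proto, (sa, sm), (da, dm) = entry
    return f"{proto} {sa} {sm} -> {da} {dm}"

def check_side(local, remote):
    """Findings for one peer: a shared nat0/crypto ACL, and crypto ACL entries the other side does not mirror."""
    findings = []
    if local["nat0"] == local["crypto_acl"]:
        findings.append(f"ACL {local['nat0']} is used for both nat 0 and the crypto map")
    local_acl = local["acls"][local["crypto_acl"]]
    # The peer's crypto ACL with source and destination swapped is what ours must equal.
    mirrored = {(p, d, s) for p, s, d in remote["acls"][remote["crypto_acl"]]}
    for entry in sorted(local_acl - mirrored):
        findings.append(f"crypto ACL entry '{_fmt(entry)}' has no mirror on the peer")
    return findings

def compare(asa, pix):
    """Full report: per-side findings plus whether phase 1 and phase 2 parameters agree."""
    return {
        "asa": check_side(asa, pix),
        "pix": check_side(pix, asa),
        "phase1_match": asa["policy"] == pix["policy"],
        "phase2_match": asa["ts"][asa["ts_name"]] == pix["ts"][pix["ts_name"]],
    }

if __name__ == "__main__":
    for key, value in compare(parse(ASA_EXCERPT), parse(PIX_EXCERPT)).items():
        print(key, value)
```

On these excerpts the check flags the shared ACL 101 on both sides, and on the PIX side the extra "permit icmp any any" line in ACL 101, which is the one entry the ASA's crypto ACL does not mirror; the phase 1 policy (pre-share, des, md5, group 1) and the esp-des/esp-md5-hmac transform set agree on both ends.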