M Adams asked:

Pix 515 (external) & ASA 5520 (internal) Firewall Combination Setup

Using a Pix 515 for external and ASA 5520's (failover) for internal, with a DMZ coming off the Pix. Where should I configure Remote VPN (authenticates to AD via IAS/Radius Server on internal network)? What about the routing between the Firewalls?
Alan Huseyin Kayahan

Hi flexxtx
You cannot set up different devices and different configurations as failover. I always suggest terminating VPN connections at the outermost device, which is PIX in your case. But VPN peer availability in licenses will have an impact over choosing between these two. If you terminate VPN connections at PIX, all you have to do is add routes for the inside network to the outside int of ASA, and a reverse route in ASA for the VPN pool to the inside interface of PIX.

Regards
M Adams (ASKER)

Sorry that I didn't make it clear, but I have 2 ASA's for failover. The Pix is the external firewall. Do I use a different or same IP for the outside address on both firewalls?
In your case, I wouldn't recommend assigning a core role to a device which does not have a failover (PIX). Otherwise the failover of the device behind it will mean nothing if PIX is the external, in case of failure. If it is possible for you to make a change in architecture, I would suggest removing the PIX completely (it may be used for other purposes too) and setting the ASA twins as the core device, your external. And terminate VPNs there, so in case of a failure in one device, failover will take place and your VPNs will still go on. If you terminate VPN at PIX, all VPN connectivity will go down in case of a failure.
M Adams (ASKER)

Please disregard. I'm using the ASA 5520's instead/only. I get no receive packets when connected to VPN. Using local authentication due to domain trust issues (splitting from former company). Also, I'm unable to ssh into ASA...

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 67.133.191.129 255.255.255.240 standby 67.133.191.130
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.34.1.254 255.255.255.0 standby 10.34.1.252
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
 speed 100
 duplex full
!
interface GigabitEthernet0/3
 description to AHM DMZ
 speed 100
 duplex full
 nameif DMZ
 security-level 50
 ip address 10.10.241.4 255.255.255.0 standby 10.10.241.5
!
!
access-list acl_dmz extended permit icmp any 10.10.0.0 255.255.0.0 echo-reply
access-list acl_dmz extended permit icmp any 10.10.0.0 255.255.0.0 unreachable
access-list acl_dmz extended permit icmp any 10.10.0.0 255.255.0.0 time-exceeded
access-list acl_dmz extended permit icmp any any
access-list acl_dmz extended permit tcp 10.10.241.0 255.255.255.0 any eq www
access-list acl_dmz extended permit tcp 10.10.241.0 255.255.255.0 any eq https
access-list acl_dmz extended permit tcp 10.10.241.0 255.255.255.0 any eq domain
access-list acl_dmz extended permit udp 10.10.241.0 255.255.255.0 any eq domain
access-list acl_dmz extended deny ip any any
access-list inside_nat0_outbound extended permit ip any 10.10.249.192 255.255.255.192
access-list vpn3000_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 any
ip local pool vpnpool 10.10.249.200-10.10.249.240 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/2
failover key *****
failover link failover GigabitEthernet0/2
failover interface ip failover 10.2.0.1 255.255.255.0 standby 10.2.0.2
icmp permit 10.10.0.0 255.255.0.0 inside
icmp permit 10.34.0.0 255.255.0.0 inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 67.133.191.135
global (DMZ) 1 10.10.241.125 netmask 255.255.255.0
nat (inside) 1 10.34.0.0 255.255.248.0
nat (inside) 1 10.10.0.0 255.255.0.0
nat (management) 1 0.0.0.0 0.0.0.0
static (inside,outside) 67.133.191.130 10.10.204.35 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.133.191.145 1
route inside 10.34.0.0 255.255.248.0 10.34.1.1 1
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
route inside 10.21.8.0 255.255.248.0 10.34.1.1 1
timeout xlate 3:00:00
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
group-policy vpn3000 internal
group-policy vpn3000 attributes
  vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value americanhm.com
 webvpn
username ppandya password 0JKF6CYtt0rzwQXr encrypted privilege 0
username ppandya attributes
 vpn-group-policy vpn3000
 webvpn
username tdavis password yhxvoe29x/TmSBDo encrypted privilege 0
username tdavis attributes
 vpn-group-policy vpn3000
 webvpn
aaa authentication ssh console LOCAL
fragment chain 1 outside
fragment chain 1 inside
fragment chain 1 DMZ
fragment chain 1 management
service resetinbound
service resetoutside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal  20
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) LOCAL
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool vpnpool
 authentication-server-group (outside) LOCAL
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
tunnel-group ahmvpn type ipsec-ra
tunnel-group ahmvpn general-attributes
 address-pool vpnpool
ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan

correction

tunnel-group vpn3000 general-attributes
no address-pool vpnpool
address-pool vpn_pool
M Adams (ASKER)

This is the pertinent part of my config. I have authentication set up on a radius server, but should I authenticate a simpler way before? I keep getting error 413...

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 67.133.191.129 255.255.255.240 standby 67.133.191.130
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.34.1.254 255.255.255.0 standby 10.34.1.252
!
object-group network Irving2_Users
  network-object 10.5.25.0 255.255.255.0
!
access-list vpn3000_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 10.5.25.0 255.255.255.0
access-list vpn3000_splitTunnelAcl extended permit ip 10.10.0.0 255.255.0.0 10.5.25.0 255.255.255.0
access-list vpn3000_splitTunnelAcl extended permit ip 10.21.8.0 255.255.248.0 10.5.25.0 255.255.255.0
access-list vpn3000_splitTunnelAcl extended permit ip 10.34.0.0 255.255.248.0 10.5.25.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.10.241.0 255.255.255.0 10.5.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.5.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.34.0.0 255.255.248.0 10.5.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.21.8.0 255.255.248.0 10.5.25.0 255.255.255.0
access-list no-nat-vpn extended permit ip 10.5.25.0 255.255.255.0 10.0.0.0 255.0.0.0
ip local pool vpn_pool 10.5.25.1-10.5.25.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
global (outside) 1 67.133.191.135
global (DMZ) 1 10.10.241.125 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.34.0.0 255.255.248.0
nat (inside) 1 10.10.0.0 255.255.0.0
nat (DMZ) 0 access-list dmz_nat0_outbound
nat (management) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 67.133.191.145 1
route inside 10.65.248.0 255.255.248.0 10.34.1.1 1
route inside 10.34.0.0 255.255.248.0 10.34.1.1 1
route inside 10.10.0.0 255.255.0.0 10.34.1.1 1
route inside 10.21.8.0 255.255.248.0 10.34.1.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server vpn3000 protocol radius
group-policy vpn3000 internal
group-policy vpn3000 attributes
 wins-server value 10.10.203.112 10.10.250.16
 dns-server value 10.10.203.112 10.10.250.16
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn3000_splitTunnelAcl
 default-domain value amexxxxxx.com
 webvpn
username netadm password O0KIySpDZGVAYuqX encrypted
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
service resetinbound
service resetoutside
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool vpn_pool
 authentication-server-group vpn3000
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
no vpn-addr-assign dhcp
vpn-sessiondb max-session-limit 50
M Adams (ASKER)

Completely wiped out configuration and configured via ASDM. A few issues were related to a combination of multiple domains & company turnover. VPN working fine now.
1) Please read your original questions, and read the post where the question ended up.
2) You obviously missed the nat0 statements in your config, which are corrected in my above suggestion, and for sure you are running them in your current config.

Please revise your question close decision
Regards

Force accepted.
Vee_Mod
Community Support Moderator
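
The nat0 point raised above (the VPN pool must be exempted from NAT on the inside interface with a "nat (inside) 0 access-list" binding, or inside hosts' replies to VPN clients get translated and the client sees no receive packets) can be checked mechanically. The Python script below is an added example, not code from the thread; it parses two constructed excerpts modelled on the asker's first and second configs and reports, per "ip local pool", whether a bound nat0 ACL covers the whole pool. It understands only the pre-8.3 syntax shown in the thread ("permit ip" ACEs with any/host/network-mask specs); the regex names and the status strings are this example's own.

```python
import ipaddress
import re
# Constructed excerpts modelled on the two configs in the thread (example data).
# BROKEN defines a nat0 ACL but never binds it; FIXED carries the binding.
BROKEN = """\
access-list inside_nat0_outbound extended permit ip any 10.10.249.192 255.255.255.192
ip local pool vpnpool 10.10.249.200-10.10.249.240 mask 255.255.255.0
nat (inside) 1 10.34.0.0 255.255.248.0
nat (inside) 1 10.10.0.0 255.255.0.0
"""
FIXED = """\
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.5.25.0 255.255.255.0
ip local pool vpn_pool 10.5.25.1-10.5.25.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)", re.M)
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$", re.M)
def _take_net(tokens):
    """Consume one pre-8.3 ASA address spec: 'any', 'host A' or 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")

def ace_destinations(cfg, acl):
    """Destination networks of every 'permit ip' ACE in the named ACL."""
    dests = []
    for m in ACE_RE.finditer(cfg):
        if m[1] == acl:
            tokens = m[2].split()
            _take_net(tokens)  # discard the source spec
            dests.append(_take_net(tokens))
    return dests

def check_vpn_pool_nat_exemption(cfg, iface="inside"):
    """Per pool: 'exempt', 'not-covered' (bound nat0 ACL misses part of the pool) or 'no-nat0'."""
    bound = {m[1]: m[2] for m in NAT0_RE.finditer(cfg)}  # interface -> ACL name
    results = {}
    for name, first, last in POOL_RE.findall(cfg):
        if iface not in bound:
            results[name] = "no-nat0"
            continue
        dests = ace_destinations(cfg, bound[iface])
        rng = ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
        results[name] = "exempt" if all(any(s.subnet_of(d) for d in dests) for s in rng) else "not-covered"
    return results
```

Run against a real "show running-config" the same way; a pool reported as "no-nat0" or "not-covered" is the symptom described in the thread.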