• Status: Solved

trying to connect Cisco ASA 5505 site to site VPN to a PIX 515

Hey guys,

I have an old PIX 515 that I am trying to connect to an ASA 5505.  The PIX has an older version of IOS and I am going to upgrade it in the near future, but if anyone can help me get these guys talking that would be great.  I know the PIX is working because there are several Netgears connected site to site and working fine.  The PIX is a spaghetti mess, I know.  I have inherited it and am in the process of cleaning it up.  Hopefully, one of you guys can help me wade through this mess.

PIX config (MAIN OFFICE)

Main Office

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password zOWlB72JQNsZH323 encrypted
passwd zOWlB72JQNsZH323 encrypted
hostname SEPA-FW
domain-name sepa
clock timezone est -5
clock summer-time edt recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.10.80.0 SGHOA
name 192.168.1.0 SEGHOA
name 192.168.155.252 jmj
name 192.168.16.7 EMAIL
name 68.152.91.108 EMAILAPP
name 68.152.91.107 VOIP
name 10.10.90.0 CLIENTSVC
name 192.168.16.40 IPPHONE
name 10.10.100.0 Aiken
name 10.10.91.0 AIKEN2
name 10.10.85.0 CLIENTSERVICES
name 192.168.18.0 CLSERV
name 66.45.27.43 DIGICHART1
name 66.45.27.55 DIGICHART2
name 192.168.16.52 NEOINTEGRATE
name 10.10.11.1 Perry
name 10.10.11.0 PerryDS
name 192.168.1.210 SEGAHOA
name 10.10.21.0 VIDALIADS
name 74.164.143.66 VIIDALIA
name 10.10.41.0 SEPAPARKWOOD2
name 204.145.248.179 MEADOWS
name 204.145.248.0 MEADOWSSUB
name 10.10.61.0 SEPAPKWOOD2
name 204.145.247.0 MEADOWSSUB2
name 10.10.71.0 WWILLIAMSONVPN
name 192.168.88.0 vjackson
name 10.10.30.0 sepakwd
name 192.168.16.0 InsideSEPA
name 71.251.204.22 ELLKAYFTP
name 192.168.9.0 Augusta
name 192.168.8.0 P-GA-ATH-01
name 10.10.101.0 TEST
object-group network internal
  description Internal Networks  
  network-object 192.168.14.0 255.255.255.0
  network-object 192.168.16.0 255.255.255.0
  network-object 10.0.200.0 255.255.255.0
object-group icmp-type grp-icmp
  description ICMP Functional Protocol Group
  icmp-object echo
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
object-group service DMZ_Server tcp
  port-object range https https
  port-object range 224 224
access-list inside permit icmp object-group internal any object-group grp-icmp
access-list inside permit icmp 192.168.254.0 255.255.255.0 any object-group grp-icmp
access-list inside permit ip object-group internal any
access-list inside permit ip 192.168.254.0 255.255.255.0 any
access-list inside deny ip any any
access-list clientvpn permit ip 192.168.16.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list external permit icmp any any
access-list external permit tcp any host 68.152.91.98 eq telnet
access-list external permit tcp any host 68.152.91.98 eq citrix-ica
access-list external permit tcp any host 68.152.91.99 eq www
access-list external permit tcp any host 68.152.91.99 eq https
access-list external permit tcp any host 68.152.91.99 eq 6000
access-list external permit tcp any host 68.152.91.101 eq pcanywhere-data
access-list external permit udp any host 68.152.91.101 eq pcanywhere-status
access-list external permit tcp any host 68.152.91.101 eq pop3
access-list external permit tcp any host 68.152.91.101 eq smtp
access-list external permit tcp any host 68.152.91.106
access-list external permit udp any host 68.152.91.106
access-list external permit icmp any host 68.152.91.106
access-list external permit tcp any host 68.152.91.101 eq https
access-list external permit tcp any host 68.152.91.101 eq www
access-list external permit icmp 151.198.60.0 255.255.254.0 host 68.152.91.98 echo
access-list external permit icmp any host 68.152.91.98 echo-reply
access-list external permit tcp any host 68.152.91.102
access-list external permit tcp any host 68.152.91.108
access-list external deny ip any any
access-list test permit ip host 68.152.91.98 157.174.228.0 255.255.255.0
access-list quest permit ip host 192.168.16.92 156.30.21.128 255.255.255.128
access-list quest permit ip host 192.168.16.66 156.30.21.128 255.255.255.128
access-list quest permit ip host 10.0.200.40 156.30.21.128 255.255.255.128
access-list quest permit ip host 10.0.200.42 156.30.21.128 255.255.255.128
access-list quest permit ip host 68.152.91.100 156.30.21.128 255.255.255.128
access-list quest permit ip 156.30.21.128 255.255.255.128 any
access-list quest permit ip host 68.152.91.98 156.30.21.128 255.255.255.128
access-list PALATKA permit ip object-group internal 10.10.10.0 255.255.255.0
access-list PALATKA permit ip 192.168.16.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list PALATKA permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list SAVANNAH permit ip object-group internal 10.10.20.0 255.255.255.0
access-list SAVANNAH permit ip 192.168.254.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_cryptomap_29 permit ip object-group internal 10.10.30.0 255.255.255.0
access-list outside_cryptomap_29 permit ip 192.168.254.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list WHG permit ip object-group internal 10.10.40.0 255.255.255.0
access-list WHG permit ip 192.168.254.0 255.255.255.0 10.10.40.0 255.255.255.0
access-list Warner permit ip object-group internal 10.10.50.0 255.255.255.0
access-list Warner permit ip 192.168.254.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list outside_cryptomap_69 permit ip host 192.168.16.190 host 192.168.155.252
access-list vpntraffic permit ip object-group internal 10.10.10.0 255.255.255.0
access-list vpntraffic permit ip object-group internal 10.10.40.0 255.255.255.0
access-list vpntraffic permit ip object-group internal 10.10.50.0 255.255.255.0
access-list vpntraffic permit ip object-group internal 192.168.254.0 255.255.255.0
access-list vpntraffic permit ip object-group internal host 192.168.9.1
access-list vpntraffic permit ip object-group internal host 192.168.9.2
access-list vpntraffic permit ip object-group internal 10.10.20.0 255.255.255.0
access-list vpntraffic permit ip host 192.168.16.190 host 207.178.139.65
access-list vpntraffic permit ip host 192.168.16.190 host 207.178.204.147
access-list vpntraffic permit ip 192.168.254.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list vpntraffic permit ip object-group internal 10.10.30.0 255.255.255.0
access-list vpntraffic permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpntraffic permit ip object-group internal 192.168.1.0 255.255.255.0
access-list vpntraffic permit ip host 192.168.16.190 host 192.168.155.252
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 10.10.91.0 255.255.255.0
access-list vpntraffic permit ip host 192.168.16.52 host 66.45.27.43
access-list vpntraffic permit ip host 192.168.16.52 host 66.45.27.55
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list vpntraffic permit ip host 192.168.16.52 host 192.168.1.210
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 10.10.21.0 255.255.255.0
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 10.10.90.0 255.255.255.0
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 204.145.247.0 255.255.255.0
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 10.10.61.0 255.255.255.0
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 10.10.31.0 255.255.255.0
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 host 68.152.159.213
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 10.10.101.0 255.255.255.0
access-list atlas_asp_vpn permit ip host 192.168.16.190 host 207.178.139.65
access-list atlas_support_vpn permit ip host 192.168.16.190 host 207.178.204.147
access-list outside_cryptomap_49 permit ip object-group internal 192.168.1.0 255.255.255.0
access-list outside_cryptomap_49 permit ip 192.168.254.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_89 permit ip 192.168.16.0 255.255.255.0 10.10.90.0 255.255.255.0
access-list outside_cryptomap_109 permit ip 192.168.16.0 255.255.255.0 10.10.91.0 255.255.255.0
access-list outside_cryptomap_129 permit ip host 192.168.16.52 host 66.45.27.43
access-list outside_cryptomap_129 permit ip host 192.168.16.52 host 66.45.27.55
access-list outside_cryptomap_149 permit ip 192.168.16.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list outside_cryptomap_169 permit ip object-group internal host 192.168.1.210
access-list outside_cryptomap_169 permit ip host 192.168.16.52 host 192.168.1.210
access-list outside_cryptomap_189 permit ip 192.168.16.0 255.255.255.0 10.10.21.0 255.255.255.0
access-list outside_cryptomap_309 permit ip 192.168.16.0 255.255.255.0 10.10.31.0 255.255.255.0
access-list outside_cryptomap_269 permit ip 192.168.16.0 255.255.255.0 10.10.61.0 255.255.255.0
access-list outside_cryptomap_249 permit ip 192.168.16.0 255.255.255.0 204.145.247.0 255.255.255.0
access-list outside_cryptomap_289 permit ip 192.168.16.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list outside_cryptomap_319 permit ip 192.168.16.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list 120 permit tcp any host 71.251.204.22
access-list outside_cryptomap_339 permit ip 192.168.16.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list outside_cryptomap_359 permit ip 192.168.16.0 255.255.255.0 10.10.101.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console critical
logging buffered debugging
logging queue 1024
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 68.152.91.98 255.255.255.224
ip address inside 192.168.16.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
ip audit name Attack attack action alarm
ip audit name attack info action alarm
ip audit info action alarm
ip audit attack action alarm
ip local pool IPPOOL 192.168.254.100-192.168.254.200 mask 255.255.255.0
ip local pool remote_support 192.168.9.1-192.168.9.2
pdm location 68.152.91.98 255.255.255.255 outside
pdm location 10.0.200.0 255.255.255.0 inside
pdm location 192.168.14.0 255.255.255.0 inside
pdm location 192.168.16.3 255.255.255.255 inside
pdm location 192.168.16.67 255.255.255.255 inside
pdm location 192.168.16.201 255.255.255.255 inside
pdm location 192.168.254.0 255.255.255.0 inside
pdm location 151.198.60.0 255.255.254.0 outside
pdm location 192.168.254.0 255.255.255.0 outside
pdm location 192.168.16.92 255.255.255.255 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm location 10.10.20.0 255.255.255.0 outside
pdm location 10.10.30.0 255.255.255.0 outside
pdm location 10.10.40.0 255.255.255.0 outside
pdm location 10.10.50.0 255.255.255.0 outside
pdm location 10.10.60.0 255.255.255.0 outside
pdm location 156.30.21.128 255.255.255.128 outside
pdm location 192.168.9.1 255.255.255.255 outside
pdm location 192.168.9.2 255.255.255.255 outside
pdm location 192.168.16.12 255.255.255.255 inside
pdm location 192.168.16.27 255.255.255.255 inside
pdm location 172.16.1.106 255.255.255.255 dmz
pdm location 12.13.154.0 255.255.255.0 outside
pdm location 192.168.16.190 255.255.255.255 inside
pdm location 207.178.139.65 255.255.255.255 outside
pdm location 207.178.204.147 255.255.255.255 outside
pdm location 10.10.30.0 255.255.255.255 outside
pdm location 192.168.16.230 255.255.255.255 inside
pdm location 68.152.91.104 255.255.255.248 outside
pdm location 68.152.91.0 255.255.255.0 outside
pdm location 10.10.80.0 255.255.255.0 outside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.155.252 255.255.255.255 outside
pdm location 192.168.16.7 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 68.152.91.101 255.255.255.255 outside
pdm location 68.152.91.107 255.255.255.255 outside
pdm location 68.152.91.108 255.255.255.255 outside
pdm location 10.10.90.0 255.255.255.0 outside
pdm location 192.168.16.40 255.255.255.255 inside
pdm location 10.10.100.0 255.255.255.0 outside
pdm location 10.10.91.0 255.255.255.0 outside
pdm location 10.10.85.0 255.255.255.0 outside
pdm location 192.168.18.0 255.255.255.0 outside
pdm location 192.168.16.52 255.255.255.255 inside
pdm location 66.45.27.43 255.255.255.255 outside
pdm location 66.45.27.55 255.255.255.255 outside
pdm location 10.10.11.1 255.255.255.255 outside
pdm location 10.10.11.0 255.255.255.0 outside
pdm location 192.168.1.210 255.255.255.255 outside
pdm location 10.10.21.0 255.255.255.0 outside
pdm location 74.164.143.66 255.255.255.255 outside
pdm location 10.10.41.0 255.255.255.0 outside
pdm location 204.145.248.179 255.255.255.255 outside
pdm location 192.168.16.0 255.255.255.255 inside
pdm location 204.145.248.0 255.255.255.0 outside
pdm location 10.10.61.0 255.255.255.0 outside
pdm location 204.145.247.0 255.255.255.0 outside
pdm location 192.168.16.9 255.255.255.255 inside
pdm location 192.168.16.2 255.255.255.255 inside
pdm location 10.10.71.0 255.255.255.0 outside
pdm location 192.168.88.0 255.255.255.0 outside
pdm location 10.10.31.0 255.255.255.0 outside
pdm location 192.168.16.0 255.255.255.0 outside
pdm location 192.168.10.0 255.255.255.0 outside
pdm location 71.251.204.22 255.255.255.255 outside
pdm location 192.168.9.0 255.255.255.0 outside
pdm location 192.168.8.0 255.255.255.0 outside
pdm location 10.10.101.0 255.255.255.0 inside
pdm location 10.10.101.0 255.255.255.0 outside
pdm group internal inside
pdm logging critical 100
no pdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list vpntraffic
nat (inside) 100 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface citrix-ica 192.168.16.67 citrix-ica netmask 255.255.255.255 0 0
static (inside,outside) 10.10.200.40 192.168.16.92 netmask 255.255.255.255 0 0
static (inside,outside) 68.152.91.101 192.168.16.9 netmask 255.255.255.255 0 0
static (inside,outside) 68.152.91.100 192.168.16.201 netmask 255.255.255.255 0 0
static (inside,outside) 68.152.91.99 192.168.16.3 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.200.40 192.168.16.92 netmask 255.255.255.255 0 0
static (inside,outside) 68.152.91.102 192.168.16.12 netmask 255.255.255.255 0 0
static (dmz,outside) 68.152.91.106 172.16.1.106 netmask 255.255.255.255 0 0
static (inside,outside) 68.152.91.107 192.168.16.230 netmask 255.255.255.255 0 0
static (inside,outside) 68.152.91.108 192.168.16.7 dns netmask 255.255.255.255 0 0
access-group external in interface outside
route outside 0.0.0.0 0.0.0.0 68.152.91.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.16.2 timeout 10
aaa-server LOCAL protocol local
aaa authorization command LOCAL
http server enable
http 12.13.154.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection timewait
sysopt connection permit-ipsec
sysopt noproxyarp inside
sysopt noproxyarp dmz
crypto ipsec transform-set quest esp-3des esp-sha-hmac
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
crypto ipsec transform-set rtpset1 ah-md5-hmac esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set MEADOWS ah-sha-hmac esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set VPNSET
crypto map CRYPMAP 1 ipsec-isakmp
crypto map CRYPMAP 1 match address PALATKA
crypto map CRYPMAP 1 set peer 74.168.44.90
crypto map CRYPMAP 1 set transform-set ESP-3DES-SHA
crypto map CRYPMAP 2 ipsec-isakmp
crypto map CRYPMAP 2 match address SAVANNAH
crypto map CRYPMAP 2 set peer 72.242.42.18
crypto map CRYPMAP 2 set transform-set rtpset
crypto map CRYPMAP 4 ipsec-isakmp
crypto map CRYPMAP 4 match address WHG
crypto map CRYPMAP 4 set peer 68.208.195.3
crypto map CRYPMAP 4 set transform-set rtpset
crypto map CRYPMAP 5 ipsec-isakmp
crypto map CRYPMAP 5 match address Warner
crypto map CRYPMAP 5 set pfs group2
crypto map CRYPMAP 5 set peer 72.242.42.218
crypto map CRYPMAP 5 set transform-set ESP-AES-128-MD5
crypto map CRYPMAP 5 set security-association lifetime seconds 14400 kilobytes 10000
crypto map CRYPMAP 7 ipsec-isakmp
crypto map CRYPMAP 7 match address quest
crypto map CRYPMAP 7 set pfs group2
crypto map CRYPMAP 7 set peer 216.203.80.110
crypto map CRYPMAP 7 set transform-set quest
crypto map CRYPMAP 7 set security-association lifetime seconds 14400 kilobytes 10000
crypto map CRYPMAP 8 ipsec-isakmp
crypto map CRYPMAP 8 match address atlas_asp_vpn
crypto map CRYPMAP 8 set peer 207.178.138.104
crypto map CRYPMAP 8 set transform-set VPNSET
crypto map CRYPMAP 8 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map CRYPMAP 9 ipsec-isakmp
crypto map CRYPMAP 9 match address atlas_support_vpn
crypto map CRYPMAP 9 set peer 207.178.204.146
crypto map CRYPMAP 9 set transform-set VPNSET
crypto map CRYPMAP 9 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map CRYPMAP 29 ipsec-isakmp
crypto map CRYPMAP 29 match address outside_cryptomap_29
crypto map CRYPMAP 29 set peer 72.149.117.138
crypto map CRYPMAP 29 set transform-set ESP-3DES-MD5
crypto map CRYPMAP 49 ipsec-isakmp
crypto map CRYPMAP 49 match address outside_cryptomap_49
crypto map CRYPMAP 49 set peer 207.203.51.99
crypto map CRYPMAP 49 set transform-set ESP-3DES-SHA
crypto map CRYPMAP 69 ipsec-isakmp
crypto map CRYPMAP 69 match address outside_cryptomap_69
crypto map CRYPMAP 69 set peer 209.220.249.91
crypto map CRYPMAP 69 set transform-set ESP-3DES-MD5
crypto map CRYPMAP 69 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map CRYPMAP 89 ipsec-isakmp
crypto map CRYPMAP 89 match address outside_cryptomap_89
crypto map CRYPMAP 89 set peer 74.189.79.50
crypto map CRYPMAP 89 set transform-set ESP-3DES-SHA
crypto map CRYPMAP 109 ipsec-isakmp
crypto map CRYPMAP 109 match address outside_cryptomap_109
crypto map CRYPMAP 109 set peer 74.168.66.114
crypto map CRYPMAP 109 set transform-set ESP-3DES-SHA
crypto map CRYPMAP 129 ipsec-isakmp
crypto map CRYPMAP 129 match address outside_cryptomap_129
crypto map CRYPMAP 129 set peer 66.45.26.108
crypto map CRYPMAP 129 set transform-set ESP-3DES-SHA
crypto map CRYPMAP 149 ipsec-isakmp
crypto map CRYPMAP 149 match address outside_cryptomap_149
crypto map CRYPMAP 149 set peer 207.144.102.36
crypto map CRYPMAP 149 set transform-set ESP-3DES-SHA
crypto map CRYPMAP 169 ipsec-isakmp
crypto map CRYPMAP 169 match address outside_cryptomap_169
crypto map CRYPMAP 169 set peer 207.203.51.98
crypto map CRYPMAP 169 set transform-set ESP-3DES-SHA
crypto map CRYPMAP 189 ipsec-isakmp
crypto map CRYPMAP 189 match address outside_cryptomap_189
crypto map CRYPMAP 189 set peer 74.164.143.66
crypto map CRYPMAP 189 set transform-set ESP-3DES-SHA
crypto map CRYPMAP 249 ipsec-isakmp
crypto map CRYPMAP 249 match address outside_cryptomap_249
crypto map CRYPMAP 249 set peer 72.158.65.137
crypto map CRYPMAP 249 set transform-set ESP-3DES-SHA
crypto map CRYPMAP 269 ipsec-isakmp
crypto map CRYPMAP 269 match address outside_cryptomap_269
crypto map CRYPMAP 269 set peer 70.154.12.138
crypto map CRYPMAP 269 set transform-set quest
crypto map CRYPMAP 289 ipsec-isakmp
crypto map CRYPMAP 289 match address outside_cryptomap_289
crypto map CRYPMAP 289 set peer 10.10.90.1
crypto map CRYPMAP 289 set transform-set ESP-3DES-MD5
crypto map CRYPMAP 309 ipsec-isakmp
crypto map CRYPMAP 309 match address outside_cryptomap_309
crypto map CRYPMAP 309 set peer 65.13.196.139
crypto map CRYPMAP 309 set transform-set ESP-3DES-SHA
crypto map CRYPMAP 319 ipsec-isakmp
crypto map CRYPMAP 319 match address outside_cryptomap_319
crypto map CRYPMAP 319 set peer 65.82.218.57
crypto map CRYPMAP 319 set transform-set ESP-3DES-MD5
crypto map CRYPMAP 339 ipsec-isakmp
crypto map CRYPMAP 339 match address outside_cryptomap_339
crypto map CRYPMAP 339 set peer 97.81.67.178
crypto map CRYPMAP 339 set transform-set ESP-3DES-MD5
crypto map CRYPMAP 359 ipsec-isakmp
crypto map CRYPMAP 359 match address outside_cryptomap_359
crypto map CRYPMAP 359 set peer 74.223.97.148
crypto map CRYPMAP 359 set transform-set ESP-3DES-MD5
crypto map CRYPMAP client configuration address respond
crypto map CRYPMAP client authentication RADIUS LOCAL
crypto map CRYPMAP interface outside
isakmp enable outside
isakmp key ******** address 68.208.195.3 netmask 255.255.255.255 no-xauth
isakmp key ******** address 216.203.80.110 netmask 255.255.255.255 no-xauth
isakmp key ******** address 72.242.42.18 netmask 255.255.255.255 no-xauth
isakmp key ******** address 207.178.204.146 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 207.178.138.104 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 72.149.117.138 netmask 255.255.255.255 no-xauth
isakmp key ******** address 207.203.51.99 netmask 255.255.255.255 no-xauth
isakmp key ******** address 209.220.249.91 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 72.242.42.218 netmask 255.255.255.255 no-xauth
isakmp key ******** address 74.189.79.50 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 74.168.66.114 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 66.45.26.108 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 207.144.102.36 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 207.203.51.98 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 74.164.143.66 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 74.168.44.90 netmask 255.255.255.255 no-xauth
isakmp key ******** address 72.158.65.137 netmask 255.255.255.255 no-config-mode
isakmp key ******** address 70.154.12.138 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 75.145.15.129 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.10.90.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 192.168.16.254 netmask 255.255.255.255
isakmp key ******** address 68.157.165.38 netmask 255.255.255.255 no-xauth
isakmp key ******** address 65.13.196.139 netmask 255.255.255.255 no-xauth
isakmp key ******** address 65.82.218.57 netmask 255.255.255.0 no-xauth no-config-mode
isakmp key ******** address 97.81.67.178 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 74.223.97.148 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 3600 60
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash md5
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup VPNCLIENT address-pool ippool
vpngroup VPNCLIENT dns-server 192.168.16.2
vpngroup VPNCLIENT wins-server 192.168.16.2
vpngroup VPNCLIENT split-tunnel clientvpn
vpngroup VPNCLIENT idle-time 1800
vpngroup VPNCLIENT password ********
vpngroup remoteadmin address-pool remote_support
vpngroup remoteadmin dns-server 192.168.16.2
vpngroup remoteadmin wins-server 192.168.16.2
vpngroup remoteadmin idle-time 1800
vpngroup remoteadmin password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 12.13.154.0 255.255.255.0 outside
ssh timeout 10
management-access inside
console timeout 30
username jhunter password 8ocmHk5rZz.ORUiF encrypted privilege 2
username bpilcher password y7r1ngF8.kf6WomI encrypted privilege 2
username MITS password mBcWDXi240462Ql9 encrypted privilege 15
username support password 4QbgansKhHCKF30h encrypted privilege 15
username jmira password x4o2Tzd9lNj2.A.z encrypted privilege 2
username jcunningham password 2ZFLjyUyPGZSZZFB encrypted privilege 2
username AKessel password CbAScREAQ0vsuCx/ encrypted privilege 15
username mfries password 0OiRjflkqQYWveG5 encrypted privilege 2
username VJackson password iCrtUFYnyP.Q9ozw encrypted privilege 15
terminal width 80
banner login ***************************************************************
banner login    *  This system is intended for business use only.  All data   *
banner login    *  considered confidential and proprietory. Unauthorized use, *
banner login    *  modification, destruction, or disclosure of information    *
banner login    *  supported by this system will result in prosecution.       *
banner login    ***************************************************************
Cryptochecksum:e4533a918a018969bae8a0d8abb1e36e
: end



ASA 5505 (REMOTE OFFICE)

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname P-GA-ATH-01
domain-name sepamed.local
enable password zOWlB72JQNsZH323 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.101.15 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.223.97.148 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name sepamed.local
access-list outside_1_cryptomap extended permit ip 10.10.101.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.101.0 255.255.255.0 192.168.16.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 74.223.97.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.10.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.152.91.98
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.101.16-10.10.101.47 inside
dhcpd enable inside
!

tunnel-group 68.152.91.98 type ipsec-l2l
tunnel-group 68.152.91.98 ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group 68.152.91.98
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c81e02b9563f5869604e607b004fdf01
: end
Asked by: joemoondawg

lrmoore Commented:
The configurations appear to be correct.
From "show cry is sa" on the ASA what do you see?
0
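The comparison behind "the configurations appear to be correct", written out as an added example (not part of the original thread): it parses the tunnel-relevant lines of both posted configurations and checks that the ISAKMP policies, transform sets, crypto ACLs and NAT exemptions agree. The excerpts are taken from the configs above; the function names are this example's own, and it assumes ACL entries in `host A` or `NET MASK` form (object-group entries are skipped, not expanded).

```python
import ipaddress
import re

# Excerpts of the two configurations posted above, reduced to the lines that
# define this tunnel (ISAKMP lifetimes and unrelated peers omitted).
PIX_MAIN = """\
access-list vpntraffic permit ip 192.168.16.0 255.255.255.0 10.10.101.0 255.255.255.0
access-list outside_cryptomap_359 permit ip 192.168.16.0 255.255.255.0 10.10.101.0 255.255.255.0
nat (inside) 0 access-list vpntraffic
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map CRYPMAP 359 match address outside_cryptomap_359
crypto map CRYPMAP 359 set peer 74.223.97.148
crypto map CRYPMAP 359 set transform-set ESP-3DES-MD5
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption 3des
isakmp policy 7 hash md5
isakmp policy 7 group 2
"""
ASA_REMOTE = """\
access-list outside_1_cryptomap extended permit ip 10.10.101.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.101.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.152.91.98
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""


def _addr(tok):
    """Consume 'host A' or 'NET MASK'; return (network, remaining tokens)."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]


def parse_config(text):
    """Parse PIX 6.3 one-line or ASA 7.2 block syntax into one structure."""
    cfg = {"ike": {}, "tsets": {}, "maps": {}, "acls": {}, "nonat": None}
    cur = None  # ISAKMP policy opened by an ASA-style header line
    for raw in text.splitlines():
        tok = raw.split()
        if not raw.startswith(" "):
            cur = None  # any top-level command closes an open policy block
        m = re.match(r"(?:crypto )?isakmp policy (\d+)(?: (\S+) (\S+))?$", raw)
        if m:
            cur = cfg["ike"].setdefault(int(m.group(1)), {})
            if m.group(2):  # PIX form: attribute and value on the same line
                cur[m.group(2)] = m.group(3)
                cur = None
        elif raw.startswith(" ") and cur is not None and len(tok) == 2:
            cur[tok[0]] = tok[1]
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][tok[3]] = frozenset(tok[4:])
        elif tok[:2] == ["crypto", "map"] and len(tok) == 7 and tok[3].isdigit():
            cfg["maps"].setdefault(int(tok[3]), {})[tok[5]] = tok[6]
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            cfg["nonat"] = tok[4]
        elif tok[:1] == ["access-list"]:
            rest = [t for t in tok[2:] if t != "extended"]
            if rest[:2] == ["permit", "ip"] and "object-group" not in rest:
                src, rest = _addr(rest[2:])
                dst, _ = _addr(rest)
                cfg["acls"].setdefault(tok[1], set()).add((src, dst))
    return cfg


def check_tunnel(a, a_ip, b, b_ip):
    """Return the mismatches between peer a (at a_ip) and peer b (at b_ip)."""
    ea = next((e for e in a["maps"].values() if e.get("peer") == b_ip), None)
    eb = next((e for e in b["maps"].values() if e.get("peer") == a_ip), None)
    if ea is None or eb is None:
        return ["no crypto map entry for the other peer"]
    problems = []
    # Phase 1: at least one policy must agree on all four negotiated values.
    fields = ("authentication", "encryption", "hash", "group")
    offers = [{tuple(p.get(f) for f in fields) for p in c["ike"].values()} for c in (a, b)]
    if not offers[0] & offers[1]:
        problems.append("no common ISAKMP policy")
    # Phase 2: the transform sets named by the two entries must be identical.
    ts_a = a["tsets"].get(ea.get("transform-set"))
    if ts_a is None or ts_a != b["tsets"].get(eb.get("transform-set")):
        problems.append("transform sets differ")
    # Interesting traffic: each side's crypto ACL must mirror the other's.
    acl_a = a["acls"].get(ea.get("address"), set())
    acl_b = b["acls"].get(eb.get("address"), set())
    if not acl_a or acl_a != {(d, s) for s, d in acl_b}:
        problems.append("crypto ACLs are not mirror images")
    # NAT exemption: every protected flow must be covered by the nat 0 ACL.
    for cfg, acl in ((a, acl_a), (b, acl_b)):
        nonat = cfg["acls"].get(cfg["nonat"], set())
        for s, d in sorted(acl):
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat):
                problems.append(f"{s} -> {d} is not exempt from NAT")
    return problems
```

An empty result means the static parameters agree, which leaves reachability and the pre-shared keys (masked in both posts) as the things still to verify on the live devices.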
 
joemoondawg (Author) Commented:

**From "show cry is sa" on the ASA what do you see?**

"There are no isakmp sas"

lrmoore Commented:
Set up a continuous ping from a host on side A to a host on side B
Then issue that command several times until you see something.
joemoondawg (Author) Commented:
I did a continuous ping for about 90 secs and did several sh cry is sa commands and got the same response

there are no isakmp sas

Could this be an IOS version issue?

Oh, and by the way, I can ping the outside interface of the MAIN OFFICE PIX from the REMOTE OFFICE ASA.

joemoondawg (Author) Commented:
FYI, I did a continuous ping from the MAIN site PIX to the REMOTE SITE ASA and did the sh cry is sa and it showed all my other VPN connections, but not this one.



VENT:  How in the world can we have other remote sites that are PIX 501s and some even Netgear VPN firewalls that establish the VPN tunnel with the MAIN pix 515 just fine, but this ASA which is a Cisco product just points at me and calls me names?  This has to be the ASA's IOS version just refusing to cooperate with the older IOS.  Am I wasting my time trying to get the ASA to talk to the pix?

lrmoore Commented:
They are very compatible.
What do you see with "show access-list"?
Do you see hitcounters increasing on both the nonat acl entry and on the crypto map acl entry?
On both sides? Sounds almost like the traffic is not hitting the box at all.
On which side did you initiate the ping?

joemoondawg (Author) Commented:
MAIN OFFICE: PIX
Sh access-list

access-list inside line 2 permit icmp 192.168.254.0 255.255.255.0 any time-exceeded (hitcnt=0)
access-list inside line 3 permit ip object-group internal any
access-list inside line 3 permit ip 192.168.14.0 255.255.255.0 any (hitcnt=0)
access-list inside line 3 permit ip 192.168.16.0 255.255.255.0 any (hitcnt=0)
access-list inside line 3 permit ip 10.0.200.0 255.255.255.0 any (hitcnt=0)
access-list inside line 4 permit ip 192.168.254.0 255.255.255.0 any (hitcnt=0)
access-list inside line 5 deny ip any any (hitcnt=0)
access-list clientvpn; 1 elements
access-list clientvpn line 1 permit ip 192.168.16.0 255.255.255.0 192.168.254.0 255.255.255.0 (hitcnt=0)
access-list external; 20 elements
access-list external line 1 permit icmp any any (hitcnt=276348)
access-list external line 2 permit tcp any host 68.152.91.98 eq telnet (hitcnt=0)
access-list external line 3 permit tcp any host 68.152.91.98 eq citrix-ica (hitcnt=0)
access-list external line 4 permit tcp any host 68.152.91.99 eq www (hitcnt=690)
access-list external line 5 permit tcp any host 68.152.91.99 eq https (hitcnt=182)
access-list external line 6 permit tcp any host 68.152.91.99 eq 6000 (hitcnt=5)
access-list external line 7 permit tcp any host 68.152.91.101 eq pcanywhere-data (hitcnt=0)
access-list external line 8 permit udp any host 68.152.91.101 eq pcanywhere-status (hitcnt=1)
access-list external line 9 permit tcp any host 68.152.91.101 eq pop3 (hitcnt=63)
access-list external line 10 permit tcp any host 68.152.91.101 eq smtp (hitcnt=2649)
access-list external line 11 permit tcp any host 68.152.91.106 (hitcnt=9816)
access-list external line 12 permit udp any host 68.152.91.106 (hitcnt=235)
access-list external line 13 permit icmp any host 68.152.91.106 (hitcnt=0)
access-list external line 14 permit tcp any host 68.152.91.101 eq https (hitcnt=1179136)
access-list external line 15 permit tcp any host 68.152.91.101 eq www (hitcnt=511)
access-list external line 16 permit icmp 151.198.60.0 255.255.254.0 host 68.152.91.98 echo (hitcnt=0)
access-list external line 17 permit icmp any host 68.152.91.98 echo-reply (hitcnt=0)
access-list external line 18 permit tcp any host 68.152.91.102 (hitcnt=69882)
access-list external line 19 permit tcp any host 68.152.91.108 (hitcnt=1955854)
access-list external line 20 deny ip any any (hitcnt=82739)
access-list test; 1 elements
access-list test line 1 permit ip host 68.152.91.98 157.174.228.0 255.255.255.0 (hitcnt=0)
access-list quest; 7 elements
access-list quest line 1 permit ip host 192.168.16.92 156.30.21.128 255.255.255.128 (hitcnt=0)
access-list quest line 2 permit ip host 192.168.16.66 156.30.21.128 255.255.255.128 (hitcnt=0)
access-list quest line 3 permit ip host 10.0.200.40 156.30.21.128 255.255.255.12
8 (hitcnt=25031)
access-list quest line 4 permit ip host 10.0.200.42 156.30.21.128 255.255.255.12
8 (hitcnt=0)
access-list quest line 5 permit ip host 68.152.91.100 156.30.21.128 255.255.255.
128 (hitcnt=0)
access-list quest line 6 permit ip 156.30.21.128 255.255.255.128 any (hitcnt=5)
access-list quest line 7 permit ip host 68.152.91.98 156.30.21.128 255.255.255.1
28 (hitcnt=0)
access-list PALATKA; 5 elements
access-list PALATKA line 1 permit ip object-group internal 10.10.10.0 255.255.25
5.0
access-list PALATKA line 1 permit ip 192.168.14.0 255.255.255.0 10.10.10.0 255.2
55.255.0 (hitcnt=0)
access-list PALATKA line 1 permit ip 192.168.16.0 255.255.255.0 10.10.10.0 255.2
55.255.0 (hitcnt=275381)
access-list PALATKA line 1 permit ip 10.0.200.0 255.255.255.0 10.10.10.0 255.255
.255.0 (hitcnt=0)
access-list PALATKA line 2 permit ip 192.168.16.0 255.255.255.0 10.10.10.0 255.2
55.255.0 (hitcnt=0)
access-list PALATKA line 3 permit ip 192.168.16.0 255.255.255.0 192.168.10.0 255
.255.255.0 (hitcnt=59475)
access-list SAVANNAH; 4 elements
access-list SAVANNAH line 1 permit ip object-group internal 10.10.20.0 255.255.2
55.0
access-list SAVANNAH line 1 permit ip 192.168.14.0 255.255.255.0 10.10.20.0 255.
255.255.0 (hitcnt=0)
access-list SAVANNAH line 1 permit ip 192.168.16.0 255.255.255.0 10.10.20.0 255.
255.255.0 (hitcnt=703055)
access-list SAVANNAH line 1 permit ip 10.0.200.0 255.255.255.0 10.10.20.0 255.25
5.255.0 (hitcnt=0)
access-list SAVANNAH line 2 permit ip 192.168.254.0 255.255.255.0 10.10.20.0 255
.255.255.0 (hitcnt=0)
access-list outside_cryptomap_29; 4 elements
access-list outside_cryptomap_29 line 1 permit ip object-group internal 10.10.30
.0 255.255.255.0
access-list outside_cryptomap_29 line 1 permit ip 192.168.14.0 255.255.255.0 10.
10.30.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_29 line 1 permit ip 192.168.16.0 255.255.255.0 10.
10.30.0 255.255.255.0 (hitcnt=36)
access-list outside_cryptomap_29 line 1 permit ip 10.0.200.0 255.255.255.0 10.10
.30.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_29 line 2 permit ip 192.168.254.0 255.255.255.0 10
.10.30.0 255.255.255.0 (hitcnt=0)
access-list WHG; 4 elements
access-list WHG line 1 permit ip object-group internal 10.10.40.0 255.255.255.0
access-list WHG line 1 permit ip 192.168.14.0 255.255.255.0 10.10.40.0 255.255.2
55.0 (hitcnt=0)
access-list WHG line 1 permit ip 192.168.16.0 255.255.255.0 10.10.40.0 255.255.2
55.0 (hitcnt=292440)
access-list WHG line 1 permit ip 10.0.200.0 255.255.255.0 10.10.40.0 255.255.255
.0 (hitcnt=0)
access-list WHG line 2 permit ip 192.168.254.0 255.255.255.0 10.10.40.0 255.255.
255.0 (hitcnt=0)
access-list Warner; 4 elements
access-list Warner line 1 permit ip object-group internal 10.10.50.0 255.255.255
.0
access-list Warner line 1 permit ip 192.168.14.0 255.255.255.0 10.10.50.0 255.25
5.255.0 (hitcnt=0)
access-list Warner line 1 permit ip 192.168.16.0 255.255.255.0 10.10.50.0 255.25
5.255.0 (hitcnt=535996)
access-list Warner line 1 permit ip 10.0.200.0 255.255.255.0 10.10.50.0 255.255.
255.0 (hitcnt=0)
access-list Warner line 2 permit ip 192.168.254.0 255.255.255.0 10.10.50.0 255.2
55.255.0 (hitcnt=0)
access-list outside_cryptomap_69; 1 elements
access-list outside_cryptomap_69 line 1 permit ip host 192.168.16.190 host 192.1
68.155.252 (hitcnt=275408)
access-list vpntraffic; 47 elements
access-list vpntraffic line 1 permit ip object-group internal 10.10.10.0 255.255
.255.0
access-list vpntraffic line 1 permit ip 192.168.14.0 255.255.255.0 10.10.10.0 25
5.255.255.0 (hitcnt=0)
access-list vpntraffic line 1 permit ip 192.168.16.0 255.255.255.0 10.10.10.0 25
5.255.255.0 (hitcnt=390391)
access-list vpntraffic line 1 permit ip 10.0.200.0 255.255.255.0 10.10.10.0 255.
255.255.0 (hitcnt=0)
access-list vpntraffic line 2 permit ip object-group internal 10.10.40.0 255.255
.255.0
access-list vpntraffic line 2 permit ip 192.168.14.0 255.255.255.0 10.10.40.0 25
5.255.255.0 (hitcnt=0)
access-list vpntraffic line 2 permit ip 192.168.16.0 255.255.255.0 10.10.40.0 25
5.255.255.0 (hitcnt=399101)
access-list vpntraffic line 2 permit ip 10.0.200.0 255.255.255.0 10.10.40.0 255.
255.255.0 (hitcnt=0)
access-list vpntraffic line 3 permit ip object-group internal 10.10.50.0 255.255
.255.0
access-list vpntraffic line 3 permit ip 192.168.14.0 255.255.255.0 10.10.50.0 25
5.255.255.0 (hitcnt=0)
access-list vpntraffic line 3 permit ip 192.168.16.0 255.255.255.0 10.10.50.0 25
5.255.255.0 (hitcnt=777269)
access-list vpntraffic line 3 permit ip 10.0.200.0 255.255.255.0 10.10.50.0 255.
255.255.0 (hitcnt=0)
access-list vpntraffic line 4 permit ip object-group internal 192.168.254.0 255.
255.255.0
access-list vpntraffic line 4 permit ip 192.168.14.0 255.255.255.0 192.168.254.0
 255.255.255.0 (hitcnt=0)
access-list vpntraffic line 4 permit ip 192.168.16.0 255.255.255.0 192.168.254.0
 255.255.255.0 (hitcnt=30)
access-list vpntraffic line 4 permit ip 10.0.200.0 255.255.255.0 192.168.254.0 2
55.255.255.0 (hitcnt=0)
access-list vpntraffic line 5 permit ip object-group internal host 192.168.9.1
access-list vpntraffic line 5 permit ip 192.168.14.0 255.255.255.0 host 192.168.
9.1 (hitcnt=0)
access-list vpntraffic line 5 permit ip 192.168.16.0 255.255.255.0 host 192.168.
9.1 (hitcnt=264)
access-list vpntraffic line 5 permit ip 10.0.200.0 255.255.255.0 host 192.168.9.
1 (hitcnt=0)
access-list vpntraffic line 6 permit ip object-group internal host 192.168.9.2
access-list vpntraffic line 6 permit ip 192.168.14.0 255.255.255.0 host 192.168.
9.2 (hitcnt=0)
access-list vpntraffic line 6 permit ip 192.168.16.0 255.255.255.0 host 192.168.
9.2 (hitcnt=11)
access-list vpntraffic line 6 permit ip 10.0.200.0 255.255.255.0 host 192.168.9.
2 (hitcnt=0)
access-list vpntraffic line 7 permit ip object-group internal 10.10.20.0 255.255
.255.0
access-list vpntraffic line 7 permit ip 192.168.14.0 255.255.255.0 10.10.20.0 25
5.255.255.0 (hitcnt=0)
access-list vpntraffic line 7 permit ip 192.168.16.0 255.255.255.0 10.10.20.0 25
5.255.255.0 (hitcnt=902912)
access-list vpntraffic line 7 permit ip 10.0.200.0 255.255.255.0 10.10.20.0 255.
255.255.0 (hitcnt=0)
access-list vpntraffic line 8 permit ip host 192.168.16.190 host 207.178.139.65
(hitcnt=611045)
access-list vpntraffic line 9 permit ip host 192.168.16.190 host 207.178.204.147
 (hitcnt=8547)
access-list vpntraffic line 10 permit ip 192.168.254.0 255.255.255.0 10.10.30.0
255.255.255.0 (hitcnt=0)
access-list vpntraffic line 11 permit ip object-group internal 10.10.30.0 255.25
5.255.0
access-list vpntraffic line 11 permit ip 192.168.14.0 255.255.255.0 10.10.30.0 2
55.255.255.0 (hitcnt=0)
access-list vpntraffic line 11 permit ip 192.168.16.0 255.255.255.0 10.10.30.0 2
55.255.255.0 (hitcnt=8)
access-list vpntraffic line 11 permit ip 10.0.200.0 255.255.255.0 10.10.30.0 255
.255.255.0 (hitcnt=0)
access-list vpntraffic line 12 permit ip 192.168.254.0 255.255.255.0 192.168.1.0
 255.255.255.0 (hitcnt=0)
access-list vpntraffic line 13 permit ip object-group internal 192.168.1.0 255.2
55.255.0
access-list vpntraffic line 13 permit ip 192.168.14.0 255.255.255.0 192.168.1.0
255.255.255.0 (hitcnt=0)
access-list vpntraffic line 13 permit ip 192.168.16.0 255.255.255.0 192.168.1.0
255.255.255.0 (hitcnt=477508)
access-list vpntraffic line 13 permit ip 10.0.200.0 255.255.255.0 192.168.1.0 25
5.255.255.0 (hitcnt=0)
access-list vpntraffic line 14 permit ip host 192.168.16.190 host 192.168.155.25
2 (hitcnt=271667)
access-list vpntraffic line 15 permit ip 192.168.16.0 255.255.255.0 10.10.91.0 2
55.255.255.0 (hitcnt=807285)
access-list vpntraffic line 16 permit ip host 192.168.16.52 host 66.45.27.43 (hi
tcnt=8336)
access-list vpntraffic line 17 permit ip host 192.168.16.52 host 66.45.27.55 (hi
tcnt=3651)
access-list vpntraffic line 18 permit ip 192.168.16.0 255.255.255.0 10.10.11.0 2
55.255.255.0 (hitcnt=735960)
access-list vpntraffic line 19 permit ip host 192.168.16.52 host 192.168.1.210 (
hitcnt=0)
access-list vpntraffic line 20 permit ip 192.168.16.0 255.255.255.0 10.10.21.0 2
55.255.255.0 (hitcnt=39299)
access-list vpntraffic line 21 permit ip 192.168.16.0 255.255.255.0 10.10.90.0 2
55.255.255.0 (hitcnt=67558)
access-list vpntraffic line 22 permit ip 192.168.16.0 255.255.255.0 204.145.247.
0 255.255.255.0 (hitcnt=274544)
access-list vpntraffic line 23 permit ip 192.168.16.0 255.255.255.0 10.10.61.0 2
55.255.255.0 (hitcnt=49422)
access-list vpntraffic line 24 permit ip 192.168.16.0 255.255.255.0 192.168.88.0
 255.255.255.0 (hitcnt=20)
access-list vpntraffic line 25 permit ip 192.168.16.0 255.255.255.0 10.10.31.0 2
55.255.255.0 (hitcnt=55340)
access-list vpntraffic line 26 permit ip 192.168.16.0 255.255.255.0 host 68.152.
159.213 (hitcnt=3)
access-list vpntraffic line 27 permit ip 192.168.16.0 255.255.255.0 192.168.9.0
255.255.255.0 (hitcnt=33349)
access-list vpntraffic line 28 permit ip 192.168.16.0 255.255.255.0 192.168.8.0
255.255.255.0 (hitcnt=0)
access-list vpntraffic line 29 permit ip 192.168.16.0 255.255.255.0 10.10.101.0
255.255.255.0 (hitcnt=357)
access-list atlas_asp_vpn; 1 elements
access-list atlas_asp_vpn line 1 permit ip host 192.168.16.190 host 207.178.139.
65 (hitcnt=1495091)
access-list atlas_support_vpn; 1 elements
access-list atlas_support_vpn line 1 permit ip host 192.168.16.190 host 207.178.
204.147 (hitcnt=4302)
access-list outside_cryptomap_49; 4 elements
access-list outside_cryptomap_49 line 1 permit ip object-group internal 192.168.
1.0 255.255.255.0
access-list outside_cryptomap_49 line 1 permit ip 192.168.14.0 255.255.255.0 192
.168.1.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_49 line 1 permit ip 192.168.16.0 255.255.255.0 192
.168.1.0 255.255.255.0 (hitcnt=25180)
access-list outside_cryptomap_49 line 1 permit ip 10.0.200.0 255.255.255.0 192.1
68.1.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_49 line 2 permit ip 192.168.254.0 255.255.255.0 19
2.168.1.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_89; 1 elements
access-list outside_cryptomap_89 line 1 permit ip 192.168.16.0 255.255.255.0 10.
10.90.0 255.255.255.0 (hitcnt=386629)
access-list outside_cryptomap_109; 1 elements
access-list outside_cryptomap_109 line 1 permit ip 192.168.16.0 255.255.255.0 10
.10.91.0 255.255.255.0 (hitcnt=451587)
access-list outside_cryptomap_129; 2 elements
access-list outside_cryptomap_129 line 1 permit ip host 192.168.16.52 host 66.45
.27.43 (hitcnt=9369)
access-list outside_cryptomap_129 line 2 permit ip host 192.168.16.52 host 66.45
.27.55 (hitcnt=4689)
access-list outside_cryptomap_149; 1 elements
access-list outside_cryptomap_149 line 1 permit ip 192.168.16.0 255.255.255.0 10
.10.11.0 255.255.255.0 (hitcnt=401191)
access-list outside_cryptomap_169; 4 elements
access-list outside_cryptomap_169 line 1 permit ip object-group internal host 19
2.168.1.210
access-list outside_cryptomap_169 line 1 permit ip 192.168.14.0 255.255.255.0 ho
st 192.168.1.210 (hitcnt=0)
access-list outside_cryptomap_169 line 1 permit ip 192.168.16.0 255.255.255.0 ho
st 192.168.1.210 (hitcnt=0)
access-list outside_cryptomap_169 line 1 permit ip 10.0.200.0 255.255.255.0 host
 192.168.1.210 (hitcnt=0)
access-list outside_cryptomap_169 line 2 permit ip host 192.168.16.52 host 192.1
68.1.210 (hitcnt=0)
access-list outside_cryptomap_189; 1 elements
access-list outside_cryptomap_189 line 1 permit ip 192.168.16.0 255.255.255.0 10
.10.21.0 255.255.255.0 (hitcnt=41778)
access-list outside_cryptomap_309; 1 elements
access-list outside_cryptomap_309 line 1 permit ip 192.168.16.0 255.255.255.0 10
.10.31.0 255.255.255.0 (hitcnt=375724)
access-list outside_cryptomap_269; 1 elements
access-list outside_cryptomap_269 line 1 permit ip 192.168.16.0 255.255.255.0 10
.10.61.0 255.255.255.0 (hitcnt=241335)
access-list outside_cryptomap_249; 1 elements
access-list outside_cryptomap_249 line 1 permit ip 192.168.16.0 255.255.255.0 20
4.145.247.0 255.255.255.0 (hitcnt=210248)
access-list outside_cryptomap_289; 1 elements
access-list outside_cryptomap_289 line 1 permit ip 192.168.16.0 255.255.255.0 19
2.168.88.0 255.255.255.0 (hitcnt=52)
access-list outside_cryptomap_319; 1 elements
access-list outside_cryptomap_319 line 1 permit ip 192.168.16.0 255.255.255.0 19
2.168.9.0 255.255.255.0 (hitcnt=18944)
access-list 120; 1 elements
access-list 120 line 1 permit tcp any host 71.251.204.22 (hitcnt=0)
access-list outside_cryptomap_339; 1 elements
access-list outside_cryptomap_339 line 1 permit ip 192.168.16.0 255.255.255.0 19
2.168.8.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_359; 1 elements
access-list outside_cryptomap_359 line 1 permit ip 192.168.16.0 255.255.255.0 10
.10.101.0 255.255.255.0 (hitcnt=359)
SEPA-FW#

REMOTE OFFICE: ASA

Sh Access-list

Result of the command: "sh access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_1_cryptomap; 1 elements
access-list outside_1_cryptomap line 1 extended permit ip 10.10.101.0 255.255.255.0 192.168.16.0 255.255.255.0 (hitcnt=1) 0xb7460b97
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 10.10.101.0 255.255.255.0 192.168.16.0 255.255.255.0 (hitcnt=0) 0x11195c39
0
 
joemoondawgAuthor Commented:
I have done the continuous ping on both sides.
0
 
joemoondawgAuthor Commented:
They act like they are not even trying to connect. What are the best commands for me to see if I can find some error messages that can give me a clue?
0
 
lrmooreCommented:
>access-list outside_cryptomap_359 line 1 permit ip 192.168.16.0 255.255.255.0 10.10.101.0 255.255.255.0 (hitcnt=359)
>access-list vpntraffic line 29 permit ip 192.168.16.0 255.255.255.0 10.10.101.0 255.255.255.0 (hitcnt=357)

Looks like the PIX side is good

They're not even hitting the acls on the ASA side.
This is usually an indicator of routing issues on that end. Verify the default gateway of the host you are testing with and make sure it points to the ASA.
0
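
The hit-counter comparison lrmoore makes above, as an added example that is not part of the original thread: a Python script that rejoins the PIX console's 80-column wraps and sums `hitcnt` per ACL for one tunnel's source and destination networks on each side. The sample text is excerpted from the outputs posted in this thread; the function names are illustrative.

```python
import ipaddress
import re

# Excerpts of the "show access-list" output posted in this thread. The PIX
# console wraps at 80 columns, sometimes in the middle of a token.
PIX_OUTPUT = """\
access-list vpntraffic line 29 permit ip 192.168.16.0 255.255.255.0 10.10.101.0
255.255.255.0 (hitcnt=357)
access-list outside_cryptomap_359; 1 elements
access-list outside_cryptomap_359 line 1 permit ip 192.168.16.0 255.255.255.0 10
.10.101.0 255.255.255.0 (hitcnt=359)
"""
ASA_OUTPUT = """\
access-list outside_1_cryptomap line 1 extended permit ip 10.10.101.0 255.255.255.0 192.168.16.0 255.255.255.0 (hitcnt=1) 0xb7460b97
access-list inside_nat0_outbound line 1 extended permit ip 10.10.101.0 255.255.255.0 192.168.16.0 255.255.255.0 (hitcnt=0) 0x11195c39
"""

ENTRY = re.compile(r"access-list (\S+) line \d+ (?:extended )?permit ip "
                   r"(\S+) (\S+) (\S+) (\S+) \(hitcnt=(\d+)\)")

def parse_entry(text):
    """Return (acl, src, dst, hitcnt) for a 'net mask net mask' entry, else None."""
    m = ENTRY.match(text)
    if not m:
        return None
    try:
        src = ipaddress.ip_network(f"{m[2]}/{m[3]}")
        dst = ipaddress.ip_network(f"{m[4]}/{m[5]}")
    except ValueError:  # host/any/object-group forms, or a mis-joined token
        return None
    return m[1], src, dst, int(m[6])

def entries(output):
    """Yield parsed entries, undoing the console wrap: a wrap inside a token
    needs a plain join, a wrap that fell on a space (lost in the paste)
    needs the space put back, so try both."""
    records = []
    for line in output.splitlines():
        if line.startswith("access-list "):
            records.append([line])
        elif records and line.strip():
            records[-1].append(line)
    for parts in records:
        parsed = parse_entry("".join(parts)) or parse_entry(" ".join(parts))
        if parsed:
            yield parsed

def tunnel_hits(output, src, dst):
    """Sum hit counts per ACL for entries that match src -> dst exactly."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    hits = {}
    for acl, s, d, count in entries(output):
        if (s, d) == (src, dst):
            hits[acl] = hits.get(acl, 0) + count
    return hits

if __name__ == "__main__":
    print("PIX:", tunnel_hits(PIX_OUTPUT, "192.168.16.0/24", "10.10.101.0/24"))
    print("ASA:", tunnel_hits(ASA_OUTPUT, "10.10.101.0/24", "192.168.16.0/24"))
```

On the thread's data the PIX entries for 192.168.16.0/24 to 10.10.101.0/24 show 357 and 359 hits, while the mirrored ASA entries show 1 and 0.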
 
lrmooreCommented:
Concentrate on the ASA side and the routing there.
0
 
joemoondawgAuthor Commented:
lrmoore,

I really appreciate your help. I had my client power-cycle the PIX at the MAIN OFFICE and presto, everything started working. I normally would have tried this as one of my first troubleshooting steps, but these guys are high availability and we have a very small window to power-cycle. Plus, everything else was working fine so I just didn't think it'd help. Evidently something was just jammed up in that PIX. The magic reboot strikes again!
0
