site to site Cisco PIX 515 to ASA 5505 vpn not working

I think I'm having some ACL issues. Attached are the config files. Any ideas? I would like the remote 172.31.12.0 network to be able to access all of the 172.31.0.0 networks. I found a very similar setup here: http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23710489.html but we're running an earlier version of pix software...

pix
# sh crypto isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   2.2.2.2     1.1.1.1    MM_KEY_EXCH   0           0

asa
# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

2   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
pix.txt
asa.txt
adamshieldsAsked:

wilsjCommented:
Add this to the end of your isakmp preshared key: no-xauth no-config-mode.

isakmp key ******** address 2.2.2.2 netmask 255.255.255.255  no-xauth no-config-mode

Also change the networks; it seems like there will be a conflict in allowing 172.31.12.0 255.255.255.0 to 172.31.0.0 255.255.0.0. If your network is 172.31.0.0, then you should do NAT on both ends to clear this up.
adamshieldsAuthor Commented:
I modified the isakmp key and changed the networks to be a little more specific, but still no response from either end and still the same connection status.

ASA
access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240
access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0

PIX
access-list vpn_nonat permit ip 172.31.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list vpn_nonat permit ip 10.1.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list vpn_nonat permit ip 172.31.0.0 255.255.0.0 172.31.9.0 255.255.255.0
access-list vpn_nonat permit ip 10.1.0.0 255.255.0.0 172.31.9.0 255.255.255.0
access-list vpn_nonat permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list DMZ permit icmp any any
access-list DMZ permit ip any any
access-list DMZ permit icmp any any echo
access-list DMZ permit icmp any any echo-reply
access-list ADAM_HOME permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
lrmooreCommented:
>ASA
>access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
This is backwards. It should be a mirror image of the PIX:

access-list outside_1_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0

Also try removing PFS on both sides.
adamshieldsAuthor Commented:
I had just caught the access-list issue.

Issued
no crypto map outside_map 1 set pfs group1
no crypto map map1 5 set pfs

I still cannot ping a host on either end of the network. I can VPN into the PIX with a Cisco client and ping any of the hosts, though...
adamshieldsAuthor Commented:
Also, now I can see that I'm connected, but still cannot ping:

# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.x.x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


# sh crypto isakmp sa
Total     : 2
Embryonic : 0
        dst               src        state     pending     created
   1.1.1.1     2.2.2.2    QM_IDLE         0           1
lrmooreCommented:
That's good progress.
Post the result of "show cry ip sa" and look for error counters.
adamshieldsAuthor Commented:
I didn't see any errors, but attached are the two listings.
pix-sanitized.txt
asa-sanitized.txt
wilsjCommented:
Please post the current config of both firewalls.
lrmooreCommented:
Almost there..

local  ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.31.12.0/255.255.255.0/0/0)

I'll bet you have both of these lines in the PIX:
access-list ADAM_HOME permit ip 172.31.0.0 255.255.0.0 172.31.12.0 255.255.255.0  <== REMOVE THIS
access-list ADAM_HOME permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
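The two problems raised in this thread, a crypto ACL that is not the mirror image of the peer's and a PIX ACL with an overlapping /16 and /24 entry for the same remote network, can both be caught by a small config check. This is an added example, not code from the thread or from Cisco; the ACL lines are constructed from the ones posted above, and `parse_crypto_acl`, `mirror_mismatches` and `overlapping_entries` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample ACEs, taken from the ACLs posted in this thread.
ASA_CRYPTO_ACL = """
access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
"""
PIX_CRYPTO_ACL = """
access-list ADAM_HOME permit ip 172.31.0.0 255.255.0.0 172.31.12.0 255.255.255.0
access-list ADAM_HOME permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
"""

# Matches PIX (no "extended") and ASA ("extended") 'permit ip SRC MASK DST MASK' lines.
ACE_RE = re.compile(
    r"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_crypto_acl(text):
    """Return (local_net, remote_net) pairs for each 'permit ip' ACE."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            entries.append((ipaddress.ip_network(f"{src}/{smask}"),
                            ipaddress.ip_network(f"{dst}/{dmask}")))
    return entries

def mirror_mismatches(side_a, side_b):
    """ACEs on side A that have no exact (remote, local) counterpart on side B."""
    mirrored = {(remote, local) for local, remote in side_b}
    return [ace for ace in side_a if ace not in mirrored]

def overlapping_entries(entries):
    """Pairs of ACEs where one proxy identity contains the other; the peer
    will only ever negotiate one of them, so the other silently loses."""
    found = []
    for i, (l1, r1) in enumerate(entries):
        for l2, r2 in entries[i + 1:]:
            if (l1.subnet_of(l2) or l2.subnet_of(l1)) and \
               (r1.subnet_of(r2) or r2.subnet_of(r1)):
                found.append(((l1, r1), (l2, r2)))
    return found

if __name__ == "__main__":
    asa, pix = parse_crypto_acl(ASA_CRYPTO_ACL), parse_crypto_acl(PIX_CRYPTO_ACL)
    for local, remote in mirror_mismatches(asa, pix):
        print(f"ASA ACE {local} -> {remote} has no mirror image on the PIX")
    for a, b in overlapping_entries(pix):
        print(f"PIX ACEs overlap: {a} and {b}")
```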
adamshieldsAuthor Commented:
wilsj, attached are the most recent configurations since some things have changed along the way.

lrmoore, I had removed the first line earlier and updated it to reflect the second one so that doesn't seem to be the problem.
asa.txt
pix.txt
wilsjCommented:
Everything seems to be correct. Try this:

Run deb icmp trace on both firewalls and see if you see the traffic. Make sure on both firewalls that the traffic is leaving un-NATted.

adamshieldsAuthor Commented:
I'm not seeing any pongs to my ping packets when attempting to ping 1.0 from 12.0. I do not see requests or replies when attempting to contact 12.0 from 1.0. As a note, I can log in with a Cisco client and receive echo-requests and echo-replies. Seems like return traffic is not being allowed.

PIX
5: ICMP echo-request from outside:172.31.12.5 to 172.31.1.4 ID=512 seq=38400 length=40
6: ICMP echo-request from outside:172.31.12.5 to 172.31.1.4 ID=512 seq=38656 length=40
7: ICMP echo-request from outside:172.31.12.5 to 172.31.1.4 ID=512 seq=38912 length=40
8: ICMP echo-request from outside:172.31.12.5 to 172.31.1.4 ID=512 seq=39168 length=40
ASA
ICMP echo request from inside:172.31.12.5 to outside:172.31.1.4 ID=512 seq=38400 len=32
ICMP echo request from inside:172.31.12.5 to outside:172.31.1.4 ID=512 seq=38656 len=32
ICMP echo request from inside:172.31.12.5 to outside:172.31.1.4 ID=512 seq=38912 len=32
ICMP echo request from inside:172.31.12.5 to outside:172.31.1.4 ID=512 seq=39168 len=32

wilsjCommented:
So you are seeing the request on the PIX from the host behind the ASA, so the replies are not coming back from the PIX to the ASA. Can host 172.31.1.4 ping its gateway?

adamshieldsAuthor Commented:
Host 172.31.1.4 and 172.31.12.5 can ping their corresponding gateways.
wilsjCommented:
What is the IP address of the inside interface of the PIX, and the subnet mask?
adamshieldsAuthor Commented:
The PIX is at a colo that is connected to the main network via an MPLS connection to the main site's router.

ip address outside 1.1.1.1 255.255.255.252
ip address inside 10.1.9.2 255.255.255.252
wilsjCommented:
OK, can you do a sh route on the PIX and post it here, please?
adamshieldsAuthor Commented:
See below.
# sh route
 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
 
Gateway of last resort is 71.16.126.153 to network 0.0.0.0
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:39:28, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:39:38, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:40:27, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:37:31, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:37:41, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:39:23, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:40:49, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:40:59, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:41:21, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:41:31, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:42:22, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1193:02:47, inside
 
     71.0.0.0 255.255.255.252 is subnetted, 1 subnets
C       71.16.126.152  is directly connected, outside
 
     172.31.0.0 255.255.0.0 is variably subnetted, 16 subnets, 2 masks
O IA    172.31.250.1 255.255.255.255 [110/90] via 10.1.9.1, 3:53:46, inside

wilsjCommented:
OK, can you do sh route inside?
adamshieldsAuthor Commented:
See below.
# sh route inside
 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
 
Gateway of last resort is 71.16.126.153 to network 0.0.0.0
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:51:44, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:51:54, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:52:43, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:49:48, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:49:58, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:51:40, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:53:05, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:53:15, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:53:37, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:53:47, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:54:38, inside
 
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1193:02:47, inside
 
     71.0.0.0 255.255.255.252 is subnetted, 1 subnets
     172.31.0.0 255.255.0.0 is variably subnetted, 16 subnets, 2 masks
O IA    172.31.250.1 255.255.255.255 [110/90] via 10.1.9.1, 4:06:02, inside
 
O IA    172.31.251.1 255.255.255.255 [110/76] via 10.1.9.1, 197:51:44, inside
 
O IA    172.31.254.1 255.255.255.255 [110/90] via 10.1.9.1, 169:05:36, inside
 
O IA    172.31.253.2 255.255.255.255 [110/43] via 10.1.9.1, 197:51:47, inside
 
O IA    172.31.252.1 255.255.255.255 [110/77] via 10.1.9.1, 169:05:32, inside
 
O IA    172.31.50.0 255.255.255.0 [110/76] via 10.1.9.1, 197:51:47, inside
 
O IA    172.31.40.0 255.255.255.0 [110/90] via 10.1.9.1, 169:05:37, inside
 
O IA    172.31.20.0 255.255.255.0 [110/77] via 10.1.9.1, 169:05:32, inside
 
O IA    172.31.30.0 255.255.255.0 [110/90] via 10.1.9.1, 4:06:06, inside
 
O E2    172.31.3.0 255.255.255.0 [110/1] via 10.1.9.1, 64:39:24, inside
 
O IA    172.31.2.0 255.255.255.0 [110/77] via 10.1.9.1, 169:05:32, inside
 
O IA    172.31.1.0 255.255.255.0 [110/43] via 10.1.9.1, 197:51:48, inside
 
O IA    172.31.5.0 255.255.255.0 [110/85] via 10.1.9.1, 197:51:49, inside
 
O IA    172.31.4.0 255.255.255.0 [110/99] via 10.1.9.1, 169:05:39, inside
 
O IA    172.31.10.0 255.255.255.0 [110/43] via 10.1.9.1, 197:51:49, inside
 
     10.0.0.0 255.0.0.0 is variably subnetted, 15 subnets, 2 masks
C       10.1.9.0 255.255.255.252 is directly connected, inside
 
O IA    10.1.3.0 255.255.255.252 [110/11] via 10.1.9.1, 64:39:21, inside
 
O IA    10.1.2.0 255.255.255.252 [110/11] via 10.1.9.1, 182:48:07, inside
 
O       10.1.1.0 255.255.255.0 [110/74] via 10.1.9.1, 197:51:49, inside
 
O       10.1.1.0 255.255.255.252 [110/42] via 10.1.9.1, 197:51:50, inside
 
O       10.1.5.0 255.255.255.252 [110/75] via 10.1.9.1, 197:51:50, inside
 
O IA    10.1.4.0 255.255.255.252 [110/11] via 10.1.9.1, 197:51:51, inside
 
O IA    10.10.20.0 255.255.255.0 [110/11187] via 10.1.9.1, 169:05:35, inside
 
O IA    10.20.10.0 255.255.255.0 [110/11153] via 10.1.9.1, 197:51:51, inside
 
O IA    10.10.30.0 255.255.255.0 [110/11200] via 10.1.9.1, 4:05:49, inside
 
O IA    10.30.10.0 255.255.255.0 [110/11153] via 10.1.9.1, 197:51:51, inside
 
O IA    10.10.40.0 255.255.255.0 [110/11200] via 10.1.9.1, 169:05:40, inside
 
O IA    10.40.10.0 255.255.255.0 [110/11153] via 10.1.9.1, 197:51:51, inside
 
O IA    10.50.10.0 255.255.255.0 [110/11153] via 10.1.9.1, 197:51:51, inside
 
O IA    10.10.50.0 255.255.255.0 [110/11186] via 10.1.9.1, 197:51:51, inside

adamshieldsAuthor Commented:
Do I need to add 12.0 to the OSPF statement in the main router or the PIX?
wilsjCommented:
Not unless the ASA is participating in OSPF.

I haven't worked with MPLS before.

But usually on the PIX and ASA, if the network that you want to route across a tunnel is on a different subnet than the inside interface, you have to have a route for it, i.e. route inside 172.31.1.0 255.255.255.0 10.1.9.2 (inside interface).

If you do a sh run do you see anything like that on the PIX?
adamshieldsAuthor Commented:
There is a: route outside 0.0.0.0 0.0.0.0 1.1.1.1 but I don't see any inside routing statements.
wilsjCommented:
OK. Where is the 172.31.1.0/24 network coming from, or which interface is it coming from? Try this command:

route inside 172.31.1.0 255.255.255.0 ip of the interface
adamshieldsAuthor Commented:
The 172.31.1.0 network is on the inside interface so I added:

route inside 172.31.1.0 255.255.255.0 10.1.9.2

I'm still not seeing replies to the ICMP requests.

adamshieldsAuthor Commented:
ip route 172.31.12.0 255.255.255.0 10.1.9.2
ip route 192.168.2.0 255.255.255.0 10.1.9.2

There was an entry in the main router for the remote VPN clients that come through the PIX, so I added the 172.31.10.0 and that did it!
adamshieldsAuthor Commented:
Thank you for the help that led me to find the route that needed to be added to the core router!
wilsjCommented:
Glad to help.