• Status: Solved

Site-to-site Cisco PIX 515 to ASA 5505 VPN not working

I think I'm having some ACL issues. Attached are the config files. Any ideas? I would like the remote 172.31.12.0 network to be able to access all of the 172.31.0.0 networks. I found a very similar setup here: http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23710489.html but we're running an earlier version of PIX software...

PIX:
# sh crypto isakmp sa
Total     : 1
Embryonic : 1
        dst               src        state     pending     created
   2.2.2.2     1.1.1.1    MM_KEY_EXCH   0           0

ASA:
# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

2   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
pix.txt
asa.txt
3 Solutions

wilsj commented:
Add this to the end of your isakmp preshared key: no-xauth no-config-mode.

isakmp key ******** address 2.2.2.2 netmask 255.255.255.255  no-xauth no-config-mode

Also change the networks; it seems like there will be a conflict in allowing 172.31.12.0 255.255.255.0 to 172.31.0.0 255.255.0.0. If your network is 172.31.0.0, then you should do NAT on both ends to clear this up.

adamshields (Author) commented:
I modified the isakmp key and changed the networks to be a little more specific, but still no response from either end and still the same connection status.

ASA
access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240
access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0

PIX
access-list vpn_nonat permit ip 172.31.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list vpn_nonat permit ip 10.1.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list vpn_nonat permit ip 172.31.0.0 255.255.0.0 172.31.9.0 255.255.255.0
access-list vpn_nonat permit ip 10.1.0.0 255.255.0.0 172.31.9.0 255.255.255.0
access-list vpn_nonat permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list DMZ permit icmp any any
access-list DMZ permit ip any any
access-list DMZ permit icmp any any echo
access-list DMZ permit icmp any any echo-reply
access-list ADAM_HOME permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0

lrmoore commented:
>ASA
>access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
This is backwards. It should be a mirror image of the PIX's:

access-list outside_1_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0

Also try removing PFS on both sides.
adamshields (Author) commented:
I had just caught the access-list issue.

Issued:
no crypto map outside_map 1 set pfs group1
no crypto map map1 5 set pfs

Still cannot ping a host on either end of the network. I can VPN into the PIX with a Cisco client and ping any of the hosts, though....

adamshields (Author) commented:
Also, now I can see that I'm connected, just still cannot ping:

# sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.x.x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


# sh crypto isakmp sa
Total     : 2
Embryonic : 0
        dst               src        state     pending     created
   1.1.1.1     2.2.2.2    QM_IDLE         0           1

lrmoore commented:
that's good progress
Post the result of "show cry ip sa" and look for error counters.

adamshields (Author) commented:
I didn't see any errors, but attached are the two listings.
pix-sanitized.txt
asa-sanitized.txt

wilsj commented:
Please post the current config of both firewalls.

lrmoore commented:
Almost there..

local  ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.31.12.0/255.255.255.0/0/0)

I'll bet you have both of these lines in the PIX:
access-list ADAM_HOME permit ip 172.31.0.0 255.255.0.0 172.31.12.0 255.255.255.0  <== REMOVE THIS
access-list ADAM_HOME permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
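An added example, not part of the thread, that automates the two checks lrmoore made by eye in his two comments above: that each peer's crypto ACL is the exact mirror of the other's, and that a wider line earlier in the same ACL does not shadow the intended one (which is what produces a 172.31.0.0/16 local ident when the peer expects 172.31.1.0/24). It also checks that the NAT-exemption ACL covers every crypto entry. The access-list lines are the ones posted in this thread, with the PIX ADAM_HOME ACL shown holding both lines lrmoore suspected were present; the ACL names are the thread's, the function names are mine, and only the Python standard library is used.

```python
"""Added example (not from the thread): sanity-check the crypto ACLs and
NAT-exemption ACLs of two IPsec peers. Access-list lines are the ones
posted in the thread; the function names are mine."""
import ipaddress

# PIX lines as posted, with the crypto ACL holding both the wide /16 line
# lrmoore guessed was present and the intended /24 line.
PIX_CONFIG = """
access-list vpn_nonat permit ip 172.31.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list vpn_nonat permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
access-list ADAM_HOME permit ip 172.31.0.0 255.255.0.0 172.31.12.0 255.255.255.0
access-list ADAM_HOME permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
"""
# The ASA crypto ACL as first posted (src/dst swapped) ...
ASA_CONFIG_BACKWARDS = """
access-list outside_1_cryptomap extended permit ip 172.31.1.0 255.255.255.0 172.31.12.0 255.255.255.0
"""
# ... and as corrected by lrmoore, plus the ASA NAT-exempt ACL.
ASA_CONFIG = """
access-list outside_1_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip any 192.168.10.96 255.255.255.240
access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0
"""


def _take_net(tokens):
    """Consume one PIX/ASA address spec: 'any', 'host A', or 'A MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acl(config, name):
    """Return the (src, dst) network pairs of the 'permit ip' lines of ACL
    `name`, in configuration order (the first matching line is the one used)."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        tokens = tokens[2:]
        if tokens[0] == "extended":        # ASA syntax; PIX 6.x omits it
            tokens.pop(0)
        if tokens[:2] != ["permit", "ip"]:
            continue                        # deny lines / non-IP lines skipped
        tokens = tokens[2:]
        src = _take_net(tokens)
        dst = _take_net(tokens)
        entries.append((src, dst))
    return entries


def mirror_mismatches(local_acl, remote_acl):
    """Local entries with no exact (dst, src) counterpart on the remote peer."""
    remote_pairs = {(s, d) for s, d in remote_acl}
    return [(s, d) for s, d in local_acl if (d, s) not in remote_pairs]


def shadowed_entries(acl):
    """Entries fully covered by an earlier, wider entry of the same ACL. The
    wider line is the one the firewall negotiates, so the peer sees e.g.
    172.31.0.0/16 where it expects 172.31.1.0/24."""
    return [(s, d) for i, (s, d) in enumerate(acl)
            if any(s.subnet_of(s2) and d.subnet_of(d2) for s2, d2 in acl[:i])]


def uncovered_by_nonat(crypto_acl, nonat_acl):
    """Crypto entries not covered by any NAT-exempt entry; such traffic is
    NATed before encryption and never matches the tunnel."""
    return [(s, d) for s, d in crypto_acl
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat_acl)]


def check_pair(local_cfg, local_name, local_nonat, remote_cfg, remote_name):
    """Run every check for one side and return the findings as a dict."""
    local = parse_acl(local_cfg, local_name)
    remote = parse_acl(remote_cfg, remote_name)
    return {
        "not_mirrored": mirror_mismatches(local, remote),
        "shadowed": shadowed_entries(local),
        "not_nat_exempt": uncovered_by_nonat(local, parse_acl(local_cfg, local_nonat)),
    }


if __name__ == "__main__":
    sides = {
        "PIX": (PIX_CONFIG, "ADAM_HOME", "vpn_nonat", ASA_CONFIG, "outside_1_cryptomap"),
        "ASA": (ASA_CONFIG, "outside_1_cryptomap", "nonat", PIX_CONFIG, "ADAM_HOME"),
    }
    for side, args in sides.items():
        for finding, entries in check_pair(*args).items():
            for s, d in entries:
                print(f"{side}: {finding}: {s} -> {d}")
```

Run as a script it lists one line per finding and prints nothing when both sides line up. With the two PIX lines present it reports the /16 entry as not mirrored and not NAT-exempt, and the /24 entry as shadowed; remove the /16 line and all three lists are empty, which is the state the tunnel needs.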
adamshields (Author) commented:
wilsj, attached are the most recent configurations, since some things have changed along the way.

lrmoore, I had removed the first line earlier and updated it to reflect the second one, so that doesn't seem to be the problem.
asa.txt
pix.txt

wilsj commented:
Everything seems to be correct. Try this:

deb icmp trace on both firewalls and see if you see the traffic. Make sure on both firewalls that the traffic is leaving un-NATed.

adamshields (Author) commented:
I'm not seeing any pongs to my ping packets when attempting to ping 1.0 from 12.0. I do not see requests or replies when attempting to contact 12.0 from 1.0. As a note, I can log in with a Cisco client and receive echo-requests and echo-replies. Seems like return traffic is not being allowed.

PIX
5: ICMP echo-request from outside:172.31.12.5 to 172.31.1.4 ID=512 seq=38400 length=40
6: ICMP echo-request from outside:172.31.12.5 to 172.31.1.4 ID=512 seq=38656 length=40
7: ICMP echo-request from outside:172.31.12.5 to 172.31.1.4 ID=512 seq=38912 length=40
8: ICMP echo-request from outside:172.31.12.5 to 172.31.1.4 ID=512 seq=39168 length=40
ASA
ICMP echo request from inside:172.31.12.5 to outside:172.31.1.4 ID=512 seq=38400 len=32
ICMP echo request from inside:172.31.12.5 to outside:172.31.1.4 ID=512 seq=38656 len=32
ICMP echo request from inside:172.31.12.5 to outside:172.31.1.4 ID=512 seq=38912 len=32
ICMP echo request from inside:172.31.12.5 to outside:172.31.1.4 ID=512 seq=39168 len=32


wilsj commented:
So you are seeing the request on the PIX from the host behind the ASA, so the replies are not coming back from the PIX to the ASA. Can host 172.31.1.4 ping its gateway?

adamshields (Author) commented:
Hosts 172.31.1.4 and 172.31.12.5 can ping their corresponding gateways.

wilsj commented:
What is the IP address of the inside interface of the PIX and subnetmask?

adamshields (Author) commented:
The PIX is at a colo that is connected to the main network via an MPLS connection to the main site's router.

ip address outside 1.1.1.1 255.255.255.252
ip address inside 10.1.9.2 255.255.255.252

wilsj commented:
OK, can you do a

sh route on the PIX and post it here, please.

adamshields (Author) commented:
See below.
# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 71.16.126.153 to network 0.0.0.0
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:39:28, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:39:38, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:40:27, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:37:31, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:37:41, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:39:23, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:40:49, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:40:59, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:41:21, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:41:31, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:42:22, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1193:02:47, inside
     71.0.0.0 255.255.255.252 is subnetted, 1 subnets
C       71.16.126.152  is directly connected, outside
     172.31.0.0 255.255.0.0 is variably subnetted, 16 subnets, 2 masks
O IA    172.31.250.1 255.255.255.255 [110/90] via 10.1.9.1, 3:53:46, inside

wilsj commented:
OK, can you do sh route inside?

adamshields (Author) commented:
See below.
# sh route inside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 71.16.126.153 to network 0.0.0.0
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:51:44, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:51:54, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 197:52:43, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:49:48, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:49:58, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1170:51:40, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:53:05, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:53:15, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:53:37, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:53:47, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1186:54:38, inside
O    255.255.255.255 255.255.255.255 [110/11] via 10.1.9.1, 1193:02:47, inside
     71.0.0.0 255.255.255.252 is subnetted, 1 subnets
     172.31.0.0 255.255.0.0 is variably subnetted, 16 subnets, 2 masks
O IA    172.31.250.1 255.255.255.255 [110/90] via 10.1.9.1, 4:06:02, inside
O IA    172.31.251.1 255.255.255.255 [110/76] via 10.1.9.1, 197:51:44, inside
O IA    172.31.254.1 255.255.255.255 [110/90] via 10.1.9.1, 169:05:36, inside
O IA    172.31.253.2 255.255.255.255 [110/43] via 10.1.9.1, 197:51:47, inside
O IA    172.31.252.1 255.255.255.255 [110/77] via 10.1.9.1, 169:05:32, inside
O IA    172.31.50.0 255.255.255.0 [110/76] via 10.1.9.1, 197:51:47, inside
O IA    172.31.40.0 255.255.255.0 [110/90] via 10.1.9.1, 169:05:37, inside
O IA    172.31.20.0 255.255.255.0 [110/77] via 10.1.9.1, 169:05:32, inside
O IA    172.31.30.0 255.255.255.0 [110/90] via 10.1.9.1, 4:06:06, inside
O E2    172.31.3.0 255.255.255.0 [110/1] via 10.1.9.1, 64:39:24, inside
O IA    172.31.2.0 255.255.255.0 [110/77] via 10.1.9.1, 169:05:32, inside
O IA    172.31.1.0 255.255.255.0 [110/43] via 10.1.9.1, 197:51:48, inside
O IA    172.31.5.0 255.255.255.0 [110/85] via 10.1.9.1, 197:51:49, inside
O IA    172.31.4.0 255.255.255.0 [110/99] via 10.1.9.1, 169:05:39, inside
O IA    172.31.10.0 255.255.255.0 [110/43] via 10.1.9.1, 197:51:49, inside
     10.0.0.0 255.0.0.0 is variably subnetted, 15 subnets, 2 masks
C       10.1.9.0 255.255.255.252 is directly connected, inside
O IA    10.1.3.0 255.255.255.252 [110/11] via 10.1.9.1, 64:39:21, inside
O IA    10.1.2.0 255.255.255.252 [110/11] via 10.1.9.1, 182:48:07, inside
O       10.1.1.0 255.255.255.0 [110/74] via 10.1.9.1, 197:51:49, inside
O       10.1.1.0 255.255.255.252 [110/42] via 10.1.9.1, 197:51:50, inside
O       10.1.5.0 255.255.255.252 [110/75] via 10.1.9.1, 197:51:50, inside
O IA    10.1.4.0 255.255.255.252 [110/11] via 10.1.9.1, 197:51:51, inside
O IA    10.10.20.0 255.255.255.0 [110/11187] via 10.1.9.1, 169:05:35, inside
O IA    10.20.10.0 255.255.255.0 [110/11153] via 10.1.9.1, 197:51:51, inside
O IA    10.10.30.0 255.255.255.0 [110/11200] via 10.1.9.1, 4:05:49, inside
O IA    10.30.10.0 255.255.255.0 [110/11153] via 10.1.9.1, 197:51:51, inside
O IA    10.10.40.0 255.255.255.0 [110/11200] via 10.1.9.1, 169:05:40, inside
O IA    10.40.10.0 255.255.255.0 [110/11153] via 10.1.9.1, 197:51:51, inside
O IA    10.50.10.0 255.255.255.0 [110/11153] via 10.1.9.1, 197:51:51, inside
O IA    10.10.50.0 255.255.255.0 [110/11186] via 10.1.9.1, 197:51:51, inside

adamshields (Author) commented:
Do I need to add 12.0 to the OSPF statement in the main router or the PIX?

wilsj commented:
Not unless the ASA is participating in OSPF.

I haven't worked with MPLS before.

But usually on the PIX and ASA, if the network that you want to route across a tunnel is on a different subnet than the inside interface, you have to have a route for it, i.e. route inside 172.31.1.0 255.255.255.0 10.1.9.2 (inside interface).

If you do a sh run, do you see anything like that on the PIX?

adamshields (Author) commented:
There is a: route outside 0.0.0.0 0.0.0.0 1.1.1.1, but I don't see any inside routing statements.

wilsj commented:
OK. Where is the 172.31.1.0/24 network coming from, or which interface is it coming from? Try this command:

route inside 172.31.1.0 255.255.255.0 <ip of the interface>

adamshields (Author) commented:
The 172.31.1.0 network is on the inside interface so I added:

route inside 172.31.1.0 255.255.255.0 10.1.9.2

I'm still not seeing replies to the ICMP requests.

adamshields (Author) commented:
ip route 172.31.12.0 255.255.255.0 10.1.9.2
ip route 192.168.2.0 255.255.255.0 10.1.9.2

There was an entry for the remote VPN clients that come through the PIX in the main router, so I added the 172.31.10.0 and that did it!
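An added example, not part of the thread, that makes the final diagnosis mechanical: parse each router's route table and do a longest-prefix-match lookup for the far-end host, the way the forwarding path would. The PIX entries are taken from the sh route inside output and the route outside statement posted above (sanitized addresses kept as posted, and the 10.1.9.2 inside address from the author's interface config); the core-router table, its interface names Serial0/0 and Vlan1 and its 203.0.113.1 upstream hop are constructed for illustration and do not come from the thread. Before the ip route line the author added, the core router sends replies for 172.31.12.5 to its default route instead of back to the PIX, which is exactly the one-way traffic the debug icmp trace output showed.

```python
"""Added example (not from the thread): longest-prefix-match lookups over
parsed Cisco route tables, to show where echo replies were lost once the
tunnel was up. PIX lines are from the thread; the core-router table,
its interface names and the 203.0.113.1 upstream hop are constructed."""
import ipaddress
import re
from collections import namedtuple

Route = namedtuple("Route", "prefix next_hop iface")

# Subset of the PIX `sh route inside` output posted above (addresses as posted).
PIX_SHOW_ROUTE = """
C       10.1.9.0 255.255.255.252 is directly connected, inside
O IA    172.31.1.0 255.255.255.0 [110/43] via 10.1.9.1, 197:51:48, inside
O IA    172.31.10.0 255.255.255.0 [110/43] via 10.1.9.1, 197:51:49, inside
O E2    172.31.3.0 255.255.255.0 [110/1] via 10.1.9.1, 64:39:24, inside
"""
# The PIX default route exactly as the author quoted it from the config.
PIX_STATIC = "route outside 0.0.0.0 0.0.0.0 1.1.1.1"
# PIX inside interface address, from the author's interface config.
PIX_INSIDE = "10.1.9.2"

# Constructed core-router table (not from the thread): it knows the MPLS
# link to the PIX and its LAN, but nothing about the ASA's 172.31.12.0/24.
CORE_SHOW_ROUTE = """
C       10.1.9.0 255.255.255.252 is directly connected, Serial0/0
C       172.31.1.0 255.255.255.0 is directly connected, Vlan1
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1
"""
# The route the author added on the core router to fix it.
CORE_FIX = "ip route 172.31.12.0 255.255.255.0 10.1.9.2"

IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_show_route(text):
    """Parse `show route` lines (connected or 'via' entries) into Routes.
    Route codes, [AD/metric] and OSPF age are skipped by position: the
    first two dotted quads on a line are the network and its mask."""
    routes = []
    for line in text.splitlines():
        tok = [t.rstrip(",") for t in line.split()]
        ips = [i for i, t in enumerate(tok) if IPV4.fullmatch(t)]
        if len(ips) < 2:
            continue                                  # legend/summary line
        prefix = ipaddress.ip_network(f"{tok[ips[0]]}/{tok[ips[1]]}", strict=False)
        if "via" in tok:
            nh = tok[tok.index("via") + 1]
            iface = tok[-1] if tok[-1] != nh else None  # no interface on 'S*' line
        else:                                         # directly connected
            nh, iface = None, tok[-1]
        routes.append(Route(prefix, nh, iface))
    return routes


def parse_static(line):
    """Parse a PIX 'route IFACE NET MASK NH' or IOS 'ip route NET MASK NH'."""
    tok = line.split()
    if tok[0] == "route":
        iface, net, mask, nh = tok[1:5]
    elif tok[:2] == ["ip", "route"]:
        iface, (net, mask, nh) = None, tok[2:5]
    else:
        raise ValueError(f"not a static route: {line!r}")
    return Route(ipaddress.ip_network(f"{net}/{mask}", strict=False), nh, iface)


def lookup(table, ip):
    """Longest-prefix match; returns the Route used for `ip`, or None."""
    ip = ipaddress.ip_address(ip)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def reply_reaches_pix(core_table, remote_host, pix_inside=PIX_INSIDE):
    """True if the core router forwards traffic for `remote_host` to the
    PIX, i.e. replies to hosts behind the ASA can re-enter the tunnel."""
    r = lookup(core_table, remote_host)
    return r is not None and r.next_hop == pix_inside


if __name__ == "__main__":
    pix = parse_show_route(PIX_SHOW_ROUTE) + [parse_static(PIX_STATIC)]
    print("PIX  -> 172.31.1.4  :", lookup(pix, "172.31.1.4"))   # inside via 10.1.9.1
    print("PIX  -> 172.31.12.5 :", lookup(pix, "172.31.12.5"))  # default, outside
    core = parse_show_route(CORE_SHOW_ROUTE)
    print("core -> 172.31.12.5 before fix:", lookup(core, "172.31.12.5"),
          reply_reaches_pix(core, "172.31.12.5"))
    core.append(parse_static(CORE_FIX))
    print("core -> 172.31.12.5 after fix :", lookup(core, "172.31.12.5"),
          reply_reaches_pix(core, "172.31.12.5"))
```

The same check applies to every hop between the VPN endpoint and the hosts: each router on the return path needs a route for the remote subnet that points back toward the tunnel endpoint, otherwise the encrypted side only ever sees requests.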
adamshields (Author) commented:
Thank you for the help that led me to find the route that needed to be added to the core router!

wilsj commented:
Glad to help.