Solved

Cisco Site to Site VPN ASA5510 to Pix501

Posted on 2009-03-30
2
503 Views
Last Modified: 2012-05-06
Having problems getting the site-to-site function working; does anyone see anything wrong with the configs?
:
ASA Version 7.0(7)
!
hostname CBFirewall
domain-name cbridges.com
enable password wRuOqDY/llmxUISg encrypted
names
name 192.168.54.0 OSC
name 192.168.51.0 CC
name 192.168.53.0 CFE
name 192.168.50.0 EV
name 192.168.40.0 COLO
name 192.168.52.0 Admin
name 192.168.40.22 MX
name 192.168.55.0 Payson
name 192.168.56.0 Globe
name 192.168.40.12 VPM
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 162.42.243.13 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.40.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd wRuOqDY/llmxUISg encrypted
ftp mode passive
clock timezone MST -7
dns domain-lookup Outside
dns domain-lookup Inside
dns name-server 192.168.40.14
dns name-server 205.171.3.65
dns name-server 205.171.2.65
access-list Inside_access_in extended permit tcp host 192.168.40.11 any eq smtp
access-list Inside_access_in extended permit tcp host VPM any eq smtp
access-list Inside_access_in extended permit tcp host 192.168.40.25 any
access-list Inside_access_in extended permit tcp host 192.168.40.14 any
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip COLO 255.255.255.0 192.168.57.0 255.255.255.0
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any any
access-list Outside_access_in extended permit tcp any eq smtp host 162.42.243.13 eq smtp
access-list Outside_access_in extended permit tcp any eq https host 162.42.243.14 eq https
access-list Outside_access_in extended permit tcp host 70.103.186.108 eq 1433 any
access-list Outside_access_in extended deny ip host 239.192.152.143 any
access-list Outside_access_in extended permit ip COLO 255.255.255.0 192.168.57.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging host Inside 192.168.52.251
logging permit-hostdown
mtu Outside 1500
mtu Inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 162.42.243.14 https 192.168.40.25 https netmask 255.255.255.255
static (Inside,Outside) tcp 162.42.243.14 smtp VPM smtp netmask 255.255.255.255
static (Inside,Outside) 162.42.243.12 MX netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 162.42.243.9 1
route Inside Payson 255.255.255.0 192.168.40.1 2
route Inside OSC 255.255.255.0 192.168.40.1 2
route Inside CFE 255.255.255.0 192.168.40.1 2
route Inside CC 255.255.255.0 192.168.40.1 2
route Inside EV 255.255.255.0 192.168.40.1 2
route Inside Admin 255.255.255.0 192.168.40.1 1
route Inside Globe 255.255.255.0 192.168.40.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http CFE 255.255.255.0 Inside
http CC 255.255.255.0 Inside
http Admin 255.255.255.0 Inside
http OSC 255.255.255.0 Inside
http EV 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group 63.230.233.133 type ipsec-l2l
tunnel-group 63.230.233.133 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
telnet CFE 255.255.255.0 Inside
telnet OSC 255.255.255.0 Inside
telnet COLO 255.255.255.0 Inside
telnet CC 255.255.255.0 Inside
telnet EV 255.255.255.0 Inside
telnet Admin 255.255.255.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:b2bb28bb5d57438a82efa5d08d607462
: end
CBFirewall#
 
 
==================================================
 
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.40.0 Co-Lo
access-list inside_outbound_nat0_acl permit ip 192.168.57.0 255.255.255.0 Co-Lo 255.255.255.0 
access-list outside_cryptomap_20 permit ip 192.168.57.0 255.255.255.0 Co-Lo 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.57.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 162.42.243.13 255.255.255.255 outside
pdm location 192.168.57.0 255.255.255.255 inside
pdm location Co-Lo 255.255.255.0 inside
pdm location Co-Lo 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside Co-Lo 255.255.255.0 162.42.243.13 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 192.168.57.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 162.42.243.13
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 162.42.243.13 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 162.42.243.13 255.255.255.255 outside
telnet 192.168.57.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname narbha
vpdn group pppoe_group ppp authentication pap
vpdn username narbha password ********* 
dhcpd address 192.168.57.100-192.168.57.199 inside
dhcpd dns 205.171.3.65 205.171.2.65
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:f963ab0d5036311f57bb3d7e6c687bf0
: end
[OK]


Question by:cbridgesaz
2 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24028732
If this is a site-to-site VPN, then the ASA is missing most of the code you will need: NoNAT, crypto ACL, no peer, etc.

Check this article from Cisco for a step-by-step on setting up the VPN. Try it, test it, then post back if you have any questions on the config.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

Good luck
0
 
LVL 5

Accepted Solution

by:yashinchalad earned 500 total points
ID: 24036495

@ ASA:
Seems NoNAT is missing; assuming it's Inside_access_in, then add the following.
nat (inside) 0 access-list Inside_access_in

access-list outside_cryptomap extended permit ip COLO 255.255.255.0 192.168.57.0 255.255.255.0

isakmp key ******** address <PIX end outside IP> netmask 255.255.255.255 no-xauth no-config-mode
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer <PIX end outside IP>
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside

Check for phase 1 and phase 2 build-ups through sh or debug.
0
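An added worked example, not part of the thread and not Cisco's or the answerer's own commands: the ASA side of the tunnel written against the two configs posted above, reusing the transform set myset and the crypto map mymap that the ASA already has. It departs from the accepted answer's snippet on two points. The NAT-exemption list is limited to the two LANs rather than reusing Inside_access_in, because that list ends in permit ip any any and a nat 0 on it would exempt every flow from the outbound PAT on global (Outside) 1. The static entry goes into mymap at sequence 5 instead of binding a second map named outside_map, because an interface carries exactly one crypto map (binding another would replace mymap) and the dynamic entry at sequence 10 has to stay the highest-numbered one. The PIX outside address and the pre-shared key are placeholders, and the ACL names Outside_cryptomap_5 and Inside_nat0_outbound are my own.

```cisco
! --- ASA 7.0(7), CBFirewall: static site-to-site entry toward the PIX (added example) ---
! Assumption: the PIX's PPPoE address is fixed; replace <PIX outside IP> with it.
! If 63.230.233.133 in the existing tunnel-group is that address, reuse that
! group and only make sure its pre-shared-key matches the PIX's isakmp key.
!
! 1. Interesting traffic: the exact mirror of the PIX's outside_cryptomap_20
!    (PIX side: 192.168.57.0/24 -> Co-Lo; ASA side: COLO -> 192.168.57.0/24).
access-list Outside_cryptomap_5 extended permit ip COLO 255.255.255.0 192.168.57.0 255.255.255.0
!
! 2. NAT exemption for the same pair only (mirrors the PIX's inside_outbound_nat0_acl).
!    Do not point nat 0 at Inside_access_in: it ends in "permit ip any any" and
!    would exempt all inside traffic from the PAT on global (Outside) 1.
access-list Inside_nat0_outbound extended permit ip COLO 255.255.255.0 192.168.57.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
!
! 3. Static entry in the map already bound to Outside, numbered below the
!    dynamic entry (mymap 10). myset = esp-3des esp-md5-hmac, the same
!    proposal as the PIX's ESP-3DES-MD5 transform set.
crypto map mymap 5 match address Outside_cryptomap_5
crypto map mymap 5 set peer <PIX outside IP>
crypto map mymap 5 set transform-set myset
! "crypto map mymap interface Outside" is already in the running config.
!
! 4. Phase 1 peer and key. isakmp policy 10 (pre-share, 3des, md5, group 2)
!    already matches the PIX's isakmp policy 20; the lifetimes (28800 vs 86400)
!    negotiate down to the lower value.
tunnel-group <PIX outside IP> type ipsec-l2l
tunnel-group <PIX outside IP> ipsec-attributes
 pre-shared-key <same key as the "isakmp key" line on the PIX>
!
! Verification after sending traffic between the two LANs:
!   ASA (7.0):   show isakmp sa            show ipsec sa
!   PIX (6.3):   show crypto isakmp sa     show crypto ipsec sa
```

One thing on the PIX side is worth checking before blaming the ASA: `route inside Co-Lo 255.255.255.0 162.42.243.13 1` sends the ASA's LAN toward the PIX's inside interface with the ASA's public address as next hop, so packets for 192.168.40.0/24 never reach the outside interface where outside_map is applied and never match the crypto ACL. Removing that route lets them follow the PPPoE default route (`ip address outside pppoe setroute`) and hit the crypto map. If the PIX's PPPoE address is not static, a fixed `set peer` on the ASA will not work and that case is not covered by this example.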
