Solved

Cisco Site to Site VPN ASA5510 to Pix501

Posted on 2009-03-30
491 Views
Last Modified: 2012-05-06
Having problems getting the site to site function working, does anyone see anything wrong with the configs?
:
ASA Version 7.0(7)
!
hostname CBFirewall
domain-name cbridges.com
enable password wRuOqDY/llmxUISg encrypted
names
name 192.168.54.0 OSC
name 192.168.51.0 CC
name 192.168.53.0 CFE
name 192.168.50.0 EV
name 192.168.40.0 COLO
name 192.168.52.0 Admin
name 192.168.40.22 MX
name 192.168.55.0 Payson
name 192.168.56.0 Globe
name 192.168.40.12 VPM
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 162.42.243.13 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.40.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd wRuOqDY/llmxUISg encrypted
ftp mode passive
clock timezone MST -7
dns domain-lookup Outside
dns domain-lookup Inside
dns name-server 192.168.40.14
dns name-server 205.171.3.65
dns name-server 205.171.2.65
access-list Inside_access_in extended permit tcp host 192.168.40.11 any eq smtp
access-list Inside_access_in extended permit tcp host VPM any eq smtp
access-list Inside_access_in extended permit tcp host 192.168.40.25 any
access-list Inside_access_in extended permit tcp host 192.168.40.14 any
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip COLO 255.255.255.0 192.168.57.0 255.255.255.0
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit tcp any any
access-list Outside_access_in extended permit tcp any eq smtp host 162.42.243.13 eq smtp
access-list Outside_access_in extended permit tcp any eq https host 162.42.243.14 eq https
access-list Outside_access_in extended permit tcp host 70.103.186.108 eq 1433 any
access-list Outside_access_in extended deny ip host 239.192.152.143 any
access-list Outside_access_in extended permit ip COLO 255.255.255.0 192.168.57.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging host Inside 192.168.52.251
logging permit-hostdown
mtu Outside 1500
mtu Inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 162.42.243.14 https 192.168.40.25 https netmask 255.255.255.255
static (Inside,Outside) tcp 162.42.243.14 smtp VPM smtp netmask 255.255.255.255
static (Inside,Outside) 162.42.243.12 MX netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 162.42.243.9 1
route Inside Payson 255.255.255.0 192.168.40.1 2
route Inside OSC 255.255.255.0 192.168.40.1 2
route Inside CFE 255.255.255.0 192.168.40.1 2
route Inside CC 255.255.255.0 192.168.40.1 2
route Inside EV 255.255.255.0 192.168.40.1 2
route Inside Admin 255.255.255.0 192.168.40.1 1
route Inside Globe 255.255.255.0 192.168.40.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http CFE 255.255.255.0 Inside
http CC 255.255.255.0 Inside
http Admin 255.255.255.0 Inside
http OSC 255.255.255.0 Inside
http EV 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 5
tunnel-group 63.230.233.133 type ipsec-l2l
tunnel-group 63.230.233.133 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
telnet CFE 255.255.255.0 Inside
telnet OSC 255.255.255.0 Inside
telnet COLO 255.255.255.0 Inside
telnet CC 255.255.255.0 Inside
telnet EV 255.255.255.0 Inside
telnet Admin 255.255.255.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:b2bb28bb5d57438a82efa5d08d607462
: end
CBFirewall#

==================================================

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.40.0 Co-Lo
access-list inside_outbound_nat0_acl permit ip 192.168.57.0 255.255.255.0 Co-Lo 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.57.0 255.255.255.0 Co-Lo 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.57.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 162.42.243.13 255.255.255.255 outside
pdm location 192.168.57.0 255.255.255.255 inside
pdm location Co-Lo 255.255.255.0 inside
pdm location Co-Lo 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside Co-Lo 255.255.255.0 162.42.243.13 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.57.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 162.42.243.13
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 162.42.243.13 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 162.42.243.13 255.255.255.255 outside
telnet 192.168.57.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname narbha
vpdn group pppoe_group ppp authentication pap
vpdn username narbha password *********
dhcpd address 192.168.57.100-192.168.57.199 inside
dhcpd dns 205.171.3.65 205.171.2.65
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:f963ab0d5036311f57bb3d7e6c687bf0
: end
[OK]

Question by:cbridgesaz
2 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 24028732
If this is a site to site vpn, then the ASA is missing most of the code you will need. Nonats, crypto ACL, no peer, etc....

Check this article from cisco for a step by step on setting up the VPN. Try it, test it, then post back if you have any questions on the config.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

Good luck
0
 
LVL 5

Accepted Solution

by: yashinchalad earned 500 total points
ID: 24036495

@ ASA:
It seems NoNat is missing; assuming it's Inside_access_in, add the following.
nat (inside) 0 access-list Inside_access_in

access-list outside_cryptomap extended permit ip COLO 255.255.255.0 192.168.57.0 255.255.255.0

isakmp key ******** address <PIX end outside IP> netmask 255.255.255.255 no-xauth no-config-mode
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer <PIX end outside IP>
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside

Check for phase 1 and phase 2 build-ups through sh or debug.
0
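As an added example (my own code, not from the thread), a small Python checker that reads excerpts of the two posted configs and reports, for one side, exactly what the accepted answer says the ASA lacks: a static crypto map entry whose peer is the other firewall and whose crypto ACL mirrors the other side's (with the Co-Lo/COLO name aliases resolved), and a nat 0 exemption ACL covering that traffic. It assumes 63.230.233.133 (the ASA's tunnel-group peer) is the PIX outside address, and in the corrected ASA excerpt it reuses the crypto ACL as the NAT-exempt ACL, which is my choice rather than the thread's.

```python
import re

# Constructed excerpts of the two configs posted in the thread (ASA 7.0(7) and PIX 6.3(5)).
ASA_CFG = """name 192.168.40.0 COLO
crypto map mymap 10 ipsec-isakmp dynamic dynmap
"""
PIX_CFG = """name 192.168.40.0 Co-Lo
access-list inside_outbound_nat0_acl permit ip 192.168.57.0 255.255.255.0 Co-Lo 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.57.0 255.255.255.0 Co-Lo 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 162.42.243.13
"""
# ASA side plus the accepted answer's lines; peer = 63.230.233.133 and nat 0 reusing the crypto ACL are assumptions.
ASA_FIXED = ASA_CFG + """access-list outside_cryptomap extended permit ip COLO 255.255.255.0 192.168.57.0 255.255.255.0
nat (Inside) 0 access-list outside_cryptomap
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 63.230.233.133
"""

def names(cfg):  # alias -> IP; the PIX calls the subnet Co-Lo, the ASA calls it COLO
    return {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}

def acl(cfg, acl_name, nm):  # 'permit ip' lines of one ACL as (src, smask, dst, dmask), aliases resolved
    pat = re.compile(rf"^access-list {re.escape(acl_name)} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    return {tuple(nm.get(t, t) for t in m.groups()) for m in pat.finditer(cfg)}

def static_maps(cfg):  # {(map, seq): {...}}; entries bound to a dynamic-map are dropped
    out = {}
    for mp, seq, key, val in re.findall(r"^crypto map (\S+) (\d+) (ipsec-isakmp|match address|set peer)(?: (\S+))?", cfg, re.M):
        out.setdefault((mp, seq), {})[key.split()[-1]] = val
    return {k: v for k, v in out.items() if v.get("ipsec-isakmp") != "dynamic"}

def check_l2l(local, peer, local_ip, peer_ip):
    """Return what `local` lacks for the L2L tunnel that `peer` has defined towards local_ip."""
    ln, pn = names(local), names(peer)
    pe = next((e for e in static_maps(peer).values() if e.get("peer") == local_ip), None)
    if pe is None:
        return [f"peer has no static crypto map entry with set peer {local_ip}"]
    want = {(d, dm, s, sm) for s, sm, d, dm in acl(peer, pe["address"], pn)}  # peer's crypto ACL, mirrored
    problems = []
    if not any(e.get("peer") == peer_ip and acl(local, e.get("address", ""), ln) == want
               for e in static_maps(local).values()):
        problems.append(f"no static crypto map entry with set peer {peer_ip} and a crypto ACL mirroring the peer's")
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", local, re.M)
    if m is None or not want <= acl(local, m.group(1), ln):
        problems.append("no nat 0 (NAT exemption) ACL covering the VPN traffic")
    return problems
```

Running `check_l2l(ASA_CFG, PIX_CFG, "162.42.243.13", "63.230.233.133")` lists both gaps the accepted answer names; with `ASA_FIXED` in place of `ASA_CFG` the list is empty in both directions.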
