Solved

Site to Site between Cisco PIX and Cisco ASA

Posted on 2009-07-14
Last Modified: 2012-05-07

I want to establish a site-to-site tunnel with one client; I have a Cisco PIX at my end and a Cisco ASA at the remote end.

Please find below the script at my end and let me know what I am missing.

! Server addresses the remote client wants to reach
name 172.XX.XX.5 LHI_LAN2
name 172.XX.XX.6 LHI_LAN3
name 172.XX.XX.7 LHI_LAN4
! Cisco ASA IP
name 12X.2XX.2XX.1XX VPN_Gateway



access-list 99 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.5 255.255.255.255
access-list 99 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.6 255.255.255.255
access-list 99 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.7 255.255.255.255



access-list 60 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.5 255.255.255.255
access-list 60 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.6 255.255.255.255
access-list 60 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.7 255.255.255.255

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac


crypto map remote 60 ipsec-isakmp
crypto map remote 60 match address 60
crypto map remote 60 set peer 12X.2XX.2XX.1XX
crypto map remote 60 set transform-set ESP-3DES-SHA
crypto map remote 60 set security-association lifetime seconds 28800 kilobytes 4608000

isakmp key XXXXXXX address 12X.2XX.2XX.1XX netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
Question by: Aariz

5 Comments


Expert Comment

by: yashinchalad
ID: 24848252

Good enough.

We understand 99 is your nat 0 (nonat) ACL, and that you have
crypto map remote interface <nameif outside>

(If it's a new site-to-site tunnel, you may need to apply the map to the interface.)

Please let me know if you need any help.
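For reference, here is a complete PIX 6.3-style configuration for the local end that includes the pieces the comment above points at: the nat 0 exemption, the crypto map bound to the outside interface, and ISAKMP enabled on that interface. This is an added example, not the poster's configuration or Cisco documentation; the addresses (10.0.0.0/16 local LAN, 172.16.1.5 to .7 remote servers, 198.51.100.10 remote ASA, 203.0.113.10 this PIX), the ACL names and the key are placeholders.

```cisco
! Cisco PIX 6.3 side (local end). Placeholders (added example, not the original config):
!   10.0.0.0/16    local LAN behind the PIX
!   172.16.1.5-7   servers behind the remote ASA
!   198.51.100.10  remote ASA outside address
!   203.0.113.10   this PIX outside address
!
! 1. Traffic to the remote hosts must bypass NAT; ACL "nonat" feeds nat 0.
access-list nonat permit ip 10.0.0.0 255.255.0.0 host 172.16.1.5
access-list nonat permit ip 10.0.0.0 255.255.0.0 host 172.16.1.6
access-list nonat permit ip 10.0.0.0 255.255.0.0 host 172.16.1.7
nat (inside) 0 access-list nonat
!
! 2. Interesting traffic for the tunnel. Same entries, separate ACL; the ASA
!    side must carry the exact mirror (172.16.1.x -> 10.0.0.0/16).
access-list l2l-asa permit ip 10.0.0.0 255.255.0.0 host 172.16.1.5
access-list l2l-asa permit ip 10.0.0.0 255.255.0.0 host 172.16.1.6
access-list l2l-asa permit ip 10.0.0.0 255.255.0.0 host 172.16.1.7
!
! 3. Phase 2 proposal and crypto map entry (same values as the question).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map remote 60 ipsec-isakmp
crypto map remote 60 match address l2l-asa
crypto map remote 60 set peer 198.51.100.10
crypto map remote 60 set transform-set ESP-3DES-SHA
crypto map remote 60 set security-association lifetime seconds 28800 kilobytes 4608000
!
! 4. The two lines the question is missing: bind the map to the outside
!    interface and enable ISAKMP there. Without them the PIX never initiates
!    or answers IKE for this peer.
crypto map remote interface outside
isakmp enable outside
!
! 5. Phase 1: pre-shared key scoped to the peer address, identity by address,
!    policy matching the ASA (3des/sha/group 5/86400 s). no-xauth and
!    no-config-mode keep this L2L peer out of any remote-access xauth/mode-config
!    that may also be enabled on the outside interface.
isakmp identity address
isakmp key <psk> address 198.51.100.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
!
! 6. Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

The tunnel is only brought up by interesting traffic, so send something from 10.0.0.0/16 to one of the three hosts and then check `show isakmp sa` (phase 1, state QM_IDLE when up) and `show crypto ipsec sa` (encaps/decaps counters incrementing). The cipher suite is kept as in the thread for fidelity to the 2009 setup; 3DES and SHA-1 are not a recommendation, and any platform that supports it should use AES with a SHA-2 integrity algorithm.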
 

Author Comment

by: Aariz
ID: 24848319
I have fixed the issue here as NAT is not required because both the subnets are not identical.

Accepted Solution

by: Istvan Kalmar (earned 500 total points)
ID: 24868706

Hi,
On the newer ASA you want to change the script to:

crypto map remote 60 ipsec-isakmp
crypto map remote 60 match address 60
crypto map remote 60 set peer 12X.2XX.2XX.1XX
crypto map remote 60 set transform-set ESP-3DES-SHA

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key ******



crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400

Expert Comment

by: Istvan Kalmar
ID: 24868715
crypto map remote interface outside
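The accepted solution lists the ASA-specific commands (tunnel-group, crypto isakmp) but not the mirrored crypto ACL or NAT exemption that the ASA end also needs. The following is an added example of the complete ASA side in 7.2 to 8.2 syntax (8.3 and later replaced nat (inside) 0 with object NAT), not the remote client's configuration. The addresses (172.16.1.5 to .7 servers behind the ASA, 10.0.0.0/16 LAN behind the PIX, 203.0.113.10 PIX outside address, 198.51.100.10 this ASA), the map name outside_map, the ACL names and the key are placeholders.

```cisco
! Cisco ASA side (remote end), ASA 7.2-8.2 syntax. Placeholders (added example,
! not the client's configuration):
!   172.16.1.5-7   servers on the ASA inside network that the PIX LAN may reach
!   10.0.0.0/16    LAN behind the PIX
!   203.0.113.10   PIX outside address (the peer)
!   198.51.100.10  this ASA outside address
!
! 1. NAT exemption for tunnel traffic (mirror of the PIX side: local hosts first).
access-list nonat extended permit ip host 172.16.1.5 10.0.0.0 255.255.0.0
access-list nonat extended permit ip host 172.16.1.6 10.0.0.0 255.255.0.0
access-list nonat extended permit ip host 172.16.1.7 10.0.0.0 255.255.0.0
nat (inside) 0 access-list nonat
!
! 2. Crypto ACL: exact mirror of the PIX "match address" ACL. A mismatch in the
!    source/destination pairs fails phase 2 (debug crypto ipsec reports
!    "proxy identities not supported").
access-list l2l-pix extended permit ip host 172.16.1.5 10.0.0.0 255.255.0.0
access-list l2l-pix extended permit ip host 172.16.1.6 10.0.0.0 255.255.0.0
access-list l2l-pix extended permit ip host 172.16.1.7 10.0.0.0 255.255.0.0
!
! 3. Phase 2 proposal identical to the PIX; the map is bound to outside.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 60 match address l2l-pix
crypto map outside_map 60 set peer 203.0.113.10
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map interface outside
!
! 4. Phase 1: the ASA keys the PSK on the peer address through a tunnel-group
!    of type ipsec-l2l; the policy must match the PIX (3des/sha/group 5/86400 s).
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <psk>
!
! 5. Default on the ASA, shown for completeness: decrypted VPN traffic bypasses
!    the outside interface ACL.
sysopt connection permit-vpn
```

Once traffic flows, `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA should show the phase 1 SA with the PIX address and incrementing encaps/decaps counters, and `show vpn-sessiondb l2l` lists the tunnel. The tunnel-group name must be the peer's public address exactly as the PIX presents it (hence `crypto isakmp identity address` on both sides); an ASA with no matching tunnel-group falls back to DefaultL2LGroup, which has no key for this peer, and phase 1 fails.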
 

Author Closing Comment

by: Aariz
ID: 31603189
I dug more and resolved it on my own.