Solved

Site to Site between Cisco PIX and Cisco ASA

Posted on 2009-07-14
210 Views
Last Modified: 2012-05-07

I want to establish a Site to Site tunnel with one client, as I have a Cisco PIX at my end and a Cisco ASA at the remote end.

Please find below the script at my end and let me know what I am missing.

name 172.XX.XX.5 LHI_LAN2 (server address which the remote client wants to open)
name 172.XX.XX.6 LHI_LAN3 (server address which the remote client wants to open)
name 172.XX.XX.7 LHI_LAN4 (server address which the remote client wants to open)
name 12X.2XX.2XX.1XX VPN_Gateway (Cisco ASA IP)

access-list 99 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.5 255.255.255.255
access-list 99 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.6 255.255.255.255
access-list 99 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.7 255.255.255.255

access-list 60 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.5 255.255.255.255
access-list 60 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.6 255.255.255.255
access-list 60 permit ip 10.X.0.0 255.255.0.0 172.XX.XX.7 255.255.255.255

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map remote 60 ipsec-isakmp
crypto map remote 60 match address 60
crypto map remote 60 set peer 12X.2XX.2XX.1XX
crypto map remote 60 set transform-set ESP-3DES-SHA
crypto map remote 60 set security-association lifetime seconds 28800 kilobytes 4608000

isakmp key XXXXXXX address 12X.2XX.2XX.1XX netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
Question by: Aariz

5 Comments
Expert Comment by: yashinchalad (LVL 5)
ID: 24848252

good enough....

We understand 99 as your nat 0 (nonat), and it has
crypto map remote interface <nameif outside>

(If it's a new site to site, you may need to apply the map to the interface.)

Please let me know if you need any help....

Author Comment by: Aariz
ID: 24848319

I have fixed the issue here, as NAT is not required because the two subnets are not identical.
Accepted Solution by: Istvan Kalmar (LVL 34, earned 500 total points)
ID: 24868706

Hi,
On the newer ASA you want to change the script to:

crypto map remote 60 ipsec-isakmp
crypto map remote 60 match address 60
crypto map remote 60 set peer 12X.2XX.2XX.1XX
crypto map remote 60 set transform-set ESP-3DES-SHA

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key ******

crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
Expert Comment by: Istvan Kalmar (LVL 34)
ID: 24868715

crypto map remote interface outside
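As an added example (not from the thread, and not Cisco's or the author's code), the following Python script lints a PIX 6.x or ASA site-to-site configuration for exactly the omissions the question and the accepted answer turn on: whether the crypto map is bound to an interface, whether ISAKMP is enabled, whether the peer has a pre-shared key (as `isakmp key` on PIX or under `tunnel-group ... ipsec-attributes` on ASA), and whether each map entry references a defined ACL and transform-set. The two embedded configs are constructed from the thread's snippets with placeholder addresses (10.1.0.0/16, 172.16.1.x, 203.0.113.10) and a placeholder key; the ASA sample uses the corrected map name `remote`. Run against the question's config it reports the unbound map and missing `isakmp enable`; against the corrected ASA config it reports nothing.

```python
"""Lint a PIX 6.x / ASA site-to-site IPsec config for the omissions that most
often leave a tunnel dead. Both samples are constructed with placeholder values."""
import re

# Constructed from the question's PIX config (addresses and key are placeholders).
PIX_CONFIG = """\
access-list 60 permit ip 10.1.0.0 255.255.0.0 172.16.1.5 255.255.255.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map remote 60 match address 60
crypto map remote 60 set peer 203.0.113.10
crypto map remote 60 set transform-set  ESP-3DES-SHA
isakmp key PLACEHOLDER-KEY address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50  hash sha
 isakmp policy 50 group 5
"""

# Constructed from the accepted answer's ASA config, map name corrected to 'remote'.
ASA_CONFIG = """\
access-list 60 extended permit ip 10.1.0.0 255.255.0.0 host 172.16.1.5
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map remote 60 match address 60
crypto map remote 60 set peer 203.0.113.10
crypto map remote 60 set transform-set ESP-3DES-SHA
crypto map remote interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 hash sha
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
"""

# Commands that stay top-level even when a paste gives them a stray leading space
# (the question's " isakmp policy 50 group 5" is one such line).
TOP_LEVEL = ("crypto ", "isakmp ", "access-list ", "tunnel-group ", "name ", "nat ")


def flatten(text):
    """Expand ASA block syntax into one flat line per setting, e.g.
    'crypto isakmp policy 50' + ' hash sha' -> 'crypto isakmp policy 50 hash sha'.
    Flat PIX 6.x lines pass through; runs of spaces are collapsed."""
    lines, parent = [], ""
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if not line or line.startswith("!"):
            continue
        if raw[0] in " \t" and not line.startswith(TOP_LEVEL):
            lines.append(f"{parent} {line}")
        else:
            parent = line
            lines.append(line)
    return lines


def check_site_to_site(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = flatten(text)

    def grep(pattern):
        return [m for line in lines if (m := re.match(pattern, line))]

    acls = {m.group(1) for m in grep(r"access-list (\S+) (?:extended )?permit ")}
    tsets = {m.group(1) for m in grep(r"crypto ipsec transform-set (\S+) ")}
    bound = {m.group(1) for m in grep(r"crypto map (\S+) interface \S+")}
    # PIX 6.x keeps the PSK in 'isakmp key'; ASA moves it under tunnel-group.
    psk_peers = {m.group(1) for m in grep(r"(?:crypto )?isakmp key \S+ address (\S+)")}
    psk_peers |= {m.group(1) for m in grep(r"tunnel-group (\S+) ipsec-attributes pre-shared-key ")}

    entries = {}  # (map name, seq) -> {setting: value}
    for m in grep(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)"):
        entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)

    findings = []
    if not entries:
        findings.append("no crypto map entries found")
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        for setting, defined, what in (("match address", acls, "ACL"),
                                       ("set transform-set", tsets, "transform-set")):
            value = e.get(setting)
            if value is None:
                findings.append(f"{tag}: missing '{setting}'")
            elif value not in defined:
                findings.append(f"{tag}: {what} {value} is not defined")
        peer = e.get("set peer")
        if peer is None:
            findings.append(f"{tag}: missing 'set peer'")
        elif peer not in psk_peers:
            findings.append(f"{tag}: no pre-shared key for peer {peer} (isakmp key / tunnel-group)")
    for name in sorted({n for n, _ in entries}):
        if name not in bound:
            findings.append(f"crypto map {name}: not applied to any interface ('crypto map {name} interface outside')")
    if not grep(r"(?:crypto )?isakmp enable \S+"):
        findings.append("ISAKMP is not enabled on any interface ('isakmp enable outside')")
    if not grep(r"(?:crypto )?isakmp policy \d+ authentication pre-share"):
        findings.append("no ISAKMP policy uses pre-shared-key authentication")
    return findings


if __name__ == "__main__":
    for label, cfg in (("PIX (question)", PIX_CONFIG), ("ASA (accepted answer)", ASA_CONFIG)):
        print(label, "->", check_site_to_site(cfg) or ["OK"])
```

The checks are deliberately syntactic: the script only confirms that each piece the tunnel depends on is present and cross-references correctly, which is what a `show crypto map` / `show isakmp sa` session on the box would otherwise reveal one symptom at a time. Feed it the output of `show running-config` from either platform; the `flatten` step is what lets one set of patterns cover both the flat PIX 6.x syntax and the indented ASA blocks.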
 

Author Closing Comment by: Aariz
ID: 31603189

I dug more and resolved it on my own.
