Cisco ASA to Cisco PIX VPN

I have a client that has a Cisco ASA 5505 in their main office.  I am trying to configure it to create a Point to Point VPN to a remote office with a Cisco PIX 501.  The 501 is running 6.3.5.  Here are the configs that I have so far.  It isn't working so I must be missing something:

Cisco ASA at main office....
ASA Version 7.2(4)
!
hostname arrow-asa
domain-name xxxxx.local
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.8.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name hsba.local
access-list outside_1_cryptomap extended permit ip 10.1.8.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.8.0 255.255.255.0 10.1.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.1.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.1.8.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.8.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context

_____________________________________________________________
Cisco PIX at remote office

PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
access-list outside_1_cryptomap permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list inside_nat0_outbound permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 10.1.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_nat0_outbound in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 ipsec-isakmp
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 10.1.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 10.1.10.100-10.1.10.130 inside
dhcpd dns 10.1.8.7 72.240.13.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80



Need help ASAP.  I'm at the remote office and need to get this VPN up before I leave!

Thanks for your help.
LiberatingInsightAsked:
sidetrackedCommented:
Try to do a debug.

First do a "debug crypto isakmp" to get a sense of whether it's phase 1 or 2 that's going wrong.

If isakmp is OK, then you need to do a "debug crypto ipsec" and see what that says.

Try to dumb down everything that can go wrong: you can remove PFS, try a simple shared key like 123.

Also, to be sure you have a clean slate when you are fault-finding and changing things, remove and reapply the crypto map on the outside interface, just to make sure. I know the ASA can be troublesome this way.
0
chouckhamCommented:
I have not had a chance to check both configs yet (will get back to you in an hour) but have you cleared the IPsec SA?


on PIX:

pix# config t
pix(config)# clear crypto ipsec sa


on ASA:

tear down the IPSec connection, which also clears the security associations related to phase 2:
ASA# clear crypto ipsec sa

clear the security associations related to phase 1 as follows:
ASA# clear crypto isakmp sa
0
chouckhamCommented:
Your Diffie-Hellman groups are not the same:

Group 2 is used on PIX:
isakmp policy 1 group 2


Group 1 is used on ASA:
crypto map outside_map 1 set pfs group1


you can either set these to the same number or remove the entry completely.


-Craig
0
LiberatingInsightAuthor Commented:
I changed the PIX to Group 1 to match the ASA.  I also cleared the IPSec SA on both the PIX and the ASA.  Now if I try to ping the other side and do a "sh isakmp sa" I see the tunnel start but get a "MM_NO_STATE".
Thoughts???
0
chouckhamCommented:
This specific error MM_NO_STATE generally means a problem with Phase 1.

You need to clear the IPsec SA again, send some interesting traffic through and watch the debug logs intently...

It could be something so simple and we're not seeing it in the config but the logs should show what it is.

Any chance of you performing the process above and then pasting your debug logs?


-Craig
0
LiberatingInsightAuthor Commented:
I get this...

 IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= External IP of PIX, remote= External IP of ASA,
    local_proxy= 10.1.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.8.0/255.255.255.0/0/0 (type=4)
0
LiberatingInsightAuthor Commented:
I just went through and changed the isakmp key on both the ASA and the PIX to verify that they were the same.  Still no luck.
0
LiberatingInsightAuthor Commented:
I rebooted the ASA and when it was coming up here is what I got on the PIX...

ISAKMP (0): beginning Main Mode exchangesh isakmp sa
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
crypto_isakmp_process_block:src:96.246.141.122, dest:XXX.XXX.XXX.XXX spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired: count = 1,
  (identity) local= XXX.XXX.XXX.XXX, remote= XXX.XXX.XXX.XXX,
    local_proxy= 10.1.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.8.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): deleting SA: src XXX.XXX.XXX.XXX, dst XXX.XXX.XXX.XXX
ISADB: reaper checking SA 0xac9cb4, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for XXX.XXX.XXX.XXX/500 not found - peers:0
0
chouckhamCommented:
add this line to your ASA config: (just noticed this is present on our configs)

crypto isakmp identity address
0
Texas_BillyCommented:
Your DH groups were fine, they were both group 2, based on the configs you posted.  The commands specifying DH are
ASA:  group 2 (in your isakmp policy)
PIX:  isakmp policy 1 group 2

You do, however, have a mismatch in your PFS group, from what I can tell.  When you do a show run on these devices and you view your crypto map in the output, you'll see "set pfs" but it won't show you the group you selected.  On your ASA, you showed us that you set group 1, you didn't show us that on your PIX.  If, on your PIX, you enabled PFS at the GUI, but didn't specify a group, it defaulted to group 2.  So if you want your PIX to use PFS group 1 like you have configured on the ASA, change that in the PIX isakmp policy.  A better model is to change the ASA to use "set pfs group2" in your crypto map and let them both use group 2.  Hope this helps.

--TX
0
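A check worth running before reaching for debug, added here as an example and not part of the thread: it parses the crypto sections of the two posted configs (constructed excerpts of the ASA and PIX configs above) and reports where the phase 1 policy, transform-set or PFS proposals differ, applying the "set pfs with no group means group2" rule Texas_Billy describes.

```python
import re

# Constructed excerpts modelled on the two configs posted above (not the poster's full configs).
ASA_CFG = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
PIX_CFG = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set transform-set ESP-3DES-SHA
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
"""

# Matches both the ASA block form (" group 2") and the PIX one-line form ("isakmp policy 1 group 2").
ATTR = re.compile(r'(?:isakmp policy \d+ )?(authentication|encryption|hash|group|lifetime) (\S+)$')

def phase1(cfg):
    """ISAKMP (phase 1) policy attributes as a dict, e.g. {'group': '2', 'hash': 'sha', ...}."""
    return dict(m.groups() for m in map(ATTR.match, (l.strip() for l in cfg.splitlines())) if m)

def transform(cfg):
    """Phase 2 transform proposals (encryption + integrity) as a sorted list."""
    m = re.search(r'^crypto ipsec transform-set \S+ (.+)$', cfg, re.M)
    return sorted(m.group(1).split()) if m else None

def pfs_group(cfg):
    """PFS DH group the crypto map will use; 'set pfs' alone means group2 on both platforms."""
    m = re.search(r'set pfs(?: (group\d+))?$', cfg, re.M)
    return (m.group(1) or 'group2') if m else None   # None = PFS disabled

def compare(a, b):
    """Human-readable mismatches between two peers; an empty list means the proposals agree."""
    pa, pb = phase1(a), phase1(b)
    issues = [f"phase1 {k}: {pa.get(k)} vs {pb.get(k)}" for k in sorted(set(pa) | set(pb)) if pa.get(k) != pb.get(k)]
    if transform(a) != transform(b):
        issues.append(f"transform-set: {transform(a)} vs {transform(b)}")
    if pfs_group(a) != pfs_group(b):
        issues.append(f"pfs: {pfs_group(a)} vs {pfs_group(b)}")
    return issues
```

Run against the two excerpts, `compare(ASA_CFG, PIX_CFG)` reports only the PFS mismatch (group1 vs group2), which is the disagreement the thread settles on.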
LiberatingInsightAuthor Commented:
I ended up reloading the config on the ASA from a command line, based on a config that was working on a PIX 501 to PIX 501 VPN that I had set up.  Everything seems to be working except I cannot SSH in to either the PIX or the ASA from the outside.  Also I cannot ping across the network but traffic does flow.  So ICMP is being blocked somehow.
0
chouckhamCommented:
For ICMP add the following lines:

ASA
access-list inside_nat0_outbound extended permit icmp 10.1.8.0 255.255.255.0 10.1.10.0 255.255.255.0

PIX
access-list inside_nat0_outbound permit icmp 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0


For the SSH - is it possible that during your configurations your domain or hostname has changed on the devices? If so you will need to generate your RSA keys again.

ASA
crypto key generate rsa modulus 1024

PIX
ca gen rsa key 1024
0