LiberatingInsight
Cisco ASA to Cisco PIX VPN
I have a client that has a Cisco ASA 5505 in their main office. I am trying to configure it to create a point-to-point VPN to a remote office with a Cisco PIX 501. The 501 is running 6.3.5. Here are the configs that I have so far. It isn't working, so I must be missing something:
Cisco ASA at main office....
ASA Version 7.2(4)
!
hostname arrow-asa
domain-name xxxxx.local
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.8.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.0
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name hsba.local
access-list outside_1_cryptomap extended permit ip 10.1.8.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.8.0 255.255.255.0 10.1.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.1.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.1.8.0 255.255.255.0 inside
telnet timeout 5
ssh 10.1.8.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
__________________________ __________ __________ __________ _____
Cisco PIX at remote office
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
access-list outside_1_cryptomap permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
access-list inside_nat0_outbound permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.0
ip address inside 10.1.10.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_nat0_outbound in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 ipsec-isakmp
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
telnet 10.1.10.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 10.1.10.100-10.1.10.130 inside
dhcpd dns 10.1.8.7 72.240.13.5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Need help ASAP. I'm at the remote office and need to get this VPN up before I leave!
Thanks for your help.
I have not had a chance to check both configs yet (will get back to you in an hour) but have you cleared the IPsec SA?
on PIX:
pix# config t
pix(config)# clear crypto ipsec sa
on ASA:
tear down the IPSec connection, which also clears the security associations related to phase 2:
ASA# clear crypto ipsec sa
clear the security associations related to phase 1 as follows:
ASA# clear crypto isakmp sa
Your Diffie-Hellman groups are not the same:
Group 2 is used on PIX:
isakmp policy 1 group 2
Group 1 is used on ASA:
crypto map outside_map 1 set pfs group1
you can either set these to the same number or remove the entry completely.
-Craig
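The mismatch Craig points at is easier to see when the two configs are diffed mechanically instead of by eye. The checker below is an added example, not part of the original thread or any Cisco tool: it parses constructed excerpts of the two configs posted above and compares the phase-1 ISAKMP policy, the phase-2 PFS group (a bare `set pfs` with no group argument means group1 on PIX and ASA) and the crypto ACLs, which must be mirror images of each other.

```python
# Constructed excerpts of the two configs posted above; only the lines the checker needs are kept.
ASA_CFG = """
access-list outside_1_cryptomap extended permit ip 10.1.8.0 255.255.255.0 10.1.10.0 255.255.255.0
crypto map outside_map 1 set pfs group1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
PIX_CFG = """
access-list outside_1_cryptomap permit ip 10.1.10.0 255.255.255.0 10.1.8.0 255.255.255.0
crypto map outside_map 1 set pfs
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
"""
P1_KEYS = ("authentication", "encryption", "hash", "group")

def parse(cfg):
    """Pull the phase-1 policy, phase-2 PFS group and crypto-ACL proxy IDs out of a PIX/ASA config."""
    p1, pfs, acl = {}, None, set()
    for line in cfg.splitlines():
        w = line.split()
        if len(w) == 2 and w[0] in P1_KEYS:              # ASA: keys nested under 'crypto isakmp policy N'
            p1[w[0]] = w[1]
        elif w[:2] == ["isakmp", "policy"] and len(w) == 5 and w[3] in P1_KEYS:  # PIX 6.x flat form
            p1[w[3]] = w[4]
        elif "set pfs" in line:                           # bare 'set pfs' means Diffie-Hellman group1
            pfs = w[-1] if w[-1] != "pfs" else "group1"
        elif w[:1] == ["access-list"] and "permit" in w:
            i = w.index("ip")                             # ((src net, mask), (dst net, mask))
            acl.add(((w[i + 1], w[i + 2]), (w[i + 3], w[i + 4])))
    return {"phase1": p1, "pfs": pfs, "acl": acl}

def mismatches(a, b):
    """List the settings that differ in a way that would keep the L2L tunnel from negotiating."""
    out = []
    for k in P1_KEYS:                                     # phase 1 (ISAKMP policy) must match exactly
        if a["phase1"].get(k) != b["phase1"].get(k):
            out.append(f"phase1 {k}: {a['phase1'].get(k)} vs {b['phase1'].get(k)}")
    if a["pfs"] != b["pfs"]:                              # phase 2 PFS group is negotiated separately
        out.append(f"phase2 pfs: {a['pfs']} vs {b['pfs']}")
    if {(d, s) for s, d in a["acl"]} != b["acl"]:         # crypto ACLs must be mirror images
        out.append("crypto ACLs are not mirror images")
    return out
```

Run `mismatches(parse(ASA_CFG), parse(PIX_CFG))` on the excerpts as posted and on a copy where one side's group or ACL has been changed to see which phase the checker flags.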
ASKER
I changed the PIX to Group 1 to match the ASA. I also cleared the IPSec SA on both the PIX and the ASA. Now if I try to ping the other side and do a "sh isakmp sa" I see the tunnel start but get a "MM_NO_STATE".
Thoughts???
This specific error MM_NO_STATE generally means a problem with Phase 1.
You need to clear the IPsec SA again, send some interesting traffic through and watch the debug logs intently...
It could be something so simple and we're not seeing it in the config but the logs should show what it is.
Any chance of you performing the process above and then pasting your debug logs?
-Craig
ASKER
I get this...
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= External IP of PIX, remote= External IP of ASA,
local_proxy= 10.1.10.0/255.255.255.0/0/ 0 (type=4),
remote_proxy= 10.1.8.0/255.255.255.0/0/0 (type=4)
ASKER
I just went through and changed the isakmp key on both the ASA and the PIX to verify that they were the same. Still no luck.
ASKER
I rebooted the ASA and when it was coming up here is what I got on the PIX...
ISAKMP (0): beginning Main Mode exchangesh isakmp sa
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
crypto_isakmp_process_block:src:96.246.141.122, dest:XXX.XXX.XXX.XXX spt:500 dpt:500
return status is IKMP_NO_ERR_NO_TRANS
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= XXX.XXX.XXX.XXX, remote= XXX.XXX.XXX.XXX,
local_proxy= 10.1.10.0/255.255.255.0/0/ 0 (type=4),
remote_proxy= 10.1.8.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src XXX.XXX.XXX.XXX, dst XXX.XXX.XXX.XXX
ISADB: reaper checking SA 0xac9cb4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for XXX.XXX.XXX.XXX/500 not found - peers:0
add this line to your ASA config: (just noticed this is present on our configs)
crypto isakmp identity address
ASKER
I ended up reloading the config on the ASA from a command line based on a config that was working on a PIX 501 to PIX 501 VPN that I had set up. Everything seems to be working except I cannot SSH into either the PIX or the ASA from the outside. Also I cannot ping across the network, but traffic does flow. So ICMP is being blocked somehow.
First do a "debug crypto isakmp" to get a sense of whether it's phase 1 or 2 that's going wrong.
If isakmp is OK, then you need to do a "debug crypto ipsec" and see what that says.
Try to dumb down everything that can go wrong: you can remove PFS, try a simple shared key like 123.
Also, to be sure you have a clean slate when you are fault-finding and changing things, remove and reapply the crypto map on the outside interface, just to make sure. I know the ASA can be troublesome this way.