
site-to-site VPN between ASA5510 and PIX525, Problem

Hello experts,
I am trying to build a VPN between an ASA and a PIX. After configuring both sides, neither LAN can reach the other. I have checked on the ASA and the PIX, and the ISAKMP and IPsec SAs were established. I am not sure what's wrong in my configuration and need your help on this. I will post the configurations on other pages.

thanks

Author

Commented:
PIX# sh run
: Saved
:
PIX Version 8.0(4)28
!
hostname PIX
domain-name ciscopix.com
enable password piOrULOo5tMFpYSX encrypted
passwd piOrULOo5tMFpYSX encrypted
names
dns-guard
!
interface Ethernet0
 duplex full
 nameif outside
 security-level 0
 ip address 202.106.1.138 255.255.255.252
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.137.18.3 255.255.255.0
!
interface Ethernet2
 nameif dmz1
 security-level 10
 ip address 202.106.0.93 255.255.255.252
!
interface Ethernet3
 shutdown
 nameif dmz2
 security-level 20
 no ip address
!
interface Ethernet4
 shutdown
 nameif dmz3
 security-level 30
 no ip address
!
interface Ethernet5
 duplex full
 nameif 3511
 security-level 0
 pppoe client vpdn group 3511
 ip address pppoe setroute
!
boot system flash:/pix804-28.bin
ftp mode passive
clock timezone gmt 8
dns server-group DefaultDNS
 domain-name ciscopix.com
access-list outside-acl extended permit ip host 61.144.17.117 host 202.106.0.94
access-list outside-acl extended permit ip host 218.1.103.170 host 202.106.0.94
access-list outside-acl extended permit ip host 217.167.252.35 host 202.106.0.94
access-list outside-acl extended permit ip host 62.23.36.201 host 202.106.0.94
access-list outside-acl extended permit ip host 80.5.89.189 host 202.106.0.94
access-list outside-acl extended permit ip host 217.206.137.210 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.94 eq pptp
access-list outside-acl extended permit ip host 210.77.128.38 host 202.106.0.94
access-list outside-acl extended permit ip host 12.45.14.18 host 202.106.0.94
access-list outside-acl extended permit ip host 218.107.48.148 host 202.106.0.94
access-list outside-acl extended permit icmp host 221.128.75.161 host 202.106.0.94
access-list outside-acl extended permit icmp host 221.128.85.50 host 202.106.0.94
access-list outside-acl extended permit ip host 221.10.51.254 host 202.106.0.94
access-list outside-acl extended permit ip host 61.219.20.201 host 202.106.0.94
access-list outside-acl extended permit ip host 221.128.85.50 host 202.106.0.94
access-list outside-acl extended permit ip host 12.45.14.19 host 202.106.0.94
access-list outside-acl extended permit ip host 12.151.115.234 host 202.106.0.94
access-list outside-acl extended permit ip host 125.215.234.209 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.69 eq https
access-list outside-acl extended permit tcp any host 202.106.0.69 eq smtp
access-list outside-acl extended permit ip host 203.94.134.30 host 202.106.0.94
access-list outside-acl extended permit ip host 89.234.16.39 host 202.106.0.94
access-list outside-acl extended permit ip host 74.205.84.38 host 202.106.0.94
access-list outside-acl extended permit ip host 210.13.87.170 host 202.106.0.94
access-list outside-acl extended permit ip host 116.120.80.4 host 202.106.0.94
access-list outside-acl extended permit ip host 210.174.104.114 host 202.106.0.94
access-list outside-acl extended permit ip host 122.248.141.2 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.66 eq www
access-list outside-acl extended permit tcp any host 202.106.0.67 eq www
access-list outside-acl extended permit tcp any host 202.106.0.68 eq www
access-list outside-acl extended permit tcp any host 202.106.0.69 eq www
access-list outside-acl extended permit ip host 210.13.72.226 host 202.106.0.94
access-list outside-acl extended permit ip host 118.122.114.15 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.69 eq 8888
access-list outside-acl extended permit ip host 203.82.42.138 host 202.106.0.94
access-list outside-acl extended permit ip host 94.236.5.84 host 202.106.0.94
access-list outside-acl extended permit ip host 58.185.45.180 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.65 eq www
access-list outside-acl extended permit ip host 119.6.23.178 host 202.106.0.94
access-list outside-acl extended permit ip any host 202.106.0.72
access-list outside-acl extended permit tcp any host 202.106.0.69 eq 8080
access-list outside-acl extended permit tcp any host 202.106.0.73 eq 3389
access-list outside-acl extended permit tcp any host 202.106.0.73 eq www
access-list outside-acl extended permit tcp any host 202.106.0.73 eq ftp-data
access-list outside-acl extended permit tcp any host 202.106.0.73 eq ftp
access-list outside-acl extended permit tcp any host 202.106.0.74 eq www
access-list outside-acl extended permit tcp any host 202.106.0.74 eq 8090
access-list outside-acl extended permit tcp any host 202.106.0.70 eq ftp-data
access-list outside-acl extended permit tcp any host 202.106.0.70 eq ftp
access-list outside-acl extended permit ip host 222.128.17.51 host 202.106.0.94
access-list outside-acl extended permit tcp any host 202.106.0.70 eq www
access-list outside-acl extended permit tcp any host 202.106.0.70 eq https
access-list outside-acl extended permit tcp any host 202.106.0.73 eq ssh
access-list outside-acl extended permit icmp any any
access-list outside-acl extended permit tcp any host 202.106.0.75 eq www
access-list outside-acl extended permit tcp any host 202.106.0.75 eq ssh
access-list outside-acl extended permit tcp any host 202.106.0.70 eq 3389
access-list outside-acl extended permit tcp any host 202.106.0.69 eq 8081
access-list outside-acl extended permit ip host 124.74.129.38 host 202.106.0.70
access-list outside-acl extended permit tcp any host 202.106.0.71 eq www
access-list test extended permit ip any any
access-list dmz_access_in extended permit icmp any any
access-list inside-acl extended permit ip any any
access-list inside-acl extended permit icmp any any
access-list dmz1-acl extended permit ip any any
access-list dmz1-acl extended permit icmp any any
access-list ADSL3511 extended permit ip 10.137.30.0 255.255.255.128 any
access-list VPN_REMOTE_ACL standard permit 10.0.0.0 255.0.0.0
access-list VPN_REMOTE_ACL standard permit 172.16.0.0 255.240.0.0
access-list VPN_REMOTE_ACL standard permit 192.168.0.0 255.255.0.0
access-list VPN_REMOTE_ACL standard permit host 119.225.56.146
access-list VPN_REMOTE_ACL standard permit host 119.225.55.254
access-list nonat extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 10.137.19.224 255.255.255.224
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.137.19.224 255.255.255.224
access-list nonat extended permit ip 172.16.0.0 255.240.0.0 10.137.19.224 255.255.255.224
access-list vlan22 extended permit ip 10.137.18.0 255.255.255.0 any
access-list vlan22 extended permit ip 10.137.17.128 255.255.255.192 any
access-list vlan22 extended permit ip 10.137.16.0 255.255.255.192 any
access-list vlan22 extended permit ip 10.137.17.0 255.255.255.128 any
access-list vlan22 extended permit ip 10.137.16.128 255.255.255.192 any
access-list vlan22 extended permit ip 10.137.16.192 255.255.255.192 any
access-list vlan22 extended permit ip 10.137.30.0 255.255.255.128 any
access-list vlan22 extended permit ip 10.137.30.192 255.255.255.192 any
access-list vlan22 extended permit ip 10.137.31.0 255.255.255.224 any
access-list vlan22 extended permit ip 10.137.31.128 255.255.255.128 any
access-list vlan22 extended permit ip 10.137.14.0 255.255.255.0 any
access-list vlan22 extended permit ip 10.137.19.0 255.255.255.128 any
access-list map11 extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
access-list map11 extended permit ip host 202.106.1.138 host 203.196.0.106
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu 3511 1500
ip local pool Dellcom-IPPool 10.137.19.230-10.137.19.250 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 202.106.0.80-202.106.0.90 netmask 255.255.255.224
global (outside) 1 202.106.0.79
global (outside) 1 interface
nat (outside) 1 10.137.19.224 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 access-list vlan22
nat (dmz1) 0 202.106.0.93 255.255.255.255
nat (dmz1) 0 202.106.0.94 255.255.255.255
nat (dmz1) 0 202.106.0.92 255.255.255.252
static (inside,dmz1) 10.137.16.0 10.137.16.0 netmask 255.255.240.0
static (inside,outside) 202.106.0.69 10.137.18.100 netmask 255.255.255.255
static (inside,outside) 202.106.0.70 10.137.18.111 netmask 255.255.255.255
static (inside,outside) 202.106.0.66 10.137.18.18 netmask 255.255.255.255
static (inside,outside) 202.106.0.67 10.137.18.126 netmask 255.255.255.255
static (inside,outside) 202.106.0.68 10.137.18.250 netmask 255.255.255.255
static (inside,outside) 202.106.0.72 10.137.17.190 netmask 255.255.255.255
static (inside,outside) 202.106.0.65 10.137.18.252 netmask 255.255.255.255
static (inside,outside) 202.106.0.74 10.137.18.253 netmask 255.255.255.255
static (inside,outside) 202.106.0.75 10.137.18.116 netmask 255.255.255.255
static (inside,outside) 202.106.0.71 10.137.18.11 netmask 255.255.255.255
access-group outside-acl in interface outside
access-group inside-acl in interface inside
route outside 0.0.0.0 0.0.0.0 202.106.1.137 1
route inside 10.0.0.0 255.0.0.0 10.137.18.1 55
route outside 10.137.254.0 255.255.255.0 202.106.1.137 1
route inside 172.16.0.0 255.240.0.0 10.137.18.1 1
route inside 192.168.0.0 255.255.0.0 10.137.18.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server ACS-Group protocol radius
aaa-server ACS-Group (inside) host 10.11.2.33
 timeout 15
 key *****
 radius-common-pw *****
aaa-server ACS-Group (inside) host 192.168.1.240
 timeout 15
 key *****
 radius-common-pw *****
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.137.18.111 community ipsosbj
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set Dellcom esp-3des esp-sha-hmac
crypto ipsec transform-set CHINA1 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set Dellcom
crypto map outside-map 11 match address map11
crypto map outside-map 11 set pfs
crypto map outside-map 11 set connection-type answer-only
crypto map outside-map 11 set peer 203.196.0.106
crypto map outside-map 11 set transform-set CHINA1
crypto map outside-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside-map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal 32
vpn-addr-assign local reuse-delay 60
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.16.0.0 255.240.0.0 inside
telnet timeout 60
ssh timeout 5
ssh version 1
console timeout 0
vpdn group 3511 request dialout pppoe
vpdn group 3511 localname 300000029838
vpdn group 3511 ppp authentication pap
vpdn username 300000029838 password *********
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.11.1.33
group-policy Dellcom internal
group-policy Dellcom attributes
 banner value You have connected to a Private Network.
 banner value
 banner value Authorized users only.
 banner value
 banner value Unauthorized access may be subject to civil and criminal legal action.
 dns-server value 10.137.8.26
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_REMOTE_ACL
 default-domain value td.domain
 address-pools value Dellcom-IPPool
 ipv6-address-pools none
username admin password yptIuiz0fZRas6PY encrypted privilege 15
tunnel-group Dellcom type remote-access
tunnel-group Dellcom general-attributes
 address-pool Dellcom-IPPool
 default-group-policy Dellcom
tunnel-group Dellcom ipsec-attributes
 pre-shared-key *
tunnel-group 203.196.0.106 type ipsec-l2l
tunnel-group 203.196.0.106 general-attributes
tunnel-group 203.196.0.106 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d9df79ecdf7ee99d5550dba35c991b97
: end
PIX#      
PIX# exit

Logoff

Author

Commented:
ASA# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA
enable password piOrULOo5tMFpYSX encrypted
passwd piOrULOo5tMFpYSX encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.196.0.106 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.137.254.3 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone GMT 8
object network obj-10.137.254.21
 host 10.137.254.21
object network obj-10.137.253.0
 subnet 10.137.253.0 255.255.255.0
object network obj-10.137.254.0
 subnet 10.137.254.0 255.255.255.0
object network obj-10.137.254.11
 host 10.137.254.11
object network obj-10.137.18.0
 subnet 10.137.18.0 255.255.255.0
object network 10.137.254.0
 subnet 10.137.254.0 255.255.255.0
object network 10.137.18.0
 subnet 10.137.18.0 255.255.255.0
access-list VPN_REMOTE_ACL standard permit 10.137.254.0 255.255.255.0
access-list outside-acl extended permit ip host 202.106.1.138 host 10.137.254.11
access-list outside-acl extended permit ip 202.106.0.64 255.255.255.224 host 10.137.254.11
access-list outside-acl extended permit ip 122.248.141.0 255.255.255.224 host 10.137.254.11
access-list outside-acl extended permit ip host 122.248.139.148 host 10.137.254.11
access-list outside-acl extended permit ip host 59.151.58.58 host 10.137.254.11
access-list outside-acl extended permit tcp any host 10.137.254.11 eq www
access-list outside-acl extended permit tcp host 114.80.70.26 host 10.137.254.11 eq 1688
access-list map11 extended permit ip object 10.137.254.0 object 10.137.18.0
access-list map11 extended permit ip host 203.196.0.106 host 202.106.1.138
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool Dellcom-IPPool 10.137.253.2-10.137.253.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static 10.137.254.0 10.137.254.0 destination static 10.137.18.0 10.137.18.0
nat (inside,any) source static any any destination static obj-10.137.253.0 obj-10.137.253.0 no-proxy-arp
!
object network obj-10.137.254.21
 nat (inside,outside) static 203.196.0.108 service tcp https https
object network obj-10.137.254.0
 nat (inside,outside) dynamic interface
object network obj-10.137.254.11
 nat (inside,outside) static 203.196.0.107
access-group outside-acl in interface outside
route outside 0.0.0.0 0.0.0.0 203.196.0.105 10
route inside 10.0.0.0 255.0.0.0 10.137.254.1 5
route outside 10.137.18.0 255.255.255.0 203.196.0.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Dellcom esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set CHINA1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Dellcom
crypto dynamic-map dyn_map 20 set reverse-route
crypto map outside-map 11 match address map11
crypto map outside-map 11 set pfs
crypto map outside-map 11 set connection-type originate-only
crypto map outside-map 11 set peer 202.106.1.138
crypto map outside-map 11 set ikev1 transform-set CHINA1
crypto map outside-map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside-map interface outside
crypto isakmp nat-traversal 32
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 11
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
ssh version 2
console timeout 20
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy Dellcom internal
group-policy Dellcom attributes
 banner value You have connected to a Private Network.
 banner value
 banner value Authorized users only.
 banner value
 banner value Unauthorized access may be subject to civil and criminal legal action.
 dns-server value 10.137.8.26
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_REMOTE_ACL
 default-domain value td.domain
 address-pools value Dellcom-IPPool
 ipv6-address-pools none
username bbzzadm password vkhRWfGCFuoFiQ7i encrypted
username pclt password 5qkNCZMjFfsn0bWE encrypted
username admin password yptIuiz0fZRas6PY encrypted privilege 15
tunnel-group Dellcom type remote-access
tunnel-group Dellcom general-attributes
 address-pool Dellcom-IPPool
 default-group-policy Dellcom
tunnel-group Dellcom ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 202.106.1.138 type ipsec-l2l
tunnel-group 202.106.1.138 ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:31250533f46c96b797c4b884ae9e053a
: end        
ASA#  
ASA#
ASA# exit

Logoff

Top Expert 2011

Commented:
You would need an access-list on both devices to allow your internal subnets, for example on PIX

access-list outside-acl extended permit ip 10.137.254.0 255.255.255.0 10.137.18.0 255.255.255.0

And on ASA

access-list outside-acl extended permit ip  10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0

Author

Commented:
Hello,
Just tried it, but did help. Any other solutions?

thanks
Top Expert 2011

Commented:
Can you issue the following command on ASA and post result here?

packet-tracer input outside tcp 10.137.18.4 80 10.137.254.4 80 detailed

Author

Commented:
And the following is the ISAKMP and IPsec SA information from both sides:

PIX# sh cry ip sa
interface: outside
    Crypto map tag: outside-map, seq num: 11, local addr: 202.106.1.138

      access-list map11 permit ip host 202.106.1.138 host 203.196.0.106
      local ident (addr/mask/prot/port): (202.106.1.138/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (203.196.0.106/255.255.255.255/0/0)
      current_peer: 203.196.0.106

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.106.1.138, remote crypto endpt.: 203.196.0.106

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 09886135

    inbound esp sas:
      spi: 0xC7EF5B99 (3354352537)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
PIX# sh cry is sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.196.0.106
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
PIX#


ASA# sh cry ip sa
interface: outside
    Crypto map tag: outside-map, seq num: 11, local addr: 203.196.0.106

      access-list OO_temp_outside-map11 extended permit ip host 203.196.0.106 host 202.106.1.138
      local ident (addr/mask/prot/port): (203.196.0.106/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (202.106.1.138/255.255.255.255/0/0)
      current_peer: 202.106.1.138

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 203.196.0.106/0, remote crypto endpt.: 202.106.1.138/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: C7EF5B99
      current inbound spi : 09886135

    inbound esp sas:
      spi: 0x09886135 (159932725)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
ASA# sh cry is sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1   IKE Peer: 202.106.1.138
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ASA#

Author

Commented:
Hello, here is the result you need. Phase 8 is a deny, but I am not sure which ACL I should put it in.

thanks

ASA# packet-tracer input outside tcp 10.137.18.4 80 10.137.254.4$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad76afc8, priority=1, domain=permit, deny=false
        hits=719862, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static 10.137.254.0 10.137.254.0 destination static 10.137.18.0 10.137.18.0
Additional Information:
NAT divert to egress interface inside
Untranslate 10.137.254.4/80 to 10.137.254.4/80

Phase: 3      
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-acl in interface outside
access-list outside-acl extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae220fd8, priority=13, domain=permit, deny=false
        hits=0, user_data=0xaa86a880, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.137.18.0, mask=255.255.255.0, port=0
        dst ip/id=10.137.254.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad76ecd0, priority=0, domain=inspect-ip-options, deny=true
        hits=13740, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xadffef10, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=13319, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static 10.137.254.0 10.137.254.0 destination static 10.137.18.0 10.137.18.0
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xae21bb80, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xad38c898, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.137.18.0, mask=255.255.255.0, port=0
        dst ip/id=10.137.254.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xad792aa8, priority=0, domain=inspect-ip-options, deny=true
        hits=11526, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xae2bf290, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x0, cs_id=0xae215768, reverse, flags=0x0, protocol=0
        src ip/id=10.137.254.0, mask=255.255.255.0, port=0
        dst ip/id=10.137.18.0, mask=255.255.255.0, port=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA#
Top Expert 2011
Commented:
Since you have 0 encrypts and decrypts and your crypto-map access-lists are OK, make sure your internal routing works. The ASA and PIX do not receive packets for encryption.
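
The check behind the diagnosis above, as an added example that is not part of the original thread: it compares each crypto ACL entry with the proxy identities and packet counters reported by `show crypto ipsec sa`. The two inputs are excerpts of the PIX output posted earlier on this page; the function names and status labels are this example's own, and only the `host` and address/mask ACL forms are parsed.

```python
import ipaddress
import re

# Excerpts copied from the PIX output posted in this thread.
CRYPTO_ACL = """\
access-list map11 extended permit ip 10.137.18.0 255.255.255.0 10.137.254.0 255.255.255.0
access-list map11 extended permit ip host 202.106.1.138 host 203.196.0.106
"""

SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside-map, seq num: 11, local addr: 202.106.1.138

      access-list map11 permit ip host 202.106.1.138 host 203.196.0.106
      local ident (addr/mask/prot/port): (202.106.1.138/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (203.196.0.106/255.255.255.255/0/0)
      current_peer: 203.196.0.106

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(text):
    """Return [(local_net, remote_net)] for each 'permit' line of a crypto ACL."""
    selectors = []
    for line in text.splitlines():
        tokens = line.split()
        # ASA 8.3+ 'object NAME' operands are not resolved by this example.
        if "permit" not in tokens or "object" in tokens:
            continue
        rest = tokens[tokens.index("permit") + 2:]  # skip 'permit' and the protocol
        nets = []
        while rest and len(nets) < 2:
            if rest[0] == "any":
                nets.append(_net("0.0.0.0", "0.0.0.0"))
                rest = rest[1:]
            elif rest[0] == "host":
                nets.append(_net(rest[1], "255.255.255.255"))
                rest = rest[2:]
            else:
                nets.append(_net(rest[0], rest[1]))
                rest = rest[2:]
        if len(nets) == 2:
            selectors.append(tuple(nets))
    return selectors


def parse_ipsec_sa(text):
    """Return {(local_net, remote_net): {'encaps': n, 'decaps': n}} per SA block."""
    sas, local, cur = {}, None, None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m and m.group(1) == "local":
            local = _net(m.group(2), m.group(3))
        elif m:
            key = (local, _net(m.group(2), m.group(3)))
            cur = sas.setdefault(key, {"encaps": 0, "decaps": 0})
        elif cur is not None:
            for name, value in COUNT_RE.findall(line):
                cur[name] += int(value)
    return sas


def audit(acl_text, sa_text):
    """Classify every crypto ACL entry by the state of its matching IPsec SA."""
    sas = parse_ipsec_sa(sa_text)
    findings = []
    for local, remote in parse_crypto_acl(acl_text):
        sa = sas.get((local, remote))
        if sa is None:
            status = "no-sa"      # no matching traffic arrived, or negotiation failed
        elif sa["encaps"] == 0 and sa["decaps"] == 0:
            status = "idle"       # tunnel is up but has carried nothing
        elif sa["decaps"] == 0:
            status = "tx-only"    # sending, nothing coming back from the peer
        elif sa["encaps"] == 0:
            status = "rx-only"    # receiving, local replies never reach the firewall
        else:
            status = "ok"
        findings.append((str(local), str(remote), status))
    return findings


if __name__ == "__main__":
    for local, remote, status in audit(CRYPTO_ACL, SHOW_IPSEC_SA):
        print(f"{local:>18} -> {remote:<18} {status}")
```

On the posted output, the LAN-to-LAN entry comes back as `no-sa` and the peer-to-peer entry as `idle`: no LAN traffic was reaching the firewall to be encrypted, which points at host or internal routing rather than at the tunnel configuration.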

Author

Commented:
Thank you for telling me to check the internal routing. That was a stupid issue: the testing laptop has multiple NICs and some of the routes on it were wrong. After I changed to another laptop, the two sides can ping each other.