Solved

IPSEC between PIX 6.3 and asa 5520

Posted on 2012-03-15
4
361 Views
Last Modified: 2012-04-18
Hi folks,
A pix 6.3 failed at a remote site so we placed a new one there.  It had a IPSEC to our main data center.

I rebuilt the pix but cant get the ipsec to come up, everything else works in terms of access to the internet:

access-list inside_nat0_outbound extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set slcSet esp-3des esp-md5-hmac

sysopt connection permit-IPSec
crypto map outside_map 1 IPSec-isakmp
crypto map outside_map 1 match address outside_cryptomap_20
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside map 1 set transform-set slcSet
 
crypto map slcSet interface outside
isakmp enable outside
isakmp key something address aa.aa.aa.aa netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

any help would be appreciated.
0
Comment
Question by:vburshteyn
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37728628
Anything showing in the logs when trying to establish the tunnel?
Could you also post the config from the other firewall?
0
 

Author Comment

by:vburshteyn
ID: 37729062
logs are clean, debug command dont bring anything up

the ASA config:

kbe-hou-asa01# sh run isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30



crypto ipsec transform-set baaSet esp-3des esp-md5-hmac

access-list saltlake extended permit ip aa.aa.aa.aa  255.255.255.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.234.0.0 255.255.0.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.252.128.80 255.255.255.252 10.50.28.0 255.255.255.0

crypto map BAAmap 80 match address saltlake
crypto map BAAmap 80 set peer aa.aa.aa.aa
crypto map BAAmap 80 set transform-set baaSet

tunnel-group 166.70.186.67 type ipsec-l2l
tunnel-group 166.70.186.67 ipsec-attributes
pre-shared-key <removed>
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37729215
First, make sure the accesslists match on both sides (but of course in opposite direction).

access-list outside_cryptomap_20 extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0

access-list saltlake extended permit ip aa.aa.aa.aa  255.255.255.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.234.0.0 255.255.0.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.252.128.80 255.255.255.252 10.50.28.0 255.255.255.0


And the same for the ACL for the nat exempt (nat 0 statement).

See if that helps.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37729227
Oh, and don't use the public address (aa.aa.aa.aa) in those ACL's.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ACS 5.4 "management" proc stuck in Restarting 2 40
Cisco Prime and Maps 3 36
VTP / VLANs and Sub-Interfaces 4 31
eigrp in site-to-site vpn 4 17
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now