Solved

IPSEC between PIX 6.3 and asa 5520

Posted on 2012-03-15
4
359 Views
Last Modified: 2012-04-18
Hi folks,
A pix 6.3 failed at a remote site so we placed a new one there.  It had a IPSEC to our main data center.

I rebuilt the pix but cant get the ipsec to come up, everything else works in terms of access to the internet:

access-list inside_nat0_outbound extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set slcSet esp-3des esp-md5-hmac

sysopt connection permit-IPSec
crypto map outside_map 1 IPSec-isakmp
crypto map outside_map 1 match address outside_cryptomap_20
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside map 1 set transform-set slcSet
 
crypto map slcSet interface outside
isakmp enable outside
isakmp key something address aa.aa.aa.aa netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

any help would be appreciated.
0
Comment
Question by:vburshteyn
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37728628
Anything showing in the logs when trying to establish the tunnel?
Could you also post the config from the other firewall?
0
 

Author Comment

by:vburshteyn
ID: 37729062
logs are clean, debug command dont bring anything up

the ASA config:

kbe-hou-asa01# sh run isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30



crypto ipsec transform-set baaSet esp-3des esp-md5-hmac

access-list saltlake extended permit ip aa.aa.aa.aa  255.255.255.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.234.0.0 255.255.0.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.252.128.80 255.255.255.252 10.50.28.0 255.255.255.0

crypto map BAAmap 80 match address saltlake
crypto map BAAmap 80 set peer aa.aa.aa.aa
crypto map BAAmap 80 set transform-set baaSet

tunnel-group 166.70.186.67 type ipsec-l2l
tunnel-group 166.70.186.67 ipsec-attributes
pre-shared-key <removed>
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37729215
First, make sure the accesslists match on both sides (but of course in opposite direction).

access-list outside_cryptomap_20 extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0

access-list saltlake extended permit ip aa.aa.aa.aa  255.255.255.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.234.0.0 255.255.0.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.252.128.80 255.255.255.252 10.50.28.0 255.255.255.0


And the same for the ACL for the nat exempt (nat 0 statement).

See if that helps.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37729227
Oh, and don't use the public address (aa.aa.aa.aa) in those ACL's.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
This video discusses moving either the default database or any database to a new volume.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now