Solved

IPSEC between PIX 6.3 and asa 5520

Posted on 2012-03-15
4
363 Views
Last Modified: 2012-04-18
Hi folks,
A pix 6.3 failed at a remote site so we placed a new one there.  It had a IPSEC to our main data center.

I rebuilt the pix but cant get the ipsec to come up, everything else works in terms of access to the internet:

access-list inside_nat0_outbound extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set slcSet esp-3des esp-md5-hmac

sysopt connection permit-IPSec
crypto map outside_map 1 IPSec-isakmp
crypto map outside_map 1 match address outside_cryptomap_20
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside map 1 set transform-set slcSet
 
crypto map slcSet interface outside
isakmp enable outside
isakmp key something address aa.aa.aa.aa netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

any help would be appreciated.
0
Comment
Question by:vburshteyn
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37728628
Anything showing in the logs when trying to establish the tunnel?
Could you also post the config from the other firewall?
0
 

Author Comment

by:vburshteyn
ID: 37729062
logs are clean, debug command dont bring anything up

the ASA config:

kbe-hou-asa01# sh run isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30



crypto ipsec transform-set baaSet esp-3des esp-md5-hmac

access-list saltlake extended permit ip aa.aa.aa.aa  255.255.255.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.234.0.0 255.255.0.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.252.128.80 255.255.255.252 10.50.28.0 255.255.255.0

crypto map BAAmap 80 match address saltlake
crypto map BAAmap 80 set peer aa.aa.aa.aa
crypto map BAAmap 80 set transform-set baaSet

tunnel-group 166.70.186.67 type ipsec-l2l
tunnel-group 166.70.186.67 ipsec-attributes
pre-shared-key <removed>
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37729215
First, make sure the accesslists match on both sides (but of course in opposite direction).

access-list outside_cryptomap_20 extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0

access-list saltlake extended permit ip aa.aa.aa.aa  255.255.255.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.234.0.0 255.255.0.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.252.128.80 255.255.255.252 10.50.28.0 255.255.255.0


And the same for the ACL for the nat exempt (nat 0 statement).

See if that helps.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37729227
Oh, and don't use the public address (aa.aa.aa.aa) in those ACL's.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
BGP Code 12 47
cisco sg 200 trunking 4 26
DMVPN Spoke Connectivity Issue 1 25
Help with a subnetting question 7 48
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question