asked on
IPSEC between PIX 6.3 and asa 5520
Hi folks,
A pix 6.3 failed at a remote site so we placed a new one there. It had a IPSEC to our main data center.
I rebuilt the pix but cant get the ipsec to come up, everything else works in terms of access to the internet:
access-list inside_nat0_outbound extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set slcSet esp-3des esp-md5-hmac
sysopt connection permit-IPSec
crypto map outside_map 1 IPSec-isakmp
crypto map outside_map 1 match address outside_cryptomap_20
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside map 1 set transform-set slcSet
crypto map slcSet interface outside
isakmp enable outside
isakmp key something address aa.aa.aa.aa netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
any help would be appreciated.
A pix 6.3 failed at a remote site so we placed a new one there. It had a IPSEC to our main data center.
I rebuilt the pix but cant get the ipsec to come up, everything else works in terms of access to the internet:
access-list inside_nat0_outbound extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set slcSet esp-3des esp-md5-hmac
sysopt connection permit-IPSec
crypto map outside_map 1 IPSec-isakmp
crypto map outside_map 1 match address outside_cryptomap_20
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside map 1 set transform-set slcSet
crypto map slcSet interface outside
isakmp enable outside
isakmp key something address aa.aa.aa.aa netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
any help would be appreciated.
CiscoInternet Protocol Security
Last Comment
Ernie Beek
ASKER
logs are clean, debug command dont bring anything up
the ASA config:
kbe-hou-asa01# sh run isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 30
crypto ipsec transform-set baaSet esp-3des esp-md5-hmac
access-list saltlake extended permit ip aa.aa.aa.aa 255.255.255.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.234.0.0 255.255.0.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.252.128.80 255.255.255.252 10.50.28.0 255.255.255.0
crypto map BAAmap 80 match address saltlake
crypto map BAAmap 80 set peer aa.aa.aa.aa
crypto map BAAmap 80 set transform-set baaSet
tunnel-group 166.70.186.67 type ipsec-l2l
tunnel-group 166.70.186.67 ipsec-attributes
pre-shared-key <removed>
the ASA config:
kbe-hou-asa01# sh run isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 30
crypto ipsec transform-set baaSet esp-3des esp-md5-hmac
access-list saltlake extended permit ip aa.aa.aa.aa 255.255.255.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.234.0.0 255.255.0.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.252.128.80 255.255.255.252 10.50.28.0 255.255.255.0
crypto map BAAmap 80 match address saltlake
crypto map BAAmap 80 set peer aa.aa.aa.aa
crypto map BAAmap 80 set transform-set baaSet
tunnel-group 166.70.186.67 type ipsec-l2l
tunnel-group 166.70.186.67 ipsec-attributes
pre-shared-key <removed>
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Oh, and don't use the public address (aa.aa.aa.aa) in those ACL's.
Could you also post the config from the other firewall?