Solved

IPSEC between PIX 6.3 and asa 5520

Posted on 2012-03-15
4
367 Views
Last Modified: 2012-04-18
Hi folks,
A pix 6.3 failed at a remote site so we placed a new one there.  It had a IPSEC to our main data center.

I rebuilt the pix but cant get the ipsec to come up, everything else works in terms of access to the internet:

access-list inside_nat0_outbound extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set slcSet esp-3des esp-md5-hmac

sysopt connection permit-IPSec
crypto map outside_map 1 IPSec-isakmp
crypto map outside_map 1 match address outside_cryptomap_20
crypto map outside_map 1 set peer aa.aa.aa.aa
crypto map outside map 1 set transform-set slcSet
 
crypto map slcSet interface outside
isakmp enable outside
isakmp key something address aa.aa.aa.aa netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400

any help would be appreciated.
0
Comment
Question by:vburshteyn
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37728628
Anything showing in the logs when trying to establish the tunnel?
Could you also post the config from the other firewall?
0
 

Author Comment

by:vburshteyn
ID: 37729062
logs are clean, debug command dont bring anything up

the ASA config:

kbe-hou-asa01# sh run isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30



crypto ipsec transform-set baaSet esp-3des esp-md5-hmac

access-list saltlake extended permit ip aa.aa.aa.aa  255.255.255.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.234.0.0 255.255.0.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.252.128.80 255.255.255.252 10.50.28.0 255.255.255.0

crypto map BAAmap 80 match address saltlake
crypto map BAAmap 80 set peer aa.aa.aa.aa
crypto map BAAmap 80 set transform-set baaSet

tunnel-group 166.70.186.67 type ipsec-l2l
tunnel-group 166.70.186.67 ipsec-attributes
pre-shared-key <removed>
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37729215
First, make sure the accesslists match on both sides (but of course in opposite direction).

access-list outside_cryptomap_20 extended permit ip 10.50.28.0 255.255.255.0 205.132.168.0 255.255.255.0

access-list saltlake extended permit ip aa.aa.aa.aa  255.255.255.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.234.0.0 255.255.0.0 10.50.28.0 255.255.255.0
access-list saltlake extended permit ip 10.252.128.80 255.255.255.252 10.50.28.0 255.255.255.0


And the same for the ACL for the nat exempt (nat 0 statement).

See if that helps.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37729227
Oh, and don't use the public address (aa.aa.aa.aa) in those ACL's.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question