Help Needed - Cisco ASA 5510 to PIX506E VPN

Status
Not open for further replies.

eMailDude (MIS), Oct 26, 2009, US
Hi, I am an Active Directory / eMail / server guy who's inherited a rather complex Cisco infrastructure to manage (the other guy left, they won't replace him) and I have a question about site-to-site VPN.

We have 3 offices, the main office has a Cisco ASA 5510 running version 8 and two smaller offices with PIX 506E version 6. My boss wants me to do a site-to-site VPN between the 3 locations, with HQ as the hub. The 2 remote offices have the outside interface of the PIX connected directly to the Cisco router that AT&T provided and manages, however the HQ office has a FatPipe Warp between the Cisco router and the ASA. The FatPipe is doing NAT for 3 different internet circuits and the IP address between the FatPipe and the ASA is a 172.16 address, so effectively I'm going to be double-natting (I've been researching).

I believe I am going to need the NAT transparency option enabled in the ASA, based on the docs from Cisco.

I've located all the Cisco documentation on performing a site to site VPN between PIX and ASA, but all the documentation assumes the firewall outside interface connects directly to the public side.

My question is this (and I am sure I might have others):

When I configure the VPN connection from a remote office it is asking for the public IP on the other end. I assume I need to assign one of my public IPs in the FatPipe and map it to an internal IP (172 address), or should I be mapping that public IP to the ASA's outside interface?

internet (99.x.x.x) --- fatpipe (lan 172.16.0.1) --- asa ( outside 172.16.0.250 : inside 192.168.0.250) --- inside network

thanks in advance for any help you can provide.

Jim
 
Yikes, big-time typo; the diagram should look as follows:

internet (5.6.7.8) --- fatpipe (lan 192.168.0.1) --- asa ( outside 192.168.0.100 : inside 172.16.0.1) --- inside network

Here's the ASA config:

ASA Version 8.2(1)
!
hostname asa-hq
domain-name domain.com
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.0.100 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.31.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 10.0.10.1 255.255.254.0
!
interface Ethernet0/3
shutdown
no nameif
security-level 0
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended permit tcp any host 192.168.0.20 eq https
access-list inbound extended permit tcp any host 192.168.0.20 eq www
access-list inbound extended permit tcp any host 192.168.0.22 eq 3389
access-list inbound extended permit tcp any host 192.168.0.23 eq 3389
access-list inbound extended permit tcp any host 192.168.0.10 eq www
access-list inbound extended permit tcp any host 192.168.0.10 eq https
access-list inbound extended permit udp any host 192.168.0.10 eq domain
access-list inbound extended permit tcp any host 192.168.0.21 eq pptp
access-list inbound extended permit gre any host 192.168.0.21
access-list inbound extended permit tcp any host 192.168.0.24 eq www
access-list inbound extended permit tcp any host 192.168.0.24 eq https
access-list inbound extended permit udp any host 192.168.0.24 eq domain
access-list inside2_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 172.31.1.0 255.255.255.0
access-list inside2_nat0_outbound extended permit ip interface inside2 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.1.0 255.255.255.0 10.0.10.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 any
access-list inside2_access_in extended permit ip any any
access-list outside2_access_in extended permit tcp any host 12.70.171.115 eq 3389
access-list outside_1_cryptomap extended permit ip 10.0.10.0 255.255.254.0 172.16.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging host inside2 10.0.11.200
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any inside2
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list inside2_nat0_outbound
nat (inside2) 1 0.0.0.0 0.0.0.0
static (inside2,outside) 192.168.0.22 10.0.11.210 netmask 255.255.255.255
static (inside2,outside) 192.168.0.20 10.0.11.211 netmask 255.255.255.255
static (inside2,outside) 192.168.0.23 10.0.11.200 netmask 255.255.255.255
static (inside2,outside) 192.168.0.21 10.0.11.180 netmask 255.255.255.255
static (inside2,outside) 192.168.0.10 10.0.11.160 netmask 255.255.255.255
access-group inbound in interface outside
access-group inside2_access_in in interface inside2
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.0.10.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside2
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.2.3.4
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside2
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside2
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 4.2.2.2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
pre-shared-key *
!
!


And the PIX config:

:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix-remote
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.10.0 HQ
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.255.0 HQ 255.255.254.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.255.0 HQ 255.255.254.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 1.2.3.4 255.255.255.248
ip address inside 172.16.0.219 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location HQ 255.255.254.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 5.6.7.8
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 5.6.7.8 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80

I used the VPN wizard on both the PIX and ASA through PDM and ASDM. The GUI on both sides shows there is no VPN connection, and I've tried doing "sh crypto isakmp sa", which returns that there are no SAs.

I have to assume my problem is due to the ASA sitting behind that FatPipe and the NAT being done there, any help would be greatly appreciated.

Thanks.


 
Why don't you just purchase the VPN add-on for the FatPipe product and terminate the L2L connection there?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I wasn't aware there was such an animal, networking's not "normally" my thing.

Assuming it isn't free, I probably won't be allowed to buy it.

Any idea how to terminate the L2L on the ASA with the FatPipe in the way? I've assigned a public IP and I'm NATting that to the outside interface IP configured on the ASA, but I get no traffic, nothing in the logs to indicate any kind of connection is being attempted, and no SAs on the ASA.
 
Set up the PIXs as the VPN servers.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I think I have; I'm just having issues with the ASA behind the FatPipe (it combines multiple T1s). It does NAT for the public IP ranges to 192.168.0.x addresses. Should I be able to allocate a public IP, NAT it to the outside ASA interface IP (192.168.0.100) and still get the S2S VPN to work?
 
According to the document, EasyVPN is only supported on the ASA 5505; I have an ASA 5510.

 
Brent - I appreciate the help on this, I'm not in my comfort zone here...

OK, so I set up the VPN between the ASA 5510 and the PIX. Now when I try to create interesting traffic from the ASA to the PIX by pinging an IP on the internal side of the PIX from the ASA, I get the following:

ASA# ping 172.16.0.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.129, timeout is 2 seconds:
Oct 28 22:14:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Oct 28 22:14:06 [IKEv1]: IP = 1.2.3.4, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 1.2.3.4 local Proxy Address 0.0.0.0, remote Proxy Address 172.16.0.0, Crypto map (outside_map)
Oct 28 22:14:06 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing ISAKMP SA payload
Oct 28 22:14:06 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing NAT-Traversal VID ver 02 payload
Oct 28 22:14:06 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing NAT-Traversal VID ver 03 payload
Oct 28 22:14:06 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
Oct 28 22:14:06 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
Oct 28 22:14:06 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
?Oct 28 22:14:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Oct 28 22:14:08 [IKEv1]: IP = 1.2.3.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?Oct 28 22:14:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Oct 28 22:14:10 [IKEv1]: IP = 1.2.3.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?Oct 28 22:14:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Oct 28 22:14:12 [IKEv1]: IP = 1.2.3.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
?Oct 28 22:14:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Oct 28 22:14:14 [IKEv1]: IP = 1.2.3.4, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Oct 28 22:14:14 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
?
Success rate is 0 percent (0/5)
pix-gurnee# Oct 28 22:14:22 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Oct 28 22:14:30 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Oct 28 22:14:38 [IKEv1 DEBUG]: IP = 1.2.3.4, IKE MM Initiator FSM error history (struct &0xd8342c98) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Oct 28 22:14:38 [IKEv1 DEBUG]: IP = 1.2.3.4, IKE SA MM:451d33bd terminating: flags 0x01000022, refcnt 0, tuncnt 0
Oct 28 22:14:38 [IKEv1 DEBUG]: IP = 1.2.3.4, sending delete/delete with reason message
Oct 28 22:14:38 [IKEv1]: IP = 1.2.3.4, Removing peer from peer table failed, no match!
Oct 28 22:14:38 [IKEv1]: IP = 1.2.3.4, Error: Unable to remove PeerTblEntry
 
Sorry, forgot to post this as well...

As the errors above are being displayed on the ASA the following are displayed on the PIX

crypto_isakmp_process_block:src:5.6.7.8, dest:1.2.3.4 spt:500 dpt:500
crypto_isakmp_init_phase1_fields: responder
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: default group 2
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_generate_DH_parameters: dhset 0xf4e8ec, phase 0
DH_ALG_PHASE1
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload

process_udp_enc_vendor_id:
ISAKMP (0:0): vendor ID is NAT-T
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload

process_udp_enc_vendor_id:
ISAKMP (0:0): vendor ID is NAT-T
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload

process_udp_enc_vendor_id:
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload

process_udp_enc_vendor_id:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_isakmp_sa: auth 7
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:5.6.7.8, dest:1.2.3.4 spt:500 dpt:500
crypto_isakmp_init_phase1_fields: responder
VPN Peer:ISAKMP: Peer Info for 5.6.7.8/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
crypto_isakmp_process_block:src:5.6.7.8, dest:1.2.3.4 spt:500 dpt:500
crypto_isakmp_init_phase1_fields: responder
VPN Peer:ISAKMP: Peer Info for 5.6.7.8/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (3)...
crypto_isakmp_process_block:src:5.6.7.8, dest:1.2.3.4 spt:500 dpt:500
crypto_isakmp_init_phase1_fields: responder
VPN Peer:ISAKMP: Peer Info for 5.6.7.8/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 5.6.7.8, dst 1.2.3.4
ISADB: reaper checking SA 0xf4e634, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 5.6.7.8/500 not found - peers:0
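The two captures above (ASA as initiator, PIX as responder) say more together than either does alone. What follows is an added example, not code from this thread or from Cisco: a small Python triage script that pulls the relevant facts out of both captures and states what they imply. The sample log lines are constructed from the debug output posted above (with the thread's placeholder addresses); the initiator address 192.168.0.100 is taken from the first ASA config and is only a parameter; and the MM_HINTS table is the usual meaning of each IKEv1 main-mode wait state, general Cisco troubleshooting knowledge rather than anything this thread states.

```python
"""Added example (not from the thread): triage IKEv1 main-mode debug output.
Takes 'debug crypto isakmp' output captured on the initiator (ASA 8.x) and on the
responder (PIX 6.x) for the same attempt and states what the two captures show
together: whether MSG1 reached the responder and from which source address, whether
the responder accepted the Phase 1 proposal and answered, and in which main-mode
wait state the initiator gave up. Sample lines are built from the thread's captures."""
import re

# Usual meaning of the main-mode wait state an initiator is in when it times out.
MM_HINTS = {
    "MM_WAIT_MSG2": "MSG1 got no answer: UDP/500 is not reaching the peer, or its reply is not coming back",
    "MM_WAIT_MSG4": "MSG3 got no answer: the larger key-exchange packets are being dropped on the path",
    "MM_WAIT_MSG6": "MSG5 got no answer: commonly a pre-shared-key or ISAKMP identity mismatch",
}

ASA_DEBUG = """\
Oct 28 22:14:06 [IKEv1]: IP = 1.2.3.4, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 1.2.3.4 local Proxy Address 0.0.0.0, remote Proxy Address 172.16.0.0, Crypto map (outside_map)
Oct 28 22:14:06 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
Oct 28 22:14:06 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Oct 28 22:14:14 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Oct 28 22:14:22 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Oct 28 22:14:30 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Oct 28 22:14:38 [IKEv1 DEBUG]: IP = 1.2.3.4, IKE MM Initiator FSM error history (struct &0xd8342c98) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2
Oct 28 22:14:38 [IKEv1]: IP = 1.2.3.4, Removing peer from peer table failed, no match!
"""
PIX_DEBUG = """\
crypto_isakmp_process_block:src:5.6.7.8, dest:1.2.3.4 spt:500 dpt:500
crypto_isakmp_init_phase1_fields: responder
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): deleting SA: src 5.6.7.8, dst 1.2.3.4
"""


def triage_initiator(text):
    """Facts from the initiator's capture: peer, MSG1 sends/resends, final wait state."""
    f = {"peer": None, "msg1_sent": 0, "msg1_resent": 0, "stuck": None}
    for line in text.splitlines():
        if m := re.search(r"IP = ([\d.]+), IKE Initiator: New Phase 1", line):
            f["peer"] = m.group(1)
        if "IKE_DECODE SENDING Message (msgid=0)" in line:
            f["msg1_sent"] += 1
        elif "IKE_DECODE RESENDING Message (msgid=0)" in line:
            f["msg1_resent"] += 1
        if m := re.search(r"EV_ERROR-->(MM_WAIT_MSG\d)", line):
            f["stuck"] = m.group(1)
    return f


def triage_responder(text):
    """Facts from the responder's capture: MSG1 source, proposal accepted, MSG2 retransmits."""
    f = {"seen_from": None, "accepted": False, "id_type": None, "nat_t": False, "retransmits": 0}
    for line in text.splitlines():
        if m := re.search(r"crypto_isakmp_process_block:src:([\d.]+), dest:", line):
            f["seen_from"] = m.group(1)
        if m := re.search(r"using id type (\S+)", line):
            f["id_type"] = m.group(1)
        f["accepted"] = f["accepted"] or "atts are acceptable" in line
        f["nat_t"] = f["nat_t"] or "vendor ID is NAT-T" in line
        if "retransmitting phase 1" in line:
            f["retransmits"] += 1
    return f


def diagnose(initiator_text, responder_text, initiator_outside_ip):
    """Read both captures together; `initiator_outside_ip` is the initiator's own interface address."""
    i, r = triage_initiator(initiator_text), triage_responder(responder_text)
    notes = []
    if r["seen_from"] is None:
        notes.append("responder never received MSG1: UDP/500 from the initiator is not arriving")
    else:
        if r["seen_from"] != initiator_outside_ip:
            notes.append(f"responder sees the initiator as {r['seen_from']}, not {initiator_outside_ip}: "
                         f"the initiator is behind NAT, so the responder's PSK entry must be for "
                         f"{r['seen_from']} (it authenticates by {r['id_type']})")
        if r["accepted"]:
            notes.append("responder accepted the Phase 1 proposal: ISAKMP policy is not the problem")
        if r["retransmits"] and i["stuck"] == "MM_WAIT_MSG2":
            notes.append(f"responder sent MSG2 to {r['seen_from']}:500 and retransmitted it "
                         f"{r['retransmits']} times, but the initiator never got it: the return path "
                         f"for UDP/500 to {r['seen_from']} is broken")
    if i["stuck"]:
        notes.append(f"initiator gave up in {i['stuck']} after {i['msg1_resent']} retransmits: "
                     f"{MM_HINTS.get(i['stuck'], 'see the FSM history line')}")
    return notes


if __name__ == "__main__":
    for n in diagnose(ASA_DEBUG, PIX_DEBUG, "192.168.0.100"):
        print("-", n)
```

Run as-is it reports that the PIX saw MSG1 arrive from 5.6.7.8, accepted the proposal, answered with MSG2 and retransmitted it three times, while the ASA never left MM_WAIT_MSG2: the ISAKMP policies agree, and the thing to chase is why the PIX's UDP/500 reply to the address it sees (5.6.7.8) never reaches the ASA. Pass the initiator's real outside address as the third argument; when it differs from what the responder logs, the script also points out that the responder's pre-shared key must be bound to the translated address, because the PIX is authenticating by ID_IPV4_ADDR.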
 
I'll take a look tomorrow when I can spin up my lab.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I think you will have to circumvent the FatPipe for the VPN. Is it doing load balancing? Can you post your latest config?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I've removed the FatPipe. Before I did that I had nothing at all when I debugged the VPN connection; now that it's gone I'm getting the errors above.

as before, thanks in advance!

configs are as follows:

ASA

: Saved
:
ASA Version 8.2(1)
!
hostname ASA5510
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.2.3.114 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.31.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 10.0.10.1 255.255.254.0
!
interface Ethernet0/3
shutdown
no nameif
security-level 0
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name cisco.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended permit tcp any host 1.2.3.117 eq https
access-list inbound extended permit tcp any host 1.2.3.117 eq www
access-list inbound extended permit tcp any host 1.2.3.119 eq 3389
access-list inbound extended permit tcp any host 1.2.3.115 eq 3389
access-list inbound extended permit tcp any host 1.2.3.118 eq pptp
access-list inbound extended permit gre any host 1.2.3.118
access-list inbound extended permit tcp any host 1.2.3.116 eq www
access-list inbound extended permit tcp any host 1.2.3.116 eq https
access-list inbound extended permit udp any host 1.2.3.116 eq domain
access-list inside2_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 172.31.1.0 255.255.255.0
access-list inside2_nat0_outbound extended permit ip interface inside2 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.1.0 255.255.255.0 10.0.10.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.0
access-list inside2_access_in extended permit ip any any
access-list outside2_access_in extended permit tcp any host 1.2.3.115 eq 3389
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging host inside2 10.0.11.200
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any inside2
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list inside2_nat0_outbound
nat (inside2) 1 0.0.0.0 0.0.0.0
static (inside2,outside) 1.2.3.119 10.0.11.210 netmask 255.255.255.255
static (inside2,outside) 1.2.3.117 10.0.11.211 netmask 255.255.255.255
static (inside2,outside) 1.2.3.115 10.0.11.200 netmask 255.255.255.255
static (inside2,outside) 1.2.3.118 10.0.11.180 netmask 255.255.255.255
static (inside2,outside) 1.2.3.116 10.0.11.160 netmask 255.255.255.255
access-group inbound in interface outside
access-group inside2_access_in in interface inside2
route outside 0.0.0.0 0.0.0.0 1.2.3.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.0.10.2 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside2
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 4.5.6.7
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside2
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside2
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 4.2.2.2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
pre-shared-key *

From the PIX:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.0.10.0 ASA
access-list inside_outbound_nat0_acl permit ip interface inside ASA 255.255.254.0
access-list outside_cryptomap_20 permit ip interface inside ASA 255.255.254.0
access-list outside_access_in permit tcp interface outside eq 3389 host 172.16.0.11 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 4.5.6.7 255.255.255.248
ip address inside 172.16.0.219 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location ASA 255.255.254.0 outside
pdm location 172.16.0.11 255.255.255.255 inside
pdm location ASA 255.255.255.254 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 172.16.0.11 172.16.0.11 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 1.2.3.114
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.3.114 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
 
ASA
Tighten this up to be specific:
access-list outside_1_cryptomap extended permit ip 10.0.10.0 255.255.254.0 172.16.0.0 255.255.255.0

Change this:
access-list inside2_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 172.31.1.0 255.255.255.0
access-list inside2_nat0_outbound extended permit ip interface inside2 192.168.0.0 255.255.255.0
to:
access-list inside2_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 172.31.1.0 255.255.255.0
access-list inside2_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 172.16.0.0 255.255.255.0

crypto map outside_map 1 set pfs group1
should be group2 to match your PIX.

PIX
access-list inside_outbound_nat0_acl permit ip interface inside ASA 255.255.254.0
access-list outside_cryptomap_20 permit ip interface inside ASA 255.255.254.0
should be:
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.255.0 10.0.10.0 255.255.254.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.255.0 10.0.10.0 255.255.254.0

Why is this here?
static (inside,outside) 172.16.0.11 172.16.0.11 netmask 255.255.255.255 0 0

Brent
Systems Engineer / Consultant
CCNP, CCSP
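Brent's review above comes down to a handful of consistency rules between the two ends: the crypto ACLs must be specific and exact mirror images, the same traffic must be exempted from NAT on each side, PFS must agree, and each side's peer must be the address the other side actually presents. As an added example that is not code from this thread or from Cisco, the Python script below parses ASA 8.2 and PIX 6.3 style config text and applies those rules mechanically. The two sample configs are trimmed from the snippets posted in this thread (thread placeholder addresses); ASA_FIXED and PIX_FIXED apply Brent's changes plus the ASA's real public address as the PIX peer, which is only right once the FatPipe is out of the path. The script treats `set pfs` with no group as group2, which is the documented ASA default when the group is omitted; this is why an ASA shows the line without a group after you enter group2.

```python
"""Added example (not from the thread): cross-check both ends of an IKEv1 L2L tunnel.
Parses ASA 8.2 / PIX 6.3 running-config text and reports what Brent found by eye:
crypto ACLs that use 'any' or 'interface', or do not mirror the far side's; crypto
traffic not exempted by an applied 'nat ... 0 access-list'; a crypto map with no
'match address' (the PIX prints '! Incomplete'); a PFS mismatch; and a peer that is
not the far side's outside address, meaning that side sits behind NAT."""
ASA_BAD = """\
interface Ethernet0/0
 nameif outside
 ip address 192.168.0.100 255.255.255.0
access-list inside2_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 172.31.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.255.0
nat (inside2) 0 access-list inside2_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.2.3.4
"""
PIX_OK = """\
ip address outside 1.2.3.4 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.255.0 10.0.10.0 255.255.254.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.255.0 10.0.10.0 255.255.254.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 5.6.7.8
"""
# Brent's changes, plus the ASA's real public address as the PIX peer (FatPipe out of the path).
ASA_FIXED = (ASA_BAD.replace("192.168.0.100 255.255.255.0", "1.2.3.114 255.255.255.240")
             .replace("permit ip any 172.16.0.0", "permit ip 10.0.10.0 255.255.254.0 172.16.0.0")
             .replace("set pfs group1", "set pfs group2")
             + "access-list inside2_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 172.16.0.0 255.255.255.0\n")
PIX_FIXED = PIX_OK.replace("set peer 5.6.7.8", "set peer 1.2.3.114")


def _net(w, i):
    # One ACL endpoint starting at token i: 'any', 'interface X' or 'addr mask'.
    if w[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if w[i] == "interface":
        return ("interface:" + w[i + 1], ""), i + 2
    return (w[i], w[i + 1]), i + 2


def parse(cfg):
    d = {"acl": {}, "maps": {}, "nat0": set(), "outside": None}
    cur_if = None
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "access-list" and "permit" in w and w[w.index("permit") + 1] == "ip":
            src, i = _net(w, w.index("permit") + 2)
            d["acl"].setdefault(w[1], []).append(src + _net(w, i)[0])
        elif w[0] == "interface":
            cur_if = None
        elif w[0] == "nameif":
            cur_if = w[1]
        elif w[:2] == ["ip", "address"]:
            if w[2] == "outside":                 # PIX 6.x: ip address outside A M
                d["outside"] = w[3]
            elif cur_if == "outside":             # ASA: inside the 'interface' block
                d["outside"] = w[2]
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            d["nat0"].add(w[4])
        elif w[:2] == ["crypto", "map"] and w[3].isdigit() and len(w) > 5:
            mp = d["maps"].setdefault((w[2], w[3]), {})
            if w[4] + " " + w[5] in ("match address", "set peer"):
                mp[w[5]] = w[6]
            elif w[4] + " " + w[5] == "set pfs":  # ASA shows no group for the default, group2
                mp["pfs"] = w[6] if len(w) > 6 else "group2"
    return d


def check(me, mine, them, theirs):
    # Problems visible from `me`'s side when compared with `them`'s config.
    out = []
    nat0 = {e for n in mine["nat0"] for e in mine["acl"].get(n, [])}
    mirror = sorted((d, dm, s, sm) for mp in theirs["maps"].values()
                    for s, sm, d, dm in theirs["acl"].get(mp.get("address", ""), []))
    their_pfs = {mp.get("pfs", "off") for mp in theirs["maps"].values()}
    for (name, seq), mp in mine["maps"].items():
        tag = f"{me} crypto map {name} {seq}"
        if "address" not in mp:
            out.append(f"{tag}: no 'match address' (incomplete entry)")
            continue
        acl = mine["acl"].get(mp["address"], [])
        for e in acl:
            if "0.0.0.0" in e or "" in e:         # an 'any' or 'interface X' endpoint
                out.append(f"{tag}: ACL {mp['address']} entry {e} is not specific")
            if e not in nat0:
                out.append(f"{tag}: {e} is not exempted by an applied nat 0 ACL")
        if sorted(acl) != mirror:
            out.append(f"{tag}: ACL {mp['address']} is not the mirror of {them}'s crypto ACL")
        if mp.get("pfs", "off") not in their_pfs:
            out.append(f"{tag}: PFS {mp.get('pfs', 'off')} has no match on {them}")
        if mp.get("peer") != theirs["outside"]:
            out.append(f"{tag}: peer {mp.get('peer')} is not {them}'s outside address {theirs['outside']}; {them} is behind NAT, so NAT-T is needed and UDP/500 and UDP/4500 must be forwarded to it")
    return out


def audit(asa_cfg, pix_cfg):
    asa, pix = parse(asa_cfg), parse(pix_cfg)
    return check("ASA", asa, "PIX", pix) + check("PIX", pix, "ASA", asa)
```

`audit(ASA_BAD, PIX_OK)` lists the ASA's "any" crypto ACL, the missing nat0 coverage for it, the non-mirrored ACLs (reported from both sides), the group1/group2 PFS mismatch, and the fact that the PIX's peer 5.6.7.8 is not the ASA's interface address, so the ASA is behind NAT; `audit(ASA_FIXED, PIX_FIXED)` comes back empty. Fed the updated configs posted later in this thread it would also flag that the PIX's crypto map 20 has no `match address` and that `inside_outbound_nat0_acl` is defined but no longer applied with `nat (inside) 0`.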
 
Brent,

I made the changes requested, a couple of quick questions:

1) On the ASA, trying to change the "crypto map outside_map 1 set pfs group1" command to group2 by using the no command and then re-entering it with group2 won't display the group any more; it just ends at "pfs". How do I add that?

2) The PIX now shows "! Incomplete" for the crypto map transform-set command; I'm not sure what I did wrong.

3) Should I be rebooting the ASA / PIX after these changes? Using the debug crypto commands I still get the same errors about "peer table failed, no match".

Updated ASA config :

ASA Version 8.2(1)
!
hostname ASA5510
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.2.3.114 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.31.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 10.0.10.1 255.255.254.0
!
interface Ethernet0/3
shutdown
no nameif
security-level 0
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name charter.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended permit tcp any host 1.2.3.117 eq https
access-list inbound extended permit tcp any host 1.2.3.117 eq www
access-list inbound extended permit tcp any host 1.2.3.117 eq telnet
access-list inbound extended permit tcp any host 1.2.3.119 eq 3389
access-list inbound extended permit tcp any host 1.2.3.115 eq 3389
access-list inbound extended permit tcp any host 1.2.3.118 eq pptp
access-list inbound extended permit gre any host 1.2.3.118
access-list inbound extended permit tcp any host 1.2.3.116 eq www
access-list inbound extended permit tcp any host 1.2.3.116 eq https
access-list inbound extended permit udp any host 1.2.3.116 eq domain
access-list inside2_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 172.31.1.0 255.255.255.0
access-list inside2_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.1.0 255.255.255.0 10.0.10.0 255.255.254.0
access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.254.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.0
access-list inside2_access_in extended permit ip any any
access-list outside2_access_in extended permit tcp any host 1.2.3.115 eq 3389
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging host inside2 10.0.11.200
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any inside2
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list inside2_nat0_outbound
nat (inside2) 1 0.0.0.0 0.0.0.0
static (inside2,outside) 1.2.3.119 10.0.11.210 netmask 255.255.255.255
static (inside2,outside) 1.2.3.117 10.0.11.211 netmask 255.255.255.255
static (inside2,outside) 1.2.3.115 10.0.11.200 netmask 255.255.255.255
static (inside2,outside) 1.2.3.118 10.0.11.180 netmask 255.255.255.255
static (inside2,outside) 1.2.3.116 10.0.11.160 netmask 255.255.255.255
access-group inbound in interface outside
access-group inside2_access_in in interface inside2
route outside 0.0.0.0 0.0.0.0 1.2.3.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 inside2
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 4.5.6.7
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside2
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside2
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
pre-shared-key *


Updated PIX Config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.255.0 10.0.10.0 255.255.254.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.255.0 10.0.10.0 255.255.254.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 4.5.6.7 255.255.255.248
ip address inside 172.16.0.219 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.10.0 255.255.254.0 outside
pdm location 172.16.0.11 255.255.255.255 inside
pdm location 10.0.10.0 255.255.255.254 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 172.16.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 12.70.171.114
crypto map outside_map 20 set transform-set ESP-3DES-SHA
! Incomplete
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.2.3.114 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80

as before, thanks in advance...
 