Request urgent help --> ASA to PIX VPN setup

Status
Not open for further replies.

prince78 (Technical User), Dec 8, 2006
Hi

I am working on VPNs for the first time and I have the setup and config below. Can someone please check these configs and advise if any changes are required?

Local network                                                Remote network
switch - ASA - 1700 router - internet (T1) - ISP router - PIX - switch

A T1 is configured on the router.
I have only 1 public IP, and all outside access to internal servers on different ports should use that same IP address. The local and remote switches and servers have their gateway configured to the firewall's inside interface.

My configs are below (original IPs are not included).

ASA config
------------
ASA Version 7.0(2)
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 210.55.6.49 255.255.255.252
interface Ethernet0/1
nameif inside
security-level 100
ip address 20.0.14.5 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
ftp mode passive
same-security-traffic permit intra-interface
access-list nonat extended permit ip 20.0.14.0 255.255.255.0 20.0.24.0 255.255.255.0
access-list cryptomap extended permit ip 20.0.14.0 255.255.255.0 20.0.24.0 255.255.255.0
access-list outside-to-inside extended permit tcp any host 65.154.19.149 eq www
access-list outside-to-inside extended permit tcp any host 65.154.19.149 eq 81
access-list outside-to-inside extended permit tcp any host 65.154.19.149 eq 82
access-list outside-to-inside extended permit tcp any host 65.154.19.149 eq ftp
access-list outside-to-inside extended permit tcp any host 65.154.19.149 eq 3389
access-list outside-to-inside extended permit tcp any host 65.154.19.149 eq https
access-list outside-to-inside extended permit tcp any host 65.154.19.149 eq smtp
access-list outside-to-inside extended permit tcp any host 65.154.19.149 eq 8080
access-list outside-to-inside extended permit tcp any host 65.154.19.149 eq 8008
access-list outside-to-inside extended permit tcp any host 65.154.19.149 eq 4433
access-list outside-to-inside remark Permit outside access to inside networks
pager lines 10
logging enable
logging list syslogs level notifications
logging monitor notifications
logging buffered notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 20.0.14.0 255.255.255.0
// outside access to internal servers on different ports using only 1 public address //
static (inside,outside) tcp 65.154.19.149 255.255.255.255
static (inside,outside) tcp 65.154.19.149 81 20.0.14.30 81 netmask 255.255.255.255
static (inside,outside) tcp 65.154.19.149 82 20.0.14.30 82 netmask 255.255.255.255
static (inside,outside) tcp 65.154.19.149 ftp 20.0.14.31 ftp netmask 255.255.255.255
static (inside,outside) tcp 65.154.19.149 3389 20.0.14.32 3389 netmask 255.255.255.255
static (inside,outside) tcp 65.154.19.149 https 20.0.14.33 https netmask 255.255.255.255
static (inside,outside) tcp 65.154.19.149 smtp 20.0.14.34 smtp netmask 255.255.255.255
static (inside,outside) tcp 65.154.19.149 8080 20.0.14.35 8080 netmask 255.255.255.255
static (inside,outside) tcp 65.154.19.149 8008 20.0.14.33 8008 netmask 255.255.255.255
static (inside,outside) tcp 65.154.19.149 4433 20.0.14.30 4433 netmask 255.255.255.255
access-group outside-to-inside in interface outside
route outside 0.0.0.0 0.0.0.0 65.154.19.149 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 20.0.14.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map map1 18 match address cryptomap
crypto map map1 18 set peer 20.174.55.14
crypto map map1 18 set transform-set myset
crypto map map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 18 authentication pre-share
isakmp policy 18 encryption 3des
isakmp policy 18 hash sha
isakmp policy 18 group 2
isakmp policy 18 lifetime 86400
telnet 20.0.14.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 20.174.55.14 type ipsec-l2l
tunnel-group 20.174.55.14 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
: end
--------------------------------------------
1700 router config
--------------------

version 12.2
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
logging buffered 36000 notifications
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
interface FastEthernet0/0
ip address 65.154.19.149 255.255.255.252
speed auto
full-duplex
interface Serial0/0
ip unnumbered FastEthernet0/0
encapsulation ppp
no fair-queue
ip classless
ip route 0.0.0.0 0.0.0.0 65.154.19.150
ip route 20.0.14.0 255.255.255.0 210.55.6.49
ip route 210.55.6.49 255.255.255.255 FastEthernet0/0
no ip http server
line con 0
password
login
line aux 0
line vty 0 4
password
login
end
-----------------------------------------------------------
remote PIX config
------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 20.0.24.0 255.255.255.0 20.0.14.0 255.255.255.0
access-list cryptomap permit ip 20.0.24.0 255.255.255.0 20.0.14.0 255.255.255.0
pager lines 50
mtu outside 1500
mtu inside 1500
ip address outside 20.174.55.14 255.255.255.252
ip address inside 20.0.24.10 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 20.0.24.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 20.174.55.13 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map map1 18 ipsec-isakmp
crypto map map1 18 match address cryptomap
crypto map map1 18 set peer 210.55.6.49
crypto map map1 18 set transform-set myset
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 210.55.6.49 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 18 authentication pre-share
isakmp policy 18 encryption 3des
isakmp policy 18 hash sha
isakmp policy 18 group 2
isakmp policy 18 lifetime 86400
telnet 20.0.24.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
--------------------------------------------------------
And as I configured the serial interface on the router as unnumbered, does the ISP have to make any changes at their end?

Thanks very much
 
As I found that the hardware does not support ip unnumbered, I have changed the configs as below.

ASA
route outside 0.0.0.0 0.0.0.0 210.55.6.50

icmp permit any echo inside
icmp permit any echo outside
icmp permit any echo-reply inside
icmp permit any echo-reply outside
icmp permit any time-exceeded inside
icmp permit any time-exceeded outside

policy-map global_policy
class inspection_default
inspect icmp

1700 router
interface FastEthernet0/0
ip address 210.55.6.50 255.255.255.252
speed auto
full-duplex

interface Serial0/0
ip address 65.154.19.149 255.255.255.252
encapsulation ppp
no fair-queue
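The two ends of a LAN-to-LAN tunnel have to agree on several things that are easy to get subtly wrong, and the first post and the follow-up above touch most of them: the crypto ACLs must be mirror images, the nat 0 list must exempt all of the interesting traffic so PAT does not rewrite it before the crypto map sees it, each side's set peer must be the other side's outside address, the default route's next hop must actually sit on the outside subnet (the first ASA config pointed it at the router's serial address, which the follow-up corrected to 210.55.6.50), and the ISAKMP policy and IPsec transform set must match. The checker below is an added example, not code from the original post or from Cisco: it parses just those commands in both ASA 7.x and PIX 6.3 syntax and reports each mismatch. The two config snippets are constructed from the configs posted in the thread (with the access-list typo corrected and the poster's sanitised public addresses), and the names parse and check_pair are my own.

```python
# Added example (not from the original post): consistency checker for a pair of
# Cisco ASA/PIX site-to-site IPsec configs. Snippets are constructed from the thread.
import ipaddress
import re

ASA = """\
nameif outside
ip address 210.55.6.49 255.255.255.252
access-list nonat extended permit ip 20.0.14.0 255.255.255.0 20.0.24.0 255.255.255.0
access-list cryptomap extended permit ip 20.0.14.0 255.255.255.0 20.0.24.0 255.255.255.0
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 65.154.19.149 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map map1 18 match address cryptomap
crypto map map1 18 set peer 20.174.55.14
crypto map map1 18 set transform-set myset
isakmp policy 18 authentication pre-share
isakmp policy 18 encryption 3des
isakmp policy 18 hash sha
isakmp policy 18 group 2
"""
PIX = """\
access-list nonat permit ip 20.0.24.0 255.255.255.0 20.0.14.0 255.255.255.0
access-list cryptomap permit ip 20.0.24.0 255.255.255.0 20.0.14.0 255.255.255.0
ip address outside 20.174.55.14 255.255.255.252
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 20.174.55.13 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map map1 18 match address cryptomap
crypto map map1 18 set peer 210.55.6.49
crypto map map1 18 set transform-set myset
isakmp policy 18 authentication pre-share
isakmp policy 18 encryption 3des
isakmp policy 18 hash sha
isakmp policy 18 group 2
"""

def parse(text):  # pulls out only the VPN-relevant commands; ASA 7.x and PIX 6.3 syntax
    cfg = {"ifaces": {}, "acls": {}, "routes": [], "peers": set(), "tsets": {},
           "policy": {}, "map_acl": set(), "map_tset": set(), "nonat": set()}
    cur_if = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"nameif (\S+)$", line):
            cur_if = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)(?: (\S+))?$", line):
            name, ip, mask = m.groups()
            if mask is None:  # ASA form: interface name comes from the preceding nameif
                name, ip, mask = cur_if, name, ip
            cfg["ifaces"][name] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            n, s, sm, d, dm = m.groups()
            cfg["acls"].setdefault(n, []).append((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            cfg["nonat"].add(m.group(1))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((m.group(1), ipaddress.ip_address(m.group(4))))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["tsets"][m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            cfg["map_acl"].add(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", line):
            cfg["peers"].add(ipaddress.ip_address(m.group(1)))
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)$", line):
            cfg["map_tset"].add(m.group(1))
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            cfg["policy"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg

def entries(cfg, names):
    return {e for n in names for e in cfg["acls"].get(n, [])}

def check_pair(local_text, remote_text):  # returns findings; empty list means the two ends agree
    a, b = parse(local_text), parse(remote_text)
    findings = []
    for side, cfg, other in (("local", a, b), ("remote", b, a)):
        mine = entries(cfg, cfg["map_acl"])
        # 1. crypto ACL must be the exact mirror of the peer's, or the phase 2 proxy IDs will not match
        if mine != {(d, s) for (s, d) in entries(other, other["map_acl"])}:
            findings.append(f"{side}: crypto ACL is not the mirror of the peer's crypto ACL")
        # 2. nat 0 must exempt every crypto ACL flow; otherwise PAT rewrites the source first
        if not mine <= entries(cfg, cfg["nonat"]):
            findings.append(f"{side}: nat 0 ACL does not exempt all crypto ACL traffic")
        peer_ip = other["ifaces"]["outside"].ip
        if cfg["peers"] != {peer_ip}:
            findings.append(f"{side}: set peer {sorted(map(str, cfg['peers']))} but peer outside is {peer_ip}")
        # 4. a route's next hop must be on the subnet of the interface it points out of
        for ifname, nh in cfg["routes"]:
            if nh not in cfg["ifaces"][ifname].network:
                findings.append(f"{side}: next hop {nh} is not on the {ifname} subnet {cfg['ifaces'][ifname].network}")
    keys = ("authentication", "encryption", "hash", "group")  # 5. phase 1 / phase 2 proposals must overlap
    pa, pb = ({tuple(p.get(k) for k in keys) for p in c["policy"].values()} for c in (a, b))
    if not pa & pb:
        findings.append(f"no common isakmp policy: {pa} vs {pb}")
    if not {a["tsets"][n] for n in a["map_tset"]} & {b["tsets"][n] for n in b["map_tset"]}:
        findings.append("no common IPsec transform set between the crypto maps")
    return findings
```

Run against the snippets as posted, check_pair(ASA, PIX) reports only the ASA default route, whose next hop 65.154.19.149 is not on the 210.55.6.48/30 outside segment; substituting the follow-up's 210.55.6.50 clears it. The checker is deliberately strict about the mirror rule: an overlapping-but-wider ACL on one side is reported too, since the peer will reject the proxy IDs during quick mode.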
 