SETUP A SITE TO SITE VPN BETWEEN AN ASA AND A PIX FIREWALL

drbk563

IS-IT--Management
Nov 21, 2006
194
US
I am trying to set up a site-to-site VPN between an ASA and a PIX firewall. I need help with the entire config. Also, I am a little confused about what IP address I should be using on the PIX side for the peer address. Should it be the G0/0 IP address on the W_Net_1 router, or should it be the IP address of the ASA outside interface? You can take a look at the network diagram at
 
OK, I configured both sides with the site-to-site VPN configuration, but the tunnel is not coming up. What am I doing wrong? Below is the config for the ASA and the PIX.

Thank you

ASA Config

ASA Version 7.2(2)
!
hostname ASA1
domain-name xxxxxx
enable password xxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 66.x.x.8 255.255.248.0 standby 66.x.x.9
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.178.183.71 255.255.255.224 standby 10.178.183.72
!
interface GigabitEthernet0/2
speed 1000
duplex full
nameif dmz1
security-level 70
ip address 192.168.200.1 255.255.255.240 standby 192.168.200.2
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
speed 1000
duplex full
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
passwd xxxxxxxx encrypted
banner motd *************************************************************************
banner motd * AUTHORIZED USE ONLY *
banner motd * Any use of this system is logged and monitored. Trespassers and *
banner motd * unauthorized users will be prosecuted to the fullest extent of *
banner motd * the law. If you are not supposed to be here: Leave Now! *
banner motd *************************************************************************
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxx.org
same-security-traffic permit intra-interface
object-group icmp-type icmp_traffic
description Allows traces and pings out to the internet
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
access-list inside_nat0_outbound extended permit ip any 192.168.7.0 255.255.255.0
access-list RemoteUsers_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.7.0 255.255.255.0
access-list acl_out extended permit tcp any host 66.17.160.75 eq https
access-list acl_out extended permit gre any host 66.17.160.75
access-list acl_out extended permit udp any eq isakmp host 66.17.160.75 eq isakmp
access-list acl_out extended permit tcp any eq 1023 host 66.17.160.75 eq pptp
access-list acl_out extended permit esp any host 66.17.160.75
access-list acl_out extended permit udp any eq 10000 host 66.17.160.75 eq 10000
access-list acl_out extended permit tcp any eq 10000 host 66.17.160.75 eq 10000
access-list acl_out extended permit udp any eq 4500 host 66.17.160.75 eq 4500
access-list acl_out extended permit tcp object-group xxxxxxxxx host 66.17.160.10 object-group xxxxxxxx
access-list acl_out extended permit udp object-group xxxxxxxxx host 66.17.160.10 object-group xxxxxxxx
access-list acl_out extended permit object-group xxxxxx object-group xxxxxxxxxxxxx host 66.17.160.10
access-list acl_out extended permit udp object-group xxxxxxxxx host 66.17.160.10 eq ntp
access-list acl_out extended permit tcp object-group xxxxxxx host 66.17.160.10 gt 1024
access-list acl_out extended permit icmp host 159.132.1.10 host 143.104.179.205
access-list acl_out extended permit tcp any host 66.x.x.1 eq smtp
access-list acl_out extended permit tcp any host 66.x.x.215 eq https
access-list acl_out extended permit tcp any host 66.x.x.3 eq https
access-list acl_out extended permit tcp any host 66.x.x.4 eq https
access-list acl_out extended permit tcp any host 66.x.x.20 eq smtp
access-list acl_out extended permit tcp any host 66.x.x.30 eq https
access-list acl_out extended permit tcp any host 66.x.x.30 eq www
access-list acl_out extended permit tcp any host 64.x.x.45 eq ftp
access-list acl_out extended permit tcp any host 66.x.x.32 eq domain
access-list acl_out extended permit udp any host 66.x.x.32 eq domain
access-list acl_out extended permit udp any host 66.x.x.32 eq 6421
access-list acl_out extended permit icmp any any object-group icmp_traffic
access-list acl_out extended permit tcp object-group xxxxxx host 66.17.160.10 eq www
access-list acl_out extended permit udp host 216.x.x.85 host 66.x.x.8 eq isakmp
access-list acl_out extended permit esp host 216.x.x.85 host 66.x.x.8
access-list acl_out extended permit udp host 216.x.x.85 host 66.x.x.8 eq 4500
access-list acl_out extended permit tcp host 216.x.x.85 host 66.x.x.8 eq 10000
access-list acl_out extended permit ip 10.1.1.0 255.255.255.0 143.104.181.0 255.255.255.0
access-list Shn extended permit ip 192.168.128.0 255.255.224.0 any
access-list Wyf extended permit ip 143.104.176.0 255.255.248.0 any
access-list M extended permit ip 192.168.160.0 255.255.224.0 any
access-list acl_in extended permit icmp any any
access-list acl_in extended permit ip 10.178.188.200 255.255.255.248 any
access-list acl_in extended permit tcp host 10.178.178.38 any eq www
access-list acl_in extended permit tcp host 10.178.183.74 host 208.192.164.10 eq www
access-list acl_in extended deny tcp any host 66.51.109.225 eq www
access-list acl_in extended deny tcp 10.178.0.0 255.255.0.0 any eq www
access-list acl_in extended deny tcp 10.178.0.0 255.255.0.0 any eq https
access-list acl_in extended permit ip any any
access-list acl_in extended permit tcp any eq telnet any
access-list acl_in extended permit ip host 10.178.183.74 any
access-list acl_dmz1 extended permit ip host 192.168.200.18 host 192.168.200.8
access-list acl_dmz1 extended permit ip 192.168.200.16 255.255.255.240 any
access-list TEST_VPN extended permit ip 143.104.181.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm debugging
logging device-id context-name
logging host inside 10.178.176.118
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface LanFailover GigabitEthernet0/3
failover link LanFailover GigabitEthernet0/3
failover interface ip LanFailover 10.178.183.61 255.255.255.252 standby 10.178.183.62
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 10 66.17.160.101-66.17.160.199
global (outside) 3 66.17.163.1-66.17.163.254
global (outside) 2 66.17.162.1-66.17.162.254
global (outside) 4 66.17.160.201-66.17.160.213
global (outside) 1 66.17.161.1-66.17.161.254
global (outside) 10 66.17.160.200
global (outside) 3 66.17.163.255
global (outside) 1 66.17.161.255
global (outside) 4 66.17.160.214
global (outside) 5 interface
global (dmz1) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 3 access-list Shn
nat (inside) 2 access-list M
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 66.x.x.75 10.178.183.75 netmask 255.255.255.255
static (inside,outside) 66.x.x.10 10.178.183.74 netmask 255.255.255.255
static (inside,outside) 66.x.x.1 10.178.185.225 netmask 255.255.255.255
static (inside,outside) 66.x.x.2 143.104.183.239 netmask 255.255.255.255
static (inside,outside) 66.x.x.6 143.104.181.87 netmask 255.255.255.255
static (inside,outside) 66.x.x.7 143.104.177.46 netmask 255.255.255.255
static (inside,outside) 66.x.x.8 143.104.177.160 netmask 255.255.255.255
static (inside,outside) 66.x.x.9 143.104.177.147 netmask 255.255.255.255
static (inside,outside) 66.x.x.10 143.104.177.170 netmask 255.255.255.255
static (inside,outside) 66.x.x.11 143.104.177.163 netmask 255.255.255.255
static (inside,outside) 66.x.x.12 143.104.181.48 netmask 255.255.255.255
static (inside,outside) 66.x.x.13 143.104.181.16 netmask 255.255.255.255
static (inside,outside) 66.x.x.15 143.104.177.84 netmask 255.255.255.255
static (inside,outside) 66.x.x.16 143.104.177.109 netmask 255.255.255.255
static (inside,outside) 66.x.x.17 143.104.183.210 netmask 255.255.255.255
static (inside,outside) 66.17.164.18 143.104.177.164 netmask 255.255.255.255
static (dmz1,outside) 66.x.x.3 192.168.200.18 netmask 255.255.255.255
static (inside,dmz1) 192.168.200.8 143.104.183.200 netmask 255.255.255.255
static (inside,outside) 66.x.x.4 143.104.183.176 netmask 255.255.255.255
static (inside,outside) 66.x.x.19 143.104.181.161 netmask 255.255.255.255
static (inside,outside) 66.x.x.14 143.104.181.147 netmask 255.255.255.255
static (inside,outside) 66.x.x.30 143.104.179.7 netmask 255.255.255.255
static (inside,outside) 66.x.x.20 143.104.183.219 netmask 255.255.255.255
static (inside,outside) 66.x.x.21 143.104.183.228 netmask 255.255.255.255
static (inside,outside) 66.x.x.22 143.104.183.214 netmask 255.255.255.255
static (inside,outside) 66.x.x.23 143.104.183.174 netmask 255.255.255.255
static (inside,outside) 66.x.x.27 143.104.183.203 netmask 255.255.255.255
static (inside,outside) 66.x.x.28 143.104.177.91 netmask 255.255.255.255
static (inside,outside) 64.x.x.45 143.104.181.150 netmask 255.255.255.255
static (inside,outside) 66.x.x.25 143.104.177.73 netmask 255.255.255.255
static (inside,outside) 66.x.x.26 143.104.177.190 netmask 255.255.255.255
static (inside,outside) 66.x.x.32 143.104.183.238 netmask 255.255.255.255
access-group acl_out in interface outside
access-group acl_in in interface inside
access-group acl_dmz1 in interface dmz1
route outside 0.0.0.0 0.0.0.0 66.x.x.1 1
route inside 172.22.16.0 255.255.248.0 10.178.183.70 1
route inside 172.22.24.0 255.255.248.0 10.178.183.70 1
route inside 10.0.0.0 255.0.0.0 10.178.183.70 1
route inside 192.168.128.0 255.255.224.0 10.178.183.70 1
route inside 192.168.160.0 255.255.224.0 10.178.183.70 1
route inside 143.104.176.0 255.255.248.0 10.178.183.70 1
route dmz1 192.168.200.0 255.255.255.0 192.168.200.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxxxxx password xxxxxxxxxx encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 143.104.181.160 255.255.255.255 inside
http 143.104.181.88 255.255.255.255 inside
http 143.104.181.196 255.255.255.255 inside
http 143.104.177.188 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
http 10.178.0.0 255.255.0.0 inside
snmp-server host inside 10.178.183.71 community m0nit0r
no snmp-server location
no snmp-server contact
snmp-server community m0nit0r
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP_3DES esp-3des esp-md5-hmac
crypto map TEST_VPN 563 match address TEST_VPN
crypto map TEST_VPN 563 set peer 216.x.x.85
crypto map TEST_VPN 563 set transform-set ESP_3DES
crypto map TEST_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 216.x.x.85 type ipsec-l2l
tunnel-group 216.x.x.85 ipsec-attributes
pre-shared-key *
telnet timeout 60
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d3909abe4109e88a8555e5b63588ecbb
: end
ASA1(config)#


PIX Config


sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname PIXFIREWALL
domain-name xxxxxxxxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network Denied_Hosts
network-object 59.124.0.0 255.252.0.0
network-object host 24.71.105.183
network-object host 163.27.116.133
network-object host 218.189.179.82
network-object host 84.60.164.161
network-object host 222.128.34.89
network-object host 202.64.47.108
network-object host 87.162.179.31
network-object host 70.255.106.164
object-group network Web_Server
network-object host 216.x.x.236
object-group protocol Protoc
protocol-object tcp
protocol-object udp
object-group service TCP_UDP_Services tcp-udp
port-object eq www
object-group icmp-type icmp_traffic
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
access-list allow_inbound deny ip object-group Denied_Hosts any
access-list allow_inbound permit tcp any host 216.x.x.236 eq telnet
access-list allow_inbound permit tcp any interface outside eq 49156
access-list allow_inbound permit udp any interface outside eq 49156
access-list allow_inbound permit tcp any host 216.x.x.236 eq 9563
access-list allow_inbound permit tcp any interface outside eq 23193
access-list allow_inbound permit udp any interface outside eq 60537
access-list allow_inbound permit object-group Protoc any object-group Web_Server object-group TCP_UDP_Services
access-list allow_inbound permit icmp any any object-group icmp_traffic
access-list allow_inbound permit udp host 66.x.x.8 host 216.x.x.85 eq isakmp
access-list allow_inbound permit esp host 66.x.x.8 host 216.x.x.85
access-list allow_inbound permit udp host 66.x.x.8 host 216.x.x.85 eq 4500
access-list allow_inbound permit tcp host 66.x.x.8 host 216.x.x.85 eq 10000
access-list allow_inbound permit ip 143.104.181.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list deny_outbound deny tcp any host 63.236.240.73 eq https
access-list deny_outbound deny tcp any host 209.202.9.7 eq https
access-list deny_outbound deny tcp any host 63.236.240.73 eq www
access-list deny_outbound deny tcp any host 66.28.235.59 eq www
access-list deny_outbound deny tcp any host 204.245.86.77 eq www
access-list deny_outbound deny tcp any host 69.18.151.78 eq www
access-list deny_outbound permit ip any any
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list TEST_VPN permit ip 10.1.1.0 255.255.255.0 143.104.181.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor debugging
logging buffered warnings
logging trap notifications
logging queue 0
logging device-id hostname
logging host inside 10.1.1.23
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 216.x.x.85 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool HomeVpnPool 192.168.1.1-192.168.1.254
ip local pool WindowsVpnPool 10.1.1.11-10.1.1.13
pdm location 24.71.105.183 255.255.255.255 outside
pdm location 59.124.0.0 255.252.0.0 outside
pdm location 63.236.240.73 255.255.255.255 outside
pdm location 66.28.235.59 255.255.255.255 outside
pdm location 69.18.151.78 255.255.255.255 outside
pdm location 70.255.106.164 255.255.255.255 outside
pdm location 84.60.164.161 255.255.255.255 outside
pdm location 87.162.179.31 255.255.255.255 outside
pdm location 163.27.116.133 255.255.255.255 outside
pdm location 202.64.47.108 255.255.255.255 outside
pdm location 204.245.86.77 255.255.255.255 outside
pdm location 209.202.9.7 255.255.255.255 outside
pdm location 218.189.179.82 255.255.255.255 outside
pdm location 222.128.34.89 255.255.255.255 outside
pdm location 10.1.1.23 255.255.255.255 inside
pdm location 191.200.14.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 216.x.x.236
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 49156 10.1.1.2 49156 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.x.x.236 255.255.255.255 0 0
static (inside,outside) tcp interface 23193 10.1.1.2 23193 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 60537 10.1.1.2 60537 netmask 255.255.255.255 0 0
static (inside,outside) tcp 216.x.x.236 telnet 10.1.1.251 telnet netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group deny_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.254.64.1 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 10.1.1.23 xxxxx timeout 10
aaa authentication ssh console AuthInbound LOCAL
aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP_3DES esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication AuthInbound LOCAL
crypto map TEST_VPN_MAP 563 ipsec-isakmp
crypto map TEST_VPN_MAP 563 match address TEST_VPN
crypto map TEST_VPN_MAP 563 set peer 66.x.x.8
crypto map TEST_VPN_MAP 563 set transform-set ESP_3DES
crypto map TEST_VPN_MAP interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 66.x.x.8 netmask 255.255.255.255
isakmp nat-traversal 20
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup xxxx address-pool HomeVpnPool
vpngroup xxxxx split-tunnel 101
vpngroup xxxxx idle-time 1800
vpngroup xxxxx password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
vpdn group xxxx accept dialin pptp
vpdn group xxxx ppp authentication pap
vpdn group xxxx ppp authentication chap
vpdn group xxxx ppp authentication mschap
vpdn group xxxx ppp encryption mppe auto
vpdn group xxxx client configuration address local WindowsVpnPool
vpdn group xxxx client authentication aaa AuthInbound
vpdn group xxxx pptp echo 60
vpdn enable outside
vpdn enable inside
dhcpd address 10.1.1.38-10.1.1.69 inside
dhcpd dns 216.x.x.2 216.x.x.2
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain xxxx.com
dhcpd enable inside
username xxxx password xxxxxxxxx encrypted privilege 15
terminal width 511
banner login
banner login If you do not belong here get out now. All activity is monitored.
Cryptochecksum:9aa1b1ca23acafca0be4270966d4ab49
: end

PIXFIREWALL(config)#
 
Your VPN ACLs are off.

PIX should be:
access-list TEST_VPN permit ip 10.1.1.0 255.255.255.0 10.178.183.71 255.255.255.224

ASA should be:
access-list TEST_VPN extended permit ip 10.178.183.71 255.255.255.224 10.1.1.0 255.255.255.0

There should also be NAT exemption ACLs that mirror the VPN ACLs.

I can't really make heads or tails of your ASA config. Does anything on the ASA work? Is the router doing NAT? Confused.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Yes, a lot of things are working on the ASA. The router is not doing NAT; the ASA is doing NAT. It might look confusing because I removed a few things that I could not post. I got the VPN tunnel up; however, I still have an issue. If a host located on the PIX side (10.1.1.0) tries to telnet into a device on the ASA side (143.104.181.0), I am able to telnet. However, if I try to telnet into a device from the ASA side (143.104.181.0) to the PIX side (10.1.1.0), I am not able to. I checked the logs in the ASA and I saw this:

Jun 23 2007 10:40:08 ASA1 : %ASA-7-609001: Built local-host inside:10.1.1.4

Jun 23 2007 10:40:08 ASA1 : %ASA-3-305005: No translation group found for tcp src inside:143.104.181.160/22504 dst inside:10.1.1.4/23

What should I change in my config? Also, I am not able to ping either way through the tunnel.

Thank You
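
An offline check of the points raised in this thread, added here as an example and not code from any poster: it reads the crypto ACL, `nat 0` ACL and `route` lines copied from the two posted configs and reports whether the crypto ACLs mirror each other, whether a NAT exemption covers them, and which interface the remote network is routed out of. The function names are this example's own, and `outside` is hardcoded as the crypto-map interface because both posted configs apply the map there.

```python
import ipaddress
import re

# Lines copied from the two configs posted above (only those the checks read).
ASA = """\
access-list inside_nat0_outbound extended permit ip any 192.168.7.0 255.255.255.0
access-list TEST_VPN extended permit ip 143.104.181.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 66.x.x.1 1
route inside 10.0.0.0 255.0.0.0 10.178.183.70 1
crypto map TEST_VPN 563 match address TEST_VPN
"""
PIX = """\
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list TEST_VPN permit ip 10.1.1.0 255.255.255.0 143.104.181.0 255.255.255.0
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 216.254.64.1 1
crypto map TEST_VPN_MAP 563 match address TEST_VPN
"""


def _take(tok):
    """Consume one address spec ('any', 'host A' or 'A MASK') from a token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}", strict=False)


def acl_pairs(cfg, name):
    """(source, destination) networks of every 'permit ip' entry in ACL `name`."""
    pairs = []
    for line in cfg.splitlines():
        m = re.match(rf"access-list {re.escape(name)} (?:extended )?permit ip (.+)", line)
        if m:
            tok = m.group(1).split()
            pairs.append((_take(tok), _take(tok)))
    return pairs


def audit(local, remote):
    """Findings for the `local` firewall, judged against the `remote` peer config."""
    found = []
    crypto = acl_pairs(local, re.search(r"match address (\S+)", local).group(1))
    peer = acl_pairs(remote, re.search(r"match address (\S+)", remote).group(1))
    nat0 = acl_pairs(local, re.search(r"nat \(inside\) 0 access-list (\S+)", local).group(1))
    routes = [(i, ipaddress.ip_network(f"{n}/{m}"))
              for i, n, m in re.findall(r"^route (\S+) (\S+) (\S+)", local, re.M)]
    for src, dst in crypto:
        if (dst, src) not in peer:
            found.append(f"crypto ACL {src} -> {dst} has no mirror on the peer")
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat0):
            found.append(f"no NAT exemption for {src} -> {dst}")
        # Longest-prefix match: which interface does traffic to `dst` leave by?
        iface = max((r for r in routes if dst.subnet_of(r[1])),
                    key=lambda r: r[1].prefixlen)[0]
        if iface != "outside":  # crypto map is applied to 'outside' in both configs
            found.append(f"{dst} is routed via '{iface}', not the crypto-map interface")
    return found


if __name__ == "__main__":
    for label, a, b in (("ASA", ASA, PIX), ("PIX", PIX, ASA)):
        for finding in audit(a, b):
            print(f"{label}: {finding}")
```

For the lines as posted, it reports a missing NAT exemption on both firewalls and, on the ASA, that 10.1.1.0/24 follows `route inside 10.0.0.0 255.0.0.0`, which agrees with the `dst inside:10.1.1.4` in the 305005 log entry.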
 
Repost the configs with the changes.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I already got the tunnel up and running.


Thank you
 
What did you change to fix it?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 