[c-nsp] Cannot initiate tunnel (ASA to PIX )

JR Colmenares sforcejr at yahoo.com
Tue Oct 21 23:06:54 EDT 2008


On a L2L tunnel "CompanyA" can initiate the tunnel but "CompanyB" cannot.

 Company A's ASA 5505 config

ASA Version 7.2(4) 

!

hostname CompanyA

domain-name default.domain.invalid

names

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.103.254 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 83.192.239.71 255.255.255.192 

dns server-group DefaultDNS

 domain-name default.domain.invalid

access-list nonat1 extended permit ip 192.168.103.0 255.255.255.0 10.0.0.0 255.0.0.0 

access-list CompanyB_cryptomap extended permit ip 192.168.103.0 255.255.255.0 10.0.0.0 255.0.0.0 

global (outside) 1 interface

nat (inside) 0 access-list nonat1

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL 

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto dynamic-map Outside_dyn_map 20 set pfs 

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA

crypto map Outside_map 2 match address CompanyB_cryptomap

crypto map Outside_map 2 set peer 209.5.217.130 

crypto map Outside_map 2 set transform-set ESP-AES-256-SHA

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface outside

crypto isakmp identity address 

crypto isakmp enable outside

crypto isakmp policy 1

 authentication pre-share

 encryption aes-256

 hash sha

 group 1

 lifetime 86400

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 1

 lifetime 86400

crypto isakmp policy 15

 authentication pre-share

 encryption 3des

 hash md5

 group 2

 lifetime 86400

crypto isakmp policy 30

 authentication pre-share

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

tunnel-group 209.5.217.130 type ipsec-l2l

tunnel-group 209.5.217.130 ipsec-attributes

 pre-shared-key *

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map 

  inspect ftp 

  inspect h323 h225 

  inspect h323 ras 

  inspect rsh 

  inspect rtsp 

  inspect esmtp 

  inspect sqlnet 

  inspect skinny 

  inspect sunrpc 

  inspect xdmcp 

  inspect sip 

  inspect netbios 

  inspect tftp 


Company B's Pix 506e config

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Str/GbGlphzdplIj encrypted
passwd Str/GbGlphzdplIj encrypted
hostname CompanyB
domain-name domain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.253 server
access-list 90 permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0 
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0  
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0 
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.102.0 255.255.255.0 
access-list outside_access_in permit tcp any host 209.5.217.131 eq 3389 
access-list outside_access_in permit tcp any host 209.5.217.131 eq www 
access-list outside_access_in permit tcp any host 209.5.217.131 eq https 
access-list outside_access_in permit tcp any host 209.5.217.131 eq pop3 
access-list outside_access_in permit tcp any host 209.5.217.131 eq smtp 
access-list Store10 permit ip 10.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0 
access-list CompanyA permit ip 10.0.0.0 255.0.0.0 192.168.102.0 255.255.255.0 
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 209.5.217.130 255.255.255.240
ip address inside 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name ids-attack attack action alarm drop reset
ip audit name ids-info info action alarm
ip audit interface outside ids-info
ip audit interface outside ids-attack
ip audit interface inside ids-info
ip audit interface inside ids-attack
ip audit info action alarm
ip audit attack action alarm
ip local pool roamer 192.168.10.1-192.168.10.15
ip local pool vpn-users 10.10.10.175-10.10.10.199
pdm location 10.10.10.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.5.217.129 1
timeout xlate 0:05:00
timeout conn 0:10:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:04:59 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server TACACS+ max-failed-attempts 3 
aaa-server TACACS+ deadtime 10 
aaa-server RADIUS protocol radius 
aaa-server RADIUS max-failed-attempts 3 
aaa-server RADIUS deadtime 10 
aaa-server LOCAL protocol local 
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac 
crypto ipsec transform-set AES256 esp-aes-256 esp-sha-hmac 
crypto dynamic-map dynmap 90 set transform-set strong
crypto map toRemote 20 ipsec-isakmp
crypto map toRemote 20 match address 90
crypto map toRemote 20 set peer 66.49.43.226
crypto map toRemote 20 set transform-set strong
crypto map toRemote 38 ipsec-isakmp
crypto map toRemote 38 match address Store10
crypto map toRemote 38 set peer 70.251.40.126
crypto map toRemote 38 set transform-set strong
crypto map toRemote 39 ipsec-isakmp
crypto map toRemote 39 match address CompanyA 
crypto map toRemote 39 set peer 83.192.239.71
crypto map toRemote 39 set transform-set AES256
crypto map toRemote 90 ipsec-isakmp dynamic dynmap
crypto map toRemote interface outside
isakmp enable outside
isakmp key ******** address 66.49.43.226 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp key ******** address 70.251.40.126 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp key ******** address 83.192.239.71 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp identity address
isakmp keepalive 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption aes-256
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup vpn address-pool roamer
vpngroup vpn dns-server server
vpngroup vpn wins-server server
vpngroup vpn default-domain domain.local
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 10.10.10.210-10.10.10.240 inside
dhcpd dns 10.10.10.254 
dhcpd wins 10.10.10.254 
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain.com
terminal width 80
Cryptochecksum:a849ed5f7bbd90a019547ba385a3c924
: end
[OK]


I appreciate anybody that can point me to a misconfiguration on either side.

THanks

jrc





      


More information about the cisco-nsp mailing list