[c-nsp] Cannot initiate tunnel (ASA to PIX )
JR Colmenares
sforcejr at yahoo.com
Tue Oct 21 23:06:54 EDT 2008
On a L2L tunnel "CompanyA" can initiate the tunnel but "CompanyB" cannot.
Company A's ASA 5505 config
ASA Version 7.2(4)
!
hostname CompanyA
domain-name default.domain.invalid
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.103.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.192.239.71 255.255.255.192
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list nonat1 extended permit ip 192.168.103.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list CompanyB_cryptomap extended permit ip 192.168.103.0 255.255.255.0 10.0.0.0 255.0.0.0
global (outside) 1 interface
nat (inside) 0 access-list nonat1
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto map Outside_map 2 match address CompanyB_cryptomap
crypto map Outside_map 2 set peer 209.5.217.130
crypto map Outside_map 2 set transform-set ESP-AES-256-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group 209.5.217.130 type ipsec-l2l
tunnel-group 209.5.217.130 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
Company B's Pix 506e config
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Str/GbGlphzdplIj encrypted
passwd Str/GbGlphzdplIj encrypted
hostname CompanyB
domain-name domain.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.253 server
access-list 90 permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.102.0 255.255.255.0
access-list outside_access_in permit tcp any host 209.5.217.131 eq 3389
access-list outside_access_in permit tcp any host 209.5.217.131 eq www
access-list outside_access_in permit tcp any host 209.5.217.131 eq https
access-list outside_access_in permit tcp any host 209.5.217.131 eq pop3
access-list outside_access_in permit tcp any host 209.5.217.131 eq smtp
access-list Store10 permit ip 10.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0
access-list CompanyA permit ip 10.0.0.0 255.0.0.0 192.168.102.0 255.255.255.0
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 209.5.217.130 255.255.255.240
ip address inside 10.10.10.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name ids-attack attack action alarm drop reset
ip audit name ids-info info action alarm
ip audit interface outside ids-info
ip audit interface outside ids-attack
ip audit interface inside ids-info
ip audit interface inside ids-attack
ip audit info action alarm
ip audit attack action alarm
ip local pool roamer 192.168.10.1-192.168.10.15
ip local pool vpn-users 10.10.10.175-10.10.10.199
pdm location 10.10.10.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.5.217.129 1
timeout xlate 0:05:00
timeout conn 0:10:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:04:59 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set AES256 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 90 set transform-set strong
crypto map toRemote 20 ipsec-isakmp
crypto map toRemote 20 match address 90
crypto map toRemote 20 set peer 66.49.43.226
crypto map toRemote 20 set transform-set strong
crypto map toRemote 38 ipsec-isakmp
crypto map toRemote 38 match address Store10
crypto map toRemote 38 set peer 70.251.40.126
crypto map toRemote 38 set transform-set strong
crypto map toRemote 39 ipsec-isakmp
crypto map toRemote 39 match address CompanyA
crypto map toRemote 39 set peer 83.192.239.71
crypto map toRemote 39 set transform-set AES256
crypto map toRemote 90 ipsec-isakmp dynamic dynmap
crypto map toRemote interface outside
isakmp enable outside
isakmp key ******** address 66.49.43.226 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 70.251.40.126 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 83.192.239.71 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 20
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption aes-256
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
vpngroup vpn address-pool roamer
vpngroup vpn dns-server server
vpngroup vpn wins-server server
vpngroup vpn default-domain domain.local
vpngroup vpn idle-time 1800
vpngroup vpn password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 10.10.10.210-10.10.10.240 inside
dhcpd dns 10.10.10.254
dhcpd wins 10.10.10.254
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain domain.com
terminal width 80
Cryptochecksum:a849ed5f7bbd90a019547ba385a3c924
: end
[OK]
I appreciate anybody that can point me to a misconfiguration on either side.
THanks
jrc
More information about the cisco-nsp
mailing list