[c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel

Michael K. Smith - Adhost mksmith at adhost.com
Thu Sep 3 15:20:41 EDT 2009


Hi Scott:

They will set to the lowest, but it's always a good idea for everything
to match.

Mike

--
Michael K. Smith - CISSP, GISP
Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)


> -----Original Message-----
> From: Scott Granados [mailto:gsgranados at comcast.net]
> Sent: Thursday, September 03, 2009 12:09 PM
> To: Michael K. Smith - Adhost
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> Ah interesting.  So the lifetimes have to be the same, I thought it
> negotiated to the lowest value.  I will go through and check these.
> 
> Thank you again!
> 
> 
> ----- Original Message -----
> From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
> To: "Scott Granados" <gsgranados at comcast.net>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Thursday, September 03, 2009 10:57 AM
> Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> 
> 
> Hello Scott:
> 
> That error is something not matching up in the Phase 1 portion.  You
> should look at the ISAKMP values on both sides to make sure they match.
> Including, but not limited to, proposals, session key, lifetime values,
> DH Group, etc.
> 
> Regards,
> 
> Mike
> 
> --
> Michael K. Smith - CISSP, GISP
> Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
> w: +1 (206) 404-9500 f: +1 (206) 404-9050
> PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
> 
> 
> > -----Original Message-----
> > From: Scott Granados [mailto:gsgranados at comcast.net]
> > Sent: Thursday, September 03, 2009 10:41 AM
> > To: Michael K. Smith - Adhost
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> > Hi Mike and others, still no love.  I wanted to confirm I made the NAT
> > entries properly.  I used the example on Cisco.com for the ASA and l2l +
> > clients as an example.
> >
> >
> > Here are the important bits
> >
> > global (outside) 1 206.x.x.234
> > nat (inside) 0 access-list nonat
> > nat (inside) 1 0.0.0.0 0.0.0.0
> >
> > And nonat acl
> >
> > access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 141.11.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 192.168.122.0 255.255.255.192 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 157.254.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip host 216.x.x.196 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.0.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.1.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.2.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.3.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.4.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.5.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.6.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.7.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.8.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.9.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.10.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.15.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.15.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.32.0.0 255.240.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 192.168.255.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 172.30.0.0 255.255.0.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.11.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.12.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.13.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.18.16.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.192.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.224.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.225.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.226.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.227.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.228.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.229.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.230.0 255.255.255.0 10.18.14.0 255.255.255.0
> > access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.64.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.66.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 192.168.122.0 255.255.255.192 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip host 216.x.x.196 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.1.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.2.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.3.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.4.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.5.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.6.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.7.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.8.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.9.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.10.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.15.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.15.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.32.0.0 255.240.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 192.168.255.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 172.30.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.11.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.12.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.13.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.18.16.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.192.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.224.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.225.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.226.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.227.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.228.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.229.0 255.255.255.0 10.18.15.0 255.255.255.192
> > access-list nonat extended permit ip 10.1.230.0 255.255.255.0 10.18.15.0 255.255.255.192
> >
> >
> > Two points here.  I defined each as individual /24's to prevent the
> > inclusion of the 10.18.14.0/24 range and so we can add or delete easily
> > because we're presently migrating a bit from one 10.x range to another.
> > Also, I doubled up the listings, 1 for the destination of 10.18.14.0/24
> > which is the clients and 10.18.15.0/26 which is a far end site.  Not sure
> > if I'm heading in the other direction.  The error I received while trying
> > to bring up the tunnel is unchanged.  "removing peer failed, no match!"
> >
> > I did grab some debug output from the Pix side, here's the important bit
> >
> > crypto_isakmp_process_block:src:vpnc, dest:208.x.x.98 spt:500 dpt:500
> > ISAKMP: reserved not zero on payload 5!
> > ISAKMP: malformed payload
> >
> > I assume malformed payload means I have something set incorrectly
> > during the negotiation phase.
> >
> > Any pointers would be appreciated.  I will grab more debug data per the
> > other post but this is what I've tried so far.
> >
> > Thanks
> > Scott
> >
> > ----- Original Message -----
> > From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
> > To: "Scott Granados" <gsgranados at comcast.net>
> > Sent: Wednesday, September 02, 2009 11:03 AM
> > Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> >
> > Correct.  But you can have multiple statements in your ACL.
> >
> > Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
> > Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.15.192 255.255.255.192
> > Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.14.0 255.255.255.0
> >
> > And so on.
> >
> > Mike
> >
> > --
> > Michael K. Smith - CISSP, GISP
> > Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
> > w: +1 (206) 404-9500 f: +1 (206) 404-9050
> > PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
> >
> >
> > -----Original Message-----
> > From: Scott Granados [mailto:gsgranados at comcast.net]
> > Sent: Wednesday, September 02, 2009 11:02 AM
> > To: Michael K. Smith - Adhost; Ryan West; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> > Hi Michael, thanks but one thing I'm not clear on.
> >
> > Suppose I have destinations of
> > 10.18.15.0/26 10.18.15.192/26 10.18.14.0/24 etc.
> > In other words my possible destinations can be different.  If I use your
> > example what happens if traffic has the proper source but a destination
> > of 10.18.15.192/26 or if traffic is destined to a client on 10.18.14.0/24?
> > It won't match the ACL, correct?
> >
> >
> > ----- Original Message -----
> > From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
> > To: "Scott Granados" <gsgranados at comcast.net>; "Ryan West"
> > <rwest at zyedge.com>; <cisco-nsp at puck.nether.net>
> > Sent: Wednesday, September 02, 2009 10:47 AM
> > Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> >
> > Hi Scott:
> >
> > No, if you use the no-nat below, *all* traffic from 10.18.0.0/24 will
> > not be NAT'd, regardless of the destination.  What you want is:
> >
> > Access-list nonat permit ip 10.18.0.0 255.255.255.0 <remote subnet> <remote mask>
> >
> > In looking at your post below, I think that would be:
> >
> > Access-list nonat permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
> >
> > I should note that the mask on the remote side for the 10.18.0.0 subnet
> > is a /20, not a /24.
> >
> > Regards,
> >
> > Mike
> >
> > --
> > Michael K. Smith - CISSP, GISP
> > Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
> > w: +1 (206) 404-9500 f: +1 (206) 404-9050
> > PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
> >
> >
> > -----Original Message-----
> > From: Scott Granados [mailto:gsgranados at comcast.net]
> > Sent: Wednesday, September 02, 2009 10:44 AM
> > To: Michael K. Smith - Adhost; Ryan West; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> > Hi Mike, to follow up on this, I do have existing clients working now.
> > For the nonat rule would I create a separate ACL for each target or
> > would a basic acl like I use for the split tunneling do the trick?
> >
> > either
> > access-list ny-vpn extended permit ip 10.18.0.0 255.255.255.0 10.18.15.0 255.255.255.192
> > or would
> > access-list nonat standard permit 10.18.0.0 255.255.255.0
> >
> > I have several different targets so how would one define that or is the
> > standard ACL enough?
> >
> > Thanks for the pointers!
> > Scott
> >
> > ----- Original Message -----
> > From: "Michael K. Smith - Adhost" <mksmith at adhost.com>
> > To: "Scott Granados" <gsgranados at comcast.net>; "Ryan West"
> > <rwest at zyedge.com>; <cisco-nsp at puck.nether.net>
> > Sent: Wednesday, September 02, 2009 10:33 AM
> > Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> >
> > Hello Ryan:
> >
> > Without the no-nat on the ASA side it will try to NAT the traffic before
> > putting it down the tunnel.  So, your remote side is looking for the
> > 10. addresses, but it's going to see traffic coming from the static
> > outside, NAT'd address.  Thus, the tunnel won't come up because your
> > proposals don't match.
> >
> > Mike
> >
> > --
> > Michael K. Smith - CISSP, GISP
> > Chief Technical Officer - Adhost Internet LLC mksmith at adhost.com
> > w: +1 (206) 404-9500 f: +1 (206) 404-9050
> > PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> > Sent: Wednesday, September 02, 2009 9:45 AM
> > To: Ryan West; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> > Hi, so right now my Pix in the field is pointing at a VPN 3000 so I can't
> > take that path down until after hours but I will to capture the debug
> > data.
> >
> > A show ver on the asa shows device manager V5.0.7
> >
> > The field pix shows V6.3
> > I have access to both ends so updating the firmware is definitely an
> > option.
> > Any suggested version?
> >
> > On the ASA side I do not have a no nat statement at all.  I never
> > configured NAT because this device isn't being used for any features
> > other than a VPN access device with split tunneling enabled for the
> > clients.
> > On the NY pix side the nat config and acl are as follows.
> >
> > global (outside) 1 208.x.x.100-208.x.x.115 netmask 255.255.255.224
> > global (outside) 1 208.x.x.99 netmask 255.255.255.224
> > nat (inside) 0 access-list vpn-1
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> >
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0
> >
> > Thanks
> > Scott
> >
> > ----- Original Message -----
> > From: "Ryan West" <rwest at zyedge.com>
> > To: "Scott Granados" <gsgranados at comcast.net>;
> > <cisco-nsp at puck.nether.net>
> > Sent: Wednesday, September 02, 2009 6:15 AM
> > Subject: RE: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> >
> > Scott,
> >
> > Can you provide debugs from the ASA, code versions on both devices and
> > your associated no-nat ACLs?
> >
> > Assuming you have nothing else logging to monitor, you can enable
> > 'logging class vpn monitor debug' and throw up a term mon to gather
> > inbound messages to the ASA from the PIX side.  You can gather the
> > information on the PIX with a debug cry isa 2 and then initiate
> > interesting traffic from the ASA using the following, the more valuable
> > information will be on the receiving end.  It really doesn't matter
> > which side you enable as the receiver, but I try to stay away from pre
> > 7.x code on the PIXes.
> >
> > packet-tracer input inside icmp 10.1.0.10 8 0 10.18.15.10 detailed
> >
> > Phase: 10 or 11 should be subtype encrypt.  If it fails the first time,
> > run it again, the negotiation process causes the first packet to fail as
> > the tunnel is being brought up.  This type of traffic will also give you
> > your debug information and help you figure out where the failure is.
> >
> > -ryan
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
> > Sent: Tuesday, September 01, 2009 8:29 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
> >
> > Hi, I have a Pix out in the field and an ASA5520 that I'm trying to
> > configure to pass L2L traffic.  I keep getting an error that says
> > IKEV1 IP=a.b.c.d removing peer from peer table failed, no match
> > ip=a.b.c.d unable to remove peer table entry
> >
> > What am I doing wrong?
> >
> > Here are the important config bits
> >
> > asa-5520
> > crypto map
> > crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
> > crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
> > crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
> > crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
> > crypto dynamic-map dynmap 10 set reverse-route
> > crypto map vpn-ra-map 10 match address ny-vpn-acl
> > crypto map vpn-ra-map 10 set peer ny-fw-outside
> > crypto map vpn-ra-map 10 set transform-set vpn-transform2
> > crypto map vpn-ra-map 10 set reverse-route
> > crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
> > crypto map vpn-ra-map interface outside
> >
> > ISAKMP
> >
> > isakmp enable outside
> > isakmp policy 5 authentication pre-share
> > isakmp policy 5 encryption aes-256
> > isakmp policy 5 hash sha
> > isakmp policy 5 group 7
> > isakmp policy 5 lifetime 3600
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption aes-256
> > isakmp policy 10 hash sha
> > isakmp policy 10 group 5
> > isakmp policy 10 lifetime 3600
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption 3des
> > isakmp policy 20 hash sha
> > isakmp policy 20 group 2
> > isakmp policy 20 lifetime 3600
> > isakmp policy 30 authentication pre-share
> > isakmp policy 30 encryption aes-192
> > isakmp policy 30 hash md5
> > isakmp policy 30 group 2
> > isakmp policy 30 lifetime 28800
> > isakmp nat-traversal  20
> > isakmp reload-wait
> >
> > and the acl
> > access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
> > access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
> > access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> > access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
> >
> > TUNNEL GROUP
> >
> > tunnel-group 208.37.161.98 type ipsec-l2l
> > tunnel-group 208.37.161.98 general-attributes
> >  tunnel-group 208.37.161.98 ipsec-attributes
> >  pre-shared-key *
> >  peer-id-validate nocheck
> >
> > PIX
> >
> > CRYPTO MAP and ISAKMP
> >
> > crypto ipsec transform-set set1 esp-aes-192 esp-md5-hmac
> > crypto map map1 10 ipsec-isakmp
> > crypto map map1 10 match address vpn-1
> > crypto map map1 10 set peer vpnc
> > crypto map map1 10 set transform-set set1
> > crypto map map1 interface outside
> > isakmp enable outside
> > isakmp key * address vpnc netmask 255.255.255.255
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption aes
> > isakmp policy 20 hash sha
> > isakmp policy 20 group 2
> > isakmp policy 20 lifetime 28800
> >
> > ACL
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
> > access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0
> >
> > (note on the ASA I use individual /24's and shortened the ACL for ease
> > of reading.  I do this to exclude 10.18.14.0/24 from the tunnels since
> > that houses the ASA's inside interface and client access)
> >
> > Any pointers would be appreciated.
> >
> > Thanks
> > Scott
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
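The two things this thread keeps circling, whether the Phase 1 policies on the two boxes can agree and whether the crypto ACLs are mirror images, can be checked from the posted configs before touching a debug. The script below is an added example, not code from the thread or from Cisco; the function names are mine, and the two config strings are the ASA and PIX snippets Scott posted, embedded as constructed input with the tunnel-group and pre-shared-key lines left out (a key mismatch cannot be seen in config). It treats the PIX's bare "encryption aes" as AES-128, which is what that keyword means on PIX 6.x and IOS, and reports the shorter of two lifetimes rather than flagging them, in line with Mike's note that the peers settle on the lowest. On the posted data it finds no Phase 1 match at all (none of the four ASA policies offers aes-128 with sha and group 2) and one crypto ACL pair that is not mirrored (10.18.0.0 is a /23 on the ASA side and a /20 on the PIX side). Scott says the ASA ACL he posted was shortened, so the second finding is against the posted version, not the live one.

```python
"""Cross-check an IKEv1 L2L pair from its config: Phase 1 policies and crypto ACLs.
Added example, not from the thread; the config strings below are the ASA and PIX
snippets quoted in the thread (tunnel-group and pre-shared-key lines left out)."""
import ipaddress
import re

ASA_CONFIG = """
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 7
isakmp policy 5 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
"""
PIX_CONFIG = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0
"""
# On PIX 6.x and IOS, "encryption aes" with no key size is AES-128; it does
# not match a peer that only offers aes-192 or aes-256.
ENC_ALIASES = {"aes": "aes-128"}
NEGOTIATED = ("authentication", "encryption", "hash", "group")

def parse_isakmp(config):
    """Map policy priority -> {attribute: value} from 'isakmp policy' lines."""
    policies = {}
    for prio, attr, val in re.findall(r"^isakmp policy (\d+) (\w+) (\S+)", config, re.M):
        policies.setdefault(int(prio), {})[attr] = ENC_ALIASES.get(val, val)
    return policies

def matching_policies(local, remote):
    """(local_prio, remote_prio, lifetime) for each pair whose authentication,
    encryption, hash and DH group agree; lifetime need not, the shorter one is used."""
    matches = []
    for lp, lpol in sorted(local.items()):
        for rp, rpol in sorted(remote.items()):
            if all(lpol.get(a) == rpol.get(a) for a in NEGOTIATED):
                life = min(int(lpol.get("lifetime", 86400)), int(rpol.get("lifetime", 86400)))
                matches.append((lp, rp, life))
    return matches

def parse_acl(config, name):
    """[(src_net, dst_net), ...] for the 'permit ip' entries of one named ACL."""
    pattern = rf"^access-list {re.escape(name)} (?:extended )?permit ip (.+)$"
    aces = []
    for rest in re.findall(pattern, config, re.M):
        tokens, nets = rest.split(), []
        while tokens:
            tok = tokens.pop(0)
            if tok == "host":  # "host A.B.C.D" is a /32
                tok, mask = tokens.pop(0), "255.255.255.255"
            else:  # "A.B.C.D MASK"
                mask = tokens.pop(0)
            nets.append(ipaddress.ip_network(f"{tok}/{mask}", strict=False))
        aces.append((nets[0], nets[1]))
    return aces

def unmirrored(local_aces, remote_aces):
    """Crypto ACLs must mirror exactly, (src, dst) here == (dst, src) there;
    returns (local entries without a mirror, remote entries without a mirror)."""
    local_set, remote_set = set(local_aces), set(remote_aces)
    return ([a for a in local_aces if (a[1], a[0]) not in remote_set],
            [a for a in remote_aces if (a[1], a[0]) not in local_set])

def report(asa=ASA_CONFIG, pix=PIX_CONFIG):
    """Run both checks on the two configs and return the findings as plain data."""
    phase1 = matching_policies(parse_isakmp(asa), parse_isakmp(pix))
    asa_only, pix_only = unmirrored(parse_acl(asa, "ny-vpn-acl"), parse_acl(pix, "vpn-1"))
    return {"phase1_matches": phase1, "asa_only": asa_only, "pix_only": pix_only}

if __name__ == "__main__":
    print(report())
```

An unmirrored crypto ACE is a proxy-identity mismatch: Phase 2 fails for that pair even when Phase 1 completes, so it is worth fixing alongside the Phase 1 policy. The same parse_acl can be pointed at the nonat ACL to eyeball whether every crypto (src, dst) pair has a NAT-exempt entry, which is the other failure mode Mike describes in the thread.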


