From: WorkerBee (ciscobee@gmail.com)
Date: Fri Jun 29 2007 - 03:06:55 ART
Show the routing table of both the PIX and the ASA. Most probably
it is a routing issue.
On 6/29/07, Joshua <joshualixin@gmail.com> wrote:
> Guys, I am building a site-to-site IPsec VPN. One site is running a PIX 515E
> and the remote side is running an ASA 5505. I can see the VPN tunnel is up, but I
> cannot ping from the internal 10.10.110.0 subnet to the 10.19.76.0 subnet. With "debug
> icmp trace" turned on on both boxes, when I ping from 10.10.110.11 to
> 10.19.76.10, I see the ICMP echo-request on both boxes but do not see the echo-reply.
> Below is the related configuration. Please help!!!
>
> =========
> PIX 515E:
> =========
> Cisco PIX Firewall Version 6.3(4)
>
> access-list COQ permit ip 10.110.0.0 255.255.128.0 10.19.76.0 255.255.255.0
> !
> crypto map mymap 220 match address COQ
> crypto map mymap 220 set peer 20.12.28.247
> crypto map mymap 220 set transform-set myset
> crypto map mymap interface outside
> isakmp enable outside
> !
> isakmp key ******** address 20.12.28.247 netmask 255.255.255.255
> !
> isakmp policy 5 authentication pre-share
> isakmp policy 5 encryption 3des
> isakmp policy 5 hash md5
> isakmp policy 5 group 1
> isakmp policy 5 lifetime 86400
>
> pixfirewall# sh cry isa sa
> Total : 8
> Embryonic : 0
> dst               src               state      pending   created
> ...
> 20.12.28.247      204.2.18.8        QM_IDLE    0         1
> ...
>
> ==========
> ASA 5505 :
> ==========
> System image file is "disk0:/asa722-k8.bin"
>
>
> : Saved
> :
> ASA Version 7.2(2)
> !
> ...
> !
> interface Vlan1
> nameif inside
> security-level 100
> ip address 10.19.76.2 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 0
> ip address dhcp setroute
> !
> interface Ethernet0/0
> switchport access vlan 2
> !
> ....
> access-list cryptomap extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
> access-list nat0 extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
> ...
> global (outside) 1 interface
> nat (inside) 0 access-list nat0
> nat (inside) 1 0.0.0.0 0.0.0.0
> ...
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto map outside_map 20 match address cryptomap
> crypto map outside_map 20 set peer 204.2.18.8
> crypto map outside_map 20 set transform-set ESP-3DES-MD5
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash md5
> group 1
> lifetime 86400
> crypto isakmp nat-traversal 3600
> tunnel-group 204.2.18.8 type ipsec-l2l
> tunnel-group 204.2.18.8 ipsec-attributes
> pre-shared-key *
> ...
>
>
> coq5505# sh cry isa sa
>
> Active SA: 1
> Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
> Total IKE SA: 1
>
> 1 IKE Peer: 204.2.18.8
> Type : L2L Role : responder
> Rekey : no State : MM_ACTIVE
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
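Added by the editor, not part of the thread: a small Python check for the kind of configuration quoted above. It parses the crypto access-lists from both boxes (PIX 6.3 syntax without, ASA 7.2 syntax with the "extended" keyword), confirms they are mirror images of each other, confirms the ASA "nat 0" list covers exactly what its crypto map encrypts, and tests whether a given source/destination pair actually falls inside a crypto ACL. The access-list lines are copied from the posts; the function names and the test flow are constructed for illustration. Run against the thread's own addresses, it reports that the flow 10.10.110.11 -> 10.19.76.10 matches no entry of the PIX list COQ, since 10.10.110.11 lies outside 10.110.0.0 255.255.128.0.

```python
"""Crypto-ACL sanity checks for a PIX-to-ASA site-to-site tunnel.

Added example, not Cisco tooling and not the poster's configuration: the
two access-list fragments below are copied from the thread, everything
else (function names, the test flow) is constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source network, destination network)

# Crypto-ACL lines as quoted in the thread.  PIX 6.3 writes
# "access-list NAME permit ip ...", ASA 7.x adds the "extended" keyword.
PIX_CONFIG = """
access-list COQ permit ip 10.110.0.0 255.255.128.0 10.19.76.0 255.255.255.0
crypto map mymap 220 match address COQ
"""

ASA_CONFIG = """
access-list cryptomap extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
access-list nat0 extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
nat (inside) 0 access-list nat0
crypto map outside_map 20 match address cryptomap
"""

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def parse_acl(config: str, name: str) -> List[Entry]:
    """Return the 'permit ip' entries of access-list `name` as network pairs.

    Only the network/mask form is handled; 'host', 'any', object-groups and
    port-level entries are out of scope for crypto ACLs written like the
    ones in the thread.
    """
    entries: List[Entry] = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group("name") == name:
            src = Net((m.group("src"), m.group("smask")), strict=False)
            dst = Net((m.group("dst"), m.group("dmask")), strict=False)
            entries.append((src, dst))
    return entries


def is_mirror(local: List[Entry], remote: List[Entry]) -> bool:
    """True when the two crypto ACLs are exact mirror images.

    Each (src, dst) pair on one peer must appear as (dst, src) on the other;
    a wider mask or an extra entry on one side is a classic cause of phase 2
    proxy-identity mismatches or one-way traffic.
    """
    return {(s, d) for s, d in local} == {(d, s) for s, d in remote}


def matching_entry(entries: List[Entry], src_ip: str, dst_ip: str) -> Optional[Entry]:
    """Return the first ACL entry that selects this flow for IPsec, or None.

    A flow that matches no entry is not encrypted; it is routed (and NATed)
    like any other traffic instead of going through the tunnel.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for src, dst in entries:
        if s in src and d in dst:
            return (src, dst)
    return None


def run_checks(src_ip: str, dst_ip: str) -> Dict[str, bool]:
    """Run the checks a practitioner wants before touching routing."""
    pix_crypto = parse_acl(PIX_CONFIG, "COQ")
    asa_crypto = parse_acl(ASA_CONFIG, "cryptomap")
    asa_nat0 = parse_acl(ASA_CONFIG, "nat0")
    return {
        # Both peers agree on which traffic the tunnel protects.
        "crypto_acls_mirror": is_mirror(pix_crypto, asa_crypto),
        # ASA NAT exemption covers exactly what the crypto map encrypts.
        "asa_nat0_matches_crypto": set(asa_nat0) == set(asa_crypto),
        # The hosts being pinged fall inside the PIX crypto ACL ...
        "test_flow_in_pix_acl": matching_entry(pix_crypto, src_ip, dst_ip) is not None,
        # ... and the reply direction is covered on the ASA side.
        "reply_flow_in_asa_acl": matching_entry(asa_crypto, dst_ip, src_ip) is not None,
    }


if __name__ == "__main__":
    # The flow from the thread: 10.10.110.11 -> 10.19.76.10
    for check, ok in run_checks("10.10.110.11", "10.19.76.10").items():
        print(f"{check:26s} {'OK' if ok else 'FAIL'}")
```

Only the network/mask form of "permit ip" is parsed; entries written with host, any or object-groups are ignored. Whatever the checks report, "show crypto ipsec sa" on both peers (the #pkts encaps and #pkts decaps counters per SA) is the next thing to read, since it shows which direction is actually being encrypted and decrypted.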
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART