From: Digital Yemeni (digital.yemeni@gmail.com)
Date: Fri Jun 29 2007 - 03:56:34 ART
Oops! You could be right about NAT! I forgot this is a PIX! ;-)
On 6/29/07, Digital Yemeni <digital.yemeni@gmail.com> wrote:
>
> What has NAT to do with VPN? :)
> Most probably it is a routing issue from the inside IPs, from one site to
> the other!
>
> On 6/29/07, Andrew Larkins < andrew.larkins@btgroup.co.za> wrote:
> >
> > I don't see the nat statements, or rather the no-nat statements, shown
> > here for the 515E.
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Joshua
> > Sent: 29 June 2007 07:37 AM
> > To: ccielab@groupstudy.com
> > Subject: Site to site VPN btw PIX515E and ASA5505 Issue!!!
> >
> > Guys, I am building a site-to-site IPsec VPN. One site is running a PIX
> > 515E and the remote side is running an ASA 5505. I can see the VPN tunnel
> > is up, but I cannot ping from the internal 10.10.110.0 subnet to the
> > 10.19.76.0 subnet. With "debug icmp trace" turned on on both boxes, when I
> > ping from 10.10.110.11 to 10.19.76.10 I see the icmp echo-request on both
> > boxes, but do not see the echo-reply. Below is the related configuration.
> > Please help!!!
> >
> > =========
> > PIX 515E:
> > =========
> > Cisco PIX Firewall Version 6.3(4)
> >
> > access-list COQ permit ip 10.110.0.0 255.255.128.0 10.19.76.0 255.255.255.0
> > !
> > crypto map mymap 220 match address COQ
> > crypto map mymap 220 set peer 20.12.28.247
> > crypto map mymap 220 set transform-set myset
> > crypto map mymap interface outside
> > isakmp enable outside
> > !
> > isakmp key ******** address 20.12.28.247 netmask 255.255.255.255
> > !
> > isakmp policy 5 authentication pre-share
> > isakmp policy 5 encryption 3des
> > isakmp policy 5 hash md5
> > isakmp policy 5 group 1
> > isakmp policy 5 lifetime 86400
> >
> > pixfirewall# sh cry isa sa
> > Total : 8
> > Embryonic : 0
> > dst src state pending created
> > ...
> > 20.12.28.247 204.2.18.8 QM_IDLE 0 1
> > ...
> >
> > ==========
> > ASA 5505 :
> > ==========
> > System image file is "disk0:/asa722-k8.bin"
> >
> >
> > : Saved
> > :
> > ASA Version 7.2(2)
> > !
> > ...
> > !
> > interface Vlan1
> > nameif inside
> > security-level 100
> > ip address 10.19.76.2 255.255.255.0
> > !
> > interface Vlan2
> > nameif outside
> > security-level 0
> > ip address dhcp setroute
> > !
> > interface Ethernet0/0
> > switchport access vlan 2
> > !
> > ....
> > access-list cryptomap extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
> > access-list nat0 extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
> > ...
> > global (outside) 1 interface
> > nat (inside) 0 access-list nat0
> > nat (inside) 1 0.0.0.0 0.0.0.0
> > ...
> > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> > crypto map outside_map 20 match address cryptomap
> > crypto map outside_map 20 set peer 204.2.18.8
> > crypto map outside_map 20 set transform-set ESP-3DES-MD5
> > crypto map outside_map interface outside
> > crypto isakmp enable outside
> > crypto isakmp policy 10
> > authentication pre-share
> > encryption 3des
> > hash md5
> > group 1
> > lifetime 86400
> > crypto isakmp nat-traversal 3600
> > tunnel-group 204.2.18.8 type ipsec-l2l
> > tunnel-group 204.2.18.8 ipsec-attributes
> > pre-shared-key *
> > ...
> >
> >
> > coq5505# sh cry isa sa
> >
> > Active SA: 1
> > Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
> > Total IKE SA: 1
> >
> > 1 IKE Peer: 204.2.18.8
> > Type : L2L Role : responder
> > Rekey : no State : MM_ACTIVE
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> > The information contained in this message and or attachments is intended
> > only for the person or entity to which it is addressed and may contain
> > confidential and/or privileged material. Any review, retransmission,
> > dissemination or other use of, or taking of any action in reliance upon,
> > this information by persons or entities other than the intended recipient
> > is prohibited. If you received this in error, please contact the sender
> > and delete the material from any system and destroy any copies.
> >
> >
>
>
>
> --
> Best Regards!
> Digital, CCIE# to be assigned by Cisco when it collects enough $$ out of
> me! :p
--
Best Regards!
Digital, CCIE# to be assigned by Cisco when it collects enough $$ out of me! :p
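An added example, written for this archive page and not posted by anyone in the thread: a small Python script that applies the three checks the replies above circle around to the two configurations as posted (the relevant lines are reproduced below as constructed sample input). It verifies that the crypto-map ACLs on the two peers are mirror images of each other, that a "nat (inside) 0 access-list" exemption on each box covers its crypto ACL (on both PIX 6.3 and ASA 7.2 NAT is applied before the crypto map is consulted, so with a dynamic nat/global pair like the ASA's and no exemption the inside source is translated to the outside address and never matches the crypto ACL), and that the hosts used for the ping test actually fall inside the encryption domain. The PIX_FIXED variant, which adds "nat (inside) 0 access-list COQ", is an assumption for illustration only; the thread never shows the PIX's real nat/global lines. The test host 10.110.0.11 used with that variant is likewise made up. Against the posted excerpts the script reports that the PIX shows no NAT exemption for COQ and that the ping source 10.10.110.11 is not inside 10.110.0.0/17 as the ACLs are written; whether that second point is a typo in the post or in the ACL, the thread does not say.

```python
"""Sanity checks for a PIX 6.3 / ASA 7.2 site-to-site IPsec pair (added example).

1. the crypto-map ACLs on the two peers must be mirror images;
2. a 'nat (<ifc>) 0 access-list' ACL on each box must cover its crypto ACL,
   otherwise a dynamic nat/global pair translates the source before encryption;
3. the hosts you test with must fall inside the encryption domain.
"""
import ipaddress
import re

# PIX 6.3 and ASA 7.2 both write 'access-list NAME [extended] permit ip SRC SMASK DST DMASK'
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(?P<name>\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(?P<name>\S+)$")


def parse(config):
    """Return (ACLs by name, crypto-map ACL names, nat-0 ACL names) for one box."""
    acls, crypto, nat0 = {}, [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            acls.setdefault(m["name"], []).append((src, dst))
        elif m := MATCH_RE.match(line):
            crypto.append(m["name"])
        elif m := NAT0_RE.match(line):
            nat0.append(m["name"])
    return acls, crypto, nat0


def covered(pair, entries):
    """True if the (src, dst) pair lies entirely inside some (src, dst) entry."""
    src, dst = pair
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def check_pair(local_cfg, remote_cfg, test_src, test_dst):
    """Run the three checks from the local box's point of view; return findings."""
    findings = []
    l_acls, l_crypto, l_nat0 = parse(local_cfg)
    r_acls, r_crypto, _ = parse(remote_cfg)
    local = [e for n in l_crypto for e in l_acls.get(n, [])]
    remote = [e for n in r_crypto for e in r_acls.get(n, [])]
    exempt = [e for n in l_nat0 for e in l_acls.get(n, [])]
    for src, dst in local:  # 1. every local entry must appear reversed on the peer
        if not covered((dst, src), remote):
            findings.append(f"crypto ACL entry {src} -> {dst} is not mirrored on the peer")
    for src, dst in remote:
        if not covered((dst, src), local):
            findings.append(f"peer crypto ACL entry {src} -> {dst} is not mirrored locally")
    for src, dst in local:  # 2. the nat 0 ACL must exempt the whole crypto ACL
        if not covered((src, dst), exempt):
            findings.append(f"no 'nat (inside) 0 access-list' entry exempts {src} -> {dst}")
    s, d = ipaddress.ip_address(test_src), ipaddress.ip_address(test_dst)
    if not any(s in src and d in dst for src, dst in local):  # 3. test hosts in domain
        findings.append(f"{test_src} -> {test_dst} matches no crypto ACL entry, so it is not encrypted")
    return findings


# Constructed sample input: the relevant lines of the two configs as posted above.
PIX_POSTED = """
access-list COQ permit ip 10.110.0.0 255.255.128.0 10.19.76.0 255.255.255.0
crypto map mymap 220 match address COQ
crypto map mymap 220 set peer 20.12.28.247
crypto map mymap interface outside
"""
ASA_POSTED = """
access-list cryptomap extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
access-list nat0 extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 20 match address cryptomap
crypto map outside_map 20 set peer 204.2.18.8
"""
# Assumed fix for illustration (the thread never shows the PIX's nat/global lines):
# exempt COQ traffic from NAT on the PIX the same way the ASA does with nat0.
PIX_FIXED = PIX_POSTED + "nat (inside) 0 access-list COQ\n"

if __name__ == "__main__":
    # 10.110.0.11 is a made-up host that does sit inside 10.110.0.0/17
    for label, cfg, src in (("PIX as posted", PIX_POSTED, "10.10.110.11"),
                            ("PIX with nat 0", PIX_FIXED, "10.110.0.11")):
        print(label)
        for f in check_pair(cfg, ASA_POSTED, src, "10.19.76.10") or ["all checks passed"]:
            print("  -", f)
```

The parser only understands the plain "permit ip net mask net mask" form both boxes use here; object-groups, host keywords and named NAT on newer ASA releases would need more regexes. Running it from the ASA's point of view (check_pair(ASA_POSTED, PIX_POSTED, ...)) passes the NAT-exemption check, since the ASA excerpt already carries the nat0 ACL.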
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART