From: Ye Tian (emaomi@gmail.com)
Date: Fri Jun 29 2007 - 04:02:08 ART
Sorry, I forgot to copy some config. Here they are:
=======
PIX 515e
=======
access-list nonat permit ip 10.10.0.0 255.255.128.0 10.9.0.0 255.255.0.0
!
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
PIX515E# sh route
outside 0.0.0.0 0.0.0.0 204.2.18.253 1 OTHER static
inside 10.10.5.0 255.255.255.0 10.10.40.2 1 OTHER static
insde ....
ASA5505# sh route
Gateway of last resort is 20.12.28.1 to network 0.0.0.0
C 20.12.28.0 255.255.255.0 is directly connected, outside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 10.19.76.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 20.12.28.1, outside
On 6/28/07, Andrew Larkins <andrew.larkins@btgroup.co.za> wrote:
>
> I don't see the nat statements or rather the no nat statements shown
> here for the 515E
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Joshua
> Sent: 29 June 2007 07:37 AM
> To: ccielab@groupstudy.com
> Subject: Site to site VPN btw PIX515E and ASA5505 Issue!!!
>
> Guys, I am building a site-to-site IPsec VPN. One site is running a PIX
> 515E and the remote side is running an ASA5505. I can see the VPN tunnel
> is up, but I cannot ping from the internal 10.10.110.0 subnet to the
> 10.19.76.0 subnet. With "debug icmp trace" turned on on both boxes, when I
> ping from 10.10.110.11 to 10.19.76.10 I see the ICMP echo-request on both
> boxes but do not see the echo-reply.
> Below is the related configuration. Please help!!!
>
> =========
> PIX 515E:
> =========
> Cisco PIX Firewall Version 6.3(4)
>
> access-list COQ permit ip 10.110.0.0 255.255.128.0 10.19.76.0 255.255.255.0
> !
> crypto map mymap 220 match address COQ
> crypto map mymap 220 set peer 20.12.28.247
> crypto map mymap 220 set transform-set myset
> crypto map mymap interface outside
> isakmp enable outside
> !
> isakmp key ******** address 20.12.28.247 netmask 255.255.255.255
> !
> isakmp policy 5 authentication pre-share
> isakmp policy 5 encryption 3des
> isakmp policy 5 hash md5
> isakmp policy 5 group 1
> isakmp policy 5 lifetime 86400
>
> pixfirewall# sh cry isa sa
> Total : 8
> Embryonic : 0
> dst src state pending created
> ...
> 20.12.28.247 204.2.18.8 QM_IDLE 0 1
> ...
>
> ==========
> ASA 5505 :
> ==========
> System image file is "disk0:/asa722-k8.bin"
>
>
> : Saved
> :
> ASA Version 7.2(2)
> !
> ...
> !
> interface Vlan1
> nameif inside
> security-level 100
> ip address 10.19.76.2 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 0
> ip address dhcp setroute
> !
> interface Ethernet0/0
> switchport access vlan 2
> !
> ....
> access-list cryptomap extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
> access-list nat0 extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0
> ...
> global (outside) 1 interface
> nat (inside) 0 access-list nat0
> nat (inside) 1 0.0.0.0 0.0.0.0
> ...
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto map outside_map 20 match address cryptomap
> crypto map outside_map 20 set peer 204.2.18.8
> crypto map outside_map 20 set transform-set ESP-3DES-MD5
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash md5
> group 1
> lifetime 86400
> crypto isakmp nat-traversal 3600
> tunnel-group 204.2.18.8 type ipsec-l2l
> tunnel-group 204.2.18.8 ipsec-attributes
> pre-shared-key *
> ...
>
>
> coq5505# sh cry isa sa
>
> Active SA: 1
> Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
> Total IKE SA: 1
>
> 1 IKE Peer: 204.2.18.8
> Type : L2L Role : responder
> Rekey : no State : MM_ACTIVE
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
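A check worth running on the two configs above, as an added example that is not from any of the posters: on PIX 6.3 and ASA 7.2 the "nat (inside) 0 access-list" exemption has to cover every network pair in the crypto map ACL, because translation happens before the crypto ACL is evaluated. The script parses the access-list lines exactly as they appear in this thread (both the PIX "permit ip" and the ASA "extended permit ip" forms) and reports crypto entries that no nat-exempt entry fully covers. The ACL strings are copied from the thread; the parser and check are my own.

```python
import ipaddress
import re

# Sample input, copied from the thread above (PIX 6.3 / ASA 7.2 syntax,
# subnet masks rather than wildcard masks).
PIX_CRYPTO_ACL = "access-list COQ permit ip 10.110.0.0 255.255.128.0 10.19.76.0 255.255.255.0"
PIX_NONAT_ACL = "access-list nonat permit ip 10.10.0.0 255.255.128.0 10.9.0.0 255.255.0.0"
ASA_CRYPTO_ACL = "access-list cryptomap extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0"
ASA_NAT0_ACL = "access-list nat0 extended permit ip 10.19.76.0 255.255.255.0 10.110.0.0 255.255.128.0"

# Matches "access-list NAME [extended] permit ip SRC MASK DST MASK".
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def parse_ace(line):
    """Return (acl_name, src_network, dst_network) for a permit-ip ACE,
    or None if the line is not such an entry."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
    dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
    return m["name"], src, dst


def uncovered_crypto_entries(crypto_lines, nat_exempt_lines):
    """Return (src, dst) pairs from the crypto ACL that are not fully
    contained in any nat-exempt ACE. Such traffic is NATed to the outside
    interface and never matches the tunnel's interesting traffic."""
    exempt = [e for e in (parse_ace(l) for l in nat_exempt_lines) if e]
    missing = []
    for line in crypto_lines:
        ace = parse_ace(line)
        if ace is None:
            continue
        _, src, dst = ace
        covered = any(src.subnet_of(esrc) and dst.subnet_of(edst)
                      for _, esrc, edst in exempt)
        if not covered:
            missing.append((str(src), str(dst)))
    return missing


if __name__ == "__main__":
    print("PIX 515E uncovered:", uncovered_crypto_entries([PIX_CRYPTO_ACL], [PIX_NONAT_ACL]))
    print("ASA 5505 uncovered:", uncovered_crypto_entries([ASA_CRYPTO_ACL], [ASA_NAT0_ACL]))
```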
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART