Question : Problem: PIX version capabilities

I'm trying to determine if the version firmware on a PIX 515E I have can run features that a Cisco ASA5510 can handle.

At issue here is that at one site I have an ASA5510 running firmware version 7.1(2).
At another site I have a PIX515E running firmware version 7.2(3).

In the attached code snippet, the first part of the code is the config lines of what is working on the ASA firewall. What this code does is establish a VPN tunnel to another site and then NAT the internal IP subnet of the ASA to a range of IP addresses that are allowable at the other site. This is done because the other site is currently using the ASA's internal IP addresses and you can have overlaps of IP segments.

The second half of the code snippet is from the PIX515. It's nearly identical to the ASA's, with the exception of some variable name changes due to how things were named at each network.

At issue is, the remote site says that the tunnel is getting established, but when it goes into IPSEC mode, it terminates. Everything looks OK on my end, except that I never see the tunnel get established.

With the above info, does anyone see what I'm missing here? Or is the PIX515E firewall not able to handle this operation that an ASA can?

Code Snippet:
Code Snippet below is from our ASA5510 firewall.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.08.13 11:10:36 =~=~=~=~=~=~=~=~=~=~=~=
: Saved
:
ASA Version 7.1(2) 
!
hostname CCVA-ASA
!
!
!
access-list targetvpn extended permit ip 192.168.100.0 255.255.252.0 10.51.1.0 255.255.255.0 
!
access-list targetnat extended permit ip 10.13.4.0 255.255.252.0 10.51.1.0 255.255.255.0 
!
!
!
static (inside,outside) 192.168.100.0  access-list targetnat 
!
!
!
crypto ipsec transform-set ccva esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
!
!
!
crypto map vpnccva 70 match address targetvpn
crypto map vpnccva 70 set peer 66.150.206.76 
crypto map vpnccva 70 set transform-set ccva
!
!
crypto map vpnccva interface outside
!
isakmp identity address 
isakmp enable outside
!
!
!
!
tunnel-group 66.150.206.76 type ipsec-l2l
tunnel-group 66.150.206.76 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
!
tunnel-group-map enable rules
!
no vpn-addr-assign aaa
 
no vpn-addr-assign local
!
: end
 
Code Snippet below is from our PIX 515 at a different location.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.08.13 22:07:37 =~=~=~=~=~=~=~=~=~=~=~=
: Saved
:
PIX Version 7.2(3) 
!
hostname DALPIX
!
!
!
access-list targetvpn extended permit ip 192.168.104.0 255.255.252.0 10.51.1.0 255.255.255.0 
access-list targetnat extended permit ip 10.13.4.0 255.255.252.0 10.51.1.0 255.255.255.0 
!
!
!
 
static (inside,outside) 192.168.104.0  access-list targetnat 
!
!
!
crypto ipsec transform-set dallas esp-3des esp-md5-hmac 
!
!
crypto map dalvpn 70 match address targetvpn
crypto map dalvpn 70 set peer 66.150.206.76 
crypto map dalvpn 70 set transform-set dallas
!
crypto map dalvpn interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
!
!
!
 
tunnel-group 66.150.206.76 type ipsec-l2l
tunnel-group 66.150.206.76 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 120 retry 10
!
: end

Answer : Problem: PIX version capabilities

1) you need not do the NAT at both sides.....remove NAT from one end.
2) second thing is that crypto ACL must be mirror image....

say at site A subnet is 10.13.4.0 255.255.252.0
and at site B it is 10.51.1.0 255.255.255.0  then

ACL at site A:
-----------------
access-list extended permit ip 10.13.4.0 255.255.252.0 10.51.1.0 255.255.255.0

at site B it would be
-------------------------
access-list targetnat extended permit ip  10.51.1.0 255.255.255.0  10.13.4.0 255.255.252.0
(obviously you need to give NATTED IP... so change it accordingly.....)

PIX is fully compatible with ASA when it comes to IPSec site to site VPN.

The subnets that you have given in the NAT and access-list make for some confusion...can you share subnet details....which subnet is being used at which site??

If you provide subnet details....anyone will be able to give you the complete configuration of both ends.
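As an added example (not code from the question or the answer), the following Python check applies the answer's two rules mechanically: the crypto ACLs at the two ends must be mirror images of each other, and when policy NAT is in play the local crypto ACL must announce the translated (static-mapped) addresses, not the real internal subnet. The local lines are the relevant lines from the asker's ASA config; the remote peer's config and its ACL name (vpn-to-ccva) are constructed here for illustration, one version mirrored correctly and one still pointing at the untranslated 10.13.4.0/22 subnet.

```python
import ipaddress
import re

# Matches the "access-list NAME extended permit ip SRC SMASK DST DMASK" lines
# used in the PIX/ASA 7.x configs quoted in the question.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)$"
)
# Matches "static (inside,outside) MAPPED access-list NAME" (policy NAT).
STATIC_RE = re.compile(
    r"^static\s+\(\S+,\S+\)\s+(?P<mapped>[\d.]+)\s+access-list\s+(?P<name>\S+)$"
)

# Relevant lines from the ASA config quoted in the question.
ASA_CONFIG = """
access-list targetvpn extended permit ip 192.168.100.0 255.255.252.0 10.51.1.0 255.255.255.0
access-list targetnat extended permit ip 10.13.4.0 255.255.252.0 10.51.1.0 255.255.255.0
static (inside,outside) 192.168.100.0  access-list targetnat
"""

# Constructed remote-peer config: correctly mirrored proxy IDs.
REMOTE_GOOD = """
access-list vpn-to-ccva extended permit ip 10.51.1.0 255.255.255.0 192.168.100.0 255.255.252.0
"""

# Constructed remote-peer config: still references the untranslated subnet.
REMOTE_BAD = """
access-list vpn-to-ccva extended permit ip 10.51.1.0 255.255.255.0 10.13.4.0 255.255.252.0
"""


def parse_crypto_acl(config_text, acl_name):
    """Return the (src_net, dst_net) proxy-ID pairs of one named ACL."""
    pairs = []
    for raw in config_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group("name") == acl_name:
            src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=False)
            dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
            pairs.append((src, dst))
    return pairs


def parse_policy_nat(config_text):
    """Return {acl_name: mapped_address} for every 'static ... access-list' line."""
    nat = {}
    for raw in config_text.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m:
            nat[m.group("name")] = ipaddress.ip_address(m.group("mapped"))
    return nat


def fmt(pair):
    return f"{pair[0]} -> {pair[1]}"


def check_site_to_site(local_cfg, local_acl, remote_cfg, remote_acl):
    """Report whether the two crypto ACLs mirror each other and whether the
    local policy NAT's mapped address is what the local crypto ACL announces."""
    local = parse_crypto_acl(local_cfg, local_acl)
    remote = parse_crypto_acl(remote_cfg, remote_acl)
    local_set, remote_set = set(local), set(remote)
    # Entries the remote peer would need so that its proxy IDs mirror ours.
    missing_remote = [fmt((d, s)) for s, d in local if (d, s) not in remote_set]
    # Entries we would need locally to mirror what the remote peer has today.
    missing_local = [fmt((d, s)) for s, d in remote if (d, s) not in local_set]
    # Policy NAT sanity: each static's mapped address must fall inside a
    # source network that the local crypto ACL presents to the peer.
    nat_ok = all(
        any(mapped in src for src, _ in local)
        for mapped in parse_policy_nat(local_cfg).values()
    )
    return {
        "mirror": not missing_remote and not missing_local,
        "missing_remote": missing_remote,
        "missing_local": missing_local,
        "nat_matches_crypto_acl": nat_ok,
    }


if __name__ == "__main__":
    for label, remote in (("good", REMOTE_GOOD), ("bad", REMOTE_BAD)):
        print(label, check_site_to_site(ASA_CONFIG, "targetvpn", remote, "vpn-to-ccva"))
```

When the remote ACL is a true mirror the report shows `mirror: True` and empty lists; against the mis-mirrored peer it lists the entry the remote side would need (10.51.1.0/24 -> 192.168.100.0/22) and the entry the local side would need to match the peer's current proxy ID, which is exactly the Phase 2 proxy-ID mismatch that makes a tunnel pass IKE and then fail when IPsec is negotiated.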