2

I have been working on converting a config over from a PIX to a ASA 8.2 but I am running into some trouble with the site to site vpn part of it. The PIX has both a client VPN and site to site. Since some of the configs for the site to site cross over the client VPN I'm getting confused. Any help would be apperciated.

Belows are excerpts of just the related VPN commands from the PIX.

access-list Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any 
access-list inside_outbound_nat0_acl permit ip any 192.168.0.160 255.255.255.240 
access-list inside_outbound_nat0_acl permit ip host Zenoss_OS NOC 255.255.255.0 
access-list inside_outbound_nat0_acl permit ip host SilverBack NOC 255.255.255.0 
access-list inside_outbound_nat0_acl permit ip host enoss_Hardware NOC 255.255.255.0 
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.160 255.255.255.240 
access-list outside_cryptomap_20 permit ip host Zenoss_OS NOC 255.255.255.0 
access-list outside_cryptomap_20 permit ip host SilverBack NOC 255.255.255.0 
access-list outside_cryptomap_20 permit ip host Zenoss_Hardware NOC 255.255.255.0 

ip local pool DHCP_Pool 192.168.0.161-192.168.0.174

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-vpn
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 205.x.29.41
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL 
crypto map outside_map interface outside
isakmp enable outside
isakmp key KEY address 205.x.29.41 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp nat-traversal 180
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup GHA_Remote address-pool DHCP_Pool
vpngroup GHA_Remote dns-server 192.168.0.11
vpngroup GHA_Remote wins-server 192.168.0.11
vpngroup GHA_Remote default-domain x.org
vpngroup GHA_Remote split-tunnel Remote_splitTunnelAcl
vpngroup GHA_Remote idle-time 1800
vpngroup GHA_Remote password KEY

I guess what I am really asking is if someone can convert the site-to-site version of this VPN config to ASA 8.2 so I can compare it to what I have. I need to have this so I can just drop it in place and work.

Also it doesn't seem that isakmp policy 40 is being used, correct?

The following command is the only command I can't enter directly:

crypto map outside_map 20 ipsec-isakmp

I get a ERROR: % Incomplete command I then see that I need to add dynamic "dynamic map name" I'm unsure of what dynamic map I need to tie this to.

evolvd
  • 1,374
  • 6
  • 33
  • 58

1 Answers1

3

Why are you doing this all manually? Cisco offers a Pix to ASA migration tool. Run your config through that and then just verify the results before you put it into production (and stop using des encryption. Use 3des or aes).

EDIT:
Sorry. It's been a while since I've used that migration tool. I thought it did the VPN stuff. Here's what your configuration should look like. There was a lot of extra stuff in there that you don't need if you're just doing site to site, so I took it out. I also put you on 3des encryption:

access-list inside_outbound_nat0_acl permit ip any 192.168.0.160 255.255.255.240
access-list inside_outbound_nat0_acl permit ip host Zenoss_OS NOC 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host SilverBack NOC 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host enoss_Hardware NOC 255.255.255.0
access-list outside_cryptomap_20 permit ip host Zenoss_OS NOC 255.255.255.0
access-list outside_cryptomap_20 permit ip host SilverBack NOC 255.255.255.0
access-list outside_cryptomap_20 permit ip host Zenoss_Hardware NOC 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 205.x.29.41
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
tunnel-group 205.x.29.41 type ipsec-l2l
tunnel-group 205.x.29.41 ipsec-attributes
pre-shared-key KEY

Jason Berg
  • 18,954
  • 6
  • 38
  • 55
  • +1. Indeed, stop using DES and switch to 3DES or AES. – petrus Jun 01 '11 at 14:12
  • This is actually the converted output using that tool...I guess the tool doesn't convert the VPN commands to 8.2 commands. That is why I am doing this manually. Yes des is changing to 3des. – evolvd Jun 01 '11 at 14:16