pix-to-pix or asa-to-asa Test Lab

Unanswered Question
Jan 7th, 2008
Trying to set up an L2L lab with 2x ASA 5510. The ASAs' outside interfaces are connected with a crossover cable. I can ping on both sides. Would it be possible to get an L2L VPN working with this setup without routers?



ASA1 outside - 1.1.1.1/30
inside - 172.16.1.1/24

ASA2 outside - 1.1.1.2/30
inside - 192.168.1.0/24


Thanks in advance...



Jon Marshall Mon, 01/07/2008 - 13:16
Hi


Yes, you can do this. You don't need routers to be able to configure an L2L VPN, as any routers in between only route the IPsec packets as normal IP traffic and do nothing special to them.


Jon

Gerard Gacusan Mon, 01/07/2008 - 14:01
Thanks for your reply...


Not sure why I can establish the tunnel; I verified everything on both sides and it all seems correct. Running version 8.0(3).


Enabled debug crypto isakmp 255 and debug crypto ipsec 255; terminal mon is on... no debug output so far.






Jon Marshall Mon, 01/07/2008 - 14:03
Can you post the configs?

Jon Marshall Mon, 01/07/2008 - 14:19
Hi


Config looks okay - what are the source IP address and destination IP address you are using?


Jon

Gerard Gacusan Mon, 01/07/2008 - 14:21
Host A - 10.10.1.15/24

Host B - 192.168.2.15/24


Host A can ping/SSH to ASA A.

Host B can ping/SSH to ASA B.


I did clear xlate on both sides...



srue Mon, 01/07/2008 - 16:02
I see no routing enabled on your devices, and no NAT either.

You have a nat0 ACL, but it's not applied to anything.

Gerard Gacusan Tue, 01/08/2008 - 07:32
ASA1 and ASA2 are directly connected with a crossover cable.


C 127.0.0.0 255.255.0.0 is directly connected, cplane
C 10.10.1.0 255.255.255.0 is directly connected, inside
C 65.1.1.0 255.255.255.192 is directly connected, outside


++++++++++++++++++++++++++++++++++++++++++


I added these lines on both ASAs, except that the access-list inside_nat0_outbound entry is in reverse order on the other side...



access-list outside extended permit icmp any any
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound


Still not working... please advise.

Thanks...
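Two of the points raised in this thread (the nat 0 ACL must actually be bound with a `nat (inside) 0 access-list` line, and the exemption ACL on each peer must be the mirror image of the other's) can be checked offline from the configs. The following is an added example, not code from the thread or from Cisco: a small hypothetical checker that parses only the ASA 8.0 syntax used in the post above and runs it over constructed sample configs modelled on that post.

```python
import ipaddress
import re

# Only the subset of ASA 8.0 syntax that appears in the post (hypothetical parser).
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_asa(config):
    """Return (acls, applied): ACL name -> [(src_net, dst_net)], and ACL names bound by a 'nat (x) 0' line."""
    acls, applied = {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            pair = (ipaddress.ip_network(f"{s}/{sm}", strict=False),
                    ipaddress.ip_network(f"{d}/{dm}", strict=False))
            acls.setdefault(name, []).append(pair)
        elif m := NAT0_RE.match(line):
            applied.add(m.group(2))
    return acls, applied


def nat0_exempted(config):
    """Traffic pairs actually exempted from NAT: an ACL that is defined but never bound counts for nothing."""
    acls, applied = parse_asa(config)
    return {pair for name in applied for pair in acls.get(name, [])}


def check_mirror(config_a, config_b):
    """Return a list of problems; an empty list means each side exempts the mirror image of the other."""
    a, b = nat0_exempted(config_a), nat0_exempted(config_b)
    problems = []
    if not a:
        problems.append("ASA A: no nat 0 ACL applied, NAT exemption is ineffective")
    if not b:
        problems.append("ASA B: no nat 0 ACL applied, NAT exemption is ineffective")
    b_mirrored = {(dst, src) for src, dst in b}  # view B's entries from A's perspective
    for src, dst in sorted(a - b_mirrored, key=str):
        problems.append(f"ASA A exempts {src} -> {dst} but ASA B has no mirror entry")
    for src, dst in sorted(b_mirrored - a, key=str):
        problems.append(f"ASA B exempts {dst} -> {src} but ASA A has no mirror entry")
    return problems


# Constructed sample configs modelled on the lines in the post (not the poster's full configs).
ASA_A = """access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound"""
ASA_B_OK = """access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound"""
ASA_B_UNAPPLIED = ASA_B_OK.splitlines()[0]  # ACL present but never bound with 'nat (inside) 0'
```

`check_mirror(ASA_A, ASA_B_OK)` returns an empty list, while `check_mirror(ASA_A, ASA_B_UNAPPLIED)` reports both the unbound ACL on B and the resulting missing mirror entry for A's exemption.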



Gerard Gacusan Wed, 01/09/2008 - 14:36
My first question was "to test ASA to ASA without an L3 router".


Well, I tried to figure out if that would work using a crossover cable from outside interface to outside interface. Same subnet on both sides. I can ping bidirectionally just fine.


But my tunnel can't establish using this setup.


So I put an L3 router on both sides via an Async interface with PPP on it. This is a LAB environment for now.


And from there my TUNNEL works.


Actually, I haven't tried testing PIX or ASA without an L3 router before.


So I went back to the normal setup to make it work in my LAB.


However, I would really appreciate it if someone has experience testing PIXes or ASAs without an L3 router.


Thanks...