VPN Site to Site between 2 ASA5510

Unanswered Question
Sep 10th, 2008

Hi All,

I want to set up a VPN site to site between 2 networks, both firewalls are ASA 5510, one with security plus license for HA purpose.

But when I set up the VPN tunnel between the 2 firewalls, in the log of the firewall of site A I can see the VPN has been set up: it displayed Group = (IP of Site B), IP = (IP of Site B), Phase one completed. IPSEC: An outbound LAN to LAN SA between ...... has been created. Group = ...... Security negotiation complete for ....... Group =........, PHASE 2 COMPLETED. When I start the ping from a SITE A PC to a SITE B PC, the log showed Built inbound ICMP connection for faddr PC/512 gaddr PC2/0 laddr PC2/0. After a while, when the ping showed Request timeout, the log showed Teardown ICMP connection for faddr PC/512 gaddr PC2/0 laddr PC2/0.

When I try again with the TELNET FUNCTION, it is still the same response; it seems it cannot establish.

Experts, please help me.

I think the VPN setting should be OK, because from the log I can see that Phase 1 and Phase 2 were both completed.

Is it a problem with the access list or the security group?

Also, I want to ask: does it support multiple site-to-site VPNs?

Assume Site A is my place, I want to make a tunnel with Site B and Site C.

If Site B and Site C's private network also is mask

What is the best way to do it?

Thanks for your reading.

singhsaju Wed, 09/10/2008 - 05:20


Please check the output of "show crypto isakmp sa"; the tunnel state should be "QM_Idle", then your tunnel is up.

Can you post the result of "show crypto ipsec sa"? And also post the VPN configurations from both ends.

Regarding your second question of overlapping networks for two different sites: here you will have to do static NAT of the network of one of the sites on that site's VPN device before it reaches the hub device. If you want site B to communicate with site C, then you need to do NAT on both remote VPN devices.

Also, since you will be configuring the VPN tunnels on the outside interface of the hub ASA device, and the ASA by default does not redirect traffic on the same interface, you will have to configure

"same-security-traffic permit intra-interface"



Pls rate if it helps
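As an added illustration of the reply above (not configuration posted in this thread), here is what the hub-and-spoke layout it describes would look like on 2008-era ASA CLI: the hub allows hairpinning with same-security-traffic permit intra-interface, and spoke B, whose LAN overlaps with spoke C's, is presented to the tunnels through a translated range via static policy NAT before the traffic is encrypted. All addresses, object names and pre-shared keys are constructed placeholders.

```cisco
! ---- Hub ASA, Site A (LAN 10.10.1.0/24); pre-8.3 NAT syntax; all addresses constructed ----
! Spoke-to-spoke traffic arrives on "outside" and must leave on "outside" again:
same-security-traffic permit intra-interface
! Crypto ACLs use the spokes' translated ranges (10.10.2.0/24 for B, 10.10.3.0/24 for C);
! the second line of each ACL carries the hairpinned B <-> C traffic.
access-list HUB-TO-B extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list HUB-TO-B extended permit ip 10.10.3.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list HUB-TO-C extended permit ip 10.10.1.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list HUB-TO-C extended permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
! Exempt hub LAN -> spoke traffic from the hub's Internet NAT (a common reason pings fail
! while Phase 1 and Phase 2 show as complete).
access-list NO-NAT extended permit ip 10.10.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 match address HUB-TO-B
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP 20 match address HUB-TO-C
crypto map VPNMAP 20 set peer 203.0.113.3
crypto map VPNMAP 20 set transform-set ESP-AES-SHA
crypto map VPNMAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK-B
tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK-C
!
! ---- Spoke ASA, Site B (real LAN 192.168.1.0/24, overlapping with Site C) ----
! Policy static NAT: only VPN-bound traffic is presented as 10.10.2.0/24, so the
! spoke's normal dynamic NAT for Internet traffic is unaffected.
access-list B-POLICY-NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
static (inside,outside) 10.10.2.0 access-list B-POLICY-NAT
! NAT runs before the crypto map check, so the crypto ACL matches the translated source.
access-list B-VPN extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list B-VPN extended permit ip 10.10.2.0 255.255.255.0 10.10.3.0 255.255.255.0
crypto map VPNMAP 10 match address B-VPN
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface outside
! Plus "crypto isakmp enable outside", the same isakmp policy and transform set, and a
! tunnel-group for 203.0.113.1, as on the hub. Site C mirrors this block with 10.10.3.0/24.
```

With this in place, the hub's "show crypto isakmp sa" should list both spoke peers in QM_IDLE, and "show crypto ipsec sa" should show encaps/decaps counters rising on the translated-range SAs when B pings C.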

djemba-djemba Wed, 09/10/2008 - 20:29


Thanks for your reply.

I have checked the show crypto ipsec sa.

The result is:

Active SA :1
Rekey SA: 0
Total IKE SA:1
1 IKE Peer: Site B outside address
Type: L2L
Rekey: no


When I am configuring the VPN,

As I mentioned before, the version of the ASA at site B is different from the firewall at site A.

Because I was using the ASDM for configuration.

In the Encryption Stage of configuration.

One of the firewalls has an option for "perfect forward secrecy" and needs a DH group to be chosen. But the other one did not have this option.

Do you think it is a problem?
