09-10-2008 01:47 AM
Hi All,
I want to set up a VPN site to site between 2 networks, both firewalls are ASA 5510, one with security plus license for HA purpose.
But when I set up the VPN tunnel between the 2 firewalls, from the log of the firewall of Site A I can see the VPN has been set up: it displayed Group = (IP of Site B), IP = (IP of Site B), Phase one completed. IPSEC: An outbound LAN to LAN SA between ...... has been created. Group = ...... Security negotiation complete for ....... Group =........, PHASE 2 COMPLETED. When I start a ping from a Site A PC to a Site B PC, the log shows Built inbound ICMP connection for faddr PC/512 gaddr PC2/0 laddr PC2/0. After a while, when the ping shows Request timeout, the log shows Teardown ICMP connection for faddr PC/512 gaddr PC2/0 laddr PC2/0.
When I try again with the TELNET function, it is still the same response; it seems the connection cannot be established.
Experts, please help me.
I think the VPN setting should be OK, because from the log, I can see the Phase 1 and Phase 2 also completed.
Is it a problem with the access list or the security group?
Also, I want to ask: does it support multiple site-to-site VPNs?
Assume Site A is my place, I want to make a tunnel with Site B and Site C.
What if Site B's and Site C's private networks are also 192.168.1.0 mask 255.255.255.0?
What is the best way to do it?
Thanks for your reading.
09-10-2008 02:42 AM
hi
What I suggest is to have a look at the following link, which will answer your questions, and you can follow it to achieve what you want:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
good luck
if helpful Rate
09-10-2008 05:20 AM
Hello,
Please check the output of "show crypto isakmp sa"; the tunnel state should be "QM_Idle", then your tunnel is up.
Can you post the result of "show crypto ipsec sa"? And also post the VPN configurations from both ends.
Regarding your second question of overlapping networks for two different sites: here you will have to do Static NAT of network 192.168.1.0/24 of one of the sites on that site's VPN device before it reaches the Hub device. If you want Site B to communicate with Site C, then you need to do NAT on both remote VPN devices.
Also, since you will be configuring the VPN tunnels on the outside interface of the Hub ASA device, and the ASA by default does not redirect traffic on the same interface, you will have to configure
"same-security-traffic permit intra-interface"
HTH
Saju
Pls rate if it helps
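A worked configuration for the hub-and-spoke, overlapping-subnet design Saju describes. This is an added example, not from the thread or from Cisco's linked document; it assumes pre-8.3 ASA NAT syntax, a hub LAN of 192.168.10.0/24, translated ranges 10.1.1.0/24 (Site B) and 10.2.2.0/24 (Site C), and placeholder peer addresses in angle brackets.

```cisco
! ---- Site B ASA (spoke): real LAN 192.168.1.0/24 overlaps with Site C ----
! Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_net real_net. The LAN
! is translated to an assumed unique range 10.1.1.0/24 before encryption.
static (inside,outside) 10.1.1.0 192.168.1.0 netmask 255.255.255.0
! The crypto ACL must match the TRANSLATED source, because the ASA applies
! NAT before the crypto-map check on outbound traffic. Destinations are the
! hub LAN (assumed 192.168.10.0/24) and Site C's translated range 10.2.2.0/24.
access-list L2L-HUB extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L-HUB extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-HUB
crypto map OUTSIDE-MAP 10 set peer <HUB_OUTSIDE_IP>
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! ---- Site C ASA (spoke): same pattern with its own translated range ----
static (inside,outside) 10.2.2.0 192.168.1.0 netmask 255.255.255.0
access-list L2L-HUB extended permit ip 10.2.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L-HUB extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
! (transform-set and crypto map entries as at Site B, peer <HUB_OUTSIDE_IP>)

! ---- Site A ASA (hub) ----
! Spoke-to-spoke traffic arrives and leaves on the outside interface; the ASA
! drops such hairpinned traffic unless this is enabled.
same-security-traffic permit intra-interface
! Each spoke's crypto ACL lists the hub LAN plus the OTHER spoke's translated
! range, so B<->C packets leave one tunnel and are re-encrypted into the other.
access-list L2L-SITEB extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list L2L-SITEB extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list L2L-SITEC extended permit ip 192.168.10.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list L2L-SITEC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! Hub LAN traffic to the spokes must bypass the hub's own NAT (NAT exemption).
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITEB
crypto map OUTSIDE-MAP 10 set peer <SITEB_OUTSIDE_IP>
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address L2L-SITEC
crypto map OUTSIDE-MAP 20 set peer <SITEC_OUTSIDE_IP>
crypto map OUTSIDE-MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

ISAKMP policies and the tunnel-group pre-shared keys are omitted and must match at both ends of each tunnel; hosts at Site B reach Site C as 10.2.2.x and vice versa, never as 192.168.1.x.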
09-10-2008 08:29 PM
Hey,
Thanks for your reply.
I have checked the show crypto ipsec sa.
The result is :
Active SA :1
Rekey SA: 0
Total IKE SA:1
1 IKE Peer: Site B outside address
Type: L2L
Role:Initiator
Rekey: no
State: MM_ACTIVE
When I am configuring the VPN,
As I mentioned before, the ASA version at Site B is different from the firewall at Site A.
I was using ASDM for the configuration.
In the Encryption stage of the configuration, one of the firewalls has an option for "perfect forward secrecy" and needs the DH group to be chosen, but the other one did not have this option.
Do you think it is a problem?
Thanks