Site To Site VPN between ASA 5505 and ASA 5520

Answered Question
Feb 27th, 2009

I've two ASA devices: a 5505 and a 5520. I'm attempting to configure a simple, site-to-site VPN tunnel between the two and so far, haven't had any luck. I'm a bit of a novice with this, so was hoping the config files I've attached may provide some insight into what I'm missing.


The 'philly' side has an internal ip range of 192.168.60.x and is using the 5505.


The 'dc' side has an internal ip range of 10.10.50.x and is using the 5520.


All I want to do is to be able to get from one side to the other and vice versa.


Thanks in advance!



Correct Answer by acomiskey about 8 years 3 months ago

Add this to both..


crypto isakmp enable outside

acomiskey Fri, 02/27/2009 - 08:41

This should help.


dc.


access-list nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0

nat (inside) 0 access-list nat0


philly.


access-list nat0 extended permit ip 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0

nat (inside) 0 access-list nat0

cavemanbobby Fri, 02/27/2009 - 09:08

Thanks a ton for your swift and helpful response.


I did as you had suggested, but unfortunately I am still unable to ping from one internal network to the other.


I've attached the updated configs with the nat0 arguments included for further analysis.





Correct Answer
acomiskey Fri, 02/27/2009 - 09:20

Add this to both..


crypto isakmp enable outside

cavemanbobby Fri, 02/27/2009 - 11:04

Magic!


That did it. I have no idea what that command did, but obviously it works. Will look up the details immediately.


You the man.


Thanks.

denaumcisco Mon, 03/02/2009 - 04:46

dear cavemanbobby,


Can you post the ASA 5520 configuration file (vpn)?


Thanks

denaumcisco Mon, 03/02/2009 - 05:05

dear cavemanbobby,


Can you post the ASA 5520 configuration file (vpn)?


Thanks

denaumcisco Mon, 03/02/2009 - 08:45

thanks caveman,


I have another question. Do you know how to do a "backup route" on ASA 5520?

denaumcisco Mon, 03/02/2009 - 09:04

But this example is for ASA 5505, I can't do VLANs on 5520


Another suggestion?

Patrick0711 Mon, 03/02/2009 - 20:52

You are missing the "ISAKMP enable outside" command on both devices. The crypto map is applied to the outside interface but ISAKMP isn't.

wangliwei_01 Tue, 03/03/2009 - 02:19

Enabling ISAKMP on the Outside Interface

You must enable ISAKMP on the interface that terminates the VPN tunnel. Typically this is the outside, or public interface.

To enable ISAKMP, enter the following command:

crypto isakmp enable interface-name

For example:

hostname(config)# crypto isakmp enable outside



If you have NAT, enable NAT-T, and be sure the firewall can pass port 500 and protocol ID 50.
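The two fixes given in this thread (a mirrored nat0 exemption on each side, and ISAKMP enabled on the interface that carries the crypto map) can be checked mechanically before testing the tunnel. The following is an added example, not code from the thread or from Cisco; the sample configs are constructed from the lines posted above, and the crypto map name `outside_map` is a placeholder.

```python
import re

# Constructed sample configs: the subnets and nat0 lines come from the thread;
# the crypto map name "outside_map" is a placeholder.
DC = """
access-list nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto map outside_map interface outside
"""
PHILLY = """
access-list nat0 extended permit ip 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto map outside_map interface outside
"""

def _grab(config, pattern):
    """All regex group tuples for lines that fully match pattern."""
    return [m.groups() for l in config.splitlines()
            if (m := re.fullmatch(pattern, l.strip()))]

def audit_asa(config):
    """Return a list of findings for one ASA config in the syntax used in this thread."""
    map_ifaces = {g[0] for g in _grab(config, r"crypto map \S+ interface (\S+)")}
    ike_ifaces = {g[0] for g in _grab(config, r"crypto isakmp enable (\S+)")}
    # A crypto map bound to an interface needs ISAKMP enabled on that same interface.
    findings = [f"crypto map on '{i}' but no 'crypto isakmp enable {i}'"
                for i in sorted(map_ifaces - ike_ifaces)]
    acls = {g[0] for g in _grab(config, r"access-list (\S+) .*")}
    nat0 = [g[0] for g in _grab(config, r"nat \(\S+\) 0 access-list (\S+)")]
    if not nat0:
        findings.append("no NAT exemption ('nat (<if>) 0 access-list ...') configured")
    findings += [f"nat 0 references undefined access-list '{a}'"
                 for a in nat0 if a not in acls]
    return findings

def nat0_pairs(config, acl="nat0"):
    """(source, destination) network pairs permitted by the exemption ACL."""
    net = r"(\S+ \S+)"
    return set(_grab(config, rf"access-list {re.escape(acl)} extended permit ip {net} {net}"))

def mirrored(cfg_a, cfg_b):
    """True when each side's exemption ACL is the exact reverse of the other's."""
    a, b = nat0_pairs(cfg_a), nat0_pairs(cfg_b)
    return bool(a) and a == {(dst, src) for src, dst in b}

if __name__ == "__main__":
    for name, cfg in (("dc", DC), ("philly", PHILLY)):
        print(name, audit_asa(cfg) or "ok")
    print("nat0 mirrored:", mirrored(DC, PHILLY))
```

Run against the constructed samples, both sides report the missing `crypto isakmp enable outside`; appending that line to each config clears the finding.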
