Site To Site VPN between ASA 5505 and ASA 5520

Answered Question
Feb 27th, 2009

I've two ASA devices: a 5505 and a 5520. I'm attempting to configure a simple, site-to-site VPN tunnel between the two and so far haven't had any luck. I'm a bit of a novice with this, so I was hoping the config files I've attached may provide some insight into what I'm missing.

The 'philly' side has an internal ip range of 192.168.60.x and is using the 5505.

The 'dc' side has an internal ip range of 10.10.50.x and is using the 5520.

All I want to do is to be able to get from one side to the other and vice versa.

Thanks in advance!

acomiskey Fri, 02/27/2009 - 08:41

This should help.

dc:

access-list nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0

nat (inside) 0 access-list nat0

philly:

access-list nat0 extended permit ip 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0

nat (inside) 0 access-list nat0

cavemanbobby Fri, 02/27/2009 - 09:08

Thanks a ton for your swift and helpful response.

I did as you had suggested, but unfortunately I am still unable to ping from one internal network to the other.

I've attached the updated configs with the nat0 arguments included for further analysis.

Correct Answer
acomiskey Fri, 02/27/2009 - 09:20

Add this to both..

crypto isakmp enable outside

cavemanbobby Fri, 02/27/2009 - 11:04

Magic!

That did it. I have no idea what that command did, but obviously it works. Will look up the details immediately.

You the man.

Thanks.

denaumcisco Mon, 03/02/2009 - 04:46

dear cavemanbobby,

Can you post the ASA 5520 configuration file (vpn)?

Thanks


denaumcisco Mon, 03/02/2009 - 08:45

thanks caveman,

I have another question, Do you know how to do a "backup route" on ASA 5520?

denaumcisco Mon, 03/02/2009 - 09:04

But this example is for the ASA 5505; I can't do VLANs on the 5520.

Another suggestion?

Patrick0711 Mon, 03/02/2009 - 20:52

You are missing the "ISAKMP enable outside" command on both devices. The crypto map is applied to the outside interface but ISAKMP isn't.

wangliwei_01 Tue, 03/03/2009 - 02:19

Enabling ISAKMP on the Outside Interface

You must enable ISAKMP on the interface that terminates the VPN tunnel. Typically this is the outside, or public, interface.

To enable ISAKMP, enter the following command:

crypto isakmp enable interface-name

For example:

hostname(config)# crypto isakmp enable outside

If there is a NAT in the path, enable NAT-T, and be sure the firewall can pass port 500 and protocol ID 50.
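Putting the pieces from this thread together (acomiskey's nat0 exemption and crypto isakmp enable outside, Patrick0711's point that the crypto map alone is not enough, and the NAT-T / port 500 / protocol 50 note above), here is a complete minimal site-to-site configuration for both sides. This is an added example, not the configs the original poster attached (which are not on this page). It uses the thread's subnets and the ASA 8.2-era syntax the thread's nat (inside) 0 commands imply. The outside addresses 203.0.113.1 and 198.51.100.1, the policy/transform-set/crypto-map names and the pre-shared key placeholder are my assumptions.

```cisco
! ===== dc side (ASA 5520), inside 10.10.50.0/24 =====
! Assumed outside address: 203.0.113.1, peer (philly) assumed 198.51.100.1
!
! Interesting traffic: what the crypto map will encrypt
access-list vpn-to-philly extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0
!
! NAT exemption: traffic between the two LANs must not be translated,
! otherwise it never matches the crypto ACL (acomiskey's first fix)
access-list nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nat0
!
! Phase 1 (IKEv1/ISAKMP). The enable line is the one the thread was missing:
! applying the crypto map to outside does not start the ISAKMP listener.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! NAT-T: needed if either peer sits behind a NAT device; IKE then
! moves to UDP 4500 and ESP is wrapped in UDP 4500
crypto isakmp nat-traversal 20
!
! Phase 2 (IPsec) and the crypto map bound to the outside interface
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address vpn-to-philly
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
! Peer definition; use a long random pre-shared key (placeholder here)
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
!
! ===== philly side (ASA 5505), inside 192.168.60.0/24 =====
! Assumed outside address: 198.51.100.1, peer (dc) assumed 203.0.113.1
! Everything is mirrored: source and destination swap, peer address swaps.
access-list vpn-to-dc extended permit ip 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0
access-list nat0 extended permit ip 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address vpn-to-dc
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
!
! ===== Verification (run on either ASA after sending a ping across) =====
! show crypto isakmp sa      -> Phase 1 peer should show state MM_ACTIVE
! show crypto ipsec sa       -> #pkts encaps and #pkts decaps should both increase;
!                               encaps rising with decaps at 0 means the far side
!                               is not sending back (check its nat0 and crypto ACL)
! show nat (or show xlate)   -> confirm the LAN-to-LAN flow hits the nat 0 exemption
```

Two caveats worth knowing. First, the Phase 1 policy and the transform set must match on both sides exactly (encryption, hash, DH group, authentication), and the two crypto ACLs must be mirror images of each other, or Phase 2 will fail even though Phase 1 comes up. Second, the port 500 / protocol 50 note applies to any device between the two peers: IKE (UDP 500, plus UDP 4500 when NAT-T is in use) and ESP (IP protocol 50) must be allowed end to end. On the ASA itself, traffic that terminates on its own outside interface is not subject to the outside interface ACL, and the default sysopt connection permit-vpn lets decrypted tunnel traffic bypass interface ACLs; if that default has been turned off, the inside LAN traffic also needs to be permitted explicitly.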
