Unanswered Question
Feb 28th, 2010
Ok, I got Newbie error here but I do not see it.

I am trying to get a second site doing a VPN tunnel to the original Site1

Site1 VPN is working for VPN client users but I am not getting an IPsec tunnel up between sites

Site2 VPN is not accepting clients either... but does have internet

I have attached sanitized configs for both sites.

I have been using ASDM, but I can set up the console easily on Site2.

Thanks in Advance for any assistance or suggestions

mopaul Sun, 02/28/2010 - 20:02


I have reviewed the configuration and found that both ASAs have the set-route command on outside, which makes me think that your ISP is assigning dynamic IP addresses. But this should not be true, as you have mentioned that the RA clients work fine on the Site 1 ASA. To my understanding, though the ISP device is assigning a dynamic IP, it remains static in nature (does not change); please correct me if I am wrong. On Site B, the remote client may not be working because the IP assigned to its outside is dynamic in nature and hence keeps changing. For a remote client setup, the VPN server should have a static IP address where clients can connect to. Can you please reply with the nature of the public IP address on both ASAs? Also, do let me know what the IP address is if it's static so that I can verify the configuration.

You can also refer to the following sample configuration documents. These documents are pretty straightforward.

Scenario: Site-to-Site VPN Configuration (With Static IP address on both sites)

Scenario: Remote-Access VPN Configuration

PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example

*The last document covers NAT exemption*




marcuslupi Mon, 03/01/2010 - 06:22

Actually both sites have dynamic IP addresses but will keep the same IP.

Site1 Is cable modem

Site2 is ADSL

Both sites' ISPs keep the same IP for a MAC address, so unless hardware is changed (either modem or firewall) the IPs act as static.

I did double check that IP's have not shifted.

I can send you the live IP's by email if you wish.

busterswt Mon, 03/01/2010 - 06:42


The crypto ACL on site1 appears to be set up incorrectly. Site1 is defined at, yet the crypto ACL shows to be both the source and destination:

object-group network DM_INLINE_NETWORK_1
network-object host

access-list outside_1_cryptoSite2 extended permit ip host object-group DM_INLINE_NETWORK_1

You'll need to change the source from a host entry to the network. The destination will need to be changed from a host entry to the network. You'll also want to remove from the object group, otherwise you'll be defining *all* traffic (once you fix the source network) as interesting traffic.

In addition to that, the crypto maps for both firewalls show PFS to be enabled, but one is group1 and the other is group2 (default). You'll want these to match.

You've got these two entries within the site2 NAT exemption ACL, but they will not be effective at all and can probably be removed once things are working correctly:

access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip Site1

The NAT exemption ACL on the site1 fw is missing an entry for communication between (source) and (destination). This will need to be added also.

See what you can do to correct those things and give it a shot. Since traffic is not being considered as 'interesting' that could likely be why you're not seeing any logs.
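The three problems called out in this reply (crypto ACLs that do not mirror each other and that match all traffic, a PFS group mismatch, and a missing NAT exemption entry) are exactly the kind of thing worth checking mechanically before reading debug output. Below is an added example, not code from the thread or from Cisco, that parses small ASA config fragments and reports those three conditions. The sample configs, addresses (10.1.1.0/24 and 10.2.2.0/24 for the two LANs, 10.10.10.0/24 for a VPN client pool), object-group contents and crypto-map names are constructed assumptions standing in for the poster's sanitized files.

```python
import ipaddress
import re

# Constructed ASA fragments standing in for the two sanitized configs in the
# thread. Addresses, object-group contents and crypto-map names are assumptions.
SITE1_CFG = """
object-group network DM_INLINE_NETWORK_1
 network-object host 10.2.2.1
 network-object 0.0.0.0 0.0.0.0
access-list outside_1_cryptoSite2 extended permit ip host 10.1.1.1 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 1 set pfs group1
"""
SITE2_CFG = """
access-list outside_1_cryptoSite1 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map outside_map 1 set pfs
"""
# Site1 after the fixes suggested in the thread: network-to-network crypto ACE,
# no catch-all entry, PFS group matched to the peer's default, nat0 entry added.
SITE1_FIXED = """
access-list outside_1_cryptoSite2 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map outside_map 1 set pfs
"""


def _parse_endpoint(tokens, i, groups):
    """Parse one ACE endpoint starting at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "object-group":
        return groups[tokens[i + 1]], i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2  # "addr mask" form


def parse_object_groups(cfg):
    """Expand 'object-group network' definitions into lists of networks."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif line.startswith(" network-object") and current:
            nets, _ = _parse_endpoint(line.split(), 1, groups)
            groups[current].extend(nets)
        elif not line.startswith(" "):
            current = None
    return groups


def parse_acl(cfg, name, groups):
    """Return (src, dst) network pairs for every 'permit ip' ACE of the named ACL."""
    pairs = []
    for line in cfg.splitlines():
        toks = line.split()
        if toks[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        srcs, i = _parse_endpoint(toks, 5, groups)
        dsts, _ = _parse_endpoint(toks, i, groups)
        pairs.extend((s, d) for s in srcs for d in dsts)
    return pairs


def parse_pfs(cfg):
    """Return the PFS DH group set on the crypto map, or None if PFS is not set."""
    m = re.search(r"crypto map \S+ \d+ set pfs(?: (group\d+))?", cfg)
    if not m:
        return None
    return m.group(1) or "group2"  # ASA uses group2 when 'set pfs' names no group


def check_crypto_mirror(local_pairs, remote_pairs):
    """Flag local crypto ACEs whose reverse (dst -> src) is absent on the peer."""
    mirrored = {(d, s) for s, d in remote_pairs}
    return [f"crypto ACE {s} -> {d} has no mirror ({d} -> {s}) on peer"
            for s, d in local_pairs if (s, d) not in mirrored]


def check_nat_exempt(crypto_pairs, nat0_pairs):
    """Flag crypto pairs not covered by any NAT exemption (nat0) entry."""
    return [f"no nat0 entry covers {s} -> {d}; tunnel traffic would be NATed"
            for s, d in crypto_pairs
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nat0_pairs)]


def audit(local_cfg, local_acl, remote_cfg, remote_acl):
    """Run the three checks from the thread from one side's point of view."""
    lg, rg = parse_object_groups(local_cfg), parse_object_groups(remote_cfg)
    local_crypto = parse_acl(local_cfg, local_acl, lg)
    remote_crypto = parse_acl(remote_cfg, remote_acl, rg)
    findings = check_crypto_mirror(local_crypto, remote_crypto)
    findings += [f"crypto ACE {s} -> {d} makes all traffic interesting"
                 for s, d in local_crypto if s.prefixlen == 0 or d.prefixlen == 0]
    lp, rp = parse_pfs(local_cfg), parse_pfs(remote_cfg)
    if lp != rp:
        findings.append(f"PFS mismatch: local {lp}, remote {rp}")
    findings += check_nat_exempt(local_crypto, parse_acl(local_cfg, "inside_nat0_outbound", lg))
    return findings


if __name__ == "__main__":
    for f in audit(SITE1_CFG, "outside_1_cryptoSite2", SITE2_CFG, "outside_1_cryptoSite1"):
        print("site1:", f)
    print("site1 fixed:", audit(SITE1_FIXED, "outside_1_cryptoSite2", SITE2_CFG, "outside_1_cryptoSite1"))
```

Run against the "before" fragment the script reports six findings (two unmirrored ACEs, the catch-all entry, the PFS group1/group2 mismatch, and two uncovered nat0 pairs); against the corrected Site1 it reports none from either side. The mirror check compares exact networks on purpose: the ASA negotiates proxy identities from the crypto ACL, so a host entry on one side and a network entry on the other will not match even though one contains the other.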


