Issue's creating a site-to-site vpn

v-mileve
Level 1

I am trying to set up a site-to-site VPN for testing and am going through http://www.ciscosecrets.info/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml but am still not able to establish the connection. I have attached the configs of both of the 5520's that I'm using. What am I missing?

1 Accepted Solution

Try this if you are pinging from ASA

management-access inside

8 Replies

Asim Malik
Level 1

Hi,

ASA 1 is using an incorrect source in ACL 100, and ASA 3 is missing the crypto map outside_map 20 match address statement.

Also check the NAT exempt on both. Whatever the correct source is, it needs to be part of access-list 100 and the "no nat" ACL.

I fixed those 2 items and have gone back through the config.

When I run show crypto ipsec sa I get "There are no ipsec sas"; this is the same when I do a show crypto isakmp sa. So the tunnel is not being created. I have L2 connectivity between them. Running debug on FW1 (ASA1) for crypto ipsec gives me no results. Very, very confusing. I have done this in the past using two 5505's with no problems.

Unless this is just being challenging since the outside interfaces are on the same network. Is that possible?

I see you defined the 10.1.1.x network in the ACLs on ASA1:

access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

On ASA3:

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24

I assume you want to encrypt traffic from 172.16.1.x to 192.168.2.x and vice versa. If that is the case, make sure the ACLs on ASA1 look like this:

access-list 100 extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Also add the NAT exempt on ASA3:

nat (inside) 0 access-list nonat

How are you trying to initiate the tunnel? I assume you are pinging from a host on the 172.16.1.x subnet to the 192.168.2.x subnet or vice versa.

Get these debugs from both devices:

debug crypto isakmp 128

debug crypto ipsec 128
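The two faults pointed out above (a crypto ACL whose source does not match the peer's destination, and a crypto map with no match address and no NAT exemption) are the kind of thing that is easy to check mechanically before ever looking at debugs. The following Python check is an added example, not code from this thread or from Cisco: it parses the crypto ACL, the crypto map's match address and the nat (inside) 0 exemption from each peer's config, verifies that the exemption covers every crypto ACL entry, and verifies that the two peers' crypto ACLs are mirror images of each other (otherwise the proxy IDs will never match). The sample configs are constructed from the snippets quoted above; the set peer line and the address 192.0.2.1 are assumptions used only to show a crypto map that exists without a match address entry.

```python
"""Cross-check the crypto ACLs and NAT-exemption ACLs of two ASA peers.

Added example (not code from the thread or from Cisco). The sample configs are
constructed from the snippets quoted in the thread; the 'set peer 192.0.2.1'
line is an assumption that stands in for the rest of ASA3's crypto map.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# A crypto-ACL entry reduced to (source network, destination network).
Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Only the 'permit ip <net> <mask> <net> <mask>' form used in the thread is
# parsed; 'host' and 'any' entries would need additional patterns.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")

# Constructed from the ASA1 snippet in the thread: wrong source network.
ASA1_CFG = """\
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 match address 100
"""

# Constructed from the ASA3 snippet: no 'match address', no NAT exemption.
ASA3_CFG = """\
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside_map 20 set peer 192.0.2.1
"""

# The corrections suggested in the thread applied to the constructed configs.
ASA1_FIXED_CFG = ASA1_CFG.replace("10.1.1.0", "172.16.1.0")
ASA3_FIXED_CFG = ASA3_CFG + (
    "crypto map outside_map 20 match address 100\n"
    "nat (inside) 0 access-list nonat\n"
)


def parse_acls(cfg: str) -> Dict[str, Set[Flow]]:
    """Collect the 'permit ip' entries of every ACL as (src, dst) network pairs."""
    acls: Dict[str, Set[Flow]] = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, set()).add((
                ipaddress.IPv4Network(f"{src}/{smask}"),
                ipaddress.IPv4Network(f"{dst}/{dmask}"),
            ))
    return acls


def first_match(cfg: str, regex: "re.Pattern[str]") -> Optional[str]:
    """Return the first capture group of the first config line matching regex."""
    for line in cfg.splitlines():
        m = regex.match(line.strip())
        if m:
            return m.group(1)
    return None


def mirrored(flows: Set[Flow]) -> Set[Flow]:
    """What the peer's crypto ACL must look like: every (src, dst) swapped."""
    return {(dst, src) for src, dst in flows}


def check_side(label: str, cfg: str) -> Tuple[Optional[Set[Flow]], List[str]]:
    """Local checks for one ASA: map references an ACL, NAT exemption covers it."""
    findings: List[str] = []
    acls = parse_acls(cfg)
    crypto_acl = first_match(cfg, MATCH_RE)
    nat0_acl = first_match(cfg, NAT0_RE)
    crypto_flows: Optional[Set[Flow]] = None
    if crypto_acl is None:
        findings.append(f"{label}: crypto map has no 'match address' statement")
    elif crypto_acl not in acls:
        findings.append(f"{label}: crypto map references undefined ACL {crypto_acl}")
    else:
        crypto_flows = acls[crypto_acl]
    if nat0_acl is None:
        findings.append(f"{label}: no 'nat (inside) 0 access-list' (NAT exemption missing)")
    elif crypto_flows is not None and not crypto_flows <= acls.get(nat0_acl, set()):
        findings.append(f"{label}: NAT-exempt ACL {nat0_acl} does not cover every crypto ACL entry")
    return crypto_flows, findings


def check_pair(label_a: str, cfg_a: str, label_b: str, cfg_b: str) -> List[str]:
    """Run both local checks, then confirm the two crypto ACLs mirror each other."""
    flows_a, findings = check_side(label_a, cfg_a)
    flows_b, more = check_side(label_b, cfg_b)
    findings += more
    if flows_a is not None and flows_b is not None and flows_a != mirrored(flows_b):
        findings.append(f"{label_a}/{label_b}: crypto ACLs are not mirror images (proxy IDs will not match)")
    return findings


if __name__ == "__main__":
    for stage, a, b in [("as posted", ASA1_CFG, ASA3_CFG),
                        ("ASA3 fixed", ASA1_CFG, ASA3_FIXED_CFG),
                        ("both fixed", ASA1_FIXED_CFG, ASA3_FIXED_CFG)]:
        print(f"[{stage}]", check_pair("ASA1", a, "ASA3", b) or ["no findings"])
```

Run against the configs as posted, the check reports only ASA3's missing match address and missing NAT exemption, because without a match address there is no ACL to compare; once ASA3 is corrected, the mirror check fires on ASA1's 10.1.1.0 source, and with both corrections applied it reports nothing. The point of ordering the checks this way is that a tunnel with no ISAKMP SA at all (as the poster saw) is usually one of these static mismatches, not something a debug will explain.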

Yes, I am using ping to establish the tunnel. I have the debug set to 128 and I get no debug output to the console or to the log buffer.

When I do a ping from the ASDM I get "Routing failed to locate next hop for udp from NP Identity Ifc:172.16.1.1/448 to inside:192.168.2.1/39554"; however, when I look at the NAT configs for both devices they seem (are) correct.

ASA1

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

ASA2

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

Try this if you are pinging from ASA

management-access inside

Michael,

May I ask you a question? Are you connecting both of the outside interfaces of the ASAs to the same switch? I want to set up a test to do a site-to-site VPN before I go out to the remote site. If you have any suggestions on how to set up a lab for site-to-site VPN, please let me know. Thanks.

Jill,

Yes, I was connecting the 2 outside interfaces to each other via a VLAN on a switch to test the IPsec tunnel, but this was just part 1 of a larger project I'm working on. I actually have 3 ASAs that I'm setting up for remote locations that, once in place, will have redundancy back: if one of the ASAs or IPsec tunnels fails, it would be able to traverse the other tunnel.

Mike
