08-16-2010 10:41 AM
I am trying to set up a site-to-site VPN for testing and am going through http://www.ciscosecrets.info/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml, but I am still not able to establish the connection. I have attached the configs for both of the 5520s that I'm using. What am I missing?
08-16-2010 10:49 AM
Hi,
ASA 1 is using an incorrect source in ACL 100, and ASA 3 is missing the crypto map outside_map 20 match address statement.
Also check the NAT exemption on both. Whatever the correct source is, it needs to be part of access-list 100 and the "no nat" ACL.
08-16-2010 11:04 AM
I fixed those 2 items and have gone back through the config.
When I run show crypto ipsec sa I get "There are no ipsec sas"; the same happens when I do a show crypto isakmp sa. So the tunnel is not being created. I have L2 connectivity between them. Running debug crypto ipsec on FW1 (ASA1) gives me no results. Very, very confusing. I have done this in the past using two 5505s with no problems.
08-16-2010 11:07 AM
Unless this is just being challenging since the outside interfaces are on the same network. Is that possible?
08-16-2010 11:23 AM
I see you defined the 10.1.1.x network in the ACLs on ASA1:
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
On ASA3:
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
I assume you want to encrypt traffic from 172.16.1.x to 192.168.2.x and vice versa. If that is the case, make sure the ACLs on ASA1 look like this:
access-list 100 extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Also add the NAT exemption on ASA3:
nat (inside) 0 access-list nonat
How are you trying to initiate the tunnel? I assume you are pinging from a host on the 172.16.1.x subnet to the 192.168.2.x subnet or vice versa.
Get these debugs from both devices:
debug crypto isakmp 128
debug crypto ipsec 128
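The reply above checks three things by eye: that each ASA binds its crypto ACL with a crypto map match address statement, that each ASA has a nat (inside) 0 access-list exemption, and that the crypto ACL on one side is the mirror image of the other and is covered by the nonat ACL. The script below is an added example written for this thread, not code from the original posts or from Cisco; it automates that mirror check over two ASA 8.2-style config snippets. The config text is constructed to reproduce the mistakes discussed here (wrong source network on ASA1, no NAT exemption on ASA3), and the parser only handles permit ip NET MASK NET MASK entries, not host/any forms or object groups.

```python
"""Mirror-check two ASA site-to-site VPN configs (ASA 8.2-style NAT syntax).

Added example for this thread, not code from the original posts. It parses
the crypto ACL bound by 'crypto map ... match address', the NAT-exempt ACL
bound by 'nat (inside) 0 access-list', and checks the three things the
replies above look for by eye: each side has the binding, each side has the
NAT exemption, and each crypto ACE is mirrored on the peer and exempted
from NAT. The config snippets are constructed for the example and only
cover 'permit ip NET MASK NET MASK' entries (no 'host'/'any' forms).
"""
import re
from typing import Dict, List, Optional, Tuple

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")
NONAT_RE = re.compile(r"^nat \(inside\) 0 access-list\s+(\S+)$")

Net = Tuple[str, str]   # (network, mask) exactly as written in the config
Ace = Tuple[Net, Net]   # (source, destination)


class AsaConfig:
    """The parts of one ASA config that matter for the tunnel's interesting traffic."""

    def __init__(self, name: str, text: str) -> None:
        self.name = name
        self.acls: Dict[str, List[Ace]] = {}
        self.crypto_acl: Optional[str] = None   # ACL named in 'match address'
        self.nonat_acl: Optional[str] = None    # ACL named in 'nat (inside) 0'
        for raw in text.splitlines():
            line = raw.strip()
            m = ACE_RE.match(line)
            if m:
                acl, snet, smask, dnet, dmask = m.groups()
                self.acls.setdefault(acl, []).append(((snet, smask), (dnet, dmask)))
                continue
            m = MATCH_RE.match(line)
            if m:
                self.crypto_acl = m.group(1)
                continue
            m = NONAT_RE.match(line)
            if m:
                self.nonat_acl = m.group(1)

    def crypto_aces(self) -> List[Ace]:
        return self.acls.get(self.crypto_acl, []) if self.crypto_acl else []

    def nonat_aces(self) -> List[Ace]:
        return self.acls.get(self.nonat_acl, []) if self.nonat_acl else []


def fmt(ace: Ace) -> str:
    (snet, smask), (dnet, dmask) = ace
    return f"{snet}/{smask} -> {dnet}/{dmask}"


def local_findings(cfg: AsaConfig) -> List[str]:
    """Problems visible on one box alone: missing binding, missing NAT exemption."""
    out: List[str] = []
    if cfg.crypto_acl is None:
        out.append(f"{cfg.name}: no 'crypto map ... match address' binding, "
                   f"so no interesting traffic is defined")
    if cfg.nonat_acl is None:
        out.append(f"{cfg.name}: no 'nat (inside) 0 access-list' statement, "
                   f"so VPN traffic will be NATed before encryption")
    else:
        for ace in cfg.crypto_aces():
            if ace not in cfg.nonat_aces():
                out.append(f"{cfg.name}: crypto ACE {fmt(ace)} is not in "
                           f"NAT-exempt ACL {cfg.nonat_acl}")
    return out


def mirror_findings(a: AsaConfig, b: AsaConfig) -> List[str]:
    """Every crypto ACE on A must appear with source/destination swapped on B."""
    if a.crypto_acl is None or b.crypto_acl is None:
        return []   # a missing binding is already reported by local_findings
    out: List[str] = []
    peer = b.crypto_aces()
    for src, dst in a.crypto_aces():
        if (dst, src) not in peer:
            out.append(f"{a.name}: crypto ACE {fmt((src, dst))} has no mirror ACE on {b.name}")
    return out


def audit(name_a: str, text_a: str, name_b: str, text_b: str) -> List[str]:
    a, b = AsaConfig(name_a, text_a), AsaConfig(name_b, text_b)
    return (local_findings(a) + local_findings(b)
            + mirror_findings(a, b) + mirror_findings(b, a))


# Constructed snippets reproducing the thread's mistakes: ASA1 uses the wrong
# source network in both ACLs, ASA3 never exempts the VPN traffic from NAT.
ASA1_BROKEN = """
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 match address 100
"""
ASA3_BROKEN = """
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside_map 20 match address 100
"""
ASA1_FIXED = ASA1_BROKEN.replace("10.1.1.0", "172.16.1.0")
ASA3_FIXED = ASA3_BROKEN + "nat (inside) 0 access-list nonat\n"

if __name__ == "__main__":
    for finding in audit("ASA1", ASA1_BROKEN, "ASA3", ASA3_BROKEN):
        print(finding)
    print("fixed:", audit("ASA1", ASA1_FIXED, "ASA3", ASA3_FIXED) or "no findings")
```

On the broken pair the audit reports three findings (the missing NAT exemption on ASA3 and one unmirrored ACE in each direction); on the corrected pair it reports none. The same idea extends to real configs by feeding it the output of show running-config from each peer, as long as the ACLs stick to the network/mask form the regex expects.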
08-16-2010 12:17 PM
Yes, I am using ping to establish the tunnel. I have the debug set to 128 and I get no debug output to the console or to the log buffer.
When I do a ping from the ASDM I get "Routing failed to locate next hop for udp from NP Identity Ifc:172.16.1.1/448 to inside:192.168.2.1/39554"; however, when I look at the NAT configs for both devices they seem (are) correct.
ASA1
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
ASA2
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
08-16-2010 12:52 PM
Try this if you are pinging from the ASA:
management-access inside
08-17-2010 06:07 AM
Michael,
May I ask you a question? Are you connecting both of the ASAs' outside interfaces to the same switch? I want to set up a test to do a site-to-site VPN before I go out to the remote site. If you have any suggestions on how to set up a lab for site-to-site VPN, please let me know. Thanks.
08-17-2010 08:26 AM
Jill,
Yes, I was connecting the two outside interfaces to each other via a VLAN on a switch to test the IPsec tunnel, but this was just part 1 of a larger project I'm working on. I actually have three ASAs that I'm setting up for remote locations; once in place they will have redundancy back, so that if one of the ASAs or IPsec tunnels fails, traffic would be able to traverse the other tunnel.
Mike