Cisco Support Community

New Member

pix-to-pix or asa-to-asa Test Lab

Trying to set up an L2L lab with 2x ASA 5510. The ASAs' outside interfaces are connected with a crossover cable. I can ping from both sides. Would it be possible to get an L2L VPN working with this setup, without routers?

ASA1 outside - 1.1.1.1/30

inside - 172.16.1.1/24

ASA2 outside - 1.1.1.2/30

inside - 192.168.1.0/24

thanks in advance...

11 REPLIES
Hall of Fame Super Blue

Re: pix-to-pix or asa-to-asa Test Lab

Hi

Yes, you can do this. You don't need routers to be able to configure an L2L VPN, as any routers in between only route the IPsec packets as normal IP traffic and do nothing special to them.

Jon

New Member

Re: pix-to-pix or asa-to-asa Test Lab

thanks for your reply ...

Not sure why I can't establish the tunnel. I verified everything on both sides and it all seems correct. Running version 8.0(3).

Enabled debug crypto isakmp 255 and debug crypto ipsec 255, and terminal monitor is on... no debug output so far.

Hall of Fame Super Blue

Re: pix-to-pix or asa-to-asa Test Lab

Can you post the configs?

New Member

Re: pix-to-pix or asa-to-asa Test Lab

Here's the config from both ASAs. Thanks for asking...

Hall of Fame Super Blue

Re: pix-to-pix or asa-to-asa Test Lab

Hi

Config looks okay. What source IP address and destination IP address are you using?

Jon

New Member

Re: pix-to-pix or asa-to-asa Test Lab

Host A - 10.10.1.15/24

Host B - 192.168.2.15/24

Host A can ping/SSH to ASA A.

Host B can ping/SSH to ASA B.

I did clear xlate on both sides...

Gold

Re: pix-to-pix or asa-to-asa Test Lab

I see no routing enabled on your devices, and no NAT either.

You have a nat 0 ACL, but it's not applied to anything.

New Member

Re: pix-to-pix or asa-to-asa Test Lab

ASA1-ASA2 is directly connected with crossover cable.

C 127.0.0.0 255.255.0.0 is directly connected, cplane

C 10.10.1.0 255.255.255.0 is directly connected, inside

C 65.1.1.0 255.255.255.192 is directly connected, outside

++++++++++++++++++++++++++++++++++++++++++

I added these lines on both ASAs, except that the access-list inside_nat0_outbound entries are in reverse order on the other side...

access-list outside extended permit icmp any any

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside in interface outside

access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Still not working... please advise.

thanks ...
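The NAT exemption and the mirrored access list in the post above are the usual sticking points when an ASA L2L tunnel refuses to come up, and "I verified everything on both sides" is easier to trust when a script does the comparison. As an added example, not code from this thread or from Cisco, here is a Python checker that builds two constructed ASA 8.0-style configs (the interface, ACL, crypto map and transform-set names, the PSK placeholder and the omitted isakmp policy and inside interface are all assumptions; the addresses follow the poster's lab) and checks them against each other: each side's set peer is the other side's outside address, the crypto ACLs are mirror images, nat (inside) 0 is applied and covers the crypto ACL, the crypto map and ISAKMP are enabled on outside, an ipsec-l2l tunnel-group with a pre-shared key exists for the peer, and the transform sets agree.

```python
import re

# Constructed sample: an ASA 8.0-style L2L config for one peer. Names and the
# PSK are assumptions; the isakmp policy and inside interface are left out.
def sample_cfg(my_ip, peer_ip, my_net, peer_net):
    return f"""\
interface Ethernet0/0
 nameif outside
 ip address {my_ip} 255.255.255.252
access-list L2L extended permit ip {my_net} 255.255.255.0 {peer_net} 255.255.255.0
access-list inside_nat0_outbound extended permit ip {my_net} 255.255.255.0 {peer_net} 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map VPN 10 match address L2L
crypto map VPN 10 set peer {peer_ip}
crypto map VPN 10 set transform-set ESP-AES-SHA
crypto map VPN interface outside
crypto isakmp enable outside
tunnel-group {peer_ip} type ipsec-l2l
tunnel-group {peer_ip} ipsec-attributes
 pre-shared-key *****
"""

ASA_A = sample_cfg("1.1.1.1", "1.1.1.2", "10.10.1.0", "192.168.2.0")
ASA_B = sample_cfg("1.1.1.2", "1.1.1.1", "192.168.2.0", "10.10.1.0")

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
# 'nameif outside' followed by indented sub-lines up to its 'ip address' line.
OUTSIDE_RE = re.compile(r"^ nameif outside\n(?: .*\n)*? ip address (\S+) ", re.M)

def find(cfg, pattern):
    """First match of a start-anchored regex against any single config line, else None."""
    return next((m for m in map(re.compile(pattern).match, cfg.splitlines()) if m), None)

def acl(cfg, name):
    """Set of (src, smask, dst, dmask) tuples from one ACL's 'permit ip' lines."""
    return {m.groups()[1:] for m in map(ACL_RE.match, cfg.splitlines())
            if m and m.group(1) == name}

def mirror(entries):
    """Swap source and destination: what the far side's crypto ACL must contain."""
    return {(d, dm, s, sm) for s, sm, d, dm in entries}

def psk_present(cfg, peer):
    """True if 'tunnel-group <peer> ipsec-attributes' carries a pre-shared-key."""
    in_block = False
    for line in cfg.splitlines():
        if line.startswith("tunnel-group "):
            in_block = line == f"tunnel-group {peer} ipsec-attributes"
        elif in_block and line.strip().startswith("pre-shared-key"):
            return True
    return False

def transforms(cfg):
    """Transforms bound by the crypto map entry, e.g. {'esp-aes-256', 'esp-sha-hmac'}."""
    ts = find(cfg, r"crypto map \S+ \d+ set transform-set (\S+)")
    m = ts and find(cfg, rf"crypto ipsec transform-set {re.escape(ts.group(1))} (.+)$")
    return set(m.group(1).split()) if m else set()

def check_side(tag, cfg, other):
    """Findings for one peer plus its crypto ACL, given its config and the far side's."""
    f, peer = [], find(cfg, r"crypto map (\S+) (\d+) set peer (\S+)")
    if not peer:
        return [f"{tag}: no crypto map 'set peer' entry"], set()
    cmap, seq, peer_ip = peer.groups()
    far = OUTSIDE_RE.search(other)
    if not far or peer_ip != far.group(1):
        f.append(f"{tag}: set peer {peer_ip}, but the far side's outside is {far and far.group(1)}")
    if not find(cfg, rf"crypto map {cmap} interface outside"):
        f.append(f"{tag}: crypto map {cmap} is not applied to outside")
    if not find(cfg, r"crypto isakmp enable outside"):
        f.append(f"{tag}: crypto isakmp enable outside is missing")
    match = find(cfg, rf"crypto map {cmap} {seq} match address (\S+)")
    crypto_acl = acl(cfg, match.group(1)) if match else set()
    if not crypto_acl:
        f.append(f"{tag}: crypto map {cmap} {seq} has no usable 'match address' ACL")
    nat0 = find(cfg, r"nat \(inside\) 0 access-list (\S+)")
    if not nat0:
        f.append(f"{tag}: nat (inside) 0 access-list is not applied; VPN traffic will be NATed")
    elif not crypto_acl <= acl(cfg, nat0.group(1)):
        f.append(f"{tag}: nat 0 ACL {nat0.group(1)} does not cover the crypto ACL")
    if not find(cfg, rf"tunnel-group {re.escape(peer_ip)} type ipsec-l2l"):
        f.append(f"{tag}: no ipsec-l2l tunnel-group for {peer_ip}")
    elif not psk_present(cfg, peer_ip):
        f.append(f"{tag}: tunnel-group {peer_ip} has no pre-shared-key")
    return f, crypto_acl

def check_pair(cfg_a, cfg_b):
    """All findings for the pair; an empty list means the two sides agree."""
    fa, acl_a = check_side("A", cfg_a, cfg_b)
    fb, acl_b = check_side("B", cfg_b, cfg_a)
    f = fa + fb
    if acl_a and acl_b and mirror(acl_a) != acl_b:
        f.append("A/B: crypto ACLs are not mirror images; Phase 2 proxy IDs will not match")
    if transforms(cfg_a) != transforms(cfg_b):
        f.append("A/B: transform sets differ; the Phase 2 proposal will be rejected")
    return f
```

Feed it the show running-config text from each ASA in place of the constructed samples; an empty result means the two sides agree on the commands the thread touches. It deliberately reads only those commands, so a Phase 1 policy mismatch or a PSK typo still has to come out of debug crypto isakmp, and the checks assume the outside interface is literally named outside.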

New Member

Re: pix-to-pix or asa-to-asa Test Lab

This is resolved, I fixed it.

New Member

Re: pix-to-pix or asa-to-asa Test Lab

Congrats, but how? What was the problem?

New Member

Re: pix-to-pix or asa-to-asa Test Lab

My first question was "to test ASA to ASA without an L3 router".

Well, I tried to figure out if that would work using a crossover cable from outside interface to outside interface. Same subnet on both sides. I can ping bidirectionally just fine.

But my tunnel can't be established using this setup.

So I put an L3 router on both sides, connected via an async interface with PPP on it. This is a lab environment for now.

And from there, my tunnel works.

Actually, I haven't tried testing PIX or ASA without an L3 router before.

So I went back to the normal setup to make it work in my lab.

However, I would really appreciate it if someone has experience testing PIXes or ASAs without an L3 router.

Thanks ...
