Site To Site VPN between ASA 5505 and ASA 5520

cavemanbobby
Level 1

I've two ASA devices: a 5505 and a 5520. I'm attempting to configure a simple site-to-site VPN tunnel between the two and so far haven't had any luck. I'm a bit of a novice with this, so I was hoping the config files I've attached may provide some insight into what I'm missing.

The 'philly' side has an internal ip range of 192.168.60.x and is using the 5505.

The 'dc' side has an internal ip range of 10.10.50.x and is using the 5520.

All I want to do is to be able to get from one side to the other and vice versa.

Thanks in advance!



acomiskey
Level 10

This should help.

dc.

access-list nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0

nat (inside) 0 access-list nat0

philly.

access-list nat0 extended permit ip 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0

nat (inside) 0 access-list nat0

Thanks a ton for your swift and helpful response.

I did as you had suggested, but unfortunately I am still unable to ping from one internal network to the other.

I've attached the updated configs with the nat0 arguments included for further analysis.

Add this to both..

crypto isakmp enable outside

Magic!

That did it. I have no idea what that command did, but obviously it works. Will look up the details immediately.

You the man.

Thanks.

dear cavemanbobby,

Can you post the ASA 5520 configuration file (vpn)?

Thanks


Sure thing.

This, as you requested, is the config from the ASA5520.

thanks caveman,

I have another question: do you know how to do a "backup route" on an ASA 5520?

I've not done one myself. But here is a pretty good link on how to:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/b_72.html#wp1337316

But this example is for the ASA 5505; I can't do VLANs on the 5520.

Another suggestion?

Patrick0711
Level 3

You are missing the "ISAKMP enable outside" command on both devices. The crypto map is applied to the outside interface but ISAKMP isn't.

wangliwei_01
Level 1

Enabling ISAKMP on the Outside Interface

You must enable ISAKMP on the interface that terminates the VPN tunnel. Typically this is the outside, or public, interface.

To enable ISAKMP, enter the following command:

crypto isakmp enable interface-name

For example:

hostname(config)# crypto isakmp enable outside

If you have NAT, enable NAT-T, and be sure the firewall can pass port 500 and protocol ID 50.
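The two gaps raised in this thread (a crypto map bound to the outside interface without `crypto isakmp enable` on that interface, and a missing `nat 0` exemption for the tunnel traffic) are easy to check for mechanically. The following is an added example, not code from the thread or from Cisco; the two config fragments it inspects are constructed to mirror the 'dc' side before and after the accepted fix, and `check_asa_vpn` is a hypothetical helper name.

```python
import re

# Constructed sample fragments (not the poster's attached files): the 'dc' side
# before the fix, with the crypto map bound to 'outside' but no ISAKMP there.
DC_BEFORE = """\
interface GigabitEthernet0/0
 nameif outside
access-list nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto map outside_map interface outside
"""

# The same side after applying the accepted answer.
DC_AFTER = DC_BEFORE + "crypto isakmp enable outside\n"


def check_asa_vpn(config: str) -> list[str]:
    """Return findings for a site-to-site VPN config fragment.

    Flags an interface that carries a crypto map but has no
    'crypto isakmp enable', a missing crypto map altogether, and a
    missing or empty NAT exemption (nat 0 access-list) for VPN traffic.
    """
    findings = []
    mapped = set(re.findall(r"^crypto map \S+ interface (\S+)", config, re.M))
    isakmp = set(re.findall(r"^crypto isakmp enable (\S+)", config, re.M))
    for iface in sorted(mapped - isakmp):
        findings.append(f"crypto map bound to '{iface}' but ISAKMP not enabled there")
    if not mapped:
        findings.append("no crypto map is applied to any interface")
    nat0 = re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    if not nat0:
        findings.append("no NAT exemption (nat 0 access-list) for VPN traffic")
    for acl in nat0:
        if not re.search(rf"^access-list {re.escape(acl)} extended permit ip ", config, re.M):
            findings.append(f"nat 0 references ACL '{acl}' with no permit entries")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", DC_BEFORE), ("after", DC_AFTER)):
        print(label, check_asa_vpn(cfg) or "OK")
```

Run the checker over `show running-config` output from both peers; the fix from the thread is in place only when neither side reports a crypto-map interface without ISAKMP.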
