New Member

Site To Site VPN between ASA 5505 and ASA 5520

I've two ASA devices: a 5505 and a 5520. I'm attempting to configure a simple site-to-site VPN tunnel between the two and, so far, haven't had any luck. I'm a bit of a novice with this, so I was hoping the config files I've attached may provide some insight into what I'm missing.

The 'philly' side has an internal IP range of 192.168.60.x and is using the 5505.

The 'dc' side has an internal IP range of 10.10.50.x and is using the 5520.

All I want to do is to be able to get from one side to the other and vice versa.

Thanks in advance!

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Site To Site VPN between ASA 5505 and ASA 5520

Add this to both..

crypto isakmp enable outside

12 REPLIES
Green

Re: Site To Site VPN between ASA 5505 and ASA 5520

This should help.

dc.

access-list nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0

nat (inside) 0 access-list nat0

philly.

access-list nat0 extended permit ip 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0

nat (inside) 0 access-list nat0

New Member

Re: Site To Site VPN between ASA 5505 and ASA 5520

Thanks a ton for your swift and helpful response.

I did as you had suggested, but unfortunately I am still unable to ping from one internal network to the other.

I've attached the updated configs with the nat0 arguments included for further analysis.

Green

Re: Site To Site VPN between ASA 5505 and ASA 5520

Add this to both..

crypto isakmp enable outside

New Member

Re: Site To Site VPN between ASA 5505 and ASA 5520

Magic!

That did it. I have no idea what that command did, but obviously it works. Will look up the details immediately.

You the man.

Thanks.

New Member

Re: Site To Site VPN between ASA 5505 and ASA 5520

Dear cavemanbobby,

Can you post the ASA 5520 configuration file (vpn)?

Thanks

New Member

Re: Site To Site VPN between ASA 5505 and ASA 5520

Sure thing.

This, as you requested, is the config from the ASA5520.

New Member

Re: Site To Site VPN between ASA 5505 and ASA 5520

Thanks caveman,

I have another question. Do you know how to do a "backup route" on an ASA 5520?

New Member

Re: Site To Site VPN between ASA 5505 and ASA 5520

I've not done one myself. But here is a pretty good link on how to:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/b_72.html#wp1337316

New Member

Re: Site To Site VPN between ASA 5505 and ASA 5520

But this example is for the ASA 5505; I can't do VLANs on the 5520.

Another suggestion?

Bronze

Re: Site To Site VPN between ASA 5505 and ASA 5520

You are missing the "ISAKMP enable outside" command on both devices. The crypto map is applied to the outside interface but ISAKMP isn't.

New Member

Re: Site To Site VPN between ASA 5505 and ASA 5520

Enabling ISAKMP on the Outside Interface

You must enable ISAKMP on the interface that terminates the VPN tunnel. Typically this is the outside, or public interface.

To enable ISAKMP, enter the following command:

crypto isakmp enable interface-name

For example:

hostname(config)# crypto isakmp enable outside

If you have a NAT, enable NAT-T, and be sure the firewall can pass port 500 and protocol ID 50.
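The two problems found in this thread (a crypto map applied to an interface where ISAKMP is not enabled, and NAT-exemption ACLs that must mirror each other on the two peers) can be checked offline against saved configs. The script below is an added example, not part of the thread or of any poster's configuration; the sample configs are constructed, and the crypto map name `outside_map` is an assumption.

```python
import re

# Constructed sample configs (not the posters' attached files). The map name
# "outside_map" is an assumption; the nat0 lines are the ones from the thread.
DC_CFG = """\
access-list nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto map outside_map interface outside
"""
PHILLY_CFG = """\
access-list nat0 extended permit ip 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto map outside_map interface outside
crypto isakmp enable outside
"""

def missing_isakmp(cfg):
    """Interfaces with a crypto map applied but no 'crypto isakmp enable'."""
    mapped = set(re.findall(r"^crypto map \S+ interface (\S+)", cfg, re.M))
    enabled = set(re.findall(r"^crypto isakmp enable (\S+)", cfg, re.M))
    return sorted(mapped - enabled)

def nat0_pairs(cfg):
    """(source, destination) pairs from ACLs used by 'nat (if) 0 access-list'.
    Only the 'network mask network mask' ACL form is parsed."""
    acls = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    acl_re = r"^access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)[ \t]*$"
    return {(m.group(2), m.group(3))
            for m in re.finditer(acl_re, cfg, re.M) if m.group(1) in acls}

def unmirrored(cfg_a, cfg_b):
    """NAT-exempt pairs on side A with no reversed counterpart on side B."""
    b = nat0_pairs(cfg_b)
    return sorted(p for p in nat0_pairs(cfg_a) if (p[1], p[0]) not in b)

if __name__ == "__main__":
    for name, cfg in (("dc", DC_CFG), ("philly", PHILLY_CFG)):
        for iface in missing_isakmp(cfg):
            print(f"{name}: crypto map on '{iface}' but ISAKMP not enabled there")
    for pair in unmirrored(DC_CFG, PHILLY_CFG) + unmirrored(PHILLY_CFG, DC_CFG):
        print("no mirrored nat0 entry for", pair)
```

With the constructed samples, only the dc side is reported, because its config lacks the `crypto isakmp enable outside` line.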
