Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

site-to-site with ASA 5505

Attempting to setup site-to-site IPsec VPN with two ASA 5505s with 8.0(5):

10.1.1.0/24 --> ASA 5505 (atl) --> Internet <-- ASA 5505 (bna) <-- 192.168.22.0/24

"There are no isakmp sas" and "There are no ipsec sas"

configs attached....

Any ideas?

Everyone's tags (4)
6 REPLIES

Re: site-to-site with ASA 5505

tunnel config is ok, have you tried passing traffic through the tunnel to bring it up? enable the following command on both firewalls:

management-access inside

Then go ahead and do a ping inside 192.168.22.1 from the asa-atl firewall, do you get replies? does the tunnel seem to come up?

New Member

Re: site-to-site with ASA 5505

Thank you for the response.

I enabled "management-access inside" on both ASAs, and pinged from the atl ASA. No response. No SAs. It's weird.

Re: site-to-site with ASA 5505

Ok, turn on the following debug on both boxes and try again, debug crypto isakmp 50

Ping again with ping inside... and see what debug output do you get on both, paste it here please.

New Member

Re: site-to-site with ASA 5505

I think I forgot to specify the interface with my last ping, and when I specified ping though the inside interface, the tunnel came up.

So what was the key? What did "management-access inside" do?

Thanks for your help.

Re: site-to-site with ASA 5505

No Magic there, the only thing we did was to allow the ASA to send pings sourced from it's inside interface which will then match the interesting crypto acl and then bring the tunnel up. Management access command helps for administration fo ASA via an ipsec tunnel for https, telnet ssh and some other features.

As of your tunnel you always need to pass traffic to make the tunnel to be built.

New Member

Re: site-to-site with ASA 5505

This helped resolving my issue as well and didnt have to call the client to test. Thank you

5069
Views
5
Helpful
6
Replies
CreatePlease to create content