Trouble with connecting two asa 5505s

My squadron has purchased two ASA 5505s which they would like to use to create a very basic standalone network for training purposes. I have configured two laptops to act as domain controllers for two separate domains behind each ASA. Thus far I have configured the inside VLANs without much issue and am able to ping host to server. The issue I'm running into now is connecting the two ASAs to allow the two domains to talk. I have tried using the wizard to create a site-to-site VPN but am still unable to ping host to host from the separate domains. In addition I realized I was unable to ping from my inside VLAN to my outside VLAN on either ASA. I am not very knowledgeable when it comes to routing protocols and VPNs, so any ideas or information would be very helpful, thanks!


Trouble with connecting two asa 5505s

Hi,

Can you please post a simple diagram of the network described and the configuration of both ASAs?

From your description I understand this:

inside network1------ASA1<------WAN(internet)------>ASA2-------inside network2

What do you mean by "outside VLAN"?

Basically you can do this two ways.

1] configure simple routing between your ASAs --> unencrypted traffic will flow through the WAN

2] configure a site-to-site VPN between your ASAs --> traffic will be encrypted

Best Regards,

Jan
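Jan's option 1 (plain routing between the two directly connected ASAs, no NAT and no VPN) written out end to end for the topology in this thread. This is an added example, not configuration from any post here. It assumes ASA 8.3 or later code (no NAT rule is required for traffic to pass on those releases), the 5505's default layout of VLAN 1 as inside and VLAN 2 as outside on Ethernet0/0, and the addresses used later in the thread: LAN1 172.16.1.0/24 behind ASA1, LAN2 10.1.1.0/24 behind ASA2, and 20.20.20.0/24 on the link between them. ASA1 is shown in full; ASA2 is the mirror image.

```text
! ---------- ASA1 (example configuration, assumptions noted above) ----------
hostname ASA1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 20.20.20.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! Static route to the remote LAN via ASA2's link address.
! Without this the ASA has no path to 10.1.1.0/24 and drops the traffic.
route outside 10.1.1.0 255.255.255.0 20.20.20.2 1
!
! Traffic from a lower-security interface (outside, 0) to a higher-security
! interface (inside, 100) is denied unless an ACL permits it. Permit only the
! remote LAN rather than "permit ip any any", so the lab still behaves like a
! firewall instead of a router.
object network LAN1
 subnet 172.16.1.0 255.255.255.0
object network LAN2
 subnet 10.1.1.0 255.255.255.0
access-list outside_in extended permit ip object LAN2 object LAN1
access-group outside_in in interface outside
!
! Stateful ICMP inspection: echo replies for pings sent from inside are matched
! to their request and allowed back in, so no "echo-reply" ACL entry is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ---------- ASA2 (mirror of ASA1) ----------
hostname ASA2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 20.20.20.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
route outside 172.16.1.0 255.255.255.0 20.20.20.1 1
!
object network LAN1
 subnet 172.16.1.0 255.255.255.0
object network LAN2
 subnet 10.1.1.0 255.255.255.0
access-list outside_in extended permit ip object LAN1 object LAN2
access-group outside_in in interface outside
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ---------- Verification (run on ASA1) ----------
! Simulate a ping from the LAN1 host to the LAN2 host and watch each phase
! (route lookup, ACL, NAT, inspect) report ALLOW; the first DROP names the
! missing piece.
! packet-tracer input inside icmp 172.16.1.1 8 0 10.1.1.1
! show route
! show access-list outside_in
```

The hosts on each LAN must use their ASA's inside address as default gateway (172.16.1.2 and 10.1.1.2 respectively), otherwise the packet never reaches the firewall. Name resolution between the two domains is a separate matter: the ASAs only forward packets, so the domain controllers still need DNS forwarders or conditional forwarding pointing at each other before the domains can "talk" by name.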


Trouble with connecting two asa 5505s

The diagram you drew is accurate, except the network never hits the internet. The ASAs are directly connected to each other. When I ran the startup wizard in ASDM I had already configured my inside. During the startup it gave me the option to create an "outside" and a "dmz" VLAN on the open interfaces; I assumed this would be the VLAN my traffic would leave the ASA through.


Re: Trouble with connecting two asa 5505s

Can you give us the VPN configuration?


Re: Trouble with connecting two asa 5505s

Sorry if any of this has already been done, but without seeing the config it's tough to tell what's already been completed. Here are some ideas you can work through (assuming you are on 8.3 or higher code):

  • Is there a switch between the two ASAs? If not, do you have one you can try? Also, if you haven't configured an ACL that allows both ASAs to pass all traffic between the two subnets, you probably need to try that.

          Since they aren't connected to the Internet, try something like this (on both ASAs):

          conf t

          access-list outside_acl permit ip any any

          access-group outside_acl in interface outside

  • You need to make sure you have NAT statements that tell the two firewalls whether to NAT traffic or not.  Try something like this:

          nat (inside,outside) dynamic interface

If this post answers your question or is helpful, please consider rating it and/or marking it as answered.

Re: Trouble with connecting two asa 5505s

Hello

Just like to add to Christopher's post -

The direct connection between the two ASAs will be seen as WAN (public IP addresses).

So in theory you will have something like this:

(172.16.1.1 _ LAN1 _ 172.16.1.2) ASA1 (20.20.20.1 __ WAN __ 20.20.20.2) ASA2 (10.1.1.2 __ LAN2 __ 10.1.1.1)

ASA1

PAT config

object network LAN1

subnet 172.16.1.0 255.255.255.0

nat (inside,outside) dynamic interface

Allow ICMP replies:

access-list 10 extended permit icmp any object LAN1 echo-reply

access-group 10 in interface outside

Default route:

route outside 0 0 20.20.20.2

ASA2

PAT config

object network LAN2

subnet 10.1.1.0 255.255.255.0

nat (inside,outside) dynamic interface

Allow ICMP replies:

access-list 10 extended permit icmp any object LAN2 echo-reply

access-group 10 in interface outside

Default route:

route outside 0 0 20.20.20.1

Please don't forget to rate any posts that have been helpful.

Thanks.