Site-to-Site VPN between 5510 and 5505

kerryjcox
Level 1

I am trying to get a site-to-site VPN up and running between a satellite office and our main office. I have the settings in place but am trying to determine whether it is my settings or the DSL provider, Verizon.

They have a 5505 with a static IP connected through cable modem. From their 5505 I can ping the outside IP address of my 5510 no problem. All the settings are correct on both sides; they reflect the same settings and yet the Static VPN does not come up.

Is there some sort of CLI command I must issue to bring it up?

Also, I am wondering if perhaps my 2821 is stopping any VPN traffic in as it does have to be re-NAT'ed to get to the 192.168.250.0/23 and the 192.168.252.0/24 subnets.

This is simply about getting traffic from their 192.168.40.0 subnet into our 192.168.250.0/23 VOIP subnet.

I am attaching a basic diagram. I can provide the configs for nearly everything.

Accepted Solution

Hello,

You have two instances of a crypto map sequence with similar settings (except the transform set). Get rid of the following crypto map sequences:

On Satellite ASA:
no crypto map outside_map 2 match address outside_cryptomap
no crypto map outside_map 2 set pfs
no crypto map outside_map 2 set peer smivpn.sorensonmedia.com
no crypto map outside_map 2 set transform-set ESP-3DES-MD5
no crypto map outside_map 2 set security-association lifetime seconds 28800
no crypto map outside_map 2 set security-association lifetime kilobytes 4608000
no crypto map outside_map 2 set reverse-route

On Corporate ASA:
no crypto map outside_map 1 match address outside_1_cryptomap_1
no crypto map outside_map 1 set pfs
no crypto map outside_map 1 set peer cda.asa5505
no crypto map outside_map 1 set transform-set ESP-3DES-SHA
no crypto map outside_map 1 set security-association lifetime seconds 28800
no crypto map outside_map 1 set security-association lifetime kilobytes 4608000
no crypto map outside_map 1 set reverse-route

Then check and capture debugs.

HTH

Saju

15 Replies

singhsaju
Level 4

Can you post the VPN configs of both VPN end devices?

Sure thing. Thanks for your time.

The satellite config is for the remote location and the corporate config is for the main office.

And here are the configs... my bad.

Can you make the crypto ACLs simple ACLs (no object groups) and then check?

Corporate ASA
no access-list outside_1_cryptomap
access-list outside_1_cryptomap extended permit ip 192.168.252.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.250.0 255.255.254.0 192.168.40.0 255.255.255.0

Satellite ASA
no access-list outside_2_cryptomap_1
access-list outside_2_cryptomap_1 extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list outside_2_cryptomap_1 extended permit ip 192.168.40.0 255.255.255.0 192.168.250.0 255.255.254.0

Also try removing PFS from both sides. First make the basic tunnel come up; later on you can add PFS etc.

HTH

Saju

Pls rate helpful posts
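As an added example (not from the thread, Cisco or the posters), the Python below applies the two checks Saju's posts make to a constructed pair of ASA config excerpts: crypto map sequences that share a peer and crypto ACL (the accepted answer's finding), and crypto ACL entries the other side does not mirror. The ACL, map and peer names are taken from the thread; the /24-versus-/23 mask on the satellite's 192.168.250.0 entry is constructed so the mirror check has something to flag.

```python
import re
from collections import defaultdict

# Constructed config excerpts modelled on the thread (not the poster's real files). The
# corporate side carries the duplicate sequence; the satellite ACL uses /24 on 192.168.250.0.
CORPORATE = """
access-list outside_1_cryptomap extended permit ip 192.168.252.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.250.0 255.255.254.0 192.168.40.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer cda.asa5505
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer cda.asa5505
crypto map outside_map 2 set transform-set ESP-3DES-MD5
"""
SATELLITE = """
access-list outside_2_cryptomap_1 extended permit ip 192.168.40.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list outside_2_cryptomap_1 extended permit ip 192.168.40.0 255.255.255.0 192.168.250.0 255.255.255.0
crypto map outside_map 1 match address outside_2_cryptomap_1
crypto map outside_map 1 set peer smivpn.sorensonmedia.com
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")

def parse(config):
    """Return {acl_name: {(src, smask, dst, dmask)}} and {(map, seq): {field: value}}."""
    acls, maps = defaultdict(set), defaultdict(dict)
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line.strip()):
            acls[m[1]].add((m[2], m[3], m[4], m[5]))
        elif m := MAP_RE.match(line.strip()):
            maps[(m[1], int(m[2]))][m[3]] = m[4]
    return acls, maps

def duplicate_sequences(maps):
    """Sequences of one crypto map that share peer and crypto ACL (the accepted
    answer's finding). Returns {(map, peer, acl): [seq, ...]} for each duplicate."""
    groups = defaultdict(list)
    for (name, seq), fields in maps.items():
        groups[(name, fields.get("set peer"), fields.get("match address"))].append(seq)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def unmirrored(local_acl, remote_acl):
    """Local proxy IDs the remote crypto ACL does not mirror (src/dst swapped, same masks)."""
    mirrors = {(d, dm, s, sm) for (s, sm, d, dm) in remote_acl}
    return sorted(local_acl - mirrors)

corp_acls, corp_maps = parse(CORPORATE)
sat_acls, sat_maps = parse(SATELLITE)
print(duplicate_sequences(corp_maps))
print(unmirrored(corp_acls["outside_1_cryptomap"], sat_acls["outside_2_cryptomap_1"]))
```

On this input the first check reports sequences 1 and 2 of outside_map for peer cda.asa5505, and the second returns the corporate 192.168.250.0/23 entry, whose mask the satellite ACL does not match.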

I did as you suggested and changed the access-lists on both corporate and satellite. I am still unable to ping inside addresses. Traceroute is unable to route. The PtP VPN is not coming up.

At corporate:

cisco# ping 192.168.40.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.101, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

At satellite:

cisco# ping 192.168.250.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.11, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Here is the latest set of configs, plus the 2821 router config that sits between the ASA5510 and the 192.168.250.0/24 and 192.168.252.0/24 subnets.

Thanks in advance.

Add the following route on the Corporate ASA:

Corporate ASA
route inside 192.168.250.0 255.255.254.0 172.17.10.2

Enable debugs ("debug crypto isakmp" and "debug crypto ipsec") on both ASAs, initiate IPsec traffic, capture the debugs and post them.

HTH

Saju

I am making some progress here. I followed the instructions on the following page: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

I was never able to get much debug output as the remote VPNs kept showing up.

So, here is a screenshot of the syslog output from the ASDM on the satellite firewall. It is nearly there.

Here are the latest running-configs from both corporate and satellite.

Thanks.


Here is some more debug data I was able to pull off the satellite 5505 firewall. Am sending it as an attachment.

And here is the debug data pulled off the corporate firewall. Also, as an attachment.


There are actually 2 crypto maps on the satellite VPN. You'll notice that the one went to sdihq.com and the other to sorensonmedia.com. sdihq.com is the former parent company. We want this satellite office to be part of us now. sdihq.com is in place as a backup measure. But we want the phones to come directly to us and NOT to route to them and then down to us, as per the network image.

I am making the changes as appropriate and will post debug here shortly.

I think I am actually making headway. I started afresh on both ASA devices.

Here is the debug output from both. I will attach the latest configs for both in a follow-up posting.

Any recommendations as to what both are spewing out would be appreciated.

And here are the latest running configs from both the corporate and satellite firewalls.
