Cisco Support Community

New Member

ASA to ASA Site to Site VPN

I have an ASA 5510 on 9.1(2) and an ASA 5505 on 9.1(2).

The 5510 is located in the main office and the 5505 is located at a remote facility.  I want to create a tunnel that will allow the main office to access the subnets at the remote facility while allowing the devices at the remote facility to access the devices at the main office.  Example below.

5510
10.2.0.0/16
     /\
     ||
     \/
5505
172.16.0.0/16
10.166.0.0/16

Currently, I have one of the interfaces on the 5510 configured for a VLAN for our wifi.  Another interface is configured for our backup ISP.  That setup works fantastic.  I ran the site to site VPN wizard according to this video (https://supportforums.cisco.com/videos/5933), but I'm confused by a couple of the settings.

Do I enable nat exempt?  Do I do this on both devices or just one and if so which one?

Do I need to setup static routes to access these different subnets?

There is a router involved but it's for the primary ISP.  It's currently set to forward any packets destined for the 2 subnets at the remote facility to the 5510.  So the packets do get forwarded but seem to die once they hit the 5510.

1 ACCEPTED SOLUTION

Super Bronze

ASA to ASA Site to Site VPN

Hi,

Ok, so here should be the changes you need.

What we are essentially doing on both of the units is remove some configurations that are either not needed or are wrong.

The ASA might give some notifications when removing one of the "crypto map" commands, but you don't need to worry about it. It probably complains about an incomplete "crypto map" entry or something in that direction.

Seems to me that the L2L VPN ACL is wrong on both units and also the NAT. Also the ASA5510 seems to have a duplicate configuration for the same L2L VPN which I suggest removing below.

ASA5510

LOCAL: 10.2.0.0/16

REMOTE: 10.166.0.0/16

REMOVE CONFIGURATIONS

no crypto map tw_map 3 match address tw_cryptomap_1

no crypto map tw_map 3 set peer 69.x.x.x

no crypto map tw_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

no crypto map tw_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

no crypto map tw_map 1 match address tw_cryptomap

no access-list tw_cryptomap extended permit ip 10.2.0.0 255.255.0.0 any4

no access-list tw_cryptomap_1 extended permit ip 10.2.0.0 255.255.0.0 any4

no nat (private,tw) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 no-proxy-arp route-lookup

ADD CONFIGURATIONS

------------------

access-list L2LVPN-ACL remark Encryption Domain for L2L VPN

access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0

crypto map tw_map 1 match address L2LVPN-ACL

object network LAN

subnet 10.2.0.0 255.255.0.0

object network REMOTE-LAN

subnet 10.166.0.0 255.255.0.0

nat (private,tw) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

ASA5505

LOCAL: 10.166.0.0/16

REMOTE: 10.2.0.0/16

REMOVE CONFIGURATIONS

no crypto map outside_map 1 match address outside_cryptomap

no access-list outside_cryptomap extended permit ip 10.166.0.0 255.255.0.0 any4

no nat (outside,outside) source static NETWORK_OBJ_10.166.0.0_16 NETWORK_OBJ_10.166.0.0_16 no-proxy-arp route-lookup

ADD CONFIGURATIONS

access-list L2LVPN-ACL remark Encryption Domain for L2L VPN

access-list L2LVPN-ACL permit ip 10.166.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto map outside_map 1 match address L2LVPN-ACL

object network LAN

subnet 10.166.0.0 255.255.0.0

object network REMOTE-LAN

subnet 10.2.0.0 255.255.0.0

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

Let me know if this works for you. Hope it helps

Please do remember to mark a reply as the correct answer if it answered your question.

If there are still problems after these configurations then let's look at the situation again.

- Jouni

25 REPLIES
Super Bronze

ASA to ASA Site to Site VPN

Hi,

NAT0 / NAT Exempt configurations are required on both ASAs forming the L2L VPN connection. That is unless you want to specifically NAT the LANs to something else though this is not usual.

The NAT0 ACL will match the ACL used in the L2L VPN configuration. They should be identical. If you have source networks on either side behind different interfaces then you naturally need to configure NAT0 configurations for each interface separately.

You won't have to set up any routes related to the L2L VPN in a normal setup. You do mention you have 2 ISP links. To utilize both ISP links in the L2L VPN you would need to have the remote end configured with both ISP peer IP addresses. The ASA with 2 ISPs would also need to have the "crypto map" attached to both of the ISP interfaces. But again it's fine running the L2L VPN from the primary ISP only if that is your wish.

If you are having problems getting the L2L VPN to work then please provide us with the CLI format configurations of both units while changing the actual public IP addresses and removing any sensitive information.

Hope this helps

- Jouni
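As an added example (not code from this thread or from Cisco), here is a small Python checker for the two rules above and in the accepted answer: the crypto ACLs on the two peers must be mirror images with no any4, and every crypto-ACL pair needs an identity NAT (NAT exempt) entry. The configuration fragments are constructed from the corrected and the wizard-generated configurations in this thread; `parse_asa` and `check_pair` are names assumed here.

```python
"""Cross-check two ASA configs for the L2L VPN mistakes discussed in this thread:
a crypto ACL that uses any/any4, crypto ACLs that are not mirror images of each
other, and a crypto-ACL pair that has no identity NAT (NAT0) entry."""
from ipaddress import ip_network

ANY = None  # stands in for "any" / "any4" in a parsed ACL entry


def parse_asa(cfg):
    """Pull out network objects, permit-ip ACEs, crypto-map ACL names and NAT0 pairs."""
    objects, aces, crypto_acls, nat0 = {}, {}, set(), set()
    current_obj = None

    def net(t, i):
        # Return (network, next index) for "any4", "object NAME" or "addr mask".
        if t[i] in ("any", "any4"):
            return ANY, i + 1
        if t[i] == "object":
            return objects[t[i + 1]], i + 2
        return ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", ":"):
            continue
        if t[:2] == ["object", "network"]:
            current_obj = t[2]
        elif t[0] in ("subnet", "host") and current_obj:
            objects[current_obj] = ip_network("/".join(t[1:3]) if t[0] == "subnet" else t[1])
            current_obj = None
        elif t[0] == "access-list" and "permit" in t and t[t.index("permit") + 1] == "ip":
            i = t.index("permit") + 2
            src, i = net(t, i)
            dst, _ = net(t, i)
            aces.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            crypto_acls.add(t[t.index("address") + 1])
        elif t[0] == "nat" and t[2:4] == ["source", "static"]:
            real, mapped = objects[t[4]], objects[t[5]]
            dst = ANY
            if "destination" in t:
                j = t.index("destination")
                if objects[t[j + 2]] != objects[t[j + 3]]:
                    continue  # destination is translated, so this is not an exemption
                dst = objects[t[j + 2]]
            if real == mapped:  # identity NAT is what "NAT exempt" means here
                nat0.add((real, dst))
    return {"aces": aces, "crypto_acls": crypto_acls, "nat0": nat0}


def check_pair(cfg_a, cfg_b, names=("A", "B")):
    """Return findings for the pair; an empty list means the two sides agree."""
    sides = (parse_asa(cfg_a), parse_asa(cfg_b))
    findings = []
    for name, me, peer in ((names[0], sides[0], sides[1]), (names[1], sides[1], sides[0])):
        peer_aces = {ace for acl in peer["crypto_acls"] for ace in peer["aces"].get(acl, [])}
        for acl in me["crypto_acls"]:
            for src, dst in me["aces"].get(acl, []):
                if ANY in (src, dst):
                    findings.append(f"{name}: {acl} matches any/any4, so all traffic would be tunnelled")
                    continue  # nothing sensible to mirror or exempt
                if (dst, src) not in peer_aces:
                    findings.append(f"{name}: {src}->{dst} has no mirrored entry in the peer's crypto ACL")
                if (src, dst) not in me["nat0"]:
                    findings.append(f"{name}: no identity NAT exemption for {src}->{dst}")
    return findings


# Constructed from the corrected configuration given in the accepted answer.
ASA5510_FIXED = """
object network LAN
 subnet 10.2.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.166.0.0 255.255.0.0
access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0
crypto map tw_map 1 match address L2LVPN-ACL
nat (private,tw) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
"""
ASA5505_FIXED = """
object network LAN
 subnet 10.166.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.2.0.0 255.255.0.0
access-list L2LVPN-ACL permit ip 10.166.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map outside_map 1 match address L2LVPN-ACL
nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
"""
# Constructed from the wizard-generated 5505 configuration posted in the thread.
ASA5505_WIZARD = """
object network NETWORK_OBJ_10.166.0.0_16
 subnet 10.166.0.0 255.255.0.0
access-list outside_cryptomap extended permit ip 10.166.0.0 255.255.0.0 any4
nat (outside,outside) source static NETWORK_OBJ_10.166.0.0_16 NETWORK_OBJ_10.166.0.0_16 no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
"""

if __name__ == "__main__":
    for line in check_pair(ASA5510_FIXED, ASA5505_WIZARD, ("5510", "5505")) or ["no findings"]:
        print(line)
```

Running it against the corrected pair returns no findings; against the wizard output it reports the any4 entry on the 5505 and the missing mirror on the 5510.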

New Member

ASA to ASA Site to Site VPN

Thank you for your response.  That helps with those questions.  Another that I should ask is about the local and remote network that I have to select when going through the wizard.  I select the 10.2.0.0/16 on the 5510 for local and on the remote I choose any4.  On the 5505, I set both to be any4.  Is that correct or do I need to add in the other 2 subnets of the remote site to the 5510 and select those as well when running the wizard or am I thinking this wrong?

Super Bronze

ASA to ASA Site to Site VPN

Hi,

You should only use the specific networks as local/networks.

I would avoid using "any4" in any configurations, especially in the remote section. This is because it means the ASA will try to send ALL traffic through the L2L VPN. This might break all Internet traffic for users, for example.

In a typical setup you won't want to tunnel all traffic, naturally.

- Jouni

New Member

ASA to ASA Site to Site VPN

So you're saying that I should add in the subnets as networks on the 5505 and use those for the local setting in the wizard?  Do I need to add those subnets to the 5510?  Do I select those for the remote setting in the wizard?

Super Bronze

ASA to ASA Site to Site VPN

Hi,

I don't use ASDM or the Wizards much myself.

But in BOTH of the ASAs you configure the L2L VPN and mention their local/remote networks specifically.

If you have already configured the L2L VPN on both ASAs then can you provide the CLI (Command Line Interface) format configurations of both units (minus sensitive information like public IP addresses) and I can look at what changes will be needed. This would probably be the easiest way to make the changes needed.

- Jouni

New Member

ASA to ASA Site to Site VPN

The 5510

: Saved

:

ASA Version 9.1(2)

!

hostname dalasa

enable password encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd encrypted

names

!

interface Ethernet0/0

nameif tw

security-level 0

ip address 64.x.x.x 255.255.255.248

!

interface Ethernet0/1

nameif private

security-level 100

ip address 10.2.1.252 255.255.0.0

!

interface Ethernet0/2

no nameif

no security-level

no ip address

!

interface Ethernet0/2.10

vlan 10

nameif wlan

security-level 50

ip address 172.16.0.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

boot system disk0:/asa912-k8.bin

ftp mode passive

dns domain-lookup tw

dns domain-lookup private

dns domain-lookup wlan

dns domain-lookup management

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 4.2.2.4

object network obj-10.2.0.0

subnet 10.2.0.0 255.255.0.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-172.16.0.0

subnet 172.16.0.0 255.255.255.0

object network NETWORK_OBJ_10.2.0.0_16

subnet 10.2.0.0 255.255.0.0

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

access-list private_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.2.0.0 255.255.0.0 any4

access-list wlan_access_in remark block traffic from wlan to private net

access-list wlan_access_in extended deny ip any object obj-10.2.0.0

access-list wlan_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.16.0.0 255.255.255.0 any4

access-list tw_cryptomap extended permit ip 10.2.0.0 255.255.0.0 any4

access-list tw_cryptomap_1 extended permit ip 10.2.0.0 255.255.0.0 any4

pager lines 24

logging enable

logging timestamp

logging buffered debugging

logging asdm informational

logging host private 10.x.x.x

mtu tw 1500

mtu private 1500

mtu wlan 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (private,tw) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 no-proxy-arp route-lookup

!

object network obj-10.2.0.0

nat (private,tw) dynamic interface

object network obj_any

nat (management,tw) dynamic interface

object network obj-172.16.0.0

nat (any,tw) dynamic interface

access-group private_access_in in interface private

access-group wlan_access_in in interface wlan

route tw 0.0.0.0 0.0.0.0 64.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map tw_map 1 match address tw_cryptomap

crypto map tw_map 1 set peer 69.x.x.x

crypto map tw_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map tw_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map tw_map 3 match address tw_cryptomap_1

crypto map tw_map 3 set peer 69.x.x.x

crypto map tw_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map tw_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map tw_map interface tw

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable tw

crypto ikev1 enable tw

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 172.16.0.2-172.16.0.254 wlan

dhcpd dns 8.8.8.8 4.2.2.4 interface wlan

dhcpd enable wlan

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy_69.x.x.x internal

group-policy GroupPolicy_69.x.x.x attributes

vpn-tunnel-protocol ikev1 ikev2

tunnel-group 69.x.x.x type ipsec-l2l

tunnel-group 69.x.x.x general-attributes

default-group-policy GroupPolicy_69.x.x.x

tunnel-group 69.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

: end

asdm image disk0:/asdm-713.bin

no asdm history enable

The 5505

: Saved

:

ASA Version 9.1(2)

!

hostname remote-site

domain-name example.com

enable password encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.166.1.10 255.255.0.0

!

interface Vlan2

description ISP Blended Circuit

nameif outside

security-level 0

ip address 69.x.x.x 255.255.255.192

!

interface Vlan5

shutdown

no nameif

security-level 50

ip address dhcp

!

boot system disk0:/asa912-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name example.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network ISPblend-ISP

host 66.x.x.x

description ISP router

object network NETWORK_OBJ_10.166.0.0_16

subnet 10.166.0.0 255.255.0.0

access-list inside_access_in remark default out

access-list inside_access_in extended permit ip any any

access-list outside_cryptomap extended permit ip 10.166.0.0 255.255.0.0 any4

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (outside,outside) source static NETWORK_OBJ_10.166.0.0_16 NETWORK_OBJ_10.166.0.0_16 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 69.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.166.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

sysopt noproxyarp outside

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 64.x.x.x

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 10.166.0.0 255.255.0.0 inside

telnet timeout 5

ssh 10.166.0.0 255.255.0.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 65.55.56.206 source outside prefer

group-policy GroupPolicy_64.x.x.x internal

group-policy GroupPolicy_64.x.x.x attributes

vpn-tunnel-protocol ikev1 ikev2

username admin password encrypted privilege 15

tunnel-group 64.x.x.x type ipsec-l2l

tunnel-group 64.x.x.x general-attributes

default-group-policy GroupPolicy_64.x.x.x

tunnel-group 64.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

: end

asdm image disk0:/asdm-713.bin

no asdm history enable


New Member

ASA to ASA Site to Site VPN

You're amazing!!!  Thank you so much for your help!  I've been struggling with this for a while now.  I also now see what I was missing.  Just shows that I still have a LONG way to go.  Thanks again!!

Super Bronze

ASA to ASA Site to Site VPN

Hi,

Great to hear it's working now.

Don't hesitate to post here again if you run into some problems.

- Jouni

New Member

ASA to ASA Site to Site VPN

So then, if I wanted to enable access to the following subnets at the remote office, do I add them to the access list on the 5510 along with creating a second network object?

192.168.99.0/24

192.168.100.0/24

Add to the 5510

access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0 192.168.99.0 255.255.255.0 192.168.100.0 255.255.255.0

object network REMOTE-LAN2

subnet 192.168.99.0 255.255.255.0

nat (private,tw) source static LAN LAN destination static REMOTE-LAN2 REMOTE-LAN2

object network REMOTE-LAN3

subnet 192.168.100.0 255.255.255.0

nat (private,tw) source static LAN LAN destination static REMOTE-LAN3 REMOTE-LAN3

Add to the 5505

access-list L2LVPN-ACL permit ip 10.166.0.0 255.255.0.0 192.168.99.0 255.255.255.0 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0

object network LAN2

subnet 192.168.99.0 255.255.255.0

object network LAN3

subnet 192.168.100.0 255.255.255.0


Not sure if I need to add in the nat line on the 5505.  Does this look correct?

Super Bronze

ASA to ASA Site to Site VPN

Hi,

I am not sure at which ASA the networks 192.168.99.0/24 and 192.168.100.0/24 are located at and behind which interfaces. I can't see any mention of them in the earlier configurations.

- Jouni

New Member

ASA to ASA Site to Site VPN

Those 2 subnets are located in the remote office behind the 5505.  I forgot about those since they are rarely used but would be really nice to be able to access from the main office.

Super Bronze

ASA to ASA Site to Site VPN

Hi,

There are no routes configured for those networks on the ASA5505 and there are no interfaces with those subnets on the ASA5505.

If I were to presume that these networks are located behind the "inside" interface of that ASA5505, then these would be the correct configurations.

ASA5510

access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 192.168.99.0 255.255.255.0

access-list L2LVPN-ACL permit ip 10.2.0.0 255.255.0.0 192.168.100.0 255.255.255.0

object network REMOTE-LAN-2

subnet 192.168.99.0 255.255.255.0

object network REMOTE-LAN-3

subnet 192.168.100.0 255.255.255.0

nat (private,tw) source static LAN LAN destination static REMOTE-LAN-2 REMOTE-LAN-2

nat (private,tw) source static LAN LAN destination static REMOTE-LAN-3 REMOTE-LAN-3

ASA5505

access-list L2LVPN-ACL permit ip 192.168.99.0 255.255.255.0 10.2.0.0 255.255.0.0

access-list L2LVPN-ACL permit ip 192.168.100.0 255.255.255.0 10.2.0.0 255.255.0.0

object network LAN-2

subnet 192.168.99.0 255.255.255.0

object network LAN-3

subnet 192.168.100.0 255.255.255.0

nat (inside,outside) source static LAN-2 LAN-2 destination static REMOTE-LAN REMOTE-LAN

nat (inside,outside) source static LAN-3 LAN-3 destination static REMOTE-LAN REMOTE-LAN

If the networks are not behind the "inside" interface of ASA5505 then the "nat" configuration needs to be changed.

If there is some router behind the ASA5505 then you will have to have "route" commands for those networks. I am just wondering, as I don't see them in the configuration at all.

- Jouni
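As an added example (not from the thread or from Cisco), the following Python script builds the per-subnet crypto ACL, network objects and identity NAT (NAT-exempt) lines for both ASAs from a subnet list, and checks that the two peers' ACLs mirror each other, which is what the proxy identities must do for the L2L VPN to negotiate. Object names, interface pairs and subnets are taken from the thread; the script itself is an illustration.

```python
import ipaddress

def _net(cidr):
    """'10.2.0.0/16' -> '10.2.0.0 255.255.0.0' (ASA ACL notation)."""
    n = ipaddress.ip_network(cidr)
    return f"{n.network_address} {n.netmask}"

def l2l_config(local, remote, nat_ifaces, acl="L2LVPN-ACL"):
    """Build the crypto ACL, network objects and identity NAT rules for ONE
    ASA. `local`/`remote` map object names as used on this ASA to CIDRs;
    `nat_ifaces` is (inside_if, outside_if) for the nat statement.
    Returns (acl_lines, object_lines, nat_lines)."""
    acl_lines, obj_lines, nat_lines = [], [], []
    for lname, lcidr in local.items():
        for rname, rcidr in remote.items():
            acl_lines.append(f"access-list {acl} permit ip {_net(lcidr)} {_net(rcidr)}")
            nat_lines.append(f"nat ({nat_ifaces[0]},{nat_ifaces[1]}) source static "
                             f"{lname} {lname} destination static {rname} {rname}")
    for name, cidr in list(local.items()) + list(remote.items()):
        obj_lines += [f"object network {name}", f" subnet {_net(cidr)}"]
    return acl_lines, obj_lines, nat_lines

def acl_pairs(acl_lines):
    """Extract (local, remote) '<net> <mask>' pairs from crypto ACL lines."""
    pairs = set()
    for line in acl_lines:
        f = line.split()
        pairs.add((f"{f[4]} {f[5]}", f"{f[6]} {f[7]}"))
    return pairs

def mirrors(acl_a, acl_b):
    """True when every ACE on one peer has the reversed ACE on the other,
    i.e. the local/remote identities agree on both ends."""
    return acl_pairs(acl_a) == {(r, l) for l, r in acl_pairs(acl_b)}

# Constructed inputs mirroring the thread (interface names as shown on the
# two ASAs: private/tw on the 5510, inside/outside on the 5505).
HQ_LOCAL = {"LAN": "10.2.0.0/16"}
HQ_REMOTE = {"REMOTE-LAN": "10.166.0.0/16", "REMOTE-LAN-2": "192.168.99.0/24",
             "REMOTE-LAN-3": "192.168.100.0/24"}
BR_LOCAL = {"LAN": "10.166.0.0/16", "LAN-2": "192.168.99.0/24",
            "LAN-3": "192.168.100.0/24"}
BR_REMOTE = {"REMOTE-LAN": "10.2.0.0/16"}

if __name__ == "__main__":
    hq = l2l_config(HQ_LOCAL, HQ_REMOTE, ("private", "tw"))
    br = l2l_config(BR_LOCAL, BR_REMOTE, ("inside", "outside"))
    for side in (hq, br):
        print("\n".join(side[0] + side[1] + side[2]), "\n")
    print("ACLs mirror:", mirrors(hq[0], br[0]))
```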

New Member

ASA to ASA Site to Site VPN

You're correct.  They are behind the inside interface on the 5505.  There is a router at the remote site and I'll have to add in the static routes.  I'll report back when that's done and if the config additions you suggested worked, I'll mark it as the right answer.  Thanks again for all of your help!

New Member

ASA to ASA Site to Site VPN

Well I think I'm getting ahead of myself.  I'm able to ping the remote office on the 10.166.0.0/16 network but that's all.  I'm unable to rdp, telnet, and ssh into any of the boxes on that network.  The ACL's say IP is permitted.  Any ideas?

Super Bronze

ASA to ASA Site to Site VPN

Hi,

In the previous configurations I can't see anything that should cause this. I guess we can also look at the current configurations on both devices.

I guess you could use TCP Ping on the ASAs to test if any of the hosts' ports answer to TCP SYN.

The one run from ASA5510 should send the traffic through the L2L VPN. Use different ports and host IPs to test connections to your devices.

The one run from ASA5505 sends the traffic directly from the ASA that is in the same network as the hosts.

ASA5510

ping tcp 10.2.100.100 12345

ASA5505

ping tcp

- Jouni

New Member

ASA to ASA Site to Site VPN

I can ping hosts on the network the asa is on.  For example, on the 5505(10.166.1.10), I can ping other hosts in the same subnet.  If I try to ping any host on the 10.2.0.0/16 I get the following message.

from the 5505

ping tcp 10.2.2.10 3389

No source specified. Pinging from identity interface.

Sending 5 TCP SYN requests to 10.2.2.10 port 3389

from 69.x.x.x, timeout is 2 seconds:

?????

Success rate is 0 percent <0/5>

Same thing when I do the reverse from the 5510.

from the 5510

ping tcp 10.166.1.190 3389

No source specified. Pinging from identity interface.

Sending 5 TCP SYN requests to 10.2.2.10 port 3389

from 64.x.x.x, timeout is 2 seconds:

?????

Success rate is 0 percent <0/5>

If I configure a pc to use the 5510 as its gateway, I can ping hosts on the 10.166.0.0 range but that's all.

Super Bronze

ASA to ASA Site to Site VPN

Hi,

The commands you used don't really follow the instructions.

The first one I listed is meant to send TCP SYN from the ASA5510 with a certain source address. If you don't specify it, it will source the TCP SYN from the wrong IP address.

The second one I listed is meant to test the port connectivity directly from the ASA5505 unit and that doesn't need a source address specified since it will use the connected network's interface.

Your test from the ASA5505 would probably fail because the ASA would probably use its "outside" interface as source and that traffic would not even match the L2L VPN configurations.

Same thing with the test on ASA5510.

- Jouni

New Member

ASA to ASA Site to Site VPN

Sorry I did misread your answer.  When I run the ping from the 5510 it complains of invalid input.

ping 10.166.1.190 3389 10.2.100.100 12345

                               ^

ERROR: % Invalid input detected at '^' marker.

When I run it like the following it does complete but still 0% rate.

From the 5510

dalasa# ping tcp

Interface: private

Target IP address: 10.166.1.190

Destination port: [80] 3389

Specify source? [n]: y

Source IP address: 10.2.100.100

Source port: [0] 12345

Repeat count: [5]

Timeout in seconds: [2]

Type escape sequence to abort.

Sending 5 TCP SYN requests to 10.166.1.190 port 3389

from 10.2.100.100 starting port 12345, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

dalasa#

Super Bronze

ASA to ASA Site to Site VPN

Hi,

In the original command you at least left out the "tcp" in the "ping" command.

I actually forgot to add one parameter to the other command.

ASA5510

ping tcp source 10.2.100.100 12345

Can you take the output of the following command from both ASAs after you have tested some actual connections?

show crypto ipsec sa

We might need to take a look at the current configurations of the ASAs also.

- Jouni

New Member

ASA to ASA Site to Site VPN

From the 5510

dalasa> ping tcp 10.166.1.190 3389 source 10.2.100.100 12345

Type escape sequence to abort.

Sending 5 TCP SYN requests to 10.166.1.190 port 3389

from 10.2.100.100 starting port 12345, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

From the 5510

dalasa# show crypto ipsec sa

interface: tw

    Crypto map tag: tw_map, seq num: 1, local addr: 64.x.x.x

      access-list L2LVPN-ACL extended permit ip 10.2.0.0 255.255.0.0 10.166.0.0 255.255.0.0

      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)

      current_peer: 69.x.x.x

      #pkts encaps: 292, #pkts encrypt: 292, #pkts digest: 292

      #pkts decaps: 5649, #pkts decrypt: 5649, #pkts verify: 5649

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 292, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.x.x.x./500, remote crypto endpt.: 69.x.x.x/500

      path mtu 1500, ipsec overhead 58(36), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: D3A8F8E2

      current inbound spi : 5265B21A

    inbound esp sas:

      spi: 0x5265B21A (1382396442)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv2, }

         slot: 0, conn_id: 20389888, crypto-map: tw_map

         sa timing: remaining key lifetime (kB/sec): (4007801/22921)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0xD3A8F8E2 (3551066338)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv2, }

         slot: 0, conn_id: 20389888, crypto-map: tw_map

         sa timing: remaining key lifetime (kB/sec): (3962859/22921)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

dalasa#

From the 5505

5505asa# show crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: 69.x.x.x

      access-list L2LVPN-ACL extended permit ip 10.166.0.0 255.255.0.0 10.2.0.0 255.255.0.0

      local ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)

      current_peer: 64.x.x.x

      #pkts encaps: 5649, #pkts encrypt: 5649, #pkts digest: 5649

      #pkts decaps: 292, #pkts decrypt: 292, #pkts verify: 292

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 5649, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 69.x.x.x/500, remote crypto endpt.: 64.x.x.x/500

      path mtu 1500, ipsec overhead 58(36), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: 5265B21A

      current inbound spi : D3A8F8E2

    inbound esp sas:

      spi: 0xD3A8F8E2 (3551066338)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv2, }

         slot: 0, conn_id: 92712960, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4239339/22735)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x5265B21A (1382396442)

         transform: esp-des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv2, }

         slot: 0, conn_id: 92712960, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4007801/22735)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

5505asa#

Super Bronze

ASA to ASA Site to Site VPN

Hi,

There seems to be traffic in both directions on the L2L VPN so that is strange. You said that the ICMP works but nothing else.

Are there any TCP-based services that you could enable on the remote hosts, like installing a VNC server on the hosts and trying connections like that? Just to make sure that there is no actual problem with the remote end hosts, for example related to a software firewall.

When traffic only flows in one direction then it's sometimes a problem with routing, but it doesn't seem to be the case with this setup, as we clearly see that both ends have generated traffic towards the other remote end.

You could configure a traffic capture on the ASA5505 if you want to confirm that it sees the traffic coming from the site with ASA5510 and if it sees any return traffic coming from the LAN.

You could configure this on the ASA5505:

access-list L2LVPN-CAP permit ip host 10.2.x.x host 10.166.x.x

access-list L2LVPN-CAP permit ip host 10.166.x.x host 10.2.x.x

capture L2LVPN-CAP type raw-data access-list L2LVPN-CAP interface inside buffer 2000000

Replace the above IP addresses with the actual IP address of the host you are using to attempt the connection, and naturally replace the destination host IP address with the actual host IP you are trying to connect to.

Then, after the capture is configured and you have tested the connection once or twice, issue the following commands. Also send ICMP, since you mention it works but nothing else.

show capture

show capture L2LVPN-CAP

And show us the output.

- Jouni
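Added example (not part of the thread): a small Python checker that reads the two peers' "show crypto ipsec sa" output, pairs each SA with its mirror on the other ASA by proxy identity, and reports one-way traffic or counters that disagree between the peers, which is the reasoning applied above (both ends have encaps and decaps, so routing across the tunnel itself is fine). The sample output is constructed from the counters in the thread; the peer addresses are TEST-NET placeholders.

```python
import re

# Constructed, abbreviated 'show crypto ipsec sa' output from both peers.
HQ_SA = """\
    Crypto map tag: tw_map, seq num: 1, local addr: 192.0.2.10
      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)
      #pkts encaps: 292, #pkts encrypt: 292, #pkts digest: 292
      #pkts decaps: 5649, #pkts decrypt: 5649, #pkts verify: 5649
"""
BR_SA = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.10
      local ident (addr/mask/prot/port): (10.166.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      #pkts encaps: 5649, #pkts encrypt: 5649, #pkts digest: 5649
      #pkts decaps: 292, #pkts decrypt: 292, #pkts verify: 292
"""

def parse_sa(text):
    """One dict per 'Crypto map tag' block: proxy identities plus encaps/decaps."""
    sas, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Crypto map tag:"):
            cur = {"encaps": 0, "decaps": 0}
            sas.append(cur)
        elif cur is not None:
            if m := re.match(r"(local|remote) ident .*?\(([\d.]+/[\d.]+)/", line):
                cur[m.group(1)] = m.group(2)
            elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
                cur[m.group(1)] = int(m.group(2))
    return sas

def diagnose(text_a, text_b, drift=0.1):
    """Each SA on A needs a mirrored SA on B, traffic both ways, and counters
    that agree within `drift` (outputs are not captured simultaneously)."""
    findings, peer = [], parse_sa(text_b)
    for a in parse_sa(text_a):
        tag = f"{a.get('local')} <-> {a.get('remote')}"
        b = next((s for s in peer if (s.get("local"), s.get("remote")) ==
                  (a.get("remote"), a.get("local"))), None)
        if b is None:
            findings.append(f"{tag}: no mirrored SA on peer (check crypto ACLs)")
            continue
        for side, sa in (("A", a), ("B", b)):
            if (sa["encaps"] == 0) != (sa["decaps"] == 0):
                findings.append(f"{tag} {side}: one-way traffic (check routing/NAT exempt)")
        for sent, got in ((a["encaps"], b["decaps"]), (b["encaps"], a["decaps"])):
            if abs(sent - got) > drift * max(sent, 1):
                findings.append(f"{tag}: {sent} sent vs {got} received on peer")
    return findings
```

An empty result for the thread's counters confirms what is said above: the tunnel passes traffic in both directions, so the remaining suspect is routing on the LAN side of each ASA.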

New Member

ASA to ASA Site to Site VPN

I think the tunnel is just fine.  When I configure a pc at the main office with its gateway set to use the 5510 and set up a pc at the remote office to use the 5505 as its gateway, everything communicates across all ports.  I'm able to rdp from the 5510 to the pc behind the 5505 and vice versa.

The issue I think now is that there's a routing issue from the 5505 and its "router" which is a Juniper firewall.  I have a static route set up on it to forward any traffic for the 10.2.0.0/16 network to the 5505.

The same goes for the 5510.  The router here is a Cisco that forwards any traffic destined for any of the subnets I listed before to the 5510.

I think it's a routing issue.  What about you?

Super Bronze

Re: ASA to ASA Site to Site VPN

Hi,

If the ASA firewalls aren't the actual default gateway of the networks they are connected to (as you mention you have to separately route the remote networks towards the ASA at that location) then it is/was a routing problem.

I was not aware that the ASAs were not actually the devices through which ALL traffic was forwarded.

- Jouni

Super Bronze

ASA to ASA Site to Site VPN

Hi,

So were you able to get the network setup so that the connections between the 2 locations work without making actual changes on the hosts?

If there are no more problems then please remember to mark a reply as the correct answer if it answered your question and/or rate helpful answers.

You can naturally ask more questions if there are still some problems with the setup.

- Jouni
