03-20-2014 01:16 PM
I have two ASA 5520s to set up a site-to-site VPN. I want to test first before deployment to the remote site. After running the S2S wizard, I have no VPN connection. The settings are identical, apart from the peer outside addresses. I am using port 0/0 on both, connected by a patch cable. I can ping the outside addresses from either device, 192.168.1.1/30 and .2/30. I can't see any VPN LED on the front of the device, and no IPsec tunnels seem to come up in the monitoring section. Not having done this before, any help on how to test this would be greatly received.
03-20-2014 04:13 PM
Here are some links to VPN resources:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/site2sit.html
If there are still problems, then tell us which version you are running and show your crypto- and NAT-config.
03-21-2014 09:11 AM
Hi Karsten, thanks for your reply. I have ASDM version 6.4 and ASA 8.4. I have wiped both ASAs and first tried the asa_84 link config. I still can't get a solid VPN light on the console.
Is my test flawed? I have int 0/3 on ASA 2 as 192.168.4.254/24, and on ASA 1 int 0/3 has two sub-interfaces, 10 and 20, connected to a 3560 switch trunk port for VLAN routing.
asa1 0/3.10 is 192.168.2.254/24
asa1 0/3.20 is 192.168.3.254/24
on asa2
0/3 is 192.168.4.254/24
I will get the configs when I get my USB stick. Thanks again for your help.
How can I ping 192.168.4.254 from a device attached to the 192.168.2.0 network, or even ping from the ASA 1 device?
many thanks
Allen
07-28-2015 03:09 PM
This discussion has been reposted from Cisco User Groups to the VPN community.
03-20-2014 08:06 PM
Hi Allen ,
Basic configuration for a Cisco ASA 5520; copy this configuration and create a mirror configuration
for your Site-2 Cisco ASA 5520
==================================
! Pre-8.3 syntax (note the "nat 0" exemption at the end). On 8.3+ the NAT
! exemption must be rewritten as an object-based twice-NAT rule, and 8.4 renames
! the ISAKMP / transform-set commands with the "ikev1" keyword (old forms are
! still accepted and converted).
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
tunnel-group <peer IP addr> type ipsec-l2l
tunnel-group <peer IP addr> ipsec-attributes
 pre-shared-key <your key>
! Interesting traffic (crypto ACL); the Site-2 mirror swaps source and destination
access-list site1_to_site2 extended permit ip <site 1 subnet> <netmask> <site 2 subnet> <netmask>
access-list NO_NAT extended permit ip <site 1 subnet> <netmask> <site 2 subnet> <netmask>
! Phase 2 below uses 3DES/MD5 while Phase 1 uses AES/SHA; esp-aes esp-sha-hmac is the stronger choice
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address site1_to_site2
crypto map outside_map 1 set peer <Peer IP Address>
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set security-association lifetime seconds 3600 kilobytes 8192
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
! NAT exemption, pre-8.3 form only
nat (inside) 0 access-list NO_NAT
=============================================
Thanks a lot.
Regards,
Lewy
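The same design translated to the 8.4 syntax Allen is running, filled in with the addresses from this thread (outside 192.168.1.1/30 and 192.168.1.2/30; 192.168.2.0/24 and 192.168.3.0/24 behind ASA 1; 192.168.4.0/24 behind ASA 2). This is an added example, not Lewy's posted config or a Cisco reference. The object names, the nameif "inside" on ASA 2, and the use of (any,outside) for the exemption rule on ASA 1 (so it covers both sub-interfaces without knowing their nameifs) are assumptions; replace "any" with the real inside nameif for a tighter rule.

```cisco
!=== ASA 1 (8.4): outside 192.168.1.1/30, LANs 192.168.2.0/24 and 192.168.3.0/24 ===
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 ikev1 pre-shared-key <your key>
!
! Objects (assumed names) so the crypto ACL and the NAT exemption reference
! exactly the same networks; a mismatch between the two breaks Phase 2 or NATs
! the traffic away from the tunnel
object-group network SITE1_LANS
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object network SITE2_LAN
 subnet 192.168.4.0 255.255.255.0
!
! Interesting traffic: ASA 2 must carry the exact mirror image of this ACL
access-list site1_to_site2 extended permit ip object-group SITE1_LANS object SITE2_LAN
!
! 8.3+ NAT exemption (replaces "nat (inside) 0 access-list NO_NAT"): an identity
! twice-NAT rule, which must sit above any dynamic PAT rule in the NAT table
nat (any,outside) source static SITE1_LANS SITE1_LANS destination static SITE2_LAN SITE2_LAN no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address site1_to_site2
crypto map outside_map 1 set peer 192.168.1.2
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
!
! Without a route out "outside" for the remote LAN the packet never reaches the
! crypto map, so the tunnel is never triggered (the /30 is directly connected,
! but 192.168.4.0/24 is not)
route outside 192.168.4.0 255.255.255.0 192.168.1.2 1

!=== ASA 2 (8.4) mirror: outside 192.168.1.2/30, LAN 192.168.4.0/24 on "inside" ===
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key <your key>
!
object-group network SITE1_LANS
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object network SITE2_LAN
 subnet 192.168.4.0 255.255.255.0
!
! Source and destination swapped relative to ASA 1
access-list site2_to_site1 extended permit ip object SITE2_LAN object-group SITE1_LANS
nat (inside,outside) source static SITE2_LAN SITE2_LAN destination static SITE1_LANS SITE1_LANS no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address site2_to_site1
crypto map outside_map 1 set peer 192.168.1.1
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
!
route outside 192.168.2.0 255.255.255.0 192.168.1.1 1
route outside 192.168.3.0 255.255.255.0 192.168.1.1 1
```

The pre-shared key must be identical on both sides, and the two crypto ACLs must be exact mirrors: a subnet present in one side's ACL but absent from the other's shows up as a Phase 2 proposal mismatch even though Phase 1 completes.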
07-28-2015 05:27 PM
Check my blog:
Check the bottom part; it depends on the code you have, whether it is a pre-8.3 or post-8.3 ASA software version.
https://lewypogi.wordpress.com/
Kindly make sure your routing for the interesting traffic is correct so the tunnel will be triggered.
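A test sequence for Allen's original question (how to tell whether the tunnel is up, and why it is not), as an added example rather than something from Lewy's post or blog. The inside nameif vlan10 and the host 192.168.2.10 are assumed, and the "want:" comments describe what ASA 8.4 shows when things are healthy, not captured output from this thread.

```cisco
! 1. Route check: the remote LAN must leave via "outside", where the crypto map is bound
show route
!    want:  S  192.168.4.0 255.255.255.0 [1/0] via 192.168.1.2, outside
!
! 2. Start clean so you are not looking at stale SAs from an earlier attempt
clear crypto isakmp sa
clear crypto ipsec sa
!
! 3. Simulate interesting traffic and read each phase: ROUTE-LOOKUP must pick
!    "outside", the NAT phase must hit the exemption (identity) rule, and the
!    VPN phase must show ENCRYPT; a DROP at the NAT phase means the exemption
!    is wrong or ordered below a PAT rule
packet-tracer input vlan10 icmp 192.168.2.10 8 0 192.168.4.254 detailed
!
! 4. Trigger it for real, sourced from the inside interface so the source
!    address falls inside the crypto ACL (a ping sourced from "outside" never will)
ping vlan10 192.168.4.254
!    The first replies may time out while IKE negotiates; repeat once.
!    To answer a ping to ITS OWN inside address arriving through the tunnel the
!    far ASA needs "management-access inside"; a host on 192.168.4.0/24 does not.
!
! 5. Phase 1: MM_ACTIVE means IKE is up. Stuck at MM_WAIT_MSG2 on the initiator
!    usually means the peer never answered (ISAKMP not enabled on its outside,
!    or no IKE policy in common); MM_WAIT_MSG6 is the classic pre-shared-key mismatch
show crypto isakmp sa
!
! 6. Phase 2: "local ident" / "remote ident" must match the crypto ACL on both
!    ends, and #pkts encaps and #pkts decaps must both climb. Encaps climbing
!    with decaps at zero means the far side is dropping or mis-routing the reply
show crypto ipsec sa peer 192.168.1.2
!
! 7. Still nothing? Watch the negotiation live from the initiator, then stop it
debug crypto ikev1 127
debug crypto ipsec 127
undebug all
```

Once step 5 shows MM_ACTIVE and step 6 shows both counters moving, the tunnel also appears under Monitoring > VPN in ASDM; until then the wizard's "VPN connection" will look empty regardless of what the front-panel LED does.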