How to set up site-to-site VPN on ASA 5520

allen00010 (Level 1)

I've two ASA 5520s to set up a site-to-site VPN. I want to test first before deployment to the remote site. After running the s2s wizard, I have no VPN connection. The settings are identical, apart from the peer outside addresses. I am using port 0/0 on both, connected by a patch cable. I can ping the outside addresses from either device, 192.168.1.1/30 and .2/30. I can't see any VPN LED on the front of the device, and no IPsec tunnels seem to come up in the monitoring section. Not having done this before, any help on how to test this would be greatly received.

6 Replies

Hi Karsten, thanks for your reply. I have ASDM version 6.4 and ASA 8.4. I have wiped both ASAs and first tried the asa_84 link config. I still can't get a solid VPN light on the console.

Is my test flawed? I have int0/3 on asa2 as 192.168.4.254/24, and on asa1 int0/3 has two sub-interfaces, 10 and 20, connected to a 3560 switch trunk port for VLAN routing.

asa1 0/3.10 is 192.168.2.254/24

asa1 0/3.20 is 192.168.3.254/24

On asa2:

0/3 is 192.168.4.254/24

I will get the configs when I get my USB stick. Thanks again for your help.

How can I ping 192.168.4.254 from a device attached to the 192.168.2.0 network, or even ping from the asa1 device?

Many thanks

Allen

This discussion has been reposted from Cisco User Groups to the VPN community.

Hi Allen,

Basic configuration for a Cisco ASA 5520. Copy this configuration and create a mirror configuration for your Site-2 Cisco ASA 5520.

==================================
! Phase 1 (ISAKMP) policy: must match on both peers
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800

! Peer definition: the other site's outside address and the shared key
tunnel-group <peer IP addr> type ipsec-l2l
tunnel-group <peer IP addr> ipsec-attributes
 pre-shared-key <your key>

! Interesting traffic (crypto ACL) and NAT exemption; on site 2 swap the subnets
access-list site1_to_site2 extended permit ip <site 1 subnet> <netmask> <site 2 subnet> <netmask>
access-list NO_NAT extended permit ip <site 1 subnet> <netmask> <site 2 subnet> <netmask>

! Phase 2 (IPsec) proposal: must match on both peers
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 1 match address site1_to_site2
crypto map outside_map 1 set peer <Peer IP Address>
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set security-association lifetime seconds 3600 kilobytes 8192
crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

! NAT exemption in pre-8.3 syntax (see the 8.3 note below)
nat (inside) 0 access-list NO_NAT
=============================================

 

Thanks a lot.

 

 

Regards,

 

Lewy

 

 

Check my blog:

 

Check at the bottom part, it depends on the code you have. if it's pre 8.3 or post 8.3 ASA software versions.

 

https://lewypogi.wordpress.com/

 

Kindly make sure your routing for the interesting traffic is correct so tunnel will be triggered.

Check my blog:

 

Check at the bottom part, it depends on the code you have. if it's pre 8.3 or post 8.3 ASA software versions.

 

https://lewypogi.wordpress.com/

 

Kindly make sure your routing for the interesting traffic is correct so tunnel will be triggered.
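As an added example (not part of this thread, and not Cisco's or Lewy's code), here is a Python checker that parses the subset of ASA CLI used in the configuration above for both peers and reports the mismatches that most often keep a site-to-site tunnel from forming: no common phase 1 policy, differing pre-shared keys, differing transform sets or PFS, a crypto ACL that is not an exact mirror, and a "set peer" that does not point at the other side's outside address. It also checks whether a given test flow is interesting traffic, which shows why pinging the peer's outside address alone never triggers the tunnel: that flow matches no crypto ACL entry. The addresses, ACL names and PSK are constructed, and the sample configs follow the pre-8.3-style syntax posted above.

```python
"""Consistency check for a pair of Cisco ASA site-to-site IPsec configs.
Added example, not from the thread or from Cisco. Parses only the CLI subset
used in the posted config; all addresses, names and the PSK are constructed."""
import ipaddress

SUB_WORDS = {"authentication", "encryption", "hash", "group", "lifetime",
             "pre-shared-key", "nameif", "ip"}


def sample_cfg(my_ip, peer_ip, acl, psk, pairs):
    """Constructed sample config in the shape of the posted one (not a real device)."""
    acl_lines = [f"access-list {acl} extended permit ip {s} 255.255.255.0 {d} 255.255.255.0"
                 for s, d in pairs]
    return "\n".join([
        "interface GigabitEthernet0/0", " nameif outside",
        f" ip address {my_ip} 255.255.255.252",
        "crypto isakmp policy 5", " authentication pre-share", " encryption aes",
        " hash sha", " group 2", " lifetime 28800",
        f"tunnel-group {peer_ip} type ipsec-l2l",
        f"tunnel-group {peer_ip} ipsec-attributes", f" pre-shared-key {psk}",
        *acl_lines,
        "crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac",
        f"crypto map outside_map 1 match address {acl}",
        f"crypto map outside_map 1 set peer {peer_ip}",
        "crypto map outside_map 1 set pfs group2",
        "crypto map outside_map 1 set transform-set ESP-3DES-MD5",
    ])


LAN_PAIRS = [("192.168.2.0", "192.168.4.0"), ("192.168.3.0", "192.168.4.0")]
SITE1 = sample_cfg("192.168.1.1", "192.168.1.2", "site1_to_site2", "psk-placeholder", LAN_PAIRS)
SITE2 = sample_cfg("192.168.1.2", "192.168.1.1", "site2_to_site1", "psk-placeholder",
                   [(d, s) for s, d in LAN_PAIRS])  # mirror: swap source and destination


def parse_asa(text):
    """Extract phase 1 policy, PSKs, crypto ACLs, transform sets and crypto map entries."""
    cfg = {"policy": {}, "psk": {}, "acl": {}, "tset": {}, "map": {}, "outside_ip": None}
    ctx = None  # current sub-mode: ("policy", id) | ("tg", peer) | ("iface", state)
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw.startswith("crypto isakmp policy"):
            ctx = ("policy", w[3])
            cfg["policy"][w[3]] = {}
        elif w[0] == "tunnel-group" and w[2] == "ipsec-attributes":
            ctx = ("tg", w[1])
        elif w[0] == "interface":
            ctx = ("iface", {})
        elif w[0] == "access-list" and w[3:5] == ["permit", "ip"]:
            src, dst = ipaddress.ip_network(f"{w[5]}/{w[6]}"), ipaddress.ip_network(f"{w[7]}/{w[8]}")
            cfg["acl"].setdefault(w[1], set()).add((src, dst))
            ctx = None
        elif raw.startswith("crypto ipsec transform-set"):
            cfg["tset"][w[3]] = frozenset(w[4:])
            ctx = None
        elif raw.startswith("crypto map") and len(w) > 6 and w[3] != "interface":
            entry = cfg["map"].setdefault((w[2], w[3]), {})
            if w[4] == "match":
                entry["acl"] = w[6]
            elif w[4] == "set":
                entry[w[5]] = w[6]  # peer, pfs, transform-set
            ctx = None
        elif ctx and w[0] in SUB_WORDS:  # attribute line of the current sub-mode
            kind, ref = ctx
            if kind == "policy":
                cfg["policy"][ref][w[0]] = w[1]
            elif kind == "tg" and w[0] == "pre-shared-key":
                cfg["psk"][ref] = w[1]
            elif kind == "iface" and w[0] == "nameif":
                ref["name"] = w[1]
            elif kind == "iface" and ref.get("name") == "outside" and w[0] == "ip":
                cfg["outside_ip"] = w[2]
        else:
            ctx = None
    return cfg


def _policies(cfg):
    return {frozenset(p.items()) for p in cfg["policy"].values()}


def _entry_for_peer(cfg, peer):
    return next((e for e in cfg["map"].values() if e.get("peer") == peer), None)


def check_pair(a, b, test_src=None, test_dst=None):
    """Return findings for configs a and b as VPN peers; [] means consistent.
    Optionally check that a flow from a's LAN is interesting traffic on a."""
    out = []
    if not _policies(a) & _policies(b):
        out.append("phase 1: no ISAKMP policy matches on both peers")
    ea, eb = _entry_for_peer(a, b["outside_ip"]), _entry_for_peer(b, a["outside_ip"])
    if ea is None or eb is None:
        return out + ["crypto map: set peer does not reference the other side's outside address"]
    if a["psk"].get(ea["peer"]) is None or a["psk"].get(ea["peer"]) != b["psk"].get(eb["peer"]):
        out.append("tunnel-group: pre-shared keys differ or are missing")
    if a["tset"].get(ea.get("transform-set")) != b["tset"].get(eb.get("transform-set")):
        out.append("phase 2: transform sets differ")
    if ea.get("pfs") != eb.get("pfs"):
        out.append("phase 2: PFS settings differ")
    acl_a, acl_b = a["acl"].get(ea.get("acl"), set()), b["acl"].get(eb.get("acl"), set())
    if acl_a != {(d, s) for s, d in acl_b}:
        out.append("crypto ACL: entries are not exact mirrors of each other")
    if test_src and test_dst:
        src, dst = ipaddress.ip_address(test_src), ipaddress.ip_address(test_dst)
        if not any(src in s and dst in d for s, d in acl_a):
            out.append(f"interesting traffic: {test_src}->{test_dst} matches no crypto ACL entry")
    return out


def run_checks():
    """Mirror pair plus the bench test from the thread: a LAN host to the far LAN."""
    return check_pair(parse_asa(SITE1), parse_asa(SITE2), "192.168.2.10", "192.168.4.254")
```

Run `run_checks()` for the consistent pair and it returns an empty list; call `check_pair(parse_asa(SITE1), parse_asa(SITE2), "192.168.2.10", "192.168.1.2")` to see that a ping to the peer's outside address is reported as not matching the crypto ACL. On a real device, paste the output of `show running-config` for each peer in place of the sample strings; ACL lines using `host` or object groups are outside the subset this parser handles.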