Cisco Support Community

New Member

Issues creating a site-to-site VPN

I am trying to set up a site-to-site VPN for testing and going through http://www.ciscosecrets.info/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml, but I am still not able to establish the connection. I have attached the configs of both the 5520s that I'm using. What am I missing?

8 REPLIES
Cisco Employee

Re: Issues creating a site-to-site VPN

Hi,

ASA 1 is using an incorrect source in ACL 100, and ASA 3 is missing the crypto map outside_map 20 match address statement.

Also check the NAT exempt on both. Whatever the correct source is, it needs to be part of access-list 100 and the "no nat" ACL.

New Member

Re: Issues creating a site-to-site VPN

I fixed those two items and have gone back through the config.

When I run show crypto ipsec sa I get "There are no ipsec sas"; it is the same when I do a show crypto isakmp sa. So the tunnel is not being created. I have L2 connectivity between them. Running a crypto ipsec debug on FW1 (ASA1) gives me no results. Very, very confusing. I have done this in the past using two 5505s with no problems.

New Member

Re: Issues creating a site-to-site VPN

Unless this is just being challenging since the outside interfaces are on the same network. Is that possible?

Cisco Employee

Re: Issues creating a site-to-site VPN

I see you defined the 10.1.1.x network in the ACLs on ASA1:

access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0

On ASA3:

access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24

I assume you want to encrypt traffic from 172.16.1.x to 192.168.2.x and vice versa. If that is the case, make sure the ACLs on ASA1 look like this:

access-list 100 extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Also add the NAT exempt on ASA3:

nat (inside) 0 access-list nonat

How are you trying to initiate the tunnel? I assume you are pinging from a host on the 172.16.1.x subnet to the 192.168.2.x subnet, or vice versa.

Get these debugs from both devices:

debug crypto isakmp 128

debug crypto ipsec 128

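The mirror-image crypto ACL and NAT-exempt requirements described in the reply above, as an added checker that is not part of this thread or of any Cisco tool: it parses constructed config snippets modelled on the ACL lines quoted here (device names and the "inside" interface are assumptions) and reports both mistakes the reply identifies, the wrong source on ASA1 and the missing nat (inside) 0 on ASA3.

```python
import re

# Constructed config snippets modelled on the ACLs quoted in this thread:
# ASA1 with the suggested fix applied, ASA3 as posted (NAT exempt still missing).
ASA1_CFG = """
access-list 100 extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 20 match address 100
"""
ASA3_CFG = """
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map outside_map 20 match address 100
"""
ASA1_ORIG_CFG = ASA1_CFG.replace("172.16.1.0", "10.1.1.0")  # as first posted: wrong source

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
CRYPTO_RE = re.compile(r"crypto map \S+ \d+ match address (\S+)")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)")  # 'inside' interface assumed

def acl_entries(cfg, name):
    """(src, src_mask, dst, dst_mask) tuples of the named ACL, in order."""
    out = []
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            out.append(m.groups()[1:])
    return out

def mirrored(entries):
    """Swap source and destination: how the peer's ACL must be written."""
    return [(d, dm, s, sm) for s, sm, d, dm in entries]

def check_asa(local, peer):
    """Findings for one ASA given its config and the peer's; [] means consistent."""
    findings = []
    cm = CRYPTO_RE.search(local)
    if not cm:
        return ["crypto map entry has no 'match address' statement"]
    crypto = acl_entries(local, cm.group(1))
    pm = CRYPTO_RE.search(peer)
    if pm and acl_entries(peer, pm.group(1)) != mirrored(crypto):
        findings.append("crypto ACL is not the mirror image of the peer's crypto ACL")
    nm = NAT0_RE.search(local)
    if not nm:
        findings.append("no 'nat (inside) 0 access-list' (NAT exemption) configured")
    elif set(acl_entries(local, nm.group(1))) != set(crypto):
        findings.append("NAT-exempt ACL does not cover the same networks as the crypto ACL")
    return findings
```

Run check_asa(ASA1_CFG, ASA3_CFG) and check_asa(ASA3_CFG, ASA1_CFG) to check both ends; the first returns no findings, the second reports the missing NAT exemption, and check_asa(ASA1_ORIG_CFG, ASA3_CFG) reports the mismatched source.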
New Member

Re: Issues creating a site-to-site VPN

Yes, I am using ping to establish the tunnel. I have the debug set to 128 and I get no debug output to the console or to the log buffer.

When I do a ping from the ASDM I get "Routing failed to locate next hop for udp from NP Identity Ifc:172.16.1.1/448 to inside:192.168.2.1/39554"; however, when I look at the NAT configs for both devices they seem (are) correct.

ASA1

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

ASA2

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0

Cisco Employee

Re: Issues creating a site-to-site VPN

Try this if you are pinging from the ASA:

management-access inside

New Member

Re: Issues creating a site-to-site VPN

Michael,

May I ask you a question? Are you connecting both of the outside interfaces of the ASAs to the same switch? I want to set up a test to do a site-to-site VPN before I go out to the remote site. If you have any suggestions on how to set up a lab for site-to-site VPN, please let me know. Thanks.

New Member

Re: Issues creating a site-to-site VPN

Jill,

Yes, I was connecting the two outside interfaces to each other via a VLAN on a switch to test the IPsec tunnel, but this was just part 1 of a larger project I'm working on. I actually have three ASAs that I'm setting up for remote locations; once in place they will have redundancy back, so that if one of the ASAs or IPsec tunnels fails, traffic would be able to traverse the other tunnel.

Mike
