At our main office we have an ASA 5520 device that we connect to 3 or 4 other mini branches with an ASA 5505 at the other end.
This works well, but we need to add another mini branch. The site has an ISP router set up with a public IP. We plugged the new ASA 5505 into this router and configured it. We have also set up (again correctly, we think) the main ASA with a site-to-site VPN to this new remote site. However, we just don't seem to be able to get the devices to talk to each other. We just don't see the remote ASA connecting to the main ASA, and we don't see any messages on the remote ASA saying it is trying to connect to the main ASA.
We can PuTTY onto the remote ASA using its public IP from our main site, so it does seem to be connected to the internet.
Anyone have any ideas what we have done wrong or what we can check?
Attached is a copy of our config with the IPs removed...
Assuming that the peer IP in your crypto map is accurate, I would first validate the status of VLAN1? Do you have any other active devices patched into the ASA5505's e0/1-e0/7 ports or is only the outside interface attached? If there is a possibility that the hub will initiate the tunnel to the spoke, you will want to either configure "sysopt connection permit-vpn" or explicitly permit the IPSec protocols in your ingress ACL. I don't see PAT configured on this ASA. If you configure for PAT, you will want to be sure that you exempt the interesting traffic from the NAT process.
In your "show run", probably 2 or 3 pages into it, you will start seeing lines that begin with "crypto map". In fact, if you use "show run | include crypto map" it will give you only the output that contains those lines.
What you are looking for is something like this:
crypto map outside_map 80 set peer 10.5.16.128
The word "outside_map" refers to the crypto map's name that I used, "80" is the number I used to associate other commands with this peer, "set peer 10.5.16.128" is the IP address of my remote site's ASA.
Looking at your configuration, the exact line you are looking to verify is
"crypto map outside_map 20 set peer Main-ASA-IP"
Verify that your set peer ip address is the correct one on both ends.
Also remember that when setting up a site-to-site VPN on an ASA, the tunnel group name has to match the IP address of the "set peer" statement.
At the bottom of your "show run" you should see the tunnel-group configuration, typically it's just a few lines, the name of the tunnel (in this case the IP address of the remote client) and the pre-shared key.
I also see that you have NAT-T disabled; if you are behind any type of NAT on either side, you need to enable this, otherwise your tunnel will not stay up.
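The checks in this answer (every "set peer" has a matching ipsec-l2l tunnel-group and vice versa, the crypto map is applied to an interface, NAT-T and "sysopt connection permit-vpn" have not been turned off) can be run mechanically over a saved "show run". The script below is an added example, not the poster's config or anything from Cisco; the "show run" excerpt inside it is constructed sample data with documentation-range addresses, and it deliberately contains one peer without a tunnel-group and an explicit "no crypto isakmp nat-traversal" line so that the checker has something to report. Treating a missing line as "default" is an assumption: whether the platform default for a feature is on or off depends on the ASA version, so confirm it on the device.

```python
import re

# Constructed excerpt of an ASA "show run" (sample data, not a real device's config).
# Contains one consistent peer (203.0.113.10), one peer with no tunnel-group
# (198.51.100.7), and NAT-T explicitly disabled.
SAMPLE_RUN = """\
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 198.51.100.7
crypto map outside_map 30 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
no crypto isakmp nat-traversal
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)", re.M)
MAP_IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)", re.M)
L2L_GROUP_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l", re.M)


def parse_peers(run_text):
    """Return {peer_ip: (map_name, seq)} for every 'crypto map ... set peer' entry."""
    return {ip: (name, int(seq)) for name, seq, ip in PEER_RE.findall(run_text)}


def parse_map_interfaces(run_text):
    """Return {map_name: interface} for crypto maps that are applied to an interface."""
    return dict(MAP_IFACE_RE.findall(run_text))


def parse_l2l_groups(run_text):
    """Return the set of LAN-to-LAN tunnel-group names (these must equal the peer IPs)."""
    return set(L2L_GROUP_RE.findall(run_text))


def feature_state(run_text, keyword):
    """'disabled' if a 'no <keyword>' line exists, 'enabled' if '<keyword>' does,
    otherwise 'default' (assumption: the version-specific platform default applies)."""
    if re.search(rf"^no {re.escape(keyword)}\b", run_text, re.M):
        return "disabled"
    if re.search(rf"^{re.escape(keyword)}\b", run_text, re.M):
        return "enabled"
    return "default"


def check_config(run_text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    peers = parse_peers(run_text)
    groups = parse_l2l_groups(run_text)
    bound = parse_map_interfaces(run_text)

    # Every peer needs a tunnel-group named exactly after its IP (where the PSK lives).
    for ip, (name, seq) in sorted(peers.items()):
        if ip not in groups:
            findings.append(
                f"peer {ip} (crypto map {name} {seq}) has no 'tunnel-group {ip} type ipsec-l2l'")

    # A tunnel-group with no crypto map entry is usually a typo in one of the two places.
    for g in sorted(groups - set(peers)):
        findings.append(f"tunnel-group {g} has no crypto map 'set peer {g}'")

    # A crypto map that is never applied to an interface does nothing.
    for name in sorted({n for n, _ in peers.values()}):
        if name not in bound:
            findings.append(f"crypto map {name} is not applied to any interface")

    if feature_state(run_text, "crypto isakmp nat-traversal") == "disabled":
        findings.append("NAT-T is explicitly disabled; required if either side sits behind NAT")
    if feature_state(run_text, "sysopt connection permit-vpn") == "disabled":
        findings.append("sysopt connection permit-vpn is disabled; the outside ACL must permit IPsec")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_RUN) or ["no findings"]:
        print(line)
```

Paste the real output of "show run" into SAMPLE_RUN (or read it from a file) and run the script on both the hub and the spoke; the tunnel-group and peer checks must pass on each end independently, since each side names the other's address.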