1. Home
  2. Cisco Systems
  3. Site to Site VPN ASA 5505 not creating tunnel

Site to Site VPN ASA 5505 not creating tunnel

I am somewhat of a newbie at this stuff but I am trying to set up a site to site vpn using two Cisco ASA 5505's. I went through the wizard on the ADSM but I can't seem to get the tunnel to come up. I have it set up as follows:

Comp #1 --- cat5 --- (inside)ASA #1(outside) --- cat5 --- (outside)ASA #2(inside) --- cat5 --- Comp #2

IP addresses: Comp 1: 134.133.56.101 ASA 1 Inside: 134.131.56.251 ASA 1 Outside: 209.165.200.226 ASA 2 Outside: 209.165.200.236 ASA 2 Inside: 134.133.57.252 Comp 2: 134.133.57.102 Note: theses are static and will not be hooked up to the internet at any time. IP addresses were arbitrarily chosen.

Comp 1 can ping ASA 1 ASA 1 can ping ASA 2(inside only) ASA 2 can ping ASA 1(inside and outside) Comp 2 can ping ASA 2

I just tried the crossover and that didn't seem to do any thing. I have been messing with ASA 1 too much so ASA 2 actually has the config that is closer to being right. I have posted that down below. If you have any questions please ask. Any help is greatly appreciated.

CONFIG FOR ASA 2:

: Saved : ASA Version 8.0(4) ! hostname ciscoasb enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names name 134.133.56.0 inside-network2 ! interface Vlan1 nameif inside security-level 100 ip address 134.133.57.252 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address 209.165.200.236 255.255.255.0 ! interface Vlan5 no forward interface Vlan1 nameif dmz security-level 50 ip address dhcp ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive access-list outside_1_cryptomap extended permit ip 134.133.57.0

255.255.255.0 inside-network2 255.255.255.0 access-list inside_nat0_outbound extended permit ip 134.133.57.0 255.255.255.0 inside-network2 255.255.255.0 access-list outside_access_in extended permit ip any any pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 mtu dmz 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-613.bin no asdm history enable arp timeout 14400 nat (inside) 0 access-list inside_nat0_outbound nat (inside) 0 0.0.0.0 0.0.0.0 access-group outside_access_in in interface outside timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip- disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy http server enable http 134.133.0.0 255.255.0.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs crypto map outside_map 1 set peer 209.165.200.226 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map 1 set security-association lifetime seconds 28800 crypto map outside_map 1 set security-association lifetime kilobytes 4608000 crypto map outside_map interface outside crypto isakmp enable inside crypto isakmp enable outside crypto isakmp enable dmz crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd auto_config outside !

threat-detection basic-threat threat-detection statistics host threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy DfltGrpPolicy attributes vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn tunnel-group DefaultL2LGroup ipsec-attributes pre-shared-key * tunnel-group 209.165.200.226 type ipsec-l2l tunnel-group 209.165.200.226 ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp ! service-policy global_policy global prompt hostname context Cryptochecksum:ddfe8555ed8e621f9981d66890e80365 : end asdm image disk0:/asdm-613.bin asdm location inside-network2 255.255.255.0 inside no asdm history enable

Reply to
chunalt787
Loading thread data ...

How are you verifying your tunnel? From your description of what you can ping and from where, it sounds like your tunnel is up since you can ping the inside interfaces from the other devices.

Reply to
Justin G. Mitchell

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.