Site to Site VPN ASA 5505 not creating tunnel

Discussion in 'Cisco' started by chunalt787, Jul 20, 2009.

  1. chunalt787

    chunalt787 Guest

    I am somewhat of a newbie at this stuff but I am trying to set up a
    site to site vpn using two Cisco ASA 5505's. I went through the
    wizard on the ASDM but I can't seem to get the tunnel to come up. I
    have it set up as follows:

    Comp #1 --- cat5 --- (inside)ASA #1(outside) --- cat5 --- (outside)ASA
    #2(inside) --- cat5 --- Comp #2

    IP addresses:
    Comp 1: 134.133.56.101
    ASA 1 Inside: 134.131.56.251
    ASA 1 Outside: 209.165.200.226
    ASA 2 Outside: 209.165.200.236
    ASA 2 Inside: 134.133.57.252
    Comp 2: 134.133.57.102
    Note: these are static and will not be hooked up to the internet at
    any time. IP addresses were arbitrarily chosen.

    Comp 1 can ping ASA 1
    ASA 1 can ping ASA 2(inside only)
    ASA 2 can ping ASA 1(inside and outside)
    Comp 2 can ping ASA 2

    I just tried the crossover and that didn't seem to do anything. I
    have been messing with ASA 1 too much so ASA 2 actually has the config
    that is closer to being right. I have posted that down below. If you
    have any questions please ask. Any help is greatly appreciated.

    CONFIG FOR ASA 2:

    : Saved
    :
    ASA Version 8.0(4)
    !
    hostname ciscoasb
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 134.133.56.0 inside-network2
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 134.133.57.252 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 209.165.200.236 255.255.255.0
    !
    interface Vlan5
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address dhcp
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    access-list outside_1_cryptomap extended permit ip 134.133.57.0 255.255.255.0 inside-network2 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 134.133.57.0 255.255.255.0 inside-network2 255.255.255.0
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 0 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 134.133.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 209.165.200.226
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable dmz
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !

    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *
    tunnel-group 209.165.200.226 type ipsec-l2l
    tunnel-group 209.165.200.226 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:ddfe8555ed8e621f9981d66890e80365
    : end
    asdm image disk0:/asdm-613.bin
    asdm location inside-network2 255.255.255.0 inside
    no asdm history enable
     
    chunalt787, Jul 20, 2009
    #1

  2. On Jul 20, 9:41 am, chunalt787 <> wrote:
    > I am somewhat of a newbie at this stuff but I am trying to set up a
    > site to site vpn using two Cisco ASA 5505's.  I went through the
    > wizard on the ASDM but I can't seem to get the tunnel to come up.  I
    > have it set up as follows:
    >
    > Comp #1 --- cat5 --- (inside)ASA #1(outside) --- cat5 --- (outside)ASA
    > #2(inside) --- cat5 --- Comp #2
    >
    > IP addresses:
    > Comp 1: 134.133.56.101
    > ASA 1 Inside: 134.131.56.251
    > ASA 1 Outside: 209.165.200.226
    > ASA 2 Outside: 209.165.200.236
    > ASA 2 Inside: 134.133.57.252
    > Comp 2: 134.133.57.102
    > Note: these are static and will not be hooked up to the internet at
    > any time. IP addresses were arbitrarily chosen.
    >
    > Comp 1 can ping ASA 1
    > ASA 1 can ping ASA 2(inside only)
    > ASA 2 can ping ASA 1(inside and outside)
    > Comp 2 can ping ASA 2
    >
    > I just tried the crossover and that didn't seem to do anything. I
    > have been messing with ASA 1 too much so ASA 2 actually has the config
    > that is closer to being right. I have posted that down below. If you
    > have any questions please ask.  Any help is greatly appreciated.
    >


    How are you verifying your tunnel? From your description of what you
    can ping and from where, it sounds like your tunnel is up since you
    can ping the inside interfaces from the other devices.
     
    Justin G. Mitchell, Jul 21, 2009
    #2
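
An added example, not part of either post: a small Python check of which flows the posted ASA 2 crypto ACL (`outside_1_cryptomap`) would select for encryption, using the addresses exactly as written in the first post. The function names and the minimal parser are this example's own; it handles only the `name`, `access-list ... permit ip net mask net mask` and `crypto map ... match address` forms seen in this config.

```python
import ipaddress

# Lines copied from the posted ASA 2 config (wrapped lines joined).
CONFIG = """\
name 134.133.56.0 inside-network2
access-list outside_1_cryptomap extended permit ip 134.133.57.0 255.255.255.0 inside-network2 255.255.255.0
access-list inside_nat0_outbound extended permit ip 134.133.57.0 255.255.255.0 inside-network2 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 209.165.200.226
"""

def parse(config):
    """Return (names, acls, crypto_acl) extracted from the config text."""
    names, acls, crypto_acl = {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["name"]:
            names[t[2]] = t[1]                      # alias -> address
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            # Resolve 'names' aliases, then build (source, destination) networks.
            a = [names.get(x, x) for x in t[5:9]]
            pair = (ipaddress.ip_network(f"{a[0]}/{a[1]}"), ipaddress.ip_network(f"{a[2]}/{a[3]}"))
            acls.setdefault(t[1], []).append(pair)
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            crypto_acl = t[6]                       # ACL that selects tunnel traffic
    return names, acls, crypto_acl

def is_interesting(acls, acl_name, src, dst):
    """True if src -> dst matches a permit entry, i.e. is selected for the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in acls.get(acl_name, []))

def check_flows(config, flows):
    """Map each labelled (src, dst) flow to whether the crypto ACL selects it."""
    _, acls, crypto_acl = parse(config)
    return {k: is_interesting(acls, crypto_acl, s, d) for k, (s, d) in flows.items()}

# Flows built from the addresses as written in the first post.
FLOWS = {
    "Comp 2 -> Comp 1": ("134.133.57.102", "134.133.56.101"),
    "ASA 2 inside -> ASA 1 inside": ("134.133.57.252", "134.131.56.251"),
    "ASA 2 outside -> ASA 1 outside": ("209.165.200.236", "209.165.200.226"),
}

if __name__ == "__main__":
    for label, hit in check_flows(CONFIG, FLOWS).items():
        print(f"{label}: {'selected by crypto ACL' if hit else 'outside the crypto ACL'}")
```

Only a ping whose source and destination both fall inside the crypto ACL exercises the tunnel; `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA then show whether the security associations exist.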