Site to Site VPN ASA 5505 not creating tunnel

Discussion in 'Cisco' started by chunalt787, Jul 20, 2009.

  1. chunalt787

    chunalt787 Guest

    I am somewhat of a newbie at this stuff but I am trying to set up a
    site to site VPN using two Cisco ASA 5505's. I went through the
    wizard on the ASDM but I can't seem to get the tunnel to come up. I
    have it set up as follows:

    Comp #1 --- cat5 --- (inside)ASA #1(outside) --- cat5 --- (outside)ASA
    #2(inside) --- cat5 --- Comp #2

    IP addresses:
    Comp 1:
    ASA 1 Inside:
    ASA 1 Outside:
    ASA 2 Outside:
    ASA 2 Inside:
    Comp 2:
    Note: these are static and will not be hooked up to the internet at
    any time. IP addresses were arbitrarily chosen.

    Comp 1 can ping ASA 1
    ASA 1 can ping ASA 2(inside only)
    ASA 2 can ping ASA 1(inside and outside)
    Comp 2 can ping ASA 2

    I just tried the crossover and that didn't seem to do anything. I
    have been messing with ASA 1 too much so ASA 2 actually has the config
    that is closer to being right. I have posted that down below. If you
    have any questions please ask. Any help is greatly appreciated.


    : Saved
    ASA Version 8.0(4)
    hostname ciscoasb
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    name inside-network2
    interface Vlan1
    nameif inside
    security-level 100
    ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address
    interface Vlan5
    no forward interface Vlan1
    nameif dmz
    security-level 50
    ip address dhcp
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    access-list outside_1_cryptomap extended permit ip inside-network2
    access-list inside_nat0_outbound extended permit ip inside-network2
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 0
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 1 set security-association lifetime seconds
    crypto map outside_map 1 set security-association lifetime kilobytes
    crypto map outside_map interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable dmz
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside

    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *
    tunnel-group type ipsec-l2l
    tunnel-group ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    : end
    asdm image disk0:/asdm-613.bin
    asdm location inside-network2 inside
    no asdm history enable
    chunalt787, Jul 20, 2009
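An added configuration check, not Cisco tooling and not code from this thread, that walks an ASA-style running config for the pieces an ipsec-l2l tunnel needs before it can negotiate: a crypto map bound to an interface with ISAKMP enabled there, each map entry carrying match address, set peer and set transform-set, a crypto ACL that actually has entries, a tunnel-group named after the peer address with a pre-shared key, and a NAT exemption for the protected subnet. The sample config is constructed in the shape of the one posted above, with placeholder addresses.

```python
import re

# Constructed sample in the shape of the posted config, with placeholder (RFC 5737) addresses.
SAMPLE_CFG = """\
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.0.2.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key *
"""

def check_l2l(cfg: str) -> list:
    """Return the missing site-to-site prerequisites; an empty list means all are present."""
    lines = [l.strip() for l in cfg.splitlines()]
    problems = []
    bound = re.findall(r"^crypto map (\S+) interface (\S+)$", cfg, re.M)
    if not bound:
        return ["no crypto map is bound to an interface"]
    for cmap, iface in bound:
        if f"crypto isakmp enable {iface}" not in lines:
            problems.append(f"isakmp is not enabled on {iface}")
        by_seq = {}  # sequence number -> {attribute: value}
        for seq, key, val in re.findall(
                rf"^crypto map {cmap} (\d+) (match address|set peer|set transform-set) (\S+)$", cfg, re.M):
            by_seq.setdefault(seq, {})[key] = val
        for seq, attrs in by_seq.items():
            for key in ("match address", "set peer", "set transform-set"):
                if key not in attrs:
                    problems.append(f"{cmap} {seq}: missing '{key}'")
            acl, peer = attrs.get("match address"), attrs.get("set peer")
            if acl and not any(l.startswith(f"access-list {acl} ") for l in lines):
                problems.append(f"{cmap} {seq}: crypto ACL {acl} has no entries")
            if peer:
                if f"tunnel-group {peer} type ipsec-l2l" not in lines:
                    problems.append(f"{cmap} {seq}: no ipsec-l2l tunnel-group named {peer}")
                attr = f"tunnel-group {peer} ipsec-attributes"
                i = lines.index(attr) if attr in lines else -1
                if i < 0 or i + 1 >= len(lines) or not lines[i + 1].startswith("pre-shared-key"):
                    problems.append(f"{cmap} {seq}: no pre-shared-key under '{attr}'")
    if not any(l.startswith("nat (inside) 0 access-list ") for l in lines):
        problems.append("no NAT exemption (nat (inside) 0 access-list ...) for inside")
    return problems
```

A config that passes this check still only brings the tunnel up once traffic matching the crypto ACL is sent; the state is then confirmed on the box with show crypto isakmp sa and show crypto ipsec sa, not by pinging interface addresses.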

  2. How are you verifying your tunnel? From your description of what you
    can ping and from where, it sounds like your tunnel is up since you
    can ping the inside interfaces from the other devices.
    Justin G. Mitchell, Jul 21, 2009
