• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 197
  • Last Modified:

Can't get Site to Site VPN working using ASA 5505

Hello, I just setup my two Cisco ASA 5505's for Site to Site VPN using the VPN Wizard.  So what do I do next?  I can't ping  the other network from one of the computers on this network.  Here's my config, let me know if this is correct.  

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ehqk/MonoURni2Z2 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address (outside IP) 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 (gateway IP) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer (site2 IP)
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tunnel-group (site2 IP) type ipsec-l2l
tunnel-group (site2 IP) ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:e016ef41e086f6f17cf9836e331f3ab5
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

0
tourist08
Asked:
tourist08
  • 3
  • 2
1 Solution
 
batry_boyCommented:
Add the following lines to the above ASA configuration:

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat

You may also want to check the other ASA to see if it has complimentary statements as well...something like:

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
0
 
tourist08Author Commented:
Thank you.  That is what I was thinking I just couldn't find the proper command as I'm just learning the CLI.  I'm not in the office but I will try it tomorrow morning.  I'll let you know.  
0
 
tourist08Author Commented:
Ok that seemed to work.  thank you
0
 
tourist08Author Commented:
When I accept your answer as the solution are you automatically awarded the points?  Because it doesn't have a button that says accept and reward next to your name but it does on mine.  Just want to make sure you get the points.
0
 
batry_boyCommented:
Yes, I got the points...glad you got it working!
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now