Site to Site ASA 5505

I'm new to the ASA 5505s and I wanted to create a site-to-site tunnel here in my lab setup. I've read the Cisco setup pages along with various resources and configs to set this all up. I have even entered in sample configs from Cisco and various people online who created basic site-to-site tunnels, and still no dice. I've tried the ASDM several times and everything seems to look good, but the VPN light does not come on. I have both devices' outside ports plugged into a switch and a laptop on each end plugged into the inside ports, with mirrored configurations.

My question is: after going through the Startup Wizard and VPN Wizard (ASDM, which I think is ver 7.2(4)), will this create the whole tunnel start to finish? I've read that even if you use the VPN wizard there are still static routes that need to be added, along with interesting traffic, etc. I'm having trouble getting this VPN up. This is my intended setup, which I think is really basic. I'll give you the rundown before posting the config.
 
ASA-1
Vlan2 Outside 100.100.100.1
Vlan1 Inside 192.168.1.0

ASA-2
Vlan2 Outside 200.200.200.1
Vlan1 Inside 192.168.2.0

I would like to have connectivity, of course, from subnet to subnet. Thanks in advance.
seanramos Asked:

Ken Boone, Network Consultant, Commented:
Well, first of all, if you use those outside addresses and plug them into a switch, you need some type of layer 3 device in order for the two ASAs to be able to communicate with each other. Without a layer 3 router you cannot go from 100.100.100.x to 200.200.200.x. If all you have is a layer 2 switch, how about changing the public address on the second ASA to 100.100.100.2 instead of 200.200.200.x? This way the outside interfaces can talk to each other. The outside interfaces need to be able to reach each other before we can get the VPN working.
0
seanramos (Author) Commented:
I reconfigured both ASAs, 100.100.100.1 and 100.100.100.2, and I still can't get the VPN tunnel up; below are both of my configs. Thanks in advance.

ASA-1:
ASA Version 7.2(4)
!
hostname ASA-1
domain-name default.domain.invalid
enable password 0bmo3eDt1sgljTdM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 100.100.100.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!

tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b1efd70feb6e5cb0b7c465c27167c164


ASA-2:

ASA Version 7.2(4)
!
hostname ASA-2
domain-name default.domain.invalid
enable password 0bmo3eDt1sgljTdM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.100.100.2 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 100.100.100.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.129 inside
dhcpd enable inside
!

tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:831d186af34452aa554b3374d9202546
0
Ken Boone, Network Consultant, Commented:
OK, that looks good as far as tunnel configuration. The issue is that in order for something to go through a VPN tunnel, the traffic has to hit the outside interface. So when you are behind firewall #1 and try to reach the network behind firewall #2, the traffic comes into the inside interface of firewall #1, but there are no routes defined on the firewall, so it doesn't know where to send the traffic. Normally there is at least one default route configured on the firewall pointing to the next-hop gateway on the outside of the firewall. If you add:

route outside 0.0.0.0 0.0.0.0 100.100.100.2 to firewall #1

and a reciprocal route on firewall #2, the VPN traffic will flow through the outside interface, which would then send it into the VPN tunnel.

0

seanramos (Author) Commented:
OK, added the routes, 100.100.100.2 being ASA-1 and 100.100.100.1 being ASA-2. I saved the config to both, but I still don't get any communication or VPN light. Do I need to add more routes?
0
Ken Boone, Network Consultant, Commented:
Do you actually have devices on each one of the subnets? The VPN does not get built automatically. It has to have some VPN traffic attempt to enter the tunnel in order to bring it up. Are you waiting on the VPN light to come on, or are you actually attempting to send traffic from one LAN subnet to the other?
0
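The two answers above boil down to a consistency check across the pair of configs: each ASA's crypto-map peer must be the other's outside address, the crypto ACLs must mirror each other, and a default route out "outside" must exist so LAN traffic reaches the crypto map at all. The following Python checker is an added example, not code from the thread; `sample()` builds constructed excerpts in the shape of the ASA 7.2(4) configs posted above, and the function and message names are my own.

```python
import re

def sample(inside, outside, far_inside, far_outside, with_route):
    """Constructed excerpt in the shape of the ASA 7.2(4) configs posted above
    (only the lines the site-to-site tunnel depends on)."""
    lines = [
        "interface Vlan2", " nameif outside", f" ip address {outside} 255.255.255.0",
        f"access-list outside_1_cryptomap extended permit ip {inside} 255.255.255.0 {far_inside} 255.255.255.0",
        "crypto map outside_map 1 match address outside_1_cryptomap",
        f"crypto map outside_map 1 set peer {far_outside}",
    ]
    if with_route:  # the default route the answer above says was missing
        lines.append(f"route outside 0.0.0.0 0.0.0.0 {far_outside} 1")
    return "\n".join(lines)

def parse(cfg):
    # Collect outside address, crypto-map peer, crypto ACL entries and default route.
    info = {"outside_ip": None, "peer": None, "acl_name": None, "default_route": None, "acls": {}}
    in_outside = False
    for line in cfg.splitlines():
        if line.startswith("interface "):
            in_outside = False
        elif line.strip() == "nameif outside":
            in_outside = True
        elif in_outside and line.startswith(" ip address "):
            info["outside_ip"] = line.split()[2]
        for key, pat in (("peer", r"crypto map \S+ \d+ set peer (\S+)"),
                         ("acl_name", r"crypto map \S+ \d+ match address (\S+)"),
                         ("default_route", r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)")):
            if m := re.match(pat, line):
                info[key] = m.group(1)
        if m := re.match(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)", line):
            info["acls"].setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
    info["crypto_acl"] = info["acls"].get(info["acl_name"], set())
    return info

def check_side(local, remote):
    """Problems on `local` that would stop the tunnel to `remote` from coming up."""
    problems = []
    if local["peer"] != remote["outside_ip"]:
        problems.append("peer address does not match the far side's outside interface")
    if local["default_route"] is None:
        problems.append("no default route via outside: LAN traffic never reaches the crypto map")
    mirrored = {(dst, src) for src, dst in remote["crypto_acl"]}  # far side's ACL, reversed
    if not local["crypto_acl"] or local["crypto_acl"] != mirrored:
        problems.append("crypto ACL is not the mirror image of the peer's crypto ACL")
    return problems

def check_lab(with_routes):
    # Both ASAs from the thread, with or without the default routes added later.
    asa1 = parse(sample("192.168.1.0", "100.100.100.1", "192.168.2.0", "100.100.100.2", with_routes))
    asa2 = parse(sample("192.168.2.0", "100.100.100.2", "192.168.1.0", "100.100.100.1", with_routes))
    return {"ASA-1": check_side(asa1, asa2), "ASA-2": check_side(asa2, asa1)}
```

Running `check_lab(False)` reproduces the state of the posted configs (default route missing on both sides); `check_lab(True)` reports nothing, matching the point that the tunnel then only waits for interesting traffic from a host on each LAN.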

seanramos (Author) Commented:
Thank you so much, you were right. I plugged in both laptops on each end and the VPN came right up; I'm able to ping from both sides! Now I just need to learn how to harden a VPN tunnel. Thanks again!
0