
Site 2 Site - Cisco ASA 5505 & ASA 5550

Last Modified: 2012-06-27
Hi

I am having some trouble setting up a site-to-site VPN connection between a Cisco ASA 5505 and a Cisco ASA 5550.

I have run the wizard on both ends to setup the connection. I have entered the local address list and the remote address list on both sides.

The problem is I am not able to bring the tunnel up, and I don't see any logs on either end trying to get the tunnel connected.

Can you advise as to what should be done in order for the tunnel to come up? There is a default tunnel gateway configured on both ends.

Thank you in advance

CERTIFIED EXPERT

Commented:
From a PC, not the ASA, ping a server/PC on the remote network; this will bring the tunnel up. From the ASA that the PC is connected to, use the ASDM to watch the logs for any errors. You should be able to see that the tunnel is up on the home screen or from Monitoring.

If you get errors and need further help, please post the errors and the scrubbed configs of the ASA devices.

Regards,

3nerds

Author

Commented:
Thanks for your reply.

I have my PC connected to the ASA and I have a ping -t to one host machine on the remote network. I don't see any error messages nor logs regarding any traffic that is trying to attempt a connection.

I am not sure what is wrong. From the ASA on both ends, I can ping each of them, but beyond that, there is no connection.

CERTIFIED EXPERT

Commented:
On the "HOME" screen of the ASDM there is a box with the heading "VPN Tunnels". What do the numbers under each area of the box say?

Or

Click Monitoring --> VPN

Expand VPN Statistics and select Sessions.

In the "Filtered By" drop-down, select "IPSEC Site to Site".

Click Refresh and see if the tunnel is up.

Regards,

3nerds

Author

Commented:
On the home page,

VPN Tunnels:
IKE - 0
IPSec - 0
WebVPN - 0
SVC - 0

Everything is "0".

On the Cisco ASA 5505, I have a cable modem that is connected to the internet. Is there any traffic that is being blocked via the cable modem by default?
CERTIFIED EXPERT

Commented:
Is there any traffic that is being blocked via the cable modem by default? --> not normally

So the tunnels are not coming up. The next step is configs if you want further help.

Regards,

3nerds

Author

Commented:
Alright, just a moment please. I'll send it in 5 minutes.


Thanks

Author

Commented:
Hi

I've attached the config file for the ASA 5505.

thanks
asa.txt

Commented:
I don't see the following in your asa.txt:
tunnel-group x.x.x.x ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key
CERTIFIED EXPERT

Commented:
Your config doesn't have any tunnel-groups and the crypto map seems off.

Is it possible that you didn't complete the wizard when you did the initial setup?

Regards,

3nerds

Author

Commented:
One sec, let me verify this again.

Author

Commented:
Sorry, guess I missed it.


tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *
!


CERTIFIED EXPERT

Commented:
What you have there is correct.

Do you also have this?
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

?

3nerds

Author

Commented:
Yes, I have them also.

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *

I honestly don't know why it isn't coming up.

Author

Commented:
The class which the ASA 5505 has is 10.110.137.192/26

and

The ASA 5550 has a class of 10.0.0.0/8


Author

Commented:
Is it possible for me to have 10.0.0.0/24 instead of 10.0.0.0/8 on the site where the ASA 5550 is?

ASA 5550 is the main office
ASA 5505 is the branch office

The main idea behind this setup is that the branch office gets connected to the main office using a site-to-site VPN and all traffic passes out through the tunnel.

The network in the main office is 10.0.0.0/8. Now on the branch office (new office), I'm not sure if they will be putting in another class of address range other than class 10.

Can you suggest a way to work this thing out?

Thanks

Author

Commented:
I guess I'll work this out when I go to the office tomorrow.

Thanks, will update you tomorrow

CERTIFIED EXPERT

Commented:
I would find out from your main office what true range they are using. They may be using a /8 mask for ease of use and may really be able to switch to a /16, which would then be fine as long as your branch site does not use a range overlapping the main site.

Good Luck,

3nerds

Author

Commented:
Thanks. The class that is being used in the main office is 10.0.0.0/24 and in the branch office is 10.110.137.192/26. Will this work out to be fine?

Author

Commented:
Actually, it is different 10 range networks having a subnet of /24. It would be 10.100.10.0/24... 10.100.50.0/24 and so on. The branch office having the network of /26 will need to access all the 10 class networks of the main office.

Based on this, I was told to enter the local address of 10.0.0.0/8 and the remote address as the /26 on the main office, and vice versa on the branch office.

Author

Commented:
Thanks 3nerds.

The issue has been solved. Looks like there was no route on the main office ASA for 10.x.x.x/26 to point out through the tunnel. I have to go to the main office and have a look at it. For now, the issue is solved. I will respond when I get there.

Thanks again for your support
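The two configuration pitfalls the thread ends on, a /8 "local" range at the main office that swallows the branch's /26 and a missing route sending the branch prefix out the tunnel interface, can be checked offline before touching either ASA. The following is an added example, not code from the thread or from Cisco; the route tables and interface names are constructed to mirror the setup described above.

```python
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the thread: the main office (ASA 5550) lists
# 10.0.0.0/8 as local, the branch (ASA 5505) is 10.110.137.192/26.
MAIN_OFFICE = ("10.0.0.0/8", "10.110.137.192/26")    # (local, remote) on the 5550
BRANCH_OFFICE = ("10.110.137.192/26", "10.0.0.0/8")  # mirror image on the 5505


def mirror_mismatches(side_a, side_b):
    """Crypto ACLs of an L2L tunnel must be mirror images: every (local, remote)
    pair on side A must appear as (remote, local) on side B. Returns the pairs
    on A that B does not mirror, as 'local -> remote' strings."""
    a = {(ip_network(l), ip_network(r)) for l, r in side_a}
    b = {(ip_network(r), ip_network(l)) for l, r in side_b}
    return sorted(f"{l} -> {r}" for l, r in a - b)


def overlapping_pairs(pairs):
    """Return (local, remote) pairs whose ranges overlap. An overlap means one
    side's 'remote' sits inside its own 'local' range, which is exactly the
    /8-versus-/26 situation in the thread and makes routing ambiguous."""
    return [(l, r) for l, r in pairs if ip_network(l).overlaps(ip_network(r))]


def next_hop(dest, routes):
    """Longest-prefix match over (prefix, interface) static routes, mimicking
    how the ASA picks the egress interface before the crypto map is consulted."""
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if ip_address(dest) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def branch_reachable_via_tunnel(routes, branch_host="10.110.137.200", tunnel_iface="outside"):
    """True only if the main-office route table sends the branch host out the
    interface the crypto map is applied to; otherwise traffic to the branch is
    forwarded inside and never triggers the tunnel (the symptom in the thread)."""
    return next_hop(branch_host, routes) == tunnel_iface


# Constructed main-office route tables: before and after the fix described above.
ROUTES_BEFORE = [("10.0.0.0/8", "inside"), ("0.0.0.0/0", "outside")]
ROUTES_AFTER = ROUTES_BEFORE + [("10.110.137.192/26", "outside")]

if __name__ == "__main__":
    print("mirror mismatches:", mirror_mismatches([MAIN_OFFICE], [BRANCH_OFFICE]))
    print("overlapping pairs:", overlapping_pairs([MAIN_OFFICE]))
    print("branch via tunnel before fix:", branch_reachable_via_tunnel(ROUTES_BEFORE))
    print("branch via tunnel after fix:", branch_reachable_via_tunnel(ROUTES_AFTER))
```

Replacing the /8 with the real per-site /24s (10.100.10.0/24 and so on) makes the overlap check pass as well, which is what the expert's advice about avoiding overlapping ranges amounts to.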
CERTIFIED EXPERT

Commented:
Cool, glad to hear you found it.

Regards,

3nerds