Solved

Site 2 Site - Cisco ASA 5505 & ASA 5550

Posted on 2009-07-06
Last Modified: 2012-06-27
Hi

I am having some trouble setting up a site to site VPN connection between a Cisco ASA 5505 and a Cisco ASA 5550.

I have run the wizard on both ends to setup the connection. I have entered the local address list and the remote address list on both sides.

The problem is I am not able to bring the tunnel up and I don't see any logs on either end trying to get the tunnel connected.

Can you advise as to what should be done in order for the tunnel to come up? There is a default tunnel gateway configured on both ends.

Thank you in advance
Question by:enterprise-it
27 Comments
 
LVL 13

Expert Comment

by:3nerds
ID: 24788121
From a PC, not the ASA, ping a server/PC on the remote network; this will bring the tunnel up. From the ASA that the PC is connected to, use the ASDM to watch the logs for any errors. You should be able to see that the tunnel is up on the home screen or from Monitoring.

If you get errors and need further help, please post the errors and the scrubbed configs of the ASA devices.

Regards,

3nerds
0
 

Author Comment

by:enterprise-it
ID: 24788251
Thanks for your reply.

I have my PC connected to the ASA and I have a ping -t to one host machine on the remote network. I don't see any error messages nor logs regarding any traffic that it is trying to attempt a connection.

I am not sure what is wrong. From the ASA on both ends, I can ping each other, but beyond that, there is no connection.

0
 
LVL 13

Expert Comment

by:3nerds
ID: 24788313
On the "Home" screen of the ASDM there is a box with the heading "VPN Tunnels". What do the numbers under each area of the box say?

Or

Click Monitoring --> VPN

Expand VPN Statistics and select Sessions.

In the "Filtered By" drop-down, select "IPSEC Site to Site".

Click Refresh and see if the tunnel is up.

Regards,

3nerds
0
 

Author Comment

by:enterprise-it
ID: 24788364
On the home page,

VPN Tunnels:
IKE - 0
IPSec - 0
WebVPN - 0
SVC - 0

Everything is "0"
On the Cisco ASA 5505, I have a cable modem that is connected to the internet. Is there any traffic that is being blocked via a cable modem by default?
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24788422
Is there any traffic that is being blocked via cable modem by default? --> not normally

So the tunnels are not coming up. The next step is configs if you want further help.

Regards,

3nerds
0
 

Author Comment

by:enterprise-it
ID: 24788460
Alright, just a moment please. I'll send it in 5 minutes.


Thanks
0
 

Author Comment

by:enterprise-it
ID: 24788554
Hi

I've attached the config file for the ASA 5505.

thanks
asa.txt
0
 
LVL 5

Expert Comment

by:oalva
ID: 24788677
I don't see the following in your asa.txt:
tunnel-group x.x.x.x ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24788728
Your config doesn't have any tunnel-groups and the crypto map seems off.

Is it possible that you didn't complete the wizard when you did the initial setup?

Regards,

3nerds
0
 

Author Comment

by:enterprise-it
ID: 24788759
One sec, let me verify this again.
0
 

Author Comment

by:enterprise-it
ID: 24788779
Sorry, guess I missed it.


tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *
!


0
 
LVL 13

Assisted Solution

by:3nerds
3nerds earned 500 total points
ID: 24788793
Here are the pieces that you will normally see.

crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer x.x.x.x
crypto map Outside_map 1 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Other pieces that will be needed are the NO NAT and the crypto ACLs.

Regards,

3nerds
0
 

Accepted Solution

by:
enterprise-it earned 0 total points
ID: 24788839
I have the following on the config file


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer y.y.y.y
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400



Can you advise the right setup?

Thanks
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24788923
What you have there is correct.

Do you also have this?
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

?

3nerds
0
 

Author Comment

by:enterprise-it
ID: 24789119
Yes, I have them also.

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *

I honestly don't know why it isn't coming up.
0
 
LVL 13

Assisted Solution

by:3nerds
3nerds earned 500 total points
ID: 24789174
OK, the other part is your crypto map; it is off a bit.

access-list outside_1_cryptomap extended permit ip 10.110.137.192 255.255.255.192 10.0.0.0 255.0.0.0

You can't have both 10.110 as a class C and tell it to send traffic to a 10.0 class A, as it will never come back.

What is the subnet of the remote site?

3nerds
0
 
LVL 13

Assisted Solution

by:3nerds
3nerds earned 500 total points
ID: 24789196
If your no-NAT is correct:

access-list inside_nat0_outbound extended permit ip 10.110.137.192 255.255.255.192 10.0.0.0 255.255.255.0

then your crypto probably needs to look like this:

access-list outside_1_cryptomap extended permit ip 10.110.137.192 255.255.255.192 10.0.0.0 255.255.255.0

Keep in mind this needs to be correct on both ASA devices.


3nerds
0
 

Author Comment

by:enterprise-it
ID: 24789222
The class which the ASA 5505 has is 10.110.137.192/26

and

The ASA 5550 has a class of 10.0.0.0/8

0
 
LVL 13

Assisted Solution

by:3nerds
3nerds earned 500 total points
ID: 24789242
That is your problem then.

The ASA 5550 thinks that every address under 10.x.x.x is local and will never go to the remote site. You have to have different subnets at each site; you are overlapping, so one site will have to change to make this function.

Regards,

3nerds
0
 

Author Comment

by:enterprise-it
ID: 24789307
Is it possible for me to have 10.0.0.0/24 instead of 10.0.0.0/8 on the site where the ASA 5550 is?

ASA 5550 is the main office
ASA 5505 is the branch office

The main idea behind this setup is so that the branch office gets connected to the main office using a site to site VPN and all traffic passes out through the tunnel.

The network on the main office is 10.0.0.0/8. Now on the branch office (new office) I'm not sure if they will be putting another class of address range other than class 10.

Can you suggest a way to work this thing out?

Thanks
0
 

Author Comment

by:enterprise-it
ID: 24789478
I guess I'll work this out when I go to the office tomorrow.

Thanks, will update you tomorrow

0
 
LVL 13

Expert Comment

by:3nerds
ID: 24794135
I would find out from your main office what true range they are using. They may be using a /8 mask for ease of use and may really be able to switch to a /16, which would then be fine as long as your branch site does not use a range overlapping the main site.

Good Luck,

3nerds

0
 

Author Comment

by:enterprise-it
ID: 24794189
Thanks. The class that is being used in the main office is 10.0.0.0/24 and in the branch office is 10.110.137.192/26. Will this work out to be fine?
0
 

Author Comment

by:enterprise-it
ID: 24794225
Actually, it is different 10 range networks having a subnet of /24. It would be 10.100.10.0/24... 10.100.50.0/24 and so on. Then the branch office having the network of /26 will be needing to access all the 10 class networks of the main office.

Based on this, I was told to enter the local address of 10.0.0.0/8 and remote address as /26 on the main office and vice versa on the branch office.
0
 
LVL 13

Assisted Solution

by:3nerds
3nerds earned 500 total points
ID: 24794572
It should work as long as they don't overlap the branch.

Possibly something like this:


access-list outside_1_cryptomap extended permit ip 10.110.137.192 255.255.255.192 10.100.0.0 255.255.0.0

Regards,

3nerds
0
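An added example, not from this thread or from Cisco: a small Python check for the two things 3nerds keeps coming back to, that the crypto ACL on each ASA is the mirror image of the peer's and that the NO-NAT ACL matches it, plus the overlap problem (the /26 branch inside the /8 main-office range). The ACE strings are constructed from the thread's addresses; the corrected pair uses the 10.100.0.0/16 suggestion above.

```python
import ipaddress

# Constructed sample ACEs in ASA syntax, modelled on the thread: the branch
# (ASA 5505) side with the /8 remote range, the matching main-office side,
# and the corrected pair that uses 10.100.0.0/16 instead of 10.0.0.0/8.
BRANCH_ACL = ("access-list outside_1_cryptomap extended permit ip "
              "10.110.137.192 255.255.255.192 10.0.0.0 255.0.0.0")
MAIN_ACL = ("access-list outside_1_cryptomap extended permit ip "
            "10.0.0.0 255.0.0.0 10.110.137.192 255.255.255.192")
BRANCH_ACL_FIXED = ("access-list outside_1_cryptomap extended permit ip "
                    "10.110.137.192 255.255.255.192 10.100.0.0 255.255.0.0")
MAIN_ACL_FIXED = ("access-list outside_1_cryptomap extended permit ip "
                  "10.100.0.0 255.255.0.0 10.110.137.192 255.255.255.192")
BRANCH_NAT0 = ("access-list inside_nat0_outbound extended permit ip "
               "10.110.137.192 255.255.255.192 10.100.0.0 255.255.0.0")


def parse_ace(line):
    """Return (source_net, destination_net) from an 'extended permit ip' ACE."""
    fields = line.split()
    if "ip" not in fields:
        raise ValueError("not an 'extended permit ip' ACE: " + line)
    i = fields.index("ip")
    # ASA writes dotted masks (255.255.255.192); ipaddress accepts that form.
    src = ipaddress.ip_network(f"{fields[i + 1]}/{fields[i + 2]}", strict=True)
    dst = ipaddress.ip_network(f"{fields[i + 3]}/{fields[i + 4]}", strict=True)
    return src, dst


def check_tunnel(local_crypto, peer_crypto, local_nat0=None):
    """Return the list of problems found; an empty list means the ACEs look sane."""
    l_src, l_dst = parse_ace(local_crypto)
    p_src, p_dst = parse_ace(peer_crypto)
    problems = []
    # The peer's crypto ACE must be the mirror image of ours (it has to be
    # correct on both ASAs), or the proxy IDs will not agree at IKE time.
    if (l_src, l_dst) != (p_dst, p_src):
        problems.append("crypto ACLs are not mirror images of each other")
    # Overlapping local/remote ranges: the peer owning the larger range treats
    # the other site as local, so its traffic never reaches the crypto map.
    if l_src.overlaps(l_dst):
        problems.append(f"local {l_src} overlaps remote {l_dst}")
    # NAT exemption must cover exactly the interesting traffic, or packets get
    # translated on the way out and no longer match the crypto ACL.
    if local_nat0 is not None and parse_ace(local_nat0) != (l_src, l_dst):
        problems.append("nat0 ACL does not match the crypto ACL")
    return problems
```

Run check_tunnel on both sides' ACEs before bringing the tunnel up; an empty list does not prove the tunnel will work, but any entry in it will keep the tunnel down.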
 

Author Comment

by:enterprise-it
ID: 24794944
Thanks 3nerds.

The issue has been solved. Looks like there was no route on the main office ASA for 10.x.x.x/26 to point out through the tunnel. I have to go to the main office and have a look at it. For now, the issue is solved. Will respond when I get there.

Thanks again for your support
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24795036
Cool, glad to hear you found it.

Regards,

3nerds
0