Site 2 Site - Cisco ASA 5505 & ASA 5550

Hi

I am having some trouble setting up a site-to-site VPN connection between a Cisco ASA 5505 and a Cisco ASA 5550.

I have run the wizard on both ends to setup the connection. I have entered the local address list and the remote address list on both sides.

The problem is I am not able to bring the tunnel up, and I don't see any logs on either end of it trying to get the tunnel connected.

Can you advise as to what should be done in order for the tunnel to come up? There is a default tunnel gateway configured on both ends.

Thank you in advance
enterprise-it asked:
3nerds commented:
From a PC, not the ASA, ping a server/PC on the remote network; this will bring the tunnel up. On the ASA that the PC is connected to, use the ASDM to watch the logs for any errors. You should be able to see the tunnel is up on the home screen or from Monitoring.

If you get errors and need further help, please post the errors and the scrubbed configs of the ASA devices.

Regards,

3nerds
0
enterprise-it (author) commented:
Thanks for your reply.

I have my PC connected to the ASA and I have a ping -t to one host machine on the remote network. I don't see any error messages nor logs regarding any traffic that it is trying to attempt connection with.

I am not sure what is wrong. From the ASA on both ends, I can ping the other end, but beyond that, there is no connection.

0
3nerds commented:
On the "Home" screen of the ASDM there is a box with the heading "VPN Tunnels". What do the numbers under each area of the box say?

Or

Click Monitoring --> VPN

Expand VPN Statistics and select Sessions.

In the "Filtered By" drop-down select "IPsec Site-to-Site".

Click Refresh and see if the tunnel is up.

Regards,

3nerds
0
enterprise-it (author) commented:
On the home page,

VPN Tunnels:
IKE - 0
IPSec - 0
WebVPN - 0
SVC - 0

Everything is "0"
On the Cisco ASA 5505, I have a cable modem that is connected to the internet. Is there any traffic that is being blocked via the cable modem by default?
0
3nerds commented:
Is there any traffic that is being blocked via the cable modem by default? --> not normally

So the tunnels are not coming up. Next step is configs if you want further help.

Regards,

3nerds
0
enterprise-it (author) commented:
Alright, just a moment please. I'll send it in 5 minutes.


Thanks
0
enterprise-it (author) commented:
Hi

I've attached the config file for the ASA 5505.

thanks
asa.txt
0
oalva commented:
I don't see the following in your asa.txt:
tunnel-group x.x.x.x ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key
0
3nerds commented:
Your config doesn't have any tunnel-groups, and the crypto map seems off.

Is it possible that you didn't complete the wizard when you did the initial setup?

Regards,

3nerds
0
enterprise-it (author) commented:
One sec, let me verify this again.
0
enterprise-it (author) commented:
Sorry, guess I missed it.


tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *
!


0
3nerds commented:
Here are the pieces that you will normally see.

crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer x.x.x.x
crypto map Outside_map 1 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Other pieces that will be needed are the NO NAT and the crypto ACLs.

Regards,

3nerds
0
enterprise-it (author) commented:
I have the following on the config file


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer y.y.y.y
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400



Can you advise the right setup?

Thanks
0

3nerds commented:
What you have there is correct.

Do you also have this?
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

?

3nerds
0
enterprise-it (author) commented:
Yes, I have them also.

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *

I honestly don't know why it isn't coming up.
0
3nerds commented:
OK, the other part is your crypto map; it is off a bit.

access-list outside_1_cryptomap extended permit ip 10.110.137.192 255.255.255.192 10.0.0.0 255.0.0.0

You can't have both 10.110 as a class C and tell it to send traffic to a 10.0 class A, as it will never come back.

What is the subnet of the remote site?

3nerds
0
3nerds commented:
If your no-NAT is correct:

access-list inside_nat0_outbound extended permit ip 10.110.137.192 255.255.255.192 10.0.0.0 255.255.255.0

then your crypto probably needs to look like this:

access-list outside_1_cryptomap extended permit ip 10.110.137.192 255.255.255.192 10.0.0.0 255.255.255.0

Keep in mind this needs to be correct on both ASA devices.


3nerds
0
enterprise-it (author) commented:
The class which the ASA 5505 has is 10.110.137.192/26

and

the ASA 5550 has a class of 10.0.0.0/8.

0
3nerds commented:
That is your problem then.

The ASA 5550 thinks that every address under 10.x.x.x is local and will never go to the remote site. You have to have different subnets at each site; you are overlapping, so one site will have to change to make this function.

Regards,

3nerds
0
enterprise-it (author) commented:
Is it possible for me to have 10.0.0.0/24 instead of 10.0.0.0/8 on the site where the ASA 5550 is?

ASA 5550 is the main office
ASA 5505 is the branch office

The main idea behind this setup is that the branch office gets connected to the main office using a site-to-site VPN and all traffic passes out through the tunnel.

The network in the main office is 10.0.0.0/8. Now on the branch office (new office) I'm not sure if they will be putting another class of address range other than class 10.

Can you suggest a way to work this thing out?

Thanks
0
enterprise-it (author) commented:
I guess I'll work this out when I go to the office tomorrow.

Thanks, will update you tomorrow

0
3nerds commented:
I would find out from your main office what true range they are using. They may be using a /8 mask for ease of use and may really be able to switch to a /16, which then, as long as your branch site does not use a range overlapping the main site, would be fine.

Good Luck,

3nerds

0
enterprise-it (author) commented:
Thanks. The class that is being used in the main office is 10.0.0.0/24 and in the branch office is 10.110.137.192/26. Will this work out to be fine?
0
enterprise-it (author) commented:
Actually, it is different 10 range networks having a subnet of /24. It would be 10.100.10.0/24... 10.100.50.0/24 and so on. Then the branch office, having the network of /26, will be needing to access all the class 10 networks of the main office.

Based on this,,, I was told to enter the local address of 10.0.0.0/8 and remote address as /26 on the main office and vice versa on the branch office.
0
3nerds commented:
It should work as long as they don't overlap the branch.

Possibly something like this:


access-list outside_1_cryptomap extended permit ip 10.110.137.192 255.255.255.192 10.100.0.0 255.255.0.0

Regards,

3nerds
0
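The ACL problems 3nerds points at in the posts above (the crypto ACL naming 10.0.0.0/8 while the nat0 ACL names 10.0.0.0/24, the remote /8 swallowing the branch's own 10.110.137.192/26, and the narrowed 10.100.0.0/16 entry that fixes it) can be checked mechanically before a tunnel is ever brought up. The script below is an added example; it is not from the thread and is not Cisco tooling. It parses constructed config lines that reuse the thread's addresses, with documentation-range peer addresses (203.0.113.10 for the main office, 198.51.100.20 for the branch) standing in for x.x.x.x and y.y.y.y, and reports three things for one side of the pair: local/remote overlap, crypto ACL entries the peer does not mirror, and crypto traffic the NAT exemption does not cover. The last function shows why 3nerds says to ping from a PC rather than from the ASA: only traffic matching the crypto ACL triggers IKE, and a packet sourced from the firewall's own outside address (the egress interface is the default source when the ASA itself pings) does not match it.

```python
"""Consistency checks for a pair of ASA IPsec L2L crypto ACLs.

Added example; not from the thread and not Cisco's code. The config
fragments below are constructed to mirror the addresses discussed:
branch 10.110.137.192/26, main office 10.0.0.0/8 as first configured,
10.100.0.0/16 as suggested. Peer IPs are documentation-range placeholders.
"""
import ipaddress
import re

# Constructed: branch (ASA 5505) and main office (ASA 5550) as first posted.
# The branch's crypto ACL and nat0 ACL disagree (/8 vs /24), and the remote
# /8 contains the branch's own /26.
BRANCH_CFG = """
access-list outside_1_cryptomap extended permit ip 10.110.137.192 255.255.255.192 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.110.137.192 255.255.255.192 10.0.0.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
"""
MAIN_CFG = """
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.110.137.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.110.137.192 255.255.255.192
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.20
"""

# Constructed: the same pair after narrowing the main office to 10.100.0.0/16.
BRANCH_FIXED = """
access-list outside_1_cryptomap extended permit ip 10.110.137.192 255.255.255.192 10.100.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.110.137.192 255.255.255.192 10.100.0.0 255.255.0.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
"""
MAIN_FIXED = """
access-list outside_1_cryptomap extended permit ip 10.100.0.0 255.255.0.0 10.110.137.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 10.110.137.192 255.255.255.192
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.20
"""

ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit ip "
    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+)$"
)
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.M)


def parse_acl(cfg, name):
    """Return [(src_net, dst_net)] for the 'permit ip' entries of ACL `name`."""
    nets = []
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}")
            dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}")
            nets.append((src, dst))
    return nets


def crypto_acl(cfg):
    """Entries of the ACL bound to the crypto map by 'match address'."""
    m = MATCH_RE.search(cfg)
    return parse_acl(cfg, m.group(1)) if m else []


def check_pair(local_cfg, remote_cfg, nat0_name="inside_nat0_outbound"):
    """Return the problems found on the local side; [] means it is consistent."""
    problems = []
    local, remote = crypto_acl(local_cfg), crypto_acl(remote_cfg)
    mirrored = {(dst, src) for src, dst in remote}
    nat0 = parse_acl(local_cfg, nat0_name)
    for src, dst in local:
        # Overlap: if the remote range contains (or sits inside) the local one,
        # the box treats those addresses as local and never tunnels them.
        if src.overlaps(dst):
            problems.append(f"overlap: local {src} vs remote {dst}")
        # Mirror: the peer's crypto ACL must carry the exact reverse pair, or
        # the phase 2 proxy identities will not agree.
        if (src, dst) not in mirrored:
            problems.append(f"not mirrored on peer: {src} -> {dst}")
        # NAT exemption must cover everything the crypto ACL selects, or the
        # packets are translated first and no longer match it.
        if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in nat0):
            problems.append(f"{nat0_name} does not cover {src} -> {dst}")
    return problems


def is_interesting(cfg, src_ip, dst_ip):
    """True if a src->dst flow matches the crypto ACL and so would trigger IKE."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in crypto_acl(cfg))


if __name__ == "__main__":
    for label, a, b in (("as posted", BRANCH_CFG, MAIN_CFG),
                        ("narrowed to /16", BRANCH_FIXED, MAIN_FIXED)):
        print(label, "->", check_pair(a, b) or "OK")
    # A branch PC talking to a main-office host is interesting traffic;
    # a packet sourced from the branch ASA's own outside address is not.
    print(is_interesting(BRANCH_FIXED, "10.110.137.200", "10.100.10.5"))
    print(is_interesting(BRANCH_FIXED, "198.51.100.20", "10.100.10.5"))
```

Run it once per side (swap the two arguments) since the nat0 check only looks at the side passed first; the mirror check is what catches a peer that was "wizarded" with different local and remote lists. Note that the ACL reconstruction here only covers the plain `permit ip net mask net mask` form the thread uses, not object-groups or host entries.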
enterprise-it (author) commented:
Thanks 3nerds.

The issue has been solved. Looks like there was no route on the main office ASA for 10.x.x.x/26 to point out through the tunnel. I have to go to the main office and have a look at it. For now, the issue is solved; will respond when I get there.

Thanks again for your support
0
3nerds commented:
Cool glad to hear you found it.

Regards,

3nerds
0