Solved

What's wrong here - setting up tunnel Cisco ASA5505 to ASA5510 via ASDM

Posted on 2010-08-27
612 Views
Last Modified: 2012-06-27
Hi,

Trying to set up a connection between two sites - one on an ASA5505 and the other on an ASA5510.

We're both running through the ASDM. I'm attaching a screenshot of what I have on my end (my firewall is 172.17.2.253/24, and his is 10.47.2.254/24). I'm not familiar with the command line, but this seems like it's configured correctly; obviously the other end is done the same way but with the IPs switched.
[attached screenshot: how it's configured]

Question by: Mystical_Ice

7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 33546508
Local network should be the network behind your ASA, and likewise the remote network should be the network behind the ASA on the other side.

Peer IP should be the first field asked for, right at the top, labeled Peer IP Address; hence on one side it should be 172.17.2.253 and on the other ASA 10.47.2.254.

Let me know if you were able to resolve this, glad to help you :-)

Author Comment

by:Mystical_Ice
ID: 33548133
Yeah, 172.17.2.0/24 is our local network and 10.47.2.0/24 is their remote network, but the PEER IP address - that doesn't make sense. How can that be the address of the firewalls (172.17.2.253 and 10.47.2.254)? Wouldn't that need to be the PUBLIC address of the firewall, so they can communicate with each other over the internet?
LVL 18

Expert Comment

by:jmeggers
ID: 33549080
Yes, the peer addresses need to be reachable over the internet, so they need to be the outside addresses.

Author Comment

by:Mystical_Ice
ID: 33555796
So what is wrong in my configuration then?
LVL 18

Accepted Solution

by:
jmeggers earned 250 total points
ID: 33557389
Assuming you've properly entered the public addresses of the peers on both ASAs, and the local and remote networks are reversed on the other side, I can't really see anything wrong. Can you post the output from show crypto isakmp so we can identify what's happening in Phase 1? If Phase 1 is completing, then we can look at Phase 2.

Posting the CLI output for both ASAs would make it easier to tell, though. If it makes you feel safer, you can X out the first couple of octets of the addresses, as long as we can tell what's what.

Author Comment

by:Mystical_Ice
ID: 33559798
jmeggers - I'm attaching the result of "show crypto isakmp" on the first ASA. I don't have access to the other one at the moment, but will post that output as soon as I can - I'm assured that it is configured the same way though. If you could also let me know what you're looking for, and what the problem could be - I'm trying to learn :)

[attachment: showcryptoisakmp.txt]
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 250 total points
ID: 33561225
Sorry about the confusion; now I get that your internal networks are 172.17.2.0/24 and 10.47.2.0/24. The peer address should be the peer's public IP, reachable through the internet.

Try disabling NAT-T; I had encountered problems with that before when I was setting up mine.

Also, have you set up an IP route towards your peer's internal network and towards the peer's public IP? Have you included an exception for NAT translation? I've attached screenshots for your reference.

hope it helps :-)
[attachments]
1--nat-t.JPG
2---nat-exemption-rule.JPG
3---static-route-to-peer-interna.JPG
4---peer-ip-static-route.JPG
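The pieces this thread touches, pulled together as one CLI configuration: the peer is the other side's public outside address (not its LAN interface), local and remote networks are mirrored on the two boxes, VPN traffic is exempted from NAT, the peer and the remote LAN are routed out the outside interface, NAT-T can be toggled as ffleisma suggests, and the Phase 1 state check jmeggers asks for comes last. This is an added example, not configuration from the original post or its screenshots. It assumes pre-8.3 ASA syntax (the `nat (inside) 0 access-list` form of NAT exemption; 8.3 replaced it with object NAT, and 8.4 renamed `crypto isakmp` to `crypto ikev1`), interfaces named `outside` and `inside`, placeholder public addresses 203.0.113.10 for site A (behind which is 172.17.2.0/24) and 198.51.100.20 for site B (behind which is 10.47.2.0/24), an ISP gateway of 203.0.113.1, and an AES/SHA/group 2 proposal. Only site A is shown; site B is the same with the two public addresses and the two LANs swapped. ACL and map names follow ASDM's naming convention but are placeholders.

```cisco
! Site A ASA: outside 203.0.113.10, inside LAN 172.17.2.0/24 (placeholder addresses).
! Site B mirrors this with 203.0.113.10 as the peer and the two LANs reversed.

! Phase 1 (ISAKMP / IKEv1): enable on the outside interface; both sides need one matching policy.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! The tunnel-group name is the PEER'S PUBLIC address - the value that goes in ASDM's "Peer IP Address".
! 10.47.2.254 (the peer's inside interface) would never be reachable across the internet.
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key ExamplePSK-ChangeMe

! Interesting traffic: local LAN -> remote LAN. Site B's ACL has the two networks swapped.
access-list outside_1_cryptomap extended permit ip 172.17.2.0 255.255.255.0 10.47.2.0 255.255.255.0

! Phase 2 (IPsec): transform set and crypto map bound to the outside interface.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.20
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside

! NAT exemption (pre-8.3 syntax). Without it, LAN-to-LAN traffic is PAT'ed to 203.0.113.10 before
! the crypto map sees it, never matches the crypto ACL, and is sent in the clear (and dropped).
! The exemption ACL must match the crypto ACL exactly.
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 10.47.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Routing: both the peer's public address and the remote LAN must be reachable via the outside
! interface. A default route to the ISP gateway covers both; separate static routes (ffleisma's
! screenshots 3 and 4) are only needed when the default route points somewhere else.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! NAT-T is on by default (UDP/4500 with a 20 s keepalive). ffleisma's suggestion to disable it is
! the command below; with no NAT device between the two public addresses the peers negotiate plain
! ESP anyway, so turning it off only matters if something in the path mishandles UDP/4500.
no crypto isakmp nat-traversal

! Verification - what jmeggers is looking for. Phase 1 must reach MM_ACTIVE; a peer that sits in
! MM_WAIT_MSG2 never got a reply (wrong peer address, UDP/500 blocked, ISAKMP not enabled on the
! peer's outside), and MM_WAIT_MSG5 / MM_WAIT_MSG6 commonly indicates a pre-shared key mismatch.
! Only once Phase 1 is MM_ACTIVE do the Phase 2 encap/decap counters tell you anything.
! show crypto isakmp sa
! show crypto ipsec sa peer 198.51.100.20
! debug crypto isakmp 127
```

Both ASAs must agree on the Phase 1 policy, the pre-shared key, the transform set and a mirrored crypto ACL; the only values that legitimately differ between the two configurations are the peer address, the interface addresses and the order of the two networks in the ACLs.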