Solved

What's wrong here - setting up tunnel Cisco ASA5505 to ASA5510 via ASDM

Posted on 2010-08-27
617 Views
Last Modified: 2012-06-27
Hi,

Trying to set up a connection between two sites - one on an ASA5505 and the other on an ASA5510.

We're both running through the ASDM. I'm attaching a screenshot of what I have on my end (my firewall is 172.17.2.253/24, and his is 10.47.2.254/24). I'm not familiar with the command line, but this seems like it's configured correctly; obviously the other end is done the same way but with the IPs switched.
how it's configured
Question by:Mystical_Ice
7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 33546508
Local network should be the network behind your ASA; same with remote network: the remote network should be the network behind the ASA on that side.

Peer IP should be the first variable asked for, right at the top, labeled "Peer IP Address"; hence on one side it should be 172.17.2.253 and on the other ASA 10.47.2.254.

Let me know if you were able to resolve this; glad to help you :-)

Author Comment

by:Mystical_Ice
ID: 33548133
Yeah, 172.17.2.0/24 is our local network and 10.47.2.0/24 is their remote network, but the peer IP address - that doesn't make sense. How can that be the address of the firewalls (172.17.2.253 and 10.47.2.254)? Wouldn't that need to be the public address of the firewall, so they can communicate with each other over the internet?
LVL 18

Expert Comment

by:jmeggers
ID: 33549080
Yes, the peer addresses need to be reachable over the internet, so they need to be the outside addresses.

Author Comment

by:Mystical_Ice
ID: 33555796
So what is wrong in my configuration then?
LVL 18

Accepted Solution

by:
jmeggers earned 250 total points
ID: 33557389
Assuming you've properly entered the public addresses of the peers on both ASAs, and the local and remote networks are reversed on the other side, I can't really see anything wrong. Can you post the output from show crypto isakmp so we can identify what's happening in Phase 1? If Phase 1 is completing, then we can look at Phase 2.

Posting the CLI output for both ASAs would make it easier to tell, though.  If it makes you feel safer, you can X out the first couple of octets of the addresses, as long as we can tell what's what.

Author Comment

by:Mystical_Ice
ID: 33559798
jmeggers - I'm attaching the result of "show crypto isakmp" on the first ASA. I don't have access to the other one at the moment, but will post that output as soon as I can - I'm assured that it is configured the same way, though. If you could also let me know what you're looking for, and what the problem could be - I'm trying to learn :)
showcryptoisakmp.txt
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 250 total points
ID: 33561225
Sorry about the confusion; now I get that your internal networks are 172.17.2.0/24 and 10.47.2.0/24. Peer address should be the peer's public IP, reachable through the internet.

Try disabling NAT-T; I had encountered problems with that before when I was setting up mine.

Also, have you set up an IP route towards your peer's internal network and towards the peer's public IP? Have you included an exemption for NAT translation? I've attached screenshots for your reference.

Hope it helps :-)
1--nat-t.JPG
2---nat-exemption-rule.JPG
3---static-route-to-peer-interna.JPG
4---peer-ip-static-route.JPG
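For readers who want to compare their ASDM result against the CLI, here is what the pieces discussed in this thread (peer = outside/public address, traffic selector for 172.17.2.0/24 <-> 10.47.2.0/24, NAT exemption, NAT-T, and the show commands jmeggers asked for) look like on the Site A ASA. This is an added example written for this page, not configuration posted by either participant. The public addresses (198.51.100.10 for Site A, 203.0.113.20 for Site B, gateway 198.51.100.1), the object/ACL/crypto-map names and the pre-shared-key placeholder are assumptions; the syntax is the 8.2-era form matching the ASDM screens of the time, with the 8.3+ NAT form shown in comments.

```cisco
! Site A ASA5505 (inside LAN 172.17.2.0/24). Peer is Site B (inside LAN 10.47.2.0/24).
! Assumed addresses: outside 198.51.100.10/24, default gateway 198.51.100.1,
! Site B outside 203.0.113.20. Site B mirrors this config with the two LANs swapped
! and "set peer 198.51.100.10".
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.2.253 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
! A default route out the outside interface is enough: packets for 10.47.2.0/24
! follow it, hit the crypto map on "outside" and get encrypted. A separate static
! route for the remote LAN is only needed if another route would claim it first.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! Traffic selector (must be the exact mirror image on Site B)
access-list L2L_TO_SITEB extended permit ip 172.17.2.0 255.255.255.0 10.47.2.0 255.255.255.0
!
! NAT exemption: tunnel traffic must keep its private addresses or the selector
! on the far side will never match. 8.2 syntax:
access-list NONAT extended permit ip 172.17.2.0 255.255.255.0 10.47.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
! 8.3+ equivalent (object names are assumptions):
!   object network SITEA_LAN
!    subnet 172.17.2.0 255.255.255.0
!   object network SITEB_LAN
!    subnet 10.47.2.0 255.255.255.0
!   nat (inside,outside) source static SITEA_LAN SITEA_LAN destination static SITEB_LAN SITEB_LAN
!
! Phase 1 (IKEv1 / ISAKMP) - policy values must match on both peers
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! NAT-T is on by default (20 s keepalive). Only disable it ("no crypto isakmp
! nat-traversal") once you have confirmed neither outside address is behind NAT;
! with NAT in the path, raw ESP (IP protocol 50) will not survive and the
! tunnel will build Phase 1 but pass no traffic.
crypto isakmp nat-traversal 20
!
! Peer identity and shared secret: the tunnel-group name IS the peer's public IP
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key REPLACE_WITH_LONG_RANDOM_SECRET
!
! Phase 2 (IPsec) - crypto map bound to the outside interface
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TO_SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Verification, after sending interesting traffic (e.g. ping a 10.47.2.x host from inside):
!   show crypto isakmp sa    -> Phase 1. Expect "State : MM_ACTIVE" for "IKE Peer: 203.0.113.20".
!                               Stuck at MM_WAIT_MSG2: the peer never answered (wrong peer
!                               address, UDP/500 blocked, or peer not configured for us).
!                               Stuck at MM_WAIT_MSG6: usually a pre-shared-key mismatch.
!   show crypto ipsec sa     -> Phase 2. "#pkts encaps" and "#pkts decaps" should both
!                               climb; encaps rising with decaps at 0 means the far side
!                               is dropping or mis-selecting our traffic (check its ACL
!                               and NAT exemption).
```

Two caveats that follow from the thread: the peer address and tunnel-group name are the other firewall's outside (public) address, never its inside address; and because a pre-shared key is the entire Phase 1 authentication here, use a long random secret and send it to the other admin out of band rather than in the same e-mail as the addresses.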