Solved

What's wrong here - setting up tunnel Cisco ASA5505 to ASA5510 via ASDM

Posted on 2010-08-27
614 Views
Last Modified: 2012-06-27
Hi,

Trying to set up a connection between two sites - one on an ASA5505 and the other ASA5510

We're both running through the ASDM. I'm attaching a screenshot of what I have on my end (my firewall is 172.17.2.253/24, and his is 10.47.2.254/24). I'm not familiar with the command line, but this seems like it's configured correctly; obviously the other end is done the same way but with IPs switched.
how it's configured
0
Question by:Mystical_Ice
7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 33546508
Local network should be the network behind your ASA, same with remote network. The remote network should be the network behind your ASA on that side.

Peer IP should be on the first variable asked, right on the top labeled "Peer IP Address", hence on one side it should be 172.17.2.253, on the other ASA 10.47.2.254.

let me know if you were able to resolve this, glad to help you :-)
0
 

Author Comment

by:Mystical_Ice
ID: 33548133
Yeah, 172.17.2.0/24 is our local network, and 10.47.2.0/24 is their remote network, but PEER IP address - that doesn't make sense - how can that be the address of the firewalls (172.17.2.253 and 10.47.2.254)? Wouldn't that need to be the PUBLIC address of the firewall, so they can communicate with each other over the internet?
0
 
LVL 18

Expert Comment

by:jmeggers
ID: 33549080
Yes, the peer addresses need to be reachable over the internet, so they need to be the outside addresses.
0

Author Comment

by:Mystical_Ice
ID: 33555796
so what is wrong in my configuration then?
0
 
LVL 18

Accepted Solution

by:
jmeggers earned 250 total points
ID: 33557389
Assuming you've properly entered the public addresses of the peers on both ASAs, and the local and remote networks are reversed on the other side, I can't really see anything wrong. Can you post the output from show crypto isakmp so we can identify what's happening in Phase 1? If Phase 1 is completing, then we can look at Phase 2.

Posting the CLI output for both ASAs would make it easier to tell, though.  If it makes you feel safer, you can X out the first couple of octets of the addresses, as long as we can tell what's what.
0
 

Author Comment

by:Mystical_Ice
ID: 33559798
jmeggers - I'm attaching the result of "show crypto isakmp" on the first ASA. I don't have access to the other one at the moment, but will post that output as soon as I can - I'm assured that it is configured the same way though. If you could also let me know what you're looking for, and what the problem could be - I'm trying to learn :)
showcryptoisakmp.txt
0
 
LVL 9

Assisted Solution

by:ffleisma
ffleisma earned 250 total points
ID: 33561225
Sorry about the confusion, now I get that your internal networks are 172.17.2.0/24 and 10.47.2.0/24. Peer address should be the peer public IP reachable through the internet.

Try disabling NAT-T; I had encountered problems with that before when I was setting up mine.

Also, have you set up an IP route towards your peer internal network and towards the peer public IP? Have you included an exception for NAT translation? I've attached screenshots for your reference.

hope it helps :-)
1--nat-t.JPG
2---nat-exemption-rule.JPG
3---static-route-to-peer-interna.JPG
4---peer-ip-static-route.JPG
0
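The points raised across the thread (peer address must be the outside/public address, local and remote networks mirrored on the other side, a NAT exemption for the tunnelled traffic, a route that reaches the peer, NAT-T as a possible trouble spot, and checking Phase 1 before Phase 2) come together in one site-to-site configuration. The following is an added CLI example for the ASA5505 side, not the configuration of anyone in this thread. It assumes ASA 8.4+ syntax (8.2-era software uses `isakmp` in place of `ikev1` and `nat (inside) 0 access-list` for the exemption), the constructed public addresses 198.51.100.10 (this site), 203.0.113.10 (the peer) and 198.51.100.1 (ISP gateway), and object and map names chosen here.

```cisco
! Site A (ASA5505): inside 172.17.2.0/24, outside 198.51.100.10 (constructed)
! Site B mirrors every line: swap the two LAN objects, use 198.51.100.10 as peer.

! Default route toward the ISP. This is what reaches the peer's PUBLIC address.
! Traffic for the remote LAN also follows this route and is pulled into the tunnel
! by the crypto map on "outside"; a more specific static route is only needed if
! the default route does not leave via the VPN interface.
route outside 0.0.0.0 0.0.0.0 198.51.100.1

object network SITE-A-LAN
 subnet 172.17.2.0 255.255.255.0
object network SITE-B-LAN
 subnet 10.47.2.0 255.255.255.0

! NAT exemption: without it inside hosts are translated to the outside address,
! never match the crypto ACL below, and Phase 2 never forms.
nat (inside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-B-LAN SITE-B-LAN no-proxy-arp route-lookup

! Interesting traffic: local LAN to remote LAN. Site B's ACL is the exact mirror.
access-list SITE-A-TO-B extended permit ip 172.17.2.0 255.255.255.0 10.47.2.0 255.255.255.0

! Phase 1 (IKEv1). Every attribute must match on both ASAs.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! The tunnel-group name IS the peer's public address, not its inside 10.47.2.254.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-SHARED-SECRET

! Phase 2 (IPsec) proposal and the crypto map bound to the outside interface.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address SITE-A-TO-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! NAT-T is enabled by default. Disable it only when neither ASA sits behind a
! NAT device and it has been shown to interfere:
! no crypto isakmp nat-traversal

! Verification, after sending traffic from 172.17.2.0/24 toward 10.47.2.0/24:
! show crypto ikev1 sa   -> Phase 1 state should be MM_ACTIVE
! show crypto ipsec sa   -> #pkts encaps and #pkts decaps should both increase
```

Reading the two show commands in that order reproduces the diagnosis path suggested above: if no SA appears or it stalls before MM_ACTIVE, the problem is reachability of the peer's public address, a mismatched pre-shared key or a mismatched Phase 1 policy; if Phase 1 is active but the encaps or decaps counters stay at zero, look at the NAT exemption and the crypto ACLs on each side.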
