Solved

What's wrong here - setting up tunnel Cisco ASA5505 to ASA5510 via ASDM

Posted on 2010-08-27
Last Modified: 2012-06-27
Hi,

Trying to set up a connection between two sites - one on an ASA5505 and the other ASA5510

We're both running through the ASDM. I'm attaching a screenshot of what I have on my end (my firewall is 172.17.2.253/24, and his is 10.47.2.254/24). I'm not familiar with the command line, but this seems like it's configured correctly; obviously the other end is done the same way but with IPs switched.
how it's configured
Question by:Mystical_Ice
7 Comments
 
LVL 9

Expert Comment

by:ffleisma
ID: 33546508
Local network should be the network behind your ASA; same with remote network: the remote network should be the network behind the ASA on that side.

Peer IP should be the first variable asked, right at the top, labeled Peer IP Address; hence on one side it should be 172.17.2.253 and on the other ASA 10.47.2.254.

Let me know if you were able to resolve this; glad to help you :-)
Author Comment

by:Mystical_Ice
ID: 33548133
Yeah, 172.17.2.0/24 is our local network, and 10.47.2.0/24 is their remote network, but PEER IP address - that doesn't make sense - how can that be the address of the firewalls (172.17.2.253 and 10.47.2.254)?? Wouldn't that need to be the PUBLIC address of the firewall, so they can communicate with each other over the internet?
LVL 18

Expert Comment

by:jmeggers
ID: 33549080
Yes, the peer addresses need to be reachable over the internet, so they need to be the outside addresses.

Author Comment

by:Mystical_Ice
ID: 33555796
So what is wrong in my configuration then?
LVL 18

Accepted Solution

by: jmeggers (earned 1000 total points)
ID: 33557389
Assuming you've properly entered the public addresses of the peers on both ASAs, and the local and remote networks are reversed on the other side, I can't really see anything wrong. Can you post the output from show crypto isakmp so we can identify what's happening in Phase 1? If Phase 1 is completing, then we can look at Phase 2.

Posting the CLI output for both ASAs would make it easier to tell, though. If it makes you feel safer, you can X out the first couple of octets of the addresses, as long as we can tell what's what.
Author Comment

by:Mystical_Ice
ID: 33559798
jmeggers - I'm attaching the result of "show crypto isakmp" on the first ASA. I don't have access to the other one at the moment, but will post that output as soon as I can - I'm assured that it is configured the same way though. If you could also let me know what you're looking for, and what the problem could be - I'm trying to learn :)
showcryptoisakmp.txt
LVL 9

Assisted Solution

by: ffleisma (earned 1000 total points)
ID: 33561225
Sorry about the confusion; now I get that your internal networks are 172.17.2.0/24 and 10.47.2.0/24. Peer address should be the peer public IP reachable through the internet.

Try disabling NAT-T; I had encountered problems with that before when I was setting up mine.

Also, have you set up an IP route towards your peer internal network and towards the peer public IP? Have you included an exception for NAT translation? I've attached screenshots for your reference.

Hope it helps :-)
1--nat-t.JPG
2---nat-exemption-rule.JPG
3---static-route-to-peer-interna.JPG
4---peer-ip-static-route.JPG
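The CLI equivalent of what the ASDM site-to-site wizard builds for the 172.17.2.0/24 side, bringing together jmeggers' Phase 1 / Phase 2 check and ffleisma's NAT exemption and route advice. This is an added example, not configuration from the thread or from Cisco; it assumes ASA 8.2-style syntax (the software of that era), an outside address of 203.0.113.10 with gateway 203.0.113.1, and a remote peer public address of 198.51.100.20 (documentation-range placeholders, since the thread never shows the public IPs).

```cisco
! Added example: site-to-site IKEv1/IPsec tunnel, local side 172.17.2.0/24.
! Assumed (not from the thread): ASA 8.2-style NAT syntax, outside IP 203.0.113.10,
! default gateway 203.0.113.1, remote peer public IP 198.51.100.20.
! The remote ASA gets the mirror image: local/remote networks and peer address swapped.

! Phase 1 (ISAKMP): both sides need a matching policy and the same pre-shared key.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! NAT-T is on by default; ffleisma's workaround is "no crypto isakmp nat-traversal".

! Phase 2 (IPsec): transform set plus the interesting-traffic ACL (local -> remote).
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list outside_1_cryptomap extended permit ip 172.17.2.0 255.255.255.0 10.47.2.0 255.255.255.0

! NAT exemption: tunnel traffic must keep its private source addresses, so exclude it
! from the outbound NAT (ffleisma's screenshot 2). In 8.2 this is nat 0 with an ACL.
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 10.47.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Crypto map binds peer, ACL and transform set, then is applied to the outside interface.
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.20
crypto map outside_map 1 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside

! Tunnel group keyed on the peer's PUBLIC address (not 10.47.2.254) and the shared key.
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-STRONG-KEY

! Routing (ffleisma's screenshots 3 and 4): the peer public IP must be reachable via
! outside, and traffic for 10.47.2.0/24 must leave via outside so the crypto map sees it.
! The default route already covers both; the explicit route mirrors the screenshot.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route outside 10.47.2.0 255.255.255.0 203.0.113.1

! Verification, in the order jmeggers suggests: Phase 1 first, then Phase 2.
! show crypto isakmp sa   -> expect state MM_ACTIVE for peer 198.51.100.20
! show crypto ipsec sa    -> expect #pkts encaps/decaps to increment while pinging
```

If the ISAKMP SA never reaches MM_ACTIVE, the problem is in Phase 1 (peer address, policy or pre-shared key mismatch, or UDP 500/4500 blocked upstream); if it does but no packets are encapsulated, check the crypto ACL and the NAT exemption on both sides.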