Cisco ASA 5505 to 5505 VPN

NotSoKlear asked on
VPN, Internet Protocol Security, Cisco
Hi all.
Having a hard time troubleshooting why I can't get my VPN to work between two sites. Both have Cisco 5505 ASAs and I used the VPN wizard on both sides. I went to the Cisco help site and followed their directions to the T (or so I think) and it still doesn't work.

This isn't the first time I've set up a VPN, just after looking at the code and ACLs everything looks right.

Would someone mind taking a look at the below config and tell me what I may be doing wrong?

Thanks in advance.


: Saved
ASA Version 7.2(4)
hostname fw
domain-name hostvpn.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group  DSL
 ip address pppoe setroute
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp setroute
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name hostvpn.com
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 9833
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 10443
access-list outside_access_in extended permit udp any interface outside eq 10443
access-list outside_1_cryptomap extended permit ip host
access-list inside_nat0_outbound extended permit ip
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface 3389  MAINSERVER 3389 netmask
static (inside,outside) tcp interface 10443 NETSORT 10443 netmask
static (inside,outside) udp interface 10443 NETSORT 10443 netmask
static (inside,outside) tcp interface 9833 9833 netmask
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface https NETSORT https netmask
static (inside,outside) tcp interface www  MAINSERVER www netmask
access-group outside_access_in in interface outside
route inside NETSORT 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group  DSL request dialout pppoe
vpdn group  DSL localname  ervices1001@qwest.net
vpdn group  DSL ppp authentication pap
vpdn username  ervices1001@qwest.net password *********
dhcpd auto_config outside
dhcpd address  MAINSERVER- inside

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
prompt hostname context
: end
asdm image disk0:/asdm-524.bin
asdm location  MAINSERVER inside
asdm location NETSORT inside
no asdm history enable
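
Only one side of the tunnel is posted above, so the two wizard-generated configs cannot be compared on the page. The script below is an added example, not part of the original post: it pulls the IKE phase 1 policy, transform-set and PFS group out of ASA 7.2-style config text and reports where two peers share no proposal. `SITE_A` copies the crypto lines from the posted config; `SITE_B` is a constructed remote side, not the poster's real one. Peer and crypto-ACL mirroring is not checked because the addresses are elided in the post.

```python
import re

def parse_asa(cfg):
    """Extract IKEv1 / IPsec proposal settings from ASA 7.2-style config text."""
    policies, transforms, pfs, cur = [], set(), None, None
    for line in cfg.splitlines():
        if re.match(r"crypto isakmp policy \d+\s*$", line):
            cur = {}                       # start collecting indented sub-commands
            policies.append(cur)
        elif cur is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            cur[key] = val
        else:
            cur = None                     # left the isakmp policy block
            if m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
                transforms.add(frozenset(m.group(1).split()))
            elif m := re.match(r"crypto map \S+ \d+ set pfs (\S+)", line):
                pfs = m.group(1)           # simplification: last crypto map entry wins
    ike = {tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group"))
           for p in policies}
    return {"ike": ike, "transforms": transforms, "pfs": pfs}

def compare(a, b):
    """Return a list of proposal mismatches between two parsed peers."""
    problems = []
    if not a["ike"] & b["ike"]:
        problems.append("phase 1: no common isakmp policy")
    if not a["transforms"] & b["transforms"]:
        problems.append("phase 2: no common transform-set")
    if a["pfs"] != b["pfs"]:
        problems.append(f"phase 2: pfs {a['pfs']} vs {b['pfs']}")
    return problems

# Crypto lines as posted in the question.
SITE_A = """crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
"""
# Constructed remote side for illustration: identical except for the PFS group.
SITE_B = SITE_A.replace("set pfs group1", "set pfs group2")

if __name__ == "__main__":
    print(compare(parse_asa(SITE_A), parse_asa(SITE_B)) or "proposals agree")
```
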