Site to Site VPN with Cisco 5520 and Cisco 2811

Hello
I'm having an issue bringing up a S2S VPN tunnel with a Cisco 5520 and Cisco 2811. For the most part the configs look good, but I must be missing something. Can someone point me in the right direction? Thanks

  vpn-for-2811.txt vpn-for-5520.txt
cisco_pro30Asked:
 
shukalo83Commented:
OK, but I don't see any GRE in ASA config. If you are confused by all this I'll try to make things clearer.

With GRE you have an interface on the router that you can check and do routing through. GRE is not a common thing on ASAs and I'm fairly sure that it is not supported at all. You can check, but I'm 99% sure, at least on the 5520.

So you need to change your tactics. :) GRE is not supported, so forget about the Tunnel interface on the ASA. Just make the crypto map, put it on the interface and you are good to go. Very similar to ASAs.

I'm going to post you an exact config during the day, at least for the router. On the ASA, use the wizard in ASDM. It is the Cisco-recommended way.
 
shukalo83Commented:
I did not check your ASA config but from what I have seen in 2811, you have the wrong access list, so your crypto map is not good. Maybe some other stuff is wrong too but first things first.

Because you encrypt traffic in GRE tunnel interfaces, your output traffic of interest has these destination and source addresses.

source 216.213.101.34
destination 71.125.26.50

You need to set up the access list accordingly and also do exactly the same on the other side, on the ASAs.

Just ask if you want details on all this.
 
cisco_pro30Author Commented:
Here is the whole config for the 2811. I can set up a S2S for the ASA, but I've never done one with a 2800 before.
  router1-new.txt
 
shukalo83Commented:
OK. You need to explain to me what kind of VPN you are building. I'll help you, but first tell me: does the other side also use GRE tunnels, or is it just basic IPsec?
 
cisco_pro30Author Commented:
That's the thing... I wasn't trying to build a GRE tunnel. This was supposed to be a Site-to-Site VPN.
 
cisco_pro30Author Commented:
Should I have the 2811 take out the GRE tunnel configs?
 
shukalo83Commented:
Yes. Just go for plain IPsec. Form the access list exactly in reverse from those on the ASAs. Try that and if that doesn't work, just post the configs here.
 
cisco_pro30Author Commented:
I had to set up a new ISAKMP policy on my ASA. The 2800 does not support 3DES. Also, I had a routing issue on my ASA that needed to be corrected. Then the tunnel came up. But your help still led me in the right direction. Thanks
Question has a verified solution.
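
The advice in the thread to form the router's access list "exactly in reverse" from the ASA's can be checked mechanically. The script below is an added example, not part of the original thread or either poster's config: it converts IOS wildcard masks and ASA netmasks to networks and reports crypto ACL entries that have no reversed twin on the peer. The ACL names and addresses are constructed, and it assumes only the `permit ip` lines referenced by each crypto map are passed in.

```python
import ipaddress
import re

# Matches IOS numbered and ASA "extended" permit-ip ACL lines.
ACL_RE = re.compile(r"^access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+(.+)$")

# Constructed sample ACLs (not from the thread's attachments).
ROUTER_ACL = """
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 110 permit ip host 192.168.10.5 10.30.0.0 0.0.0.255
"""
ASA_ACL = """
access-list VPN_ACL extended permit ip 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list VPN_ACL extended permit ip 10.30.0.0 255.255.255.0 192.168.10.0 255.255.255.0
"""

def _take_net(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK) and return a network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = ipaddress.ip_address(tokens.pop(0))
    if wildcard:  # an IOS wildcard mask is the bitwise inverse of a netmask
        mask = ipaddress.ip_address(int(mask) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)

def crypto_pairs(config, wildcard):
    """Return the set of (source, destination) networks from permit-ip lines."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            tokens = m.group(1).split()
            src = _take_net(tokens, wildcard)
            pairs.add((src, _take_net(tokens, wildcard)))
    return pairs

def mirror_mismatches(router_cfg, asa_cfg):
    """Entries on either side that lack a reversed (dst, src) twin on the peer."""
    router = crypto_pairs(router_cfg, wildcard=True)
    asa = crypto_pairs(asa_cfg, wildcard=False)
    reversed_asa = {(d, s) for s, d in asa}
    return {"router_only": router - reversed_asa,
            "asa_only": {(d, s) for s, d in reversed_asa - router}}

if __name__ == "__main__":
    for side, entries in mirror_mismatches(ROUTER_ACL, ASA_ACL).items():
        for src, dst in sorted(entries):
            print(f"{side}: {src} -> {dst} has no mirror on the peer")
```

An empty result on both sides means the two crypto ACLs describe the same traffic from opposite directions.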
