Site to Site VPN with Cisco 5520 and Cisco 2811

Hello
I'm having an issue bringing up a S2S VPN tunnel with a Cisco 5520 and Cisco 2811.  For the most part the configs look good, but I must be missing something. Can someone point me in the right direction?  Thanks

  vpn-for-2811.txt vpn-for-5520.txt
cisco_pro30 Asked:

shukalo83 Commented:
I did not check your ASA config but from what I have seen in 2811, you have the wrong access list, so your crypto map is not good. Maybe some other stuff is wrong too but first things first.

Because you encrypt traffic in GRE tunnel interfaces, your output traffic of interest has these destination and source addresses.

source 216.213.101.34
destination 71.125.26.50

You need to set up the access list accordingly and also do exactly the same on the other side, on the ASAs.

Just ask if you want details on all this.
0
cisco_pro30 Author Commented:
Here is the whole config for the 2811.  I can set up a s2s for the ASA but, I've never done one with a 2800 before.
  router1-new.txt
0
shukalo83 Commented:
OK. You need to explain to me what kind of VPN you are building. I'll help you, but first tell me: does the other side also use GRE tunnels, or is it just basic IPsec?
0

cisco_pro30 Author Commented:
That's the thing... I wasn't trying to build a GRE tunnel.  This was supposed to be a site-to-site VPN.
0
shukalo83 Commented:
OK, but I don't see any GRE in the ASA config. If you are confused by all this I'll try to make things clearer.

With GRE you have an interface on the router that you can check and do routing through. GRE is not a common thing on ASAs and I am fairly sure that it is not supported at all. You can check but I'm 99% sure, at least on 5520.

So you need to change your tactics. :) GRE is not supported so forget about the Tunnel interface on the ASA. Just make the crypto map, put it on the interface and you are good to go. Very similar to ASAs.

I am going to post you an exact config during the day, at least for the router. On the ASA use the wizard in ASDM. It is the Cisco-recommended way.
0

cisco_pro30 Author Commented:
Should I have the 2811 take out the GRE tunnel configs?
0
shukalo83 Commented:
Yes. Just go for plain IPsec. Form access list exactly in reverse from those on ASAs. Try that and if that doesn't work, just post the configs here.
0
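
Added example, not part of the original thread and not code from either poster: a small Python check that the router's crypto ACL is the exact reverse of the ASA's, as the answer above recommends. It normalises IOS wildcard masks and ASA netmasks before comparing; the networks, ACL number and ACL name are constructed sample values, and only `permit ip` entries are handled.

```python
import ipaddress

# Constructed sample entries (RFC 1918 networks; ACL number and name are made up).
IOS_ACL = ["access-list 110 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.255.255"]
ASA_ACL = ["access-list S2S extended permit ip 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0"]
# Constructed mistake: router entry copied from the ASA without reversing it.
IOS_ACL_UNREVERSED = ["access-list 110 permit ip 10.20.0.0 0.0.255.255 192.168.10.0 0.0.0.255"]


def take_network(tokens, wildcard):
    """Consume one address spec (any | host A | A MASK) and return an ip_network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = ipaddress.ip_address(tokens.pop(0))
    if wildcard:
        # IOS ACLs use wildcard (inverted) masks; flip the bits to get a netmask.
        mask = ipaddress.ip_address(int(mask) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{head}/{mask}")


def parse_entry(line, platform):
    """Return (source, destination) networks for one 'permit ip' ACL entry."""
    tokens = line.split()
    i = tokens.index("permit")
    if tokens[i + 1] != "ip":
        raise ValueError("only 'permit ip' entries are handled: " + line)
    rest = tokens[i + 2:]
    wildcard = platform == "ios"   # ASA entries carry ordinary netmasks
    src = take_network(rest, wildcard)
    dst = take_network(rest, wildcard)
    return src, dst


def mirror_mismatches(ios_lines, asa_lines):
    """Compare the router ACL with the reverse of the ASA ACL.

    Returns (extra_on_router, missing_on_router); both empty means a mirror.
    """
    ios = {parse_entry(line, "ios") for line in ios_lines}
    asa = {parse_entry(line, "asa") for line in asa_lines}
    expected = {(dst, src) for src, dst in asa}
    return sorted(ios - expected, key=str), sorted(expected - ios, key=str)


if __name__ == "__main__":
    print(mirror_mismatches(IOS_ACL, ASA_ACL))
    print(mirror_mismatches(IOS_ACL_UNREVERSED, ASA_ACL))
```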
cisco_pro30 Author Commented:
I had to set up a new isakmp policy on my ASA.  The 2800 does not support 3DES.  Also I had a routing issue on my ASA that needed to be corrected.  Then the tunnel came up.  But your help still led me in the right direction.  Thanks
0