Site to site VPN not working ASA 5505 8.42

Hello all,

I have 2 Cisco ASA 5505's running 8.42. Both have a public IP on the outside port, and a /24 LAN on the inside port.

I want a site-to-site VPN between them, but I can't get it to work. I used the guide at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bb8500.shtml, but still it does not work. I found this question: http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27261113.html

I have a rule for NAT exemption (made by the site-to-site wizard), but still the tunnel won't come up.

What am I doing wrong?

ASA# show run object
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network locallan
 subnet 192.0.2.0 255.255.255.0
object network remotelan
 subnet 10.11.79.0 255.255.255.0




ASA# show run nat
nat (inside,outside) source static Locallan locallan destination static remotelan remotelan no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
Asked by: eensolution
 
Ernie Beek (Expert) commented:
So something like:

object network obj-192.0.2.123
 host 192.0.2.123
 nat (inside,outside) static 123.123.123.2 service tcp www www
 
Ernie Beek (Expert) commented:
Anything showing in the logs when you're trying to establish the tunnel?
 
fgasimzade commented:
Can you show your full sanitized config?

 
Pete Long (Technical Consultant) commented:
What's the result of a show cry isa command and a show cry ipsec sa command?


Pete
 
eensolution (Author) commented:
Apologies, it already works. Problem is that I was pinging the other ASA to initiate the VPN, but the ASA blocked ICMP. When pinging a host on the other side, the tunnel came up fine.

I have another question though. The situation is that one ASA is at the customer's office, and the other one is in a datacenter. The VPN tunnel is between them. That works now.

Also, I forwarded ports (static NAT) 25/80/443/3389 on the outside IP address to one of the servers. But how do I forward ports from another public IP to another server in the network? How do I make the ASA listen on another public IP address?
 
Ernie Beek (Expert) commented:
The same way as you did with the address on the interface, only now you use another public IP for that. I assume you have multiple publics?
Question has a verified solution.
