• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 707
  • Last Modified:

Site to site VPN not working ASA 5505 8.42

Hello all,

I have 2 Cisco ASA 5505's running 8.42. Both have a public IP on the outside port, and a /24 lan on the inside port.

I want a site to site VPN between them, but i cant get it to work. I used the guide at  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bb8500.shtml, but still it does not work. I found this question: http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_27261113.html

I have a rule for nat exemption (make by the site to site wizard), but still the tunnel won't come up.

What am I doing wrong?

ASA# show run object
object network obj_any
object network locallan
object network remotelan

ASA# show run nat
nat (inside,outside) source static Locallan locallan destination static remotelan remotelan no-proxy-arp route-lookup
object network obj_any
 nat (inside,outside) dynamic interface
1 Solution
Ernie BeekExpertCommented:
Anything showing in the logs when you're trying to establish the tunnel?
Can you show your full sanitized config?
Pete LongTechnical ConsultantCommented:
what's the result of a

show cry isa command and a show cry ipsec sa command?

The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

eensolutionAuthor Commented:
Apologies, it already works. Problem is that I was pinging the other ASA to initiate the VPN, but the ASA blocked ICMP. When pinging a host on the other side, the tunnel came up fine.

I have another question though. The situation is that one ASA is at the customers office, and the other one is in a datacenter. The VPN tunnel is between them. That works now.

Also, I forwarded ports (static nat) 25/80/443/3389 on the outside IP address to one of the servers. But, how do I forward ports from another public IP to another server in the network. How do I make the ASA listen on another public IP address?
Ernie BeekExpertCommented:
The same way as you did with the address on the interface, only now you use another public IP for that. I assume you have multiple publics?
Ernie BeekExpertCommented:
So something like:

object network obj-
nat (inside,outside) static service tcp www www

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now