Cisco Firewall Site to Site Tunnel Issue

Hello,

I am trying to create a site to site tunnel using the ASDM wizard on a Cisco ASA 5505. I cannot get the tunnel to connect.

ASA-A
Inside Network A - 10.1.1.0/24
Inside A - 10.1.1.1
Outside A - 192.168.1.1 (Has Real Public Internet Address)

ASA-B
Inside Network B - 10.2.2.0
Inside B - 10.2.2.1
Outside B - 172.16.1.1 (Has Real Public Internet Address)

Network B is allowing address 192.168.1.1 through their firewall to create a site to site tunnel. The tunnel and traffic need to be seen as coming from this address. Network B only allows traffic from 192.168.1.1 and not from 10.1.1.0/24.



When I go to this location Monitoring > VPN > Easy VPN Client > VPN Connection Status

I see "not tunnel established." When I attempt to connect I get the following error.

"The VPN tunnel can be established from the most secure interface of this firewall which is inside 10.1.1.1. Please load the page with the URL https://10.1.1.1/vpnclient/connstatus.html from a machine connected to that interface."


This link does not work. It prompts me about security and I get a page not found error.

I cannot get the tunnel to connect no matter what changes I try or rerun the Wizard. The tunnel insists on using the inside address. I tried this and it did not work either.


ASA Config on ASA-A using fake ip addresses.


interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0

object-group network REMOTE-SERVERS
 description Accessible Servers on Site to Site VPN
 network-object host 10.2.2.10
 network-object host 10.2.2.11
 network-object host 10.2.2.12

access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 object-group REMOTE-SERVERS
access-list inside_nat_outbound extended permit ip 10.1.1.0 255.255.255.0 host 172.16.1.1

nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.16.1.1
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 96800

Thanks for your assistance.
VizroyAsked:

mredfelixCommented:
What's your routing like?

Can you, for instance, ping ASA A's outside interface from ASA B's outside interface?
0
VizroyAuthor Commented:
From the Cisco ASA-A (192.168.1.1) I can successfully ping Cisco ASA-B (172.16.1.1).

I have a server on Network A (10.1.1.2) and it can reach the internet.



I have 1 route.

route outside 0.0.0.0 0.0.0.0 192.168.1.254 1

This is a fake ip, but I am using the internet ip for the gateway of my provider.
0
VizroyAuthor Commented:
No one on Experts Exchange assisted. I purchased a Cisco support contract and they helped fix the problem.
0
