• Status: Solved

Cisco Firewall Site to Site Tunnel Issue


I am trying to create a site to site tunnel using the ASDM wizard on a Cisco ASA 5505. I cannot get the tunnel to connect.

Inside Network A -
Inside A -
Outside A - (Has Real Public Internet Address)

Inside Network B -
Inside B -
Outside B - (Has Real Public Internet Address)

Network B is allowing address through their firewall to create a site to site tunnel. The tunnel and traffic need to be seen as coming from this address. Network B only allows traffic from and not from

When I go to this location Monitoring > VPN > Easy VPN Client > VPN Connection Status

I see "not tunnel established." When I attempt to connect, I get the following error.

"The VPN tunnel can be established from the most secure interface of this firewall which is inside Please load the page with the URL from a machine connected to that interface.

This link does not work. It prompts me about security and I get a page not found error.

I cannot get the tunnel to connect no matter what changes I try or rerun the Wizard. The tunnel insists on using the inside address. I tried this and it did not work either.

ASA Config on ASA-A using fake ip addresses.

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address

object-group network REMOTE-SERVERS
 description Accessible Servers on Site to Site VPN
 network-object host
 network-object host
 network-object host

access-list outside_1_cryptomap extended permit ip object-group REMOTE-SERVERS
access-list inside_nat_outbound extended permit ip host

nat (inside) 1 access-list inside_nat_outbound
nat (inside) 1

access-group outside_access_in in interface outside

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 96800

Thanks for your assistance.
What's your routing like?

Can you, for instance, ping ASA A's outside interface from ASA B's outside interface?
VizroyAuthor Commented:
From the Cisco ASA-A ( I can successfully ping Cisco ASA-B (

I have a server Network A ( and it can reach the internet.

I have 1 route.

route outside 1        

This is a fake ip, but I am using the internet ip for the gateway of my provider.
VizroyAuthor Commented:
No one on Experts Exchange assisted. I purchased a Cisco support contract and they helped fix the problem.