topic Re: vpn site to site help in Network Security

vpn site to site help

hamedha — Fri, 21 Feb 2020 16:36:49 GMT

I work on gns3 we have centralize ASA 5520 that is siteA

and we want to create vpn with siteB

Ia created site to site vpn configuration in both ASA (as attachment )

so i have 2 problem:

1- after I create vpn configuration i cannot ping from siteA to siteB although i was can

2- second problem the tunnel fail

siteA(config)# show isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

Re: vpn site to site help

Sheraz.Salim — Thu, 27 Dec 2018 09:56:29 GMT

in your configuration both firewalls does not have inside ip address any reason?

use this link it will help you to setup up the site to site vpn between two ASA.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

Re: vpn site to site help

Abheesh Kumar — Thu, 27 Dec 2018 11:59:06 GMT

Hi,

As per your configuration there is no inside network. you need to configure Inside interface and specify the local and remote subnet need to be communicated. Below is the sample site to site configuration.

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address AA.AA.AA.AA BB.BB.BB.BB
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address CC.CC.CC.CC DD.DD.DD.DD
!
object network Local-Subnet
subnet XX.XX.XX.XX
!
object network Remote-Subnet
subnet ZZ.ZZ.ZZ.ZZ
!
access-list VPN-to-Remote extended permit ip object Local-Subnet Remote-Subnet
!
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet
!
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac
!
crypto map out_map 10 match address VPN-to-Remote
crypto map out_map 10 set pfs
crypto map out_map 10 set peer YY.YY.YY.YY
crypto map out_map 10 set ikev1 transform-set transfrom
crypto map out_map 10 set security-association lifetime seconds 28800
crypto map out_map 10 set security-association lifetime kilobytes 4608000
!
crypto map out_map interface outside
!
tunnel-group YY.YY.YY.YY type ipsec-l2l
tunnel-group YY.YY.YY.YY ipsec-attributes
ikev1 pre-shared-key presharedkey
!

Thanks,
Abheesh
PS: Please don't forget to rate and select as validated answer if this answered your question

Re: vpn site to site help

Marius Gunnerud — Fri, 28 Dec 2018 23:23:45 GMT

The VPN will not be established if the LAN interface is not configured and in an "UP" state.

Re: vpn site to site help

hamedha — Sun, 30 Dec 2018 07:28:41 GMT

thank a lot for all replays I appreciate that

I did configuration as your recommended

I can ping but still have problem in vpn site to site . all details in attachment

Re: vpn site to site help

Abheesh Kumar — Sun, 30 Dec 2018 09:25:44 GMT

Please generate traffic by pinging the remote site lan interface ip and then check show crypto isakmp sa

HTH
Abheesh