
vpn site to site help

hamedha
Level 1

Hi,

I work on GNS3. We have a centralized ASA 5520, which is siteA,

and we want to create a VPN with siteB.

I created a site-to-site VPN configuration on both ASAs (see attachment).

So I have 2 problems:

1- After I created the VPN configuration I cannot ping from siteA to siteB, although I could before.

2- The second problem: the tunnel fails.

siteA(config)# show isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

 

In your configuration, neither firewall has an inside IP address. Any reason?

 

 

Use this link; it will help you set up the site-to-site VPN between two ASAs.

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

Please do not forget to rate.

Abheesh Kumar
VIP Alumni

Hi,

As per your configuration, there is no inside network. You need to configure the inside interface and specify the local and remote subnets that need to communicate. Below is a sample site-to-site configuration.

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address AA.AA.AA.AA BB.BB.BB.BB
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address CC.CC.CC.CC DD.DD.DD.DD
!
! Local and remote protected networks (subnet takes a network address and a mask)
object network Local-Subnet
 subnet XX.XX.XX.XX
!
object network Remote-Subnet
 subnet ZZ.ZZ.ZZ.ZZ
!
! Crypto ACL: traffic that is sent through the tunnel
access-list VPN-to-Remote extended permit ip object Local-Subnet object Remote-Subnet
!
! NAT exemption for traffic between the two subnets
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet
!
! IKEv1 phase 1 policy; it must match the policy on the peer
! (3des and group 2 are legacy choices; prefer aes-256 and a larger DH group where both peers support them)
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! IPsec phase 2 transform set
crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac
!
crypto map out_map 10 match address VPN-to-Remote
crypto map out_map 10 set pfs
crypto map out_map 10 set peer YY.YY.YY.YY
crypto map out_map 10 set ikev1 transform-set transfrom
crypto map out_map 10 set security-association lifetime seconds 28800
crypto map out_map 10 set security-association lifetime kilobytes 4608000
!
! Bind the crypto map to the outside interface
crypto map out_map interface outside
!
! Tunnel group named after the peer address, with the shared key
tunnel-group YY.YY.YY.YY type ipsec-l2l
tunnel-group YY.YY.YY.YY ipsec-attributes
 ikev1 pre-shared-key presharedkey
!

Thanks,
Abheesh
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks a lot for all the replies, I appreciate that.

I did the configuration as you recommended.

I can ping but still have a problem with the site-to-site VPN. All details are in the attachment.

Please generate traffic by pinging the remote site's LAN interface IP and then check show crypto isakmp sa.

HTH
Abheesh

The VPN will not be established if the LAN interface is not configured and in an "UP" state.

--
Please remember to select a correct answer and rate helpful posts
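
A pre-flight check for the problems raised in this thread, as an added example that is not part of any reply and is not Cisco tooling: it reads an ASA running-config as text and reports an inside or outside interface that is missing, unaddressed or shut down, plus crypto map entries that lack an interface binding, a crypto ACL or an ipsec-l2l tunnel-group. The function names and the sample configs (documentation addresses) are constructed for illustration.

```python
import re

def interfaces(cfg):
    """Map nameif -> state, read from 'interface' stanzas ('!' ends a stanza)."""
    stanzas, cur = [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"nameif": None, "ip": False, "shutdown": False}
            stanzas.append(cur)
        elif line == "!":
            cur = None
        elif cur is not None:
            if line.startswith("nameif "):
                cur["nameif"] = line.split()[1]
            cur["ip"] |= line.startswith("ip address ")   # "no ip address" does not match
            cur["shutdown"] |= line == "shutdown"         # "no shutdown" does not match
    return {s["nameif"]: s for s in stanzas if s["nameif"]}

def check_l2l(cfg):
    """Return a list of findings; an empty list means none of the checks fired."""
    found, ifs = [], interfaces(cfg)
    for name in ("inside", "outside"):
        i = ifs.get(name)
        if i is None or not i["ip"] or i["shutdown"]:
            found.append(f"{name}: interface missing, without IP address, or shut down")
    def need(kind, pattern, defined, msg):
        # Every value referenced by a crypto map entry must be defined elsewhere.
        for v in sorted(set(re.findall(pattern, cfg, re.M))):
            if not re.search(defined.format(re.escape(v)), cfg, re.M):
                found.append(f"{kind} {v}: {msg}")
    need("crypto map", r"^crypto map (\S+) \d+ ", r"^crypto map {} interface \S+", "not applied to an interface")
    need("crypto ACL", r"^crypto map \S+ \d+ match address (\S+)", r"^access-list {} ", "not defined")
    need("peer", r"^crypto map \S+ \d+ set peer (\S+)", r"^tunnel-group {} type ipsec-l2l", "no ipsec-l2l tunnel-group")
    return found

# Constructed sample: the situation in this thread, an outside interface only.
BROKEN = """\
interface GigabitEthernet0
 nameif outside
 ip address 192.0.2.1 255.255.255.0
!
access-list VPN-to-Remote extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map out_map 10 match address VPN-to-Remote
crypto map out_map 10 set peer 192.0.2.2
crypto map out_map interface outside
tunnel-group 192.0.2.2 type ipsec-l2l
"""
# Constructed sample: the same config with an inside interface added.
FIXED = BROKEN + "interface GigabitEthernet1\n nameif inside\n ip address 10.1.0.1 255.255.255.0\n!\n"
```

An empty result only means these static checks passed; as the replies note, the tunnel still needs traffic toward the remote LAN before show crypto isakmp sa lists an SA.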