ashah

ASA 5510 Tunnel

Hello All. I am not an ASA expert but I have configured them a few times. I have a vision of a task I have to complete but I am not sure if it is practical or how to go about doing it.

We have two locations, Location A and Location B. Both locations have a 100MB internet connection.

Location A has an ASA 5510. Location B has a 5505.

Users at both locations access the internet via their respective ASA.

Location A is the headquarters and Location B is a disaster recovery site.

We want to set up a tunnel between both ASAs. This tunnel will be used to replicate data between the two locations for DR purposes. We need the users to still use the same pipe to get to the internet but want to allocate 10MB for internet use and the remaining 90MB for the DR tunnel.

Can this be done? Any help would be appreciated. Thanks.


OK, I went through the tunnel setup and I think I must have missed something. The two ASAs cannot ping each other and when I do "show isakmp sa" or "show ipsec sa" it shows nothing. I already did "write mem" too.

Hello Asif,

Yes, the tunnels are not up

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

So how do I get the tunnel up then? I even changed the pre-shared key to something simple but that didn't help either. I think I may have messed up on the IP addresses in the access list. Can you help?

Hello Asif,

We are here to help but man you are looking for an entire configuration from scratch.....

I have provided you the tools to make this work already.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry to be such a bother but I went through the steps again and I'm still getting the same error. I looked through the Cisco link you provided and compared it with the other link. The Cisco link has the same steps except it also does a nonat on the access-list. Is that required?

I also noticed that my location A ASA does not have "global (outside) 1 interface" but my location B does. Can I add that to location A without issue?

Thanks.

Hello Asif,

Yes, the nonat configuration is required; remember that the whole purpose of a VPN is to look local to your partner.

Regards,

Julio Carvajal

Security Team

Cisco TAC Engineer

Phone: 1-407 241-2965 Ext:  4630

Email:  jcarvaja@cisco.com

Monday through Friday from 10:00am to 7:00pm MT

Cisco Worldwide Contact link is below for further reference.

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, I have the nonat access list and nat (inside) 0 access-list nonat in the 5505 but my 5510 has 8.3(2) IOS. I got the nonat access-list in but I'm not sure how to add the nat (inside) 0 access-list nonat.

Hello Asif,

On 8.3 there is no concept of nonat access list.

You will need to use a destination or twice nat rule.

So you need to create 2 object networks, one making reference to the local subnet and the other one to the destination.

Finally create the nat

nat (inside,outside) source static inside_subnet inside_subnet destination static remote_subnet remote_subnet

Any other question? Sure. Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
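Written out as an added example (not the thread's own configs, which were sent by email): the 8.3-style NAT exemption Julio describes, for the 5510 at Location A, next to the pre-8.3 "nat (inside) 0" form mentioned for the 5505 at Location B. The subnets (10.1.1.0/24 at A, 10.2.2.0/24 at B), object names and interface names are assumptions; everything else is standard ASA syntax.

```cisco
! ---- Location A, ASA 5510 running 8.3(2): NAT exemption via twice NAT ----
! Two object networks: one for the local LAN, one for the remote LAN.
object network LOCAL_LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.2.2.0 255.255.255.0
!
! Identity (static-to-self) twice NAT: traffic from LOCAL_LAN to REMOTE_LAN
! keeps its real addresses in both directions, so it matches the crypto ACL
! instead of being PATed behind the outside interface.
! no-proxy-arp and route-lookup avoid the ASA answering ARP for the remote
! subnet and make it route by the routing table rather than the NAT rule.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! Crypto ACL ("interesting traffic") must mirror the remote side exactly.
access-list VPN_TO_B extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Phase 1 must be enabled on the interface the peer reaches (per the reply
! later in this thread); on 8.3 the keyword is still isakmp.
crypto isakmp enable outside

! ---- Location B, ASA 5505 on a pre-8.3 release: classic nonat exemption ----
! Same pair of subnets, written from B's point of view.
access-list nonat extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Crypto ACL on B is the mirror image of the one on A.
access-list VPN_TO_A extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto isakmp enable outside

! ---- Verification on either box (run after traffic has been sent across) ----
! packet-tracer shows which NAT rule a LAN-to-LAN packet hits and whether
! it reaches the VPN phase; a hit on the interface PAT rule means the
! exemption is wrong or ordered after the dynamic rule.
packet-tracer input inside tcp 10.1.1.10 1024 10.2.2.10 445
show nat
show crypto isakmp sa
show crypto ipsec sa
```

If "show crypto isakmp sa" stays empty after a ping, nothing has attempted phase 1 yet: check the crypto ACL and NAT first, because traffic that is translated or not matched never triggers the tunnel.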

This is so frustrating. I created the two object networks and the nat and I still can't ping or get results by doing show ipsec sa or show isakmp sa. Can I post my configs for you to look at?

Hello Asif,

Sure.

Provide the following

Running config of both ASAs and the subnets that should talk to each other....

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Can I email them to you so my configs are not posted here for the world to see?

Yes,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I sent you an email. Thanks.

Did you get a chance to look through the configs?

On Site B

Can you enable isakmp on the outside interface?

crypto isakmp enable outside

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC