10-04-2012 09:00 AM - edited 03-11-2019 05:04 PM
Hello All. I am not an ASA expert but I have configured them a few times. I have a vision of a task I have to complete but not sure if it is practical or how to go about doing it.
We have two locations, Location A and Location B. Both locations have a 100MB internet connection.
Location A has an ASA 5510. Location B has a 5505.
Users at both locations access the internet via their respective ASA.
Location A is the headquarters and Location B is a disaster recovery site.
We want to setup a tunnel between both ASAs. This tunnel will be used to replicate data between the two locations for DR purposes. We need the users to still use the same pipe to get to the internet but want to allocate 10MB for internet use and the remaining 90MB for the DR tunnel.
Can this be done? Any help would be appreciated. Thanks.
10-12-2012 12:02 PM
OK, I went through the tunnel setup and I think I must have missed something. The two ASAs cannot ping each other and when I do "show isakmp sa" or "show ipsec sa" it shows nothing. I already did "write mem" too.
10-12-2012 10:20 PM
Hello Asif,
Yes, the tunnels are not up
Regards,
10-13-2012 09:03 AM
So how do I get the tunnel up then? I even changed the pre-shared key to something simple but that didn't help either. I think I may have messed up on the IP addresses in the access list. Can you help?
10-13-2012 10:00 AM
Hello Asif,
We are here to help but man you are looking for an entire configuration from scratch.....
I have provide you the tools to make this work already,
10-15-2012 10:37 AM
Sorry to be such a bother but I went through the steps again and I'm still getting the same error. I looked through the Cisco link you provided and compared it with the other link. The Cisco link has the same steps except it also does a nonat on the access-list. Is that required?
I also noticed that my location A ASA does not have "global (outside) 1 interface" but my location B does. Can I add that to location A without issue?
Thanks.
10-15-2012 10:57 AM
Hello Asif,
Yes, the Nonat configuration is required as remember that the whole purpose for a VPN is to look locally to your partner.
Regards,
Julio Carvajal
Security Team
Cisco TAC Engineer
Phone: 1-407 241-2965 Ext: 4630
Email: jcarvaja@cisco.com
Monday through Friday from 10:00am to 7:00pm MT
Cisco Worldwide Contact link is below for further reference.
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
10-15-2012 01:20 PM
OK I have the nonat access list and nat (inside) 0 access-list nonat in the 5505 but my 5510 has 8.3(2) IOS. I got the nonat access list in but not sure how to add the nat (inside) 0 access-list nonat.
10-15-2012 01:26 PM
Hello Asif,
On 8.3 there is no concept of nonat access list.
You will need to use a destination or twice nat rule.
So you need to create 2 object networks, one making reference to the local subnet and the other one to the destination.
Finally create the nat
nat (inside,outside) source static inside_subnet inside_subnet destination static remote_subnet remote_subnet.
Any other question..Sure..Just remember to rate all of my answers.
Julio
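The NAT exemption described in the reply above, written out as an added example (it is not configuration from this thread or from Cisco); the subnets and interface names are constructed placeholders, and the pre-8.3 form used on the 5505 is shown beside the 8.3 twice NAT form for the 5510.

```cisco
! Added example: identity (NAT-exempt) rule so site-to-site VPN traffic
! keeps its real addresses and matches the crypto ACL.
! Subnets below are constructed placeholders; substitute the real ones.
!
! --- ASA 8.3 and later (the 5510 in this thread) ---
object network inside_subnet
 subnet 192.168.10.0 255.255.255.0
object network remote_subnet
 subnet 192.168.20.0 255.255.255.0
!
! Manual (twice) NAT: source and destination are translated to themselves.
! Manual rules are evaluated before object (auto) NAT, so this wins over
! the interface PAT rule that sends ordinary user traffic to the internet.
nat (inside,outside) source static inside_subnet inside_subnet destination static remote_subnet remote_subnet
!
! --- ASA 8.2 and earlier (the 5505 in this thread) ---
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! ISAKMP must be enabled on the interface that terminates the tunnel,
! otherwise phase 1 never starts and "show isakmp sa" stays empty.
crypto isakmp enable outside
!
! Verification (run from enable mode, not part of the config):
!   show run nat
!   packet-tracer input inside icmp 192.168.10.5 8 0 192.168.20.5
!   show isakmp sa
!   show ipsec sa
```

The packet-tracer output should show the NAT phase leaving the source address untranslated and a VPN phase matching the crypto map; if it is translated to the outside interface address instead, the exemption rule is not being hit.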
10-16-2012 07:49 AM
This is so frustrating. I created the two object networks and the nat and I still can't ping or get results by doing show ipsec sa or show isakmp sa. Can I post my configs for you to look at?
10-16-2012 08:16 AM
Hello Asif,
Sure.
Provide the following
Running config of both ASA's and the subnets that should talk to each other....
Regards,
Julio
10-16-2012 08:20 AM
Can I email them to you so my configs are not posted here for the world to see?
10-16-2012 08:21 AM
Yes,
10-16-2012 10:51 AM
I sent you an email. Thanks.
10-17-2012 07:29 AM
Did you get a chance to look through the configs?
10-17-2012 07:53 AM
On Site B
Can you enable isakmp on the outside interface
crypto isakmp enable outside