Hello All. I am not an ASA expert but I have configured them a few times. I have a vision of a task I have to complete but not sure if it is practical or how to go about doing it.
We have two locations, Location A and Location B. Both locations have a 100MB internet connection.
Location A has an ASA 5510. Location B has a 5505.
Users at both locations access the internet via their respective ASA.
Location A is the headquarters and Location B is a disaster recovery site.
We want to set up a tunnel between both ASAs. This tunnel will be used to replicate data between the two locations for DR purposes. We need the users to still use the same pipe to get to the internet but want to allocate 10MB for internet use and the remaining 90MB for the DR tunnel.
Can this be done? Any help would be appreciated. Thanks.
OK, I went through the tunnel setup and I think I must have missed something. The two ASAs cannot ping each other and when I do "show isakmp sa" or "show ipsec sa" it shows nothing. I already did "write mem" too.
So how do I get the tunnel up then? I even changed the pre-shared key to something simple but that didn't help either. I think I may have messed up on the IP addresses in the access list. Can you help?
We are here to help but man you are looking for an entire configuration from scratch.....
I have provided you the tools to make this work already.
Sorry to be such a bother but I went through the steps again and I'm still getting the same error. I looked through the Cisco link you provided and compared it with the other link. The Cisco link has the same steps except it also does a nonat on the access-list. Is that required?
I also noticed that my location A ASA does not have "global (outside) 1 interface" but my location B does. Can I add that to location A without issue?
Yes, the Nonat configuration is required as remember that the whole purpose for a VPN is to look locally to your partner.
Cisco TAC Engineer
Phone: 1-407 241-2965 Ext: 4630
Monday through Friday from 10:00am to 7:00pm MT
Cisco Worldwide Contact link is below for further reference.
OK, I have the nonat access list and "nat (inside) 0 access-list nonat" in the 5505, but my 5510 has 8.3(2) IOS. I got the nonat access list in but not sure how to add the "nat (inside) 0 access-list nonat".
On 8.3 there is no concept of nonat access list.
You will need to use a destination or twice nat rule.
So you need to create 2 object networks, one making reference to the local subnet and the other one to the destination.
Finally create the nat
nat (inside,outside) source static inside_subnet inside_subnet destination static remote_subnet remote_subnet.
Any other question..Sure..Just remember to rate all of my answers.
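As an added illustration of the 8.3 identity (twice) NAT described above, together with the pre-8.3 equivalent the 5505 side uses, this is not the poster's own config. It assumes constructed subnets (Site A inside 10.1.1.0/24, Site B inside 10.2.2.0/24) and object and ACL names of my choosing.

```cisco
! --- Location A (ASA 5510, 8.3+): NAT exemption for the DR tunnel ---
! Assumed subnets (constructed): Site A inside 10.1.1.0/24, Site B inside 10.2.2.0/24
object network SITEA-LAN
 subnet 10.1.1.0 255.255.255.0
 ! 8.3 replacement for the pre-8.3 "global (outside) 1 interface" (section 2, object NAT):
 ! general internet traffic is PATed to the outside interface address
 nat (inside,outside) dynamic interface
object network SITEB-LAN
 subnet 10.2.2.0 255.255.255.0
!
! Manual NAT (section 1) is evaluated before object NAT, so this identity rule
! wins over the dynamic PAT for traffic headed to the remote site.
nat (inside,outside) source static SITEA-LAN SITEA-LAN destination static SITEB-LAN SITEB-LAN
!
! Crypto ACL (assumed name): it must select exactly the same subnets as the exemption
access-list VPN-TO-SITEB extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! --- Location B (ASA 5505, pre-8.3): the equivalent exemption ---
access-list nonat extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! --- Verification (either side) ---
! show nat
!   the exemption rule should be listed and its translate_hits/untranslate_hits
!   should increase as inside hosts talk to the remote subnet
! packet-tracer input inside icmp 10.1.1.10 8 0 10.2.2.10
!   walks a simulated echo request through the box; the NAT phase should show the
!   identity rule and the VPN phase the tunnel, and a DROP names the failing phase
! ping inside 10.2.2.10
!   a plain "ping" from the CLI is sourced from the outside interface and never
!   matches the crypto ACL, so it will not bring the tunnel up; source it from inside
! show crypto isakmp sa
!   Phase 1 shows MM_ACTIVE only after interesting traffic has been sent
! show crypto ipsec sa
!   #pkts encaps/#pkts decaps should rise while the tunnel carries traffic
```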
This is so frustrating. I created the two object networks and the nat and I still can't ping or get results by doing show ipsec sa or show isakmp sa. Can I post my configs for you to look at?
Provide the following
Running config of both ASAs and the subnets that should talk to each other....
On Site B
Can you enable isakmp on the outside interface
crypto isakmp enable outside