01-16-2017 05:43 AM - edited 03-12-2019 01:47 AM
Dear All,
I have a new ASA 5506-X and I need to configure a site-to-site VPN. Do I need to configure the Firepower services first (is it necessary?) in order to configure the VPN?
Regards
01-16-2017 06:12 AM
No, FirePOWER is completely unrelated to VPN. All VPN-stuff is configured directly on the ASA itself.
01-16-2017 08:25 AM
Thanks, one more query: I am going to establish a site-to-site VPN between two remote sites through ASDM. All I need is to access an FTP server on the other site. Do I need to allow the FTP service, or once I have successfully created VPN connectivity can I access the FTP etc.?
Regards
01-16-2017 08:47 AM
By default all traffic inside the VPN is allowed. But optionally you can filter the traffic inside the VPN.
01-17-2017 11:47 PM
01-18-2017 03:11 AM
That's quite a basic setup ...
1) How do you ping? That should be done from an internal device on the left to an internal device on the right, and not from the ASA.
2) After pinging, go in ASDM to Monitoring -> VPN and look if there is a site-to-site VPN visible. (On the CLI the command is "show vpn-sessiondb detail l2l".)
01-18-2017 03:43 AM
I would appreciate it if you could help me out. The last time I configured an ASA was 4 years ago, so I am kind of lost at the moment. If you see the diagram of the firewalls, I can ping the outside interface of the other FW, but I cannot reach the PC behind the FW.
FW B can ping 10.10.10.1 (outside of FW A) but cannot ping 192.168.1.10 (PC).
FW A can ping 10.10.10.2 (outside of FW B) but cannot ping 172.16.1.10 (PC).
No, the VPN isn't visible, I can't see any sessions, and there is also no result on the CLI :((
01-18-2017 03:48 AM
Don't ping from the ASA, ping from the PC (make sure the Windows-firewall is disabled).
And in this particular setup, both ASAs need a route to the remote network pointing to the other FW.
01-18-2017 03:55 AM
Yes, that's my other question: do I need a static route? Because I am establishing a VPN, do I still need a route?
01-18-2017 03:58 AM
The VPN can only kick in when the traffic is routed to the outside interface. For that you need the route.
01-18-2017 04:05 AM
I need a route because I am testing the VPN with private IPs?
Once I connect through the internet I don't need a route, right? I mean, if I have 2 public IPs and I am going to use them as peers for the FWs, then I won't need to define any routes?
01-18-2017 04:31 AM
You always need a route, but when connected to the internet, the default route also covers the traffic to the remote VPN destination.
01-18-2017 04:39 AM
But if I use a static route to the remote network, then will I be able to ping the other side through the route and not through the VPN?
01-18-2017 04:45 AM
It depends: only when the remote device allows the traffic in without a VPN, which wouldn't be the default.
For a realistic scenario you would place a router between the ASAs, and this router only knows the external networks.
01-18-2017 06:48 AM
So in my scenario I will define a static route on the FW like:
route outside 172.16.1.0 255.255.255.0 10.10.10.2 (remote PC network / next-hop IP)