01-07-2008 01:08 PM - edited 03-11-2019 04:44 AM
Trying to set up an L2L lab for 2x ASA 5510. The ASAs' outside interfaces are connected with a crossover cable. I can ping on both sides. Would it be possible to get an L2L VPN working using this setup without routers?
ASA1 outside - 1.1.1.1/30
inside - 172.16.1.1/24
ASA2 outside - 1.1.1.2/30
inside - 192.168.1.0/24
thanks in advance...
01-07-2008 01:16 PM
Hi
Yes, you can do this. You don't need routers to be able to configure an L2L VPN, as any routers in between only route the IPSEC packets as normal IP traffic and do nothing special to them.
Jon
01-07-2008 02:01 PM
thanks for your reply ...
Not sure why I can't establish the tunnel. I verified everything on both sides and it all seems correct. Running ver 8.0(3).
Enabled debug crypto isakmp 255 and debug crypto ipsec 255; terminal mon is on ... no debug output so far.
01-07-2008 02:03 PM
Can you post configs?
01-07-2008 02:12 PM
01-07-2008 02:19 PM
Hi
Config looks okay - what are the source IP address and destination IP address you are using?
Jon
01-07-2008 02:21 PM
Host A - 10.10.1.15/24
Host B - 192.168.2.15/24
Host A can ping/SSH to ASA A.
Host B can ping/SSH to ASA B.
I did clear xlate on both sides...
01-07-2008 04:02 PM
I see no routing enabled on your devices, and no NAT either.
You have a nat0 ACL, but it's not applied to anything.
01-08-2008 07:32 AM
ASA1-ASA2 is directly connected with crossover cable.
C 127.0.0.0 255.255.0.0 is directly connected, cplane
C 10.10.1.0 255.255.255.0 is directly connected, inside
C 65.1.1.0 255.255.255.192 is directly connected, outside
++++++++++++++++++++++++++++++++++++++++++
I added these lines on both ASAs, except the access-list inside_nat0_outbound will be in reverse order...
access-list outside extended permit icmp any any
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
Still not working ... please advise.
thanks ...
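The thread never shows the crypto side of the configuration, and the routing table posted above contains only connected routes. For reference, here is a complete ASA 8.0-style L2L configuration for ASA1 in this crossover-cable topology. It is an added example, not the poster's config: interface names, the inside gateway addresses, the transform-set and crypto-map names, and the pre-shared key are assumptions; the outside /30 addresses are taken from the first post and the LAN subnets from the nat0 ACL above. The one line worth calling out is the route: without a route that sends 192.168.2.0/24 out the outside interface, an inside packet for that subnet has no egress interface, never reaches the crypto map, and ISAKMP is never triggered, which matches the "no debug output" symptom.

```cisco
! ASA1 (added example; names, inside gateway and the key are assumptions)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
! Route the remote LAN out the outside interface. With only connected
! routes, traffic for 192.168.2.0/24 is dropped before crypto is consulted.
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
!
! Interesting traffic for the tunnel; the same match is used for NAT exemption
access-list outside_cryptomap extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Phase 1 (ISAKMP / IKEv1) on the outside interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec); crypto map bound to the interface facing the peer
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 1.1.1.2
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
! Peer definition; the key must be identical on ASA2 (placeholder value)
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! ASA2 is the mirror image: outside 1.1.1.2/30, inside 192.168.2.1/24,
! route outside 0.0.0.0 0.0.0.0 1.1.1.1, both ACLs with the subnets swapped,
! set peer 1.1.1.1 and tunnel-group 1.1.1.1.
```

To check it, generate interesting traffic from Host A and then run `show crypto isakmp sa` (expect a peer entry in state MM_ACTIVE) and `show crypto ipsec sa` (expect non-zero encaps/decaps counters). `packet-tracer input inside tcp 10.10.1.15 1234 192.168.2.15 22` walks the ASA's own pipeline and will show a ROUTE-LOOKUP drop when the route is missing and a VPN phase when the crypto map is matched, which is a faster way to locate the failing stage than waiting for debug output.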
01-09-2008 01:05 PM
This is resolved, I fixed it.
01-09-2008 02:16 PM
Congrats, but how? What was the problem?
01-09-2008 02:36 PM
My first question was "to test ASA to ASA w/out an L3 router".
Well, I tried to figure out if that would work using a crossover cable from outside to outside interface. Same subnet on both sides. I can ping bidirectionally just fine.
But my tunnel can't establish using this setup.
So I put an L3 router on both sides via an Async interface with PPP on it. This is a LAB environment for this time.
And from there my TUNNEL works.
Actually, I haven't tried testing PIX or ASA without an L3 router before.
So I went to its normal setup to make it work in my LAB.
However, I would really appreciate it if someone has experience testing PIXes or ASAs without an L3 router.
Thanks ...