pix-to-pix or asa-to-asa Test Lab

Gerard Gacusan
Level 1

Trying to set up a L2L lab for 2x ASA 5510. The ASAs' outside interfaces are connected with a crossover cable. I can ping on both sides. Would it be possible to get a L2L VPN working using this setup without routers?

ASA1 outside - 1.1.1.1/30

inside - 172.16.1.1/24

ASA2 outside - 1.1.1.2/30

inside - 192.168.1.0/24

thanks in advance...

11 Replies

Jon Marshall
Hall of Fame

Hi

Yes, you can do this. You don't need routers to be able to configure a L2L VPN, as any routers in between only route the IPsec packets as normal IP traffic and do nothing special to them.

Jon

Thanks for your reply ...

Not sure why I can't establish the tunnel; I verified everything on both sides and it all seems correct. Running version 8.0(3).

Enabled debug crypto isakmp 255 and debug crypto ipsec 255, terminal mon is on ... no debug output so far.

Can you post configs?

Here's the config on both ASAs. Thanks for asking ...

Hi

Config looks okay - what are the source IP address and destination IP address you are using?

Jon

Host A - 10.10.1.15/24

Host B - 192.168.2.15/24

Host A can ping/SSH to ASA A.

Host B can ping/SSH to ASA B.

I did clear xlate on both sides...

I see no routing enabled on your devices, and no NAT either.

You have a nat0 ACL, but it's not applied to anything.

ASA1-ASA2 are directly connected with a crossover cable.

C 127.0.0.0 255.255.0.0 is directly connected, cplane

C 10.10.1.0 255.255.255.0 is directly connected, inside

C 65.1.1.0 255.255.255.192 is directly connected, outside

++++++++++++++++++++++++++++++++++++++++++

I added these lines on both ASAs, except that the access-list inside_nat0_outbound entry is in reverse order on the other side...

access-list outside extended permit icmp any any

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside in interface outside

access-list inside_nat0_outbound extended permit ip 10.10.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Still not working ... please advise.

Thanks ...

This is resolved, I fixed it.

Congrats, but how? What was the problem?

My first question was "to test ASA to ASA without a L3 router".

Well, I tried to figure out if that would work using a crossover cable from outside to outside interface, same subnet on both sides. I can ping bidirectionally just fine.

But my tunnel can't establish using this setup.

So I put a L3 router on both sides, via an async interface with PPP on it. This is a LAB environment for now.

And from there my TUNNEL works.

Actually, I haven't tried testing a PIX or ASA without a L3 router before.

So I went back to the normal setup to make it work in my LAB.

However, I would really appreciate it if someone has experience testing PIXes or ASAs without a L3 router.

Thanks ...
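None of the posts above show the crypto side of the configuration, which is what actually builds the tunnel. The following is an added example, not taken from any post in this thread: a minimal ASA 8.0-style L2L configuration for ASA1 using the addressing from the original question, with the nat0 ACL actually applied. ASA2 mirrors it with the networks and peer address swapped. Interface names, ACL and map names, policy numbers and the pre-shared key are placeholders chosen for this example.

```cisco
! ASA1 (outside 1.1.1.1/30, inside 172.16.1.0/24), peer ASA2 at 1.1.1.2
! Names, policy numbers and the key below are example placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
! Interesting traffic: what gets encrypted, and the same pair exempted from NAT.
! Without "nat (inside) 0 ..." the nat0 ACL does nothing, as noted in the thread.
access-list L2L_TRAFFIC extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Phase 1 (ISAKMP). It must be enabled on the outside interface, otherwise
! nothing is negotiated and "debug crypto isakmp" stays silent.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec) and the crypto map bound to the outside interface.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 1.1.1.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! Peer authentication. Replace the placeholder with a strong shared secret
! that is identical on both ASAs.
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_SECRET
!
! Verification after sending inside-to-inside traffic:
!   show crypto isakmp sa   -> expect state MM_ACTIVE for peer 1.1.1.2
!   show crypto ipsec sa    -> expect the #pkts encaps/decaps counters to increase
```

The tunnel is only negotiated once traffic matching L2L_TRAFFIC reaches the crypto map, so test with a ping from a host on one inside network to a host on the other rather than from the ASA itself.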
