02-27-2009 08:35 AM - edited 03-11-2019 07:58 AM
I have two ASA devices: a 5505 and a 5520. I'm attempting to configure a simple site-to-site VPN tunnel between the two and so far haven't had any luck. I'm a bit of a novice with this, so I was hoping the config files I've attached may provide some insight into what I'm missing.
The 'philly' side has an internal IP range of 192.168.60.x and is using the 5505.
The 'dc' side has an internal IP range of 10.10.50.x and is using the 5520.
All I want to do is to be able to get from one side to the other and vice versa.
Thanks in advance!
02-27-2009 08:41 AM
This should help.
dc.
access-list nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nat0
philly.
access-list nat0 extended permit ip 192.168.60.0 255.255.255.0 10.10.50.0 255.255.255.0
nat (inside) 0 access-list nat0
02-27-2009 09:08 AM
02-27-2009 09:20 AM
Add this to both..
crypto isakmp enable outside
02-27-2009 11:04 AM
Magic!
That did it. I have no idea what that command did, but obviously it works. Will look up the details immediately.
You the man.
Thanks.
03-02-2009 04:46 AM
Dear cavemanbobby,
Can you post the ASA 5520 configuration file (vpn)?
Thanks
03-02-2009 07:30 AM
03-02-2009 08:45 AM
Thanks caveman,
I have another question: do you know how to do a "backup route" on an ASA 5520?
03-02-2009 09:01 AM
I've not done one myself. But here is a pretty good link on how to:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/b_72.html#wp1337316
03-02-2009 09:04 AM
But this example is for the ASA 5505; I can't do VLANs on a 5520.
Any other suggestion?
03-02-2009 08:52 PM
You are missing the "ISAKMP enable outside" command on both devices. The crypto map is applied to the outside interface but ISAKMP isn't.
03-03-2009 02:19 AM
Enabling ISAKMP on the Outside Interface
You must enable ISAKMP on the interface that terminates the VPN tunnel. Typically this is the outside, or public, interface.
To enable ISAKMP, enter the following command:
crypto isakmp enable interface-name
For example:
hostname(config)# crypto isakmp enable outside
If you have NAT in the path, enable NAT-T, and be sure the firewall can pass port 500 and protocol ID 50.
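The two mistakes discussed in this thread (a crypto map bound to an interface where ISAKMP was never enabled, and VPN traffic not exempted from NAT with a nat 0 access-list) are both visible in a saved configuration before the tunnel is ever tested. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA 7.x/8.0-style config for the 'dc' side (the attached configs are not reproduced here, so the interface names, the vpn-philly ACL name, the 203.0.113.x / 198.51.100.x peer addresses and the transform set are assumptions; only the two LAN ranges come from the thread) and reports exactly those two gaps.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, not the thread's attached config: the 'dc' side (ASA 5520)
# as described before the accepted fix. The crypto map is bound to 'outside'
# but ISAKMP is never enabled there. Peer and outside addresses are
# documentation ranges; only 10.10.50.0/24 and 192.168.60.0/24 are from the thread.
DC_CONFIG_BEFORE = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.50.1 255.255.255.0
access-list nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list vpn-philly extended permit ip 10.10.50.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address vpn-philly
crypto map outside_map 10 set peer 198.51.100.20
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key *****
"""

Pair = Tuple[str, str]  # (source "net mask", destination "net mask") from one ACE


def check_l2l_config(config: str) -> List[str]:
    """Return human-readable findings for the two mistakes discussed in the thread."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings: List[str] = []

    # Check 1: any interface carrying a crypto map must also have ISAKMP enabled,
    # otherwise phase 1 never starts and the tunnel silently never comes up.
    map_ifaces: Set[str] = set()
    isakmp_ifaces: Set[str] = set()
    for ln in lines:
        m = re.fullmatch(r"crypto map \S+ interface (\S+)", ln)
        if m:
            map_ifaces.add(m.group(1))
        m = re.fullmatch(r"crypto isakmp enable (\S+)", ln)
        if m:
            isakmp_ifaces.add(m.group(1))
    for iface in sorted(map_ifaces - isakmp_ifaces):
        findings.append(
            f"crypto map is applied to '{iface}' but ISAKMP is not enabled there: "
            f"add 'crypto isakmp enable {iface}'"
        )

    # Check 2: every src/dst pair in a crypto ACL must be covered by a nat 0
    # (identity NAT) ACL; otherwise packets are translated before they reach the
    # crypto map and no longer match the interesting-traffic definition.
    aces: Dict[str, List[Pair]] = {}
    crypto_acls: Set[str] = set()
    nat0_acls: Set[str] = set()
    for ln in lines:
        m = re.fullmatch(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)", ln)
        if m:
            aces.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        m = re.fullmatch(r"crypto map \S+ \d+ match address (\S+)", ln)
        if m:
            crypto_acls.add(m.group(1))
        m = re.fullmatch(r"nat \(\S+\) 0 access-list (\S+)", ln)
        if m:
            nat0_acls.add(m.group(1))
    exempt = {pair for name in nat0_acls for pair in aces.get(name, [])}
    if crypto_acls and not nat0_acls:
        findings.append("no 'nat (<iface>) 0 access-list ...' present: VPN traffic will be NATed before encryption")
    for name in sorted(crypto_acls):
        for src, dst in aces.get(name, []):
            if (src, dst) not in exempt:
                findings.append(f"crypto ACL '{name}' pair {src} -> {dst} has no matching nat 0 exemption")
    return findings


def fixed_config(config: str = DC_CONFIG_BEFORE) -> str:
    """Append the accepted answer from the thread to a config."""
    return config + "crypto isakmp enable outside\n"


if __name__ == "__main__":
    for label, cfg in (("before", DC_CONFIG_BEFORE), ("after", fixed_config())):
        print(f"== {label} ==")
        for finding in check_l2l_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against a `show running-config` capture saved to a file by passing the file contents to `check_l2l_config`. The checks are deliberately literal (exact "net mask" pairs, no subnet containment), which is enough to catch a forgotten exemption like the one in this thread; a pair that is covered by a broader nat 0 ACE would still be flagged and has to be confirmed by hand. NAT-T and the port 500 / protocol 50 reachability mentioned above depend on what sits between the peers and are not something a static config check can decide.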