12-27-2018 01:39 AM - edited 02-21-2020 08:36 AM
Hi,
I work on GNS3. We have a centralized ASA 5520, which is siteA,
and we want to create a VPN with siteB.
I created a site-to-site VPN configuration on both ASAs (see attachment).
So I have 2 problems:
1- After I create the VPN configuration I cannot ping from siteA to siteB, although I was able to before.
2- The second problem: the tunnel fails.
siteA(config)# show isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
12-27-2018 01:46 AM - edited 12-27-2018 01:56 AM
In your configuration, both firewalls do not have an inside IP address. Any reason?
Use this link; it will help you set up the site-to-site VPN between two ASAs.
12-27-2018 03:58 AM - edited 12-27-2018 03:59 AM
Hi,
As per your configuration, there is no inside network. You need to configure the inside interface and specify the local and remote subnets that need to communicate. Below is a sample site-to-site configuration.
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address AA.AA.AA.AA BB.BB.BB.BB
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address CC.CC.CC.CC DD.DD.DD.DD
!
object network Local-Subnet
subnet XX.XX.XX.XX
!
object network Remote-Subnet
subnet ZZ.ZZ.ZZ.ZZ
!
access-list VPN-to-Remote extended permit ip object Local-Subnet object Remote-Subnet
!
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet
!
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac
!
crypto map out_map 10 match address VPN-to-Remote
crypto map out_map 10 set pfs
crypto map out_map 10 set peer YY.YY.YY.YY
crypto map out_map 10 set ikev1 transform-set transfrom
crypto map out_map 10 set security-association lifetime seconds 28800
crypto map out_map 10 set security-association lifetime kilobytes 4608000
!
crypto map out_map interface outside
!
tunnel-group YY.YY.YY.YY type ipsec-l2l
tunnel-group YY.YY.YY.YY ipsec-attributes
ikev1 pre-shared-key presharedkey
!
Thanks,
Abheesh
PS: Please don't forget to rate and select as validated answer if this answered your question
12-28-2018 03:23 PM
The VPN will not be established if the LAN interface is not configured and in an "UP" state.
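The prerequisites raised in the replies above (an inside interface that has an address and is not shut down), as an added Python example that is not part of any post in this thread. The sample config, its documentation addresses and the function names are constructed; the check that each crypto map peer has a matching `tunnel-group` mirrors the sample configuration above, where both use the same peer address.

```python
import re

# Constructed sample (documentation addresses, not the poster's attachment).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 nameif inside
 no ip address
!
crypto map out_map 10 set peer 203.0.113.2
tunnel-group 203.0.113.9 type ipsec-l2l
"""

def parse_interfaces(config):
    """Map nameif -> {'ip', 'shutdown'}; a block runs from 'interface' to '!'."""
    named, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            cur = {"ip": None, "shutdown": False}
        elif line == "!":
            cur = None
        elif cur is not None:
            if line.startswith("nameif "):
                named[line.split()[1]] = cur
            elif line.startswith("ip address "):  # "no ip address" does not match
                cur["ip"] = line.split()[2]
            elif line == "shutdown":
                cur["shutdown"] = True
    return named

def check_l2l_prereqs(config):
    """Return findings that would keep the site-to-site tunnel from coming up."""
    findings, ifaces = [], parse_interfaces(config)
    inside = ifaces.get("inside")
    if inside is None:
        findings.append("no interface has 'nameif inside'")
    else:
        if inside["ip"] is None:
            findings.append("inside interface has no IP address")
        if inside["shutdown"]:
            findings.append("inside interface is shutdown")
    # A 'set peer' line may list several peers; each needs its own tunnel-group.
    peers = set(" ".join(re.findall(r"^crypto map \S+ \d+ set peer (.+)$", config, re.M)).split())
    groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))
    findings += [f"peer {p} has no ipsec-l2l tunnel-group" for p in sorted(peers - groups)]
    return findings
```

Run `check_l2l_prereqs()` on the text of `show running-config` from each ASA; an empty list means these prerequisites are met, not that the tunnel is up.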