I have two ASA 5505 firewalls, one at head office and one at a remote warehouse. I want to create an IPsec tunnel so that our remote warehouse can use some apps that have a database component hosted at head office.
I think I've created the links properly (mirrored the settings on both ASAs and reversed the IP addresses where required, quadruple-checked the IKE key, etc.), but my tunnel is not establishing.
At this point, I think what I'm missing is probably obvious and glaring right at me. Would anyone be able to assist? I can provide show run on both devices and other log files as requested.
How are you trying to bring the tunnel up, i.e. the src IP and dst IP would be helpful, together with which protocol/apps, i.e. are you pinging or trying to connect to an application, etc.?
Also, could you run some debugging? So if you are trying to bring up the tunnel from the remote site, on the HQ ASA can you run:
debug crypto isakmp
debug crypto ipsec
and capture the output.
Note that debugging can put a strain on the ASA, so if you can, do this at a quiet time.
After I did this, I rebooted my remote ASA and the tunnel came up!
Now I just need to figure out why I'm getting intermittent connections (Can connect to one server but not another) on both ends.
Please add a route on the head-office ASA to push the traffic to the default gateway address.
Please don't create a name alias for a network or subnet, such as "name 10.0.0.0 Miss-inside-network".
route outside-BELL 126.96.36.199 255.255.255.0 216.x.x.49
Please remove these lines:
access-list Inside_nat0_outbound extended permit ip Inside_Network 255.255.255.0 188.8.131.52 255.255.255.0
access-list outside-BELL_1_cryptomap extended permit ip Inside_Network 255.255.255.0 184.108.40.206 255.255.255.0
Create object groups instead:
object-group network HeadOffic-network
network-object 10.0.0.0 255.255.255.0
object-group network Miss-network
network-object 220.127.116.11 255.255.255.0
access-list Inside_nat0_outbound extended permit ip object-group HeadOffic-network object-group Miss-network
access-list outside-BELL_1_cryptomap extended permit ip object-group HeadOffic-network object-group Miss-network
Now do the same for the Mississauga office.
Your Mississauga neighbor.
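Two things in this thread are easy to get wrong by hand: the crypto-map ACL on one ASA must be the exact mirror (destination/source swapped) of the one on the other, and the NAT-exemption ACL (Inside_nat0_outbound, pre-8.3 style as in the configs above) must cover every interesting-traffic pair, otherwise some hosts get NATed to the outside address before the crypto map sees them, which shows up as "one server works, another doesn't". The script below is an added check written for this reply, not code from the thread or from Cisco: it parses `object-group network` blocks and `access-list ... extended permit ip` lines out of two `show run` captures and reports mirror mismatches and NAT-exemption gaps. The sample configs are constructed; the head-office subnet 10.0.0.0/24 comes from the thread, while the Mississauga subnet 10.1.0.0/24, the ACL names on the Mississauga side, and the deliberate mistakes in MISS_CONFIG_BAD are assumptions for illustration. It only understands the operand forms used here (`object-group`, `host`, `any`, `ip mask`), not `object`/`group-object` nesting or post-8.3 `nat` statements.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]  # (source network, destination network) in CIDR form

# Constructed sample captures (not from the thread). 10.0.0.0/24 is the head-office
# subnet named in the thread; 10.1.0.0/24 for Mississauga is an assumption.
HQ_CONFIG = """
object-group network HeadOffic-network
 network-object 10.0.0.0 255.255.255.0
object-group network Miss-network
 network-object 10.1.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip object-group HeadOffic-network object-group Miss-network
access-list outside-BELL_1_cryptomap extended permit ip object-group HeadOffic-network object-group Miss-network
"""

MISS_CONFIG = """
object-group network Miss-network
 network-object 10.1.0.0 255.255.255.0
object-group network HeadOffic-network
 network-object 10.0.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip object-group Miss-network object-group HeadOffic-network
access-list outside_1_cryptomap extended permit ip object-group Miss-network object-group HeadOffic-network
"""

# Deliberately broken remote side (assumed, for illustration): the HQ group has a typo
# (10.0.1.0 instead of 10.0.0.0) and NAT exemption covers only one HQ host.
MISS_CONFIG_BAD = """
object-group network Miss-network
 network-object 10.1.0.0 255.255.255.0
object-group network HeadOffic-network
 network-object 10.0.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip object-group Miss-network host 10.0.0.10
access-list outside_1_cryptomap extended permit ip object-group Miss-network object-group HeadOffic-network
"""


def _cidr(ip: str, mask: str = "255.255.255.255") -> str:
    """Normalise 'ip mask' (or a bare host) to CIDR text, e.g. 10.0.0.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def parse_object_groups(config: str) -> Dict[str, Set[str]]:
    """Map each 'object-group network NAME' to the set of networks listed under it.
    ASA indents child lines with a space; an unindented line ends the current group."""
    groups: Dict[str, Set[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            m = re.match(r"object-group network (\S+)$", line)
            current = m.group(1) if m else None
            if current:
                groups.setdefault(current, set())
            continue
        m = re.match(r"network-object (?:host (\S+)|(\S+) (\S+))$", line)
        if m and current is not None:
            host, ip, mask = m.groups()
            groups[current].add(_cidr(host) if host else _cidr(ip, mask))
    return groups


def _operand(tokens: List[str], i: int, groups: Dict[str, Set[str]]) -> Tuple[Set[str], int]:
    """Decode one address operand starting at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok == "any":
        return {"0.0.0.0/0"}, i + 1
    if tok == "host":
        return {_cidr(tokens[i + 1])}, i + 2
    if tok == "object-group":
        name = tokens[i + 1]
        if name not in groups:
            raise ValueError(f"ACL references undefined object-group {name}")
        return set(groups[name]), i + 2
    return {_cidr(tok, tokens[i + 1])}, i + 2


def parse_acl(config: str, acl_name: str, groups: Dict[str, Set[str]]) -> Set[Pair]:
    """Expand every 'permit ip SRC DST' entry of one ACL into (src, dst) network pairs."""
    pairs: Set[Pair] = set()
    entry = re.compile(rf"access-list {re.escape(acl_name)} extended permit ip (.+)$")
    for raw in config.splitlines():
        m = entry.match(raw.strip())
        if not m:
            continue
        tokens = m.group(1).split()
        srcs, i = _operand(tokens, 0, groups)
        dsts, _ = _operand(tokens, i, groups)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def mirror_mismatch(local: Set[Pair], remote: Set[Pair]) -> Tuple[Set[Pair], Set[Pair]]:
    """Pairs on each side whose reversed (dst, src) form is missing from the other side."""
    local_only = {p for p in local if (p[1], p[0]) not in remote}
    remote_only = {p for p in remote if (p[1], p[0]) not in local}
    return local_only, remote_only


def nat_exempt_gaps(crypto: Set[Pair], nat0: Set[Pair]) -> Set[Pair]:
    """Interesting-traffic pairs not fully covered by a NAT-exemption pair (they would be NATed first)."""
    def covered(pair: Pair) -> bool:
        s, d = ipaddress.ip_network(pair[0]), ipaddress.ip_network(pair[1])
        return any(s.subnet_of(ipaddress.ip_network(bs)) and d.subnet_of(ipaddress.ip_network(bd))
                   for bs, bd in nat0)
    return {p for p in crypto if not covered(p)}


def check_sites(local_cfg: str, local_crypto: str, local_nat0: str,
                remote_cfg: str, remote_crypto: str, remote_nat0: str) -> Dict[str, Set[Pair]]:
    """Run both checks across a site pair; every set in the result should be empty."""
    lg, rg = parse_object_groups(local_cfg), parse_object_groups(remote_cfg)
    lc, rc = parse_acl(local_cfg, local_crypto, lg), parse_acl(remote_cfg, remote_crypto, rg)
    local_only, remote_only = mirror_mismatch(lc, rc)
    return {
        "local_crypto_not_mirrored": local_only,
        "remote_crypto_not_mirrored": remote_only,
        "local_nat0_gaps": nat_exempt_gaps(lc, parse_acl(local_cfg, local_nat0, lg)),
        "remote_nat0_gaps": nat_exempt_gaps(rc, parse_acl(remote_cfg, remote_nat0, rg)),
    }


if __name__ == "__main__":
    for label, remote in (("good", MISS_CONFIG), ("bad", MISS_CONFIG_BAD)):
        findings = check_sites(HQ_CONFIG, "outside-BELL_1_cryptomap", "Inside_nat0_outbound",
                               remote, "outside_1_cryptomap", "Inside_nat0_outbound")
        print(label, {k: sorted(v) for k, v in findings.items() if v} or "OK")
```

Paste the real `show run` output of each ASA into the two config strings (or read them from files) and give it the crypto-map and nat0 ACL names from `show run crypto map` and `show run nat`; a non-empty set points at the exact network pair that is missing or asymmetric on one side.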