01-16-2015 05:39 AM - edited 03-05-2019 12:34 AM
Hi All...
I have two ASA 5505 firewalls, one at head office and one at a remote warehouse. I want to create an IPsec tunnel so that our remote warehouse can use some apps that have a database component hosted at head office.
I think I've created the links properly (mirrored the settings on both ASAs and reversed the IP addresses where required, quadruple checked the IKE key, etc.) but my tunnel is not establishing.
At this point, I think what I'm missing is probably obvious and glaring right at me. Would anyone be able to assist? I can provide show run on both devices and other log files as requested.
Regards
Rob
01-16-2015 06:02 AM
hi,
are the two ASAs able to ping each other's WAN IP?
could you post a sanitized ipsec S2S VPN config?
01-16-2015 06:48 AM
01-16-2015 08:17 AM
Rob
How are you trying to bring the tunnel up, i.e.
src IP and dst IP would be helpful together with which protocol/apps, i.e. are you pinging or trying to connect to an application etc.
Also could you run some debugging. So if you are trying to bring up the tunnel from the remote site on the HQ ASA can you run -
debug crypto isakmp
and
debug crypto ipsec
and capture the output.
Note debugging can put a strain on the ASA so if you can do this at a quiet time.
Jon
01-16-2015 08:44 AM
Hi,
Try to change your HQ crypto map peer IP. It's different from what's configured as the remote ASA outside IP.
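A quick way to catch exactly this kind of mismatch before touching either device, as an added example (not from the thread and not a Cisco tool): a Python check over two saved "show run" outputs that verifies each side's crypto map peer is an interface address on the other ASA and that the two crypto ACLs are mirror images. The configs, map/ACL names and addresses below are constructed placeholders.

```python
import re

# Constructed sample configs (placeholder addresses, not the thread's devices).
# HQ's crypto map points at 198.51.100.10 while the remote outside interface
# is 198.51.100.11: the kind of mismatch the accepted answer identified.
HQ_CONFIG = """
interface Vlan2
 ip address 203.0.113.49 255.255.255.240
access-list outside-BELL_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 11.0.0.0 255.255.255.0
crypto map outside-BELL_map 1 match address outside-BELL_1_cryptomap
crypto map outside-BELL_map 1 set peer 198.51.100.10
"""
REMOTE_CONFIG = """
interface Vlan2
 ip address 198.51.100.11 255.255.255.248
access-list outside_1_cryptomap extended permit ip 11.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.49
"""

IFACE_IP = re.compile(r"^\s*ip address (\S+) \S+", re.M)
SET_PEER = re.compile(r"^crypto map \S+ \d+ set peer (\S+)", re.M)
MATCH_ACL = re.compile(r"^crypto map \S+ \d+ match address (\S+)", re.M)

def interface_ips(config):
    # Addresses configured on interfaces: the only valid tunnel endpoints.
    return set(IFACE_IP.findall(config))

def crypto_peers(config):
    # Peer addresses referenced by crypto map entries.
    return set(SET_PEER.findall(config))

def crypto_acl_flows(config):
    # (src, dst) network pairs from every ACL that a crypto map matches on.
    flows = set()
    for acl in MATCH_ACL.findall(config):
        ace = re.compile(r"^access-list %s extended permit ip (\S+ \S+) (\S+ \S+)" % re.escape(acl), re.M)
        flows.update(ace.findall(config))
    return flows

def check_tunnel(hq, remote):
    # Return every mismatch that would stop two mirrored S2S configs from pairing.
    problems = []
    for name, side, other in (("HQ", hq, remote), ("remote", remote, hq)):
        for peer in crypto_peers(side) - interface_ips(other):
            problems.append(f"{name} peer {peer} is not an interface address on the other ASA")
    mirrored = {(dst, src) for src, dst in crypto_acl_flows(remote)}
    if crypto_acl_flows(hq) != mirrored:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```

Run `check_tunnel(HQ_CONFIG, REMOTE_CONFIG)` on the two saved configs; an empty list means the peers and crypto ACLs line up and the problem is elsewhere (IKE key, NAT exemption, routing).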
01-16-2015 11:39 AM
After I did this, I rebooted my remote ASA and the tunnel came up!
Now I just need to figure out why I'm getting intermittent connections (Can connect to one server but not another) on both ends.
01-16-2015 08:55 AM
Hi Rob,
Please add a route on head-office ASA to push the traffic to default gateway address.
Please don't create a name alias for a network or subnet such as "name 10.0.0.0 Miss-inside-network"
route outside-BELL 11.0.0.0 255.255.255.0 216.x.x.49
Please remove these lines:
access-list Inside_nat0_outbound extended permit ip Inside_Network 255.255.255.0 11.0.0.0 255.255.255.0
access-list outside-BELL_1_cryptomap extended permit ip Inside_Network 255.255.255.0 11.0.0.0 255.255.255.0
Create object groups instead:
object-group network HeadOffic-network
network-object 10.0.0.0 255.255.255.0
object-group network Miss-network
network-object 11.0.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip object-group HeadOffic-network object-group Miss-network
access-list outside-BELL_1_cryptomap extended permit ip object-group HeadOffic-network object-group Miss-network
Now do the same for Mississauga Office.
thanks
Rizwan Rafeek.
Your Mississauga neighbor.
01-16-2015 10:28 AM
Hi Rizwanr...
I made the changes and it didn't help.
Thanks for the info though.
Rob
01-16-2015 10:37 AM
Can you please post your current config for both ASA.
thanks