ASA Site to Site VPN not establishing

Hi All...


I have two ASA 5505 firewalls, one at head office and one at a remote warehouse. I want to create an IPsec tunnel so that our remote warehouse can use some apps that have a database component hosted at head office.

I think I've created the links properly (mirrored the settings on both ASAs and reversed the IP addresses where required, quadruple checked the IKE key, etc.) but my tunnel is not establishing.

At this point, I think what I'm missing is probably obvious and glaring right at me. Would anyone be able to assist? I can provide show run on both devices and other log files as requested.


Regards

Rob

Accepted Solution

Hi,

Try to change your HQ crypto map peer IP. It's different from what's configured as the remote ASA outside IP.


8 Replies

johnlloyd_13
Level 9

hi,

are the two ASAs able to ping each other's WAN IP?

could you post a sanitized ipsec S2S VPN config?

Both outside interfaces see each other.

I've attached the sanitized running-configs

Rob

How are you trying to bring the tunnel up, i.e.

src IP and dst IP would be helpful, together with which protocol/apps, i.e. are you pinging or trying to connect to an application etc.

Also could you run some debugging. So if you are trying to bring up the tunnel from the remote site on the HQ ASA can you run -

debug crypto isakmp

and

debug crypto ipsec

and capture the output.

Note debugging can put a strain on the ASA, so if you can, do this at a quiet time.

Jon

Hi,

Try to change your HQ crypto map peer IP. It's different from what's configured as the remote ASA outside IP.

After I did this, I rebooted my remote ASA and the tunnel came up!


Now I just need to figure out why I'm getting intermittent connections (Can connect to one server but not another) on both ends.
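The accepted answer came down to a single mismatched address: the HQ crypto map's "set peer" was not the remote ASA's outside interface IP. The script below is an added example, not code from this thread or from Cisco, that cross-checks two sanitized ASA running-configs for exactly that class of mistake in both directions, and also checks that each side's crypto ACL is the src/dst mirror of the other's. The two embedded configs are constructed (RFC 5737 documentation addresses, interface and ACL names modelled on the ones in the thread) with the HQ peer deliberately wrong; the parser only understands the handful of config lines these checks need (interface nameif/ip address, extended permit ip ACLs, and crypto map peer/match/interface lines).

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-configs, trimmed to the lines the checks need.
# Addresses are RFC 5737 documentation ranges, not the poster's real addresses.
# The HQ "set peer" is deliberately wrong: it should be the remote outside IP.
HQ_CONFIG = """
interface Vlan2
 nameif outside-BELL
 ip address 198.51.100.10 255.255.255.248
access-list outside-BELL_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 11.0.0.0 255.255.255.0
crypto map outside-BELL_map 1 match address outside-BELL_1_cryptomap
crypto map outside-BELL_map 1 set peer 203.0.113.99
crypto map outside-BELL_map interface outside-BELL
"""

REMOTE_CONFIG = """
interface Vlan2
 nameif outside
 ip address 203.0.113.20 255.255.255.248
access-list outside_1_cryptomap extended permit ip 11.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.10
crypto map outside_map interface outside
"""


@dataclass
class AsaConfig:
    interfaces: dict = field(default_factory=dict)  # nameif -> interface IP
    acls: dict = field(default_factory=dict)        # ACL name -> {(src, smask, dst, dmask)}
    peers: dict = field(default_factory=dict)       # (map name, seq) -> peer IP
    match_acls: dict = field(default_factory=dict)  # (map name, seq) -> crypto ACL name
    map_iface: dict = field(default_factory=dict)   # map name -> nameif it is bound to


def parse_asa(text):
    """Pull interfaces, extended ACLs and crypto map lines out of an ASA config."""
    cfg = AsaConfig()
    iface = None  # nameif of the interface block we are inside ("" until nameif is seen)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("interface "):
            iface = ""
            continue
        if line.startswith(" ") and iface is not None:
            words = line.split()
            if words[0] == "nameif":
                iface = words[1]
            elif words[:2] == ["ip", "address"] and iface:
                cfg.interfaces[iface] = words[2]
            continue
        iface = None  # any unindented line ends the interface block
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            cfg.acls.setdefault(m.group(1), set()).add(m.groups()[1:])
            continue
        m = re.match(r"crypto map (\S+) (\d+) set peer (\S+)$", line)
        if m:
            cfg.peers[(m.group(1), int(m.group(2)))] = m.group(3)
            continue
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line)
        if m:
            cfg.match_acls[(m.group(1), int(m.group(2)))] = m.group(3)
            continue
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            cfg.map_iface[m.group(1)] = m.group(2)
    return cfg


def check_peers(local, remote):
    """Every 'set peer' on local must be the IP of the interface remote binds its crypto map to."""
    remote_ips = {remote.interfaces.get(n) for n in remote.map_iface.values()} - {None}
    findings = []
    for (name, seq), peer in local.peers.items():
        if peer not in remote_ips:
            findings.append(f"crypto map {name} {seq} set peer {peer}: "
                            f"remote outside IP is {sorted(remote_ips)}")
    return findings


def check_acl_mirror(local, remote):
    """Each local crypto ACL entry must appear on the remote with src and dst swapped."""
    mirrored = set()
    for acl in remote.match_acls.values():
        for src, smask, dst, dmask in remote.acls.get(acl, set()):
            mirrored.add((dst, dmask, src, smask))
    findings = []
    for (name, seq), acl in local.match_acls.items():
        for entry in local.acls.get(acl, set()):
            if entry not in mirrored:
                findings.append(f"crypto map {name} {seq}: ACL {acl} entry "
                                f"'{' '.join(entry)}' has no mirror on the remote")
    return findings


def audit(hq_text, remote_text):
    """Run both checks in both directions; an empty list means nothing was found."""
    hq, remote = parse_asa(hq_text), parse_asa(remote_text)
    return {
        "hq": check_peers(hq, remote) + check_acl_mirror(hq, remote),
        "remote": check_peers(remote, hq) + check_acl_mirror(remote, hq),
    }


if __name__ == "__main__":
    for side, problems in audit(HQ_CONFIG, REMOTE_CONFIG).items():
        print(side, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

Run against the constructed configs it reports one finding on the HQ side (the wrong peer) and nothing on the remote side; after the HQ peer is changed to 203.0.113.20 both sides come back clean. Name aliases such as the "Inside_Network" in the thread are matched as plain tokens, so the ACL mirror check will flag an alias on one side against a literal subnet on the other, which is a fair thing to flag when the two configs are meant to be mirrors.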

rizwanr74
Level 7

Hi Rob,

Please add a route on the head-office ASA to push the traffic to the default gateway address.

Please don't create a name alias for a network or subnet such as "name 10.0.0.0 Miss-inside-network".

route outside-BELL 11.0.0.0 255.255.255.0 216.x.x.49

Please remove these lines:

access-list Inside_nat0_outbound extended permit ip Inside_Network 255.255.255.0 11.0.0.0 255.255.255.0
access-list outside-BELL_1_cryptomap extended permit ip Inside_Network 255.255.255.0 11.0.0.0 255.255.255.0

Create object groups instead:

object-group network HeadOffic-network
 network-object 10.0.0.0 255.255.255.0

object-group network Miss-network
 network-object 11.0.0.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip object-group HeadOffic-network object-group Miss-network

access-list outside-BELL_1_cryptomap extended permit ip object-group HeadOffic-network object-group Miss-network


Now do the same for Mississauga Office.


thanks
Rizwan Rafeek.

Your Mississauga neighbor.


Hi Rizwanr...

I made the changes and it didn't help.

Thanks for the info though.

Rob

Can you please post your current config for both ASAs.

thanks
