07-18-2013 12:13 PM - edited 03-18-2019 08:47 AM
My squadron has purchased two ASA 5505s which they would like to use to create a very basic standalone network for training purposes. I have configured two laptops to act as domain controllers for two separate domains behind each ASA. Thus far I have configured the inside vlans without much issue and am able to ping host to server. The issue I'm running into now is connecting the two ASAs to allow the two domains to talk. I have tried using the wizard to create a site to site VPN but am still unable to ping host to host from the separate domains. In addition I realized I was unable to ping from my inside vlan to my outside vlan on either ASA. I am not very knowledgeable when it comes to routing protocols and VPNs so any ideas or information would be very helpful, thanks!
07-19-2013 01:31 AM
Hi,
can you please post a simple diagram of the network described and the configuration of both ASAs?
From your description I understand this:
inside network1------ASA1<------WAN(internet)------>ASA2-------inside network2
What do you mean outside vlan?
Basically you can do this in two ways.
1] configure simple routing between your ASA --> unencrypted traffic will flow through WAN
2] configure s2s VPN between your ASA --> traffic will be encrypted
Best Regards,
Jan
07-19-2013 06:54 AM
The diagram you drew is accurate except the network never hits the internet. The ASAs are directly connected to each other. When I ran the startup wizard in ASDM I had already configured my inside. During the startup it gave me the option to create an "outside" and a "dmz" vlan on the open interfaces, I assumed this would be the Vlan my traffic would leave the ASA through.
07-21-2013 06:53 PM
Can you give us the VPN configuration?
07-22-2013 10:48 AM
Sorry if any of this has already been done, but without seeing the config it's tough to tell what's already been completed. Here are some ideas you can work through (assuming you are on 8.3 or higher code):
Since they aren't connected to the Internet, try something like this (on both ASAs):
conf t
access-list outside_acl extended permit ip any any
access-group outside_acl in interface outside
object network inside_net
 subnet <inside-network> <mask>
 nat (inside,outside) dynamic interface
If this post answers your question or is helpful, please consider rating it and/or marking it as answered.
07-26-2013 01:27 AM
Hello
Just like to add to Christopher's post -
The direct connection between the two ASAs will be seen as WAN (public IP addresses).
So in theory you will have something like this:
(172.16.1.1 - LAN1 - 172.16.1.2) ASA1 (20.20.20.1 - WAN - 20.20.20.2) ASA2 (10.1.1.2 - LAN2 - 10.1.1.1)
ASA1
PAT config
object network LAN1
subnet 172.16.1.0 255.255.255.0
nat (inside,outside) dynamic interface
Allow ICMP replies:
access-list 10 extended permit icmp any object LAN1 echo-reply
access-group 10 in interface outside
Default route:
route outside 0 0 20.20.20.2
ASA2
PAT config
object network LAN2
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface
Allow ICMP replies:
access-list 10 extended permit icmp any object LAN2 echo-reply
access-group 10 in interface outside
Default route:
route outside 0 0 20.20.20.1
Please don't forget to rate any posts that have been helpful.
Thanks.
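As an added example (not from any poster in this thread), a small Python checker that parses the two ASA snippets above and flags the things this thread keeps tripping over: a missing object NAT, an outside ACL that is absent or broader than echo-reply, and a default route that does not point at the peer's WAN address. It assumes ASA 8.3+ syntax and the addresses as drawn in the diagram; the config text is reconstructed from the post, not copied from a real device.

```python
import re

# Constructed from the thread's ASA1/ASA2 snippets (assumed addresses, not real devices).
ASA1 = """object network LAN1
 subnet 172.16.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list 10 extended permit icmp any object LAN1 echo-reply
access-group 10 in interface outside
route outside 0 0 20.20.20.2"""
ASA2 = ASA1.replace("LAN1", "LAN2").replace("172.16.1.0", "10.1.1.0").replace("20.20.20.2", "20.20.20.1")

def parse(cfg):
    """Extract NAT objects, ACL rules, interface bindings and the default route."""
    obj, acl, grp, route, cur = {}, {}, {}, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # an unindented command ends any object block
            cur = None
        if m := re.match(r"object network (\S+)$", line):
            cur = m[1]; obj[cur] = {}
        elif cur and line.startswith(("subnet ", "nat ")):
            obj[cur][line.split()[0]] = line  # keyed "subnet" / "nat"
        elif m := re.match(r"access-list (\S+) (?:extended )?(permit|deny) (\S+) (.+)", line):
            acl.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            grp[m[2]] = m[1]
        elif m := re.match(r"route outside (?:0|0\.0\.0\.0) (?:0|0\.0\.0\.0) (\S+)", line):
            route = m[1]
    return {"obj": obj, "acl": acl, "grp": grp, "route": route}

def review(name, cfg, peer_wan):
    """Return findings for one ASA; an empty list means the snippet matches the thread's intent."""
    p, out = parse(cfg), []
    if not any("dynamic interface" in o.get("nat", "") and "subnet" in o for o in p["obj"].values()):
        out.append(f"{name}: no object NAT (subnet + 'nat (inside,outside) dynamic interface')")
    rules = p["acl"].get(p["grp"].get("outside"), [])
    if not rules:
        out.append(f"{name}: no access-list bound inbound on outside")
    if any(a == "permit" and pr == "ip" and rest.startswith("any any") for a, pr, rest in rules):
        out.append(f"{name}: outside ACL permits ip any any (broader than needed for pings)")
    if not any(a == "permit" and pr == "icmp" and rest.endswith("echo-reply") for a, pr, rest in rules):
        out.append(f"{name}: outside ACL does not permit icmp echo-reply")
    if p["route"] != peer_wan:
        out.append(f"{name}: default route {p['route']} should point at peer WAN {peer_wan}")
    return out

def review_pair():
    # WAN addresses as drawn: ASA1 is 20.20.20.1, ASA2 is 20.20.20.2, each routes to the other.
    return review("ASA1", ASA1, "20.20.20.2") + review("ASA2", ASA2, "20.20.20.1")
```

Running `review_pair()` on the snippets as posted returns no findings; swapping the echo-reply rule for `permit ip any any` or pointing a default route at the wrong WAN address produces one line per problem.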