Trouble with connecting two asa 5505s

cn4president · ‎07-18-2013

My squadron has purchased two ASA 5505s which they would like to use to create a very basic standalone network for training purposes. I have configured two laptops to act as domain controllers for two seperate domains behind each ASA. Thus far I have configured the inside vlans without much issue and am able to ping host to server. The issue I'm running into now is connecting the two ASAs to allow the two domains to talk. I have tried using the wizard to create a site to site VPN but am still unable to ping hiost to host from the seperate domains. In addition I realized I was unable to ping from my inside vlan to my outside vlan on either ASA. I am not very knowledeable when it comes to routing protocols and VPNs so any ideas or information would be very helpful, thanks!

Jan Rolny · ‎07-19-2013

Hi,

can you please post simple diagram of network described and configuration both of ASA?

From your description I understand this:

inside network1------ASA1<------WAN(internet)------>ASA2-------inside network2

What do you mean outside vlan?

Basically you can do this two ways.

1] configure simple routing between your ASA --> unencrypted traffic will flow through WAN

2] configure s2s VPN between your ASA --> traffic will be encrypted

Best Regards,

Jan

cn4president · ‎07-19-2013

The diagram you drew is accurate except the network never hits the internet. The ASAs are directly connected to each other. When I ran the startup wizard in ASDM I had already configured my inside. During the startup it gave me the option to create an "outside" and a "dmz" vlan on the open interfaces, I assumed this would be the Vlan my traffic would leave the ASA through.

network_guy · ‎07-21-2013

Can you give us the VPN configuration?

Sent from Cisco Technical Support iPhone App

Christopher Bell · ‎07-22-2013

Sorry if any of this has already been done, but without seeing the config it's tough to tell what's already been completed. Here are some ideas you can work through (assuming you are on 8.3 or higher code):

Is there a switch between the two ASAs? If not, do you have one you can try? Also, If you haven't configured an ACL that allows both ASAs to pass all traffic between the two subnets, you probably need to try that.

Since they aren't connected to the Internet, try something like this (on both ASAs):

conf t

access-list outside_acl permit ip any any

access-group outside_acl in interface outside

You need to make sure you have NAT statements that tell the two firewalls whether to NAT traffic or not. Try something like this:

nat (inside,outside) dynamic interface

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

paul driver · ‎07-26-2013

Hello

Just like to add to Christophers post -

The Direct connection between the two asa's willl be seen as WAN ( public ip addesses.)

So in theroy you will have something like this

(172.16.1.1 _ LAN1_ 172.16.1.2) ASA1 (-20.20.20.1 __-WAN __ 20.20.20.2) ASA2 (10.1.1.2 __LAN2__ 10.1.1.1)

ASA1

PAT config

object network LAN1

subnet 172.16.1.0 255.255.255.0

nat (inside,outside) dynamic interface

Allow ICMP replies:

access-list 10 extended permit icmp any object LAN1 echo-reply

access-group 10 in interface outside

Default route:

route outside 0 0 20.20.20.2

ASA2

PAT config

object network LAN2

subnet 10.1.1.0 255.255.255.0

nat (inside,outside) dynamic interface

Allow ICMP replies:

access-list 10 extended permit icmp any object LAN2 echo-reply

access-group 10 in interface outside

Default route:

route outside 0 0 20.20.20.1

Please don't forget to rate any posts that have been helpful.

Thanks.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul