Site to Site VPN assistance.

Aaron Denny
Level 1

Having an issue with a site to site VPN between ASA 5510 (8.2) and ASA 5505 (9.0). Config below. Attempting to debug 5505 and nothing is even showing up. I must be missing something in 5505 running 9.0. Thanks in advance.

ASA1

access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.11.1.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.11.1.0 255.255.255.0

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer Remote2-IP

crypto map outside_map 2 set transform-set ESP-3DES-SHA

group-policy TestGroupPolicy internal

group-policy TestGroupPolicy attributes

vpn-idle-timeout none

vpn-filter value outside_2_cryptomap

vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group Remote type ipsec-l2l

tunnel-group Remote general-attributes

default-group-policy TestGroupPolicy

tunnel-group Remote2-IP ipsec-attributes

pre-shared-key *****

ASA2

nat (inside,outside) source static LOCAL LOCAL destination static NETWORK_OBJ_10.10.0.0_16 NETWORK_OBJ_10.10.0.0_16 no-proxy-arp route-lookup

access-list outside_cryptomap extended permit ip 10.11.1.0 255.255.255.0 10.10.0.0 255.255.0.0

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer RemoteIP

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

group-policy GroupPolicyTest internal

group-policy GroupPolicyTest attributes

vpn-filter value outside_cryptomap

vpn-tunnel-protocol ikev1 l2tp-ipsec

tunnel-group Remote1 type ipsec-l2l

tunnel-group Remote1 general-attributes

default-group-policy GroupPolicyTest

tunnel-group Remote1 ipsec-attributes

ikev1 pre-shared-key *****

1 Reply

Marvin Rhoads
Hall of Fame

You don't show it in the snippet you pasted, but you do need to have "crypto map outside_map interface outside".
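
One way to check a saved configuration for the missing binding named in the reply above. This is an added example, not part of the thread or written by either poster; the function name `audit_crypto_maps` and the sample text are constructed for illustration. It goes slightly beyond the reply by also flagging crypto map entries that lack a match address, a peer, or a transform set/proposal.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA2 crypto map lines from the question,
# which contain no "crypto map ... interface ..." line.
SAMPLE_ASA2 = """\
access-list outside_cryptomap extended permit ip 10.11.1.0 255.255.255.0 10.10.0.0 255.255.0.0
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer RemoteIP
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
"""

ENTRY = re.compile(
    r"^crypto map (\S+) (\d+) "
    r"(match address|set peer|set (?:ikev1 )?transform-set|set ikev2 ipsec-proposal)\b"
)
BIND = re.compile(r"^crypto map (\S+) interface (\S+)")
REQUIRED = ("match address", "set peer", "proposal")


def audit_crypto_maps(config: str) -> list[str]:
    """Return findings for incomplete or unapplied crypto maps in ASA config text."""
    entries = defaultdict(set)   # (map name, sequence) -> kinds of lines seen
    bound = {}                   # map name -> interface it is applied to
    for raw in config.splitlines():
        line = raw.strip()
        if m := BIND.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := ENTRY.match(line):
            kind = m.group(3)
            if kind not in ("match address", "set peer"):
                kind = "proposal"  # 8.2, ikev1 and ikev2 syntaxes all count
            entries[(m.group(1), int(m.group(2)))].add(kind)
    findings = []
    for (name, seq), kinds in sorted(entries.items()):
        for need in REQUIRED:
            if need not in kinds:
                findings.append(f"{name} {seq}: missing {need}")
    for name in sorted({n for n, _ in entries}):
        if name not in bound:
            findings.append(f"{name}: not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto_maps(SAMPLE_ASA2):
        print(finding)
```
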