VPN Site to Site with 5510 & 5520

jshortt315
Level 1

The main office has an ASA 5520, the new office has an ASA 5510. The problem is that no traffic goes out when the 5510 is installed: no internet, no network connection to the servers. I had a guy assist me, but he cannot figure it out either. I have both config files attached. Any help/input would be great, as I am not sure what the next step is.

9 Replies

Shone_Aleksey
Level 1

Hi Joe!

On the ASA 5520, traffic destined for the 192.168.200.0 network will be routed to 192.168.2.23, so it doesn't go through the VPN tunnel, and the tunnel will not be established at all.

Type
"no route Inside 192.168.200.0 255.255.255.0 192.168.2.23 1". It must help.

Rate helpful answer

Also, I do see that the access-group pointing to the ACL is missing in the ASA 5510. Also remove that static route as well.

Natarajan, show me where that access-group is, please. In the 5510 config a static route for Inside does not exist, so there is nothing to remove, I think.

Sorry, no, I asked you to remove the static route in the 5520.

I do see the policies also having a problem. Let me share my own config for these sites; hope that helps you.

Please put the below configurations in the firewalls and have only the default route. This should work.

ASA 5510
=========
! Inside ACL: permit the LAN-to-LAN traffic explicitly, then everything else (internet).
! The posted line read "permit if any", a typo; the statement needs a source and a destination.
access-list outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outbound extended permit ip any any
access-list outbound extended deny ip any any
!
access-group outbound in interface inside
!
! Crypto ACL: must be the exact mirror of the 5520's crypto ACL (source and destination swapped).
access-list Outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! NAT: VPN traffic must be exempted with nat id 0. The posted config used nat id 1 with the crypto ACL,
! which would PAT that traffic to the outside address so it no longer matches the crypto ACL.
! The nat (inside) 1 0.0.0.0 0.0.0.0 line is added here; the posted config had no dynamic NAT rule for internet traffic.
nat (inside) 0 access-list Outside_1_cryptomap
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Phase 2 (IPsec): transform set and lifetimes must match the peer. 3DES/SHA-1 and DH group 2 are legacy
! choices, kept because both sides in this thread use them.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map 10 set peer 24.105.190.106
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
!
! Phase 1 (IKEv1): policy must match the peer.
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Replace "cisco" with a long random key; it must be identical on both peers.
tunnel-group 24.105.190.106 type ipsec-l2l
tunnel-group 24.105.190.106 ipsec-attributes
 pre-shared-key cisco
!

ASA 5520
=========
! Inside ACL: permit the LAN-to-LAN traffic explicitly, then everything else (internet).
! The posted line read "permit if any", a typo; the statement needs a source and a destination.
access-list outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outbound extended permit ip any any
access-list outbound extended deny ip any any
!
access-group outbound in interface inside
!
! Crypto ACL: must be the exact mirror of the 5510's crypto ACL (source and destination swapped).
access-list Outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
!
! NAT: VPN traffic must be exempted with nat id 0. The posted config used nat id 1 with the crypto ACL,
! which would PAT that traffic to the outside address so it no longer matches the crypto ACL.
! The nat (inside) 1 0.0.0.0 0.0.0.0 line is added here; the posted config had no dynamic NAT rule for internet traffic.
nat (inside) 0 access-list Outside_1_cryptomap
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Routing: keep only the default route. The static route for 192.168.200.0/24 via 192.168.2.23 discussed
! above is more specific than the default and steers the remote LAN away from the crypto map on Outside.
!
! Phase 2 (IPsec): transform set and lifetimes must match the peer. 3DES/SHA-1 and DH group 2 are legacy
! choices, kept because both sides in this thread use them.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map 10 set peer 24.97.189.34
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
!
! Phase 1 (IKEv1): policy must match the peer.
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Replace "cisco" with a long random key; it must be identical on both peers.
tunnel-group 24.97.189.34 type ipsec-l2l
tunnel-group 24.97.189.34 ipsec-attributes
 pre-shared-key cisco
!
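The three things this thread keeps circling (crypto ACLs that must mirror each other, NAT exemption for the VPN traffic, and a more specific static route pulling the remote subnet away from the crypto-map interface) are easy to check mechanically before touching the boxes. The script below is an added example and not the original poster's attached configs or anyone's posted code in this thread. It parses the pre-8.3 NAT syntax used here; the sample configs are constructed, with the documentation ranges 203.0.113.x / 198.51.100.x standing in for the real peer addresses, and BAD_5520 deliberately reproduces the two mistakes discussed above.

```python
"""Check two ASA configs (pre-8.3 NAT syntax, as used in this thread) for the three
classic site-to-site mistakes:
  1. crypto ACLs on the two peers that are not mirror images of each other,
  2. VPN traffic run through policy NAT instead of exempted with nat (inside) 0,
  3. a static route that sends the remote subnet out an interface other than the
     one the crypto map is bound to (so the packets never reach the crypto map)."""
import ipaddress
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"

# Constructed sample configs for this example; not the poster's attached files.
# 203.0.113.x / 198.51.100.x (documentation ranges) stand in for the real peer addresses.
ASA5510 = """
crypto map Outside_map interface Outside
access-list Outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list Outside_1_cryptomap
nat (inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
route Outside 0.0.0.0 0.0.0.0 198.51.100.1 1
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map 10 set peer 203.0.113.10
"""

# Reproduces the two problems discussed in the thread: policy NAT on the crypto ACL
# and a static route for 192.168.200.0/24 pointing at an inside host.
BAD_5520 = """
crypto map Outside_map interface Outside
access-list Outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 1 access-list Outside_1_cryptomap
global (Outside) 1 interface
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.200.0 255.255.255.0 192.168.2.23 1
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map 10 set peer 198.51.100.10
"""

# The same box with NAT exemption and only the default route.
GOOD_5520 = BAD_5520.replace("nat (inside) 1 access-list", "nat (inside) 0 access-list").replace(
    "route inside 192.168.200.0 255.255.255.0 192.168.2.23 1\n", "")


def parse_asa(cfg):
    """Pull out only the statements that decide whether L2L traffic enters the tunnel."""
    d = {"acl": {}, "cryptomap": {}, "map_iface": {}, "nat": [], "routes": []}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(rf"access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}$", line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}")
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}")
            d["acl"].setdefault(m[1], []).append((src, dst))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            d["cryptomap"].setdefault((m[1], m[2]), {})["acl"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            d["cryptomap"].setdefault((m[1], m[2]), {})["peer"] = m[3]
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            d["map_iface"][m[1]] = m[2]
        elif m := re.match(r"nat \((\S+)\) (\d+) access-list (\S+)", line):
            d["nat"].append((m[1], int(m[2]), m[3]))
        elif m := re.match(rf"route (\S+) {IP} {IP} {IP}", line):
            d["routes"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"), m[4]))
    return d


def audit(local, remote):
    """Return findings for `local`; `remote` is used only to verify the crypto ACL mirror."""
    findings = []
    remote_pairs = set()
    for entry in remote["cryptomap"].values():
        remote_pairs.update(remote["acl"].get(entry.get("acl"), []))
    for (mapname, seq), entry in local["cryptomap"].items():
        acl = entry.get("acl")
        iface = local["map_iface"].get(mapname)
        if iface is None:
            findings.append(f"crypto map {mapname} is not bound to any interface")
        if acl not in local["acl"]:
            findings.append(f"crypto map {mapname} {seq}: match address ACL {acl} is missing or empty")
            continue
        pairs = local["acl"][acl]
        # 1. The peer's crypto ACL must be the exact mirror (source/destination swapped) of ours.
        for src, dst in pairs:
            if (dst, src) not in remote_pairs:
                findings.append(f"{acl}: {src} -> {dst} has no mirrored entry in the peer's crypto ACL")
        # 2. nat (inside) 0 exempts VPN traffic; any other nat id translates it before the
        #    crypto map is consulted, so it no longer matches the crypto ACL.
        policy = [nid for _, nid, n_acl in local["nat"] if n_acl == acl and nid != 0]
        exempt = any(nid == 0 and n_acl == acl for _, nid, n_acl in local["nat"])
        if policy:
            findings.append(f"{acl} is used for policy NAT (nat id {policy[0]}); "
                            f"use 'nat (inside) 0 access-list {acl}' so VPN traffic is exempted")
        elif not exempt:
            findings.append(f"no NAT exemption (nat (inside) 0 access-list ...) covers {acl}")
        # 3. A more specific static route beats the default route; if it leaves via another
        #    interface the packets never reach the crypto map bound to `iface`.
        for src, dst in pairs:
            for r_iface, net, nexthop in local["routes"]:
                if net.prefixlen and net.overlaps(dst) and iface and r_iface.lower() != iface.lower():
                    findings.append(f"route for {net} via {nexthop} exits '{r_iface}', not the crypto map "
                                    f"interface '{iface}'; remove it and let the default route carry VPN traffic")
    return findings


if __name__ == "__main__":
    print("bad 5520:", audit(parse_asa(BAD_5520), parse_asa(ASA5510)))
    print("good 5520:", audit(parse_asa(GOOD_5520), parse_asa(ASA5510)))
    print("5510:", audit(parse_asa(ASA5510), parse_asa(GOOD_5520)))
```

Run it against a `show running-config` from each peer (the parser ignores everything it does not recognise). A clean result on both sides does not prove the tunnel is up, but it rules out the three configuration causes that would keep Phase 2 from ever being attempted, which is what the static route to 192.168.2.23 in this thread did.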

OK, the remote office can get to the internet now, but it has no access to any network drives or servers. I must be overlooking something, or is it another issue? Thanks for the help so far.

Hi Joe,

Great, internet works now for you. Site to site is not working between those sites? Please let me know if you need any help.

Thanks

Please rate if the given info helps

By

Karthik

Sure, I will take any help offered. You are correct; site to site, the remote office cannot see or connect to anything on the network. With that, no personal drives are mapped, no public folders, no email through Exchange. I have the server and workstations at the remote office set to use the 5510 as the gateway. But with no network access I had to set the office back the way it was so co-workers could access the files they need.
