We have 2 data center locations. We are attempting to connect them together using 2 ASAs.
Data Center 1 - ASA 5520 8.0(4)
Data Center 2 - ASA 5585-10 8.4(3)
DC 1 ASA 5520
INSIDE - Security 100
OUTSIDE - Security 0
MIGRATION - Security 50
DC 2 ASA 5585-10
Edge_Inside - Security 100
Edge_Outside - Security 0
The OUTSIDE interface of the 5585-10 is on a private network (the connection to our corporate Internet routers is not advertised to the Internet), so we have to use the INSIDE interface (our public network) to build VPN tunnels. (Note: NAT is not an option on the corporate routers.)
We are attempting to build a standard L2L IPsec VPN tunnel from the DC1 5520 MIGRATION interface to the DC2 5585-10 INSIDE interface.
You see IKE fire up on the 5520, and then it goes into MSG WAIT 2, waiting for a reply from the 5585. However, on the 5585 side we see no IKE engagement. "show cry isa" output shows no IKEv1 packets arriving at all, in or out. Packet captures show UDP 500 entering the firewall from the 5520 with the correct source and destination, but no response packets from the 5585.
Here are the syslogs from the 5585-10 when I start interesting traffic from the 5520 DC1 side (public IPs changed to private in the syslog, FYI):
Mar 23, 2012 12:58:7|Built local-host Edge_Outside:192.168.1.110
Mar 23, 2012 12:58:7|Built inbound UDP connection 235278 for Edge_Outside:192.168.1.110/500 (192.168.1.110/500) to identity:10.10.193.252/500 (10.10.193.252/500)
Mar 23, 2012 12:58:7|Teardown UDP connection 235278 for Edge_Outside:192.168.1.110/500 to identity:10.10.193.252/500 duration 0:00:00 bytes 296
Mar 23, 2012 12:58:7|Teardown local-host Edge_Outside:192.168.1.110 duration 0:00:00
I know this is not conventional; however, I don't see why this shouldn't work. The crypto map is applied to the Edge_Inside interface.
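One check a practitioner would make from the syslog lines quoted above, as an added example that is not part of the original post: a small parser that pulls the ingress interface of each inbound UDP/500 (ISAKMP) or UDP/4500 (NAT-T) connection out of ASA syslog and compares it with the interface the crypto map is applied to (Edge_Inside in this post). The sample syslog is the four lines from the post, embedded here as constructed input; the function names, the dataclass and the inclusion of port 4500 are this example's own assumptions, not anything from the ASA or the poster.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the four syslog lines quoted in the post above
# (addresses already anonymised by the poster).
SAMPLE_SYSLOG = """\
Mar 23, 2012 12:58:7|Built local-host Edge_Outside:192.168.1.110
Mar 23, 2012 12:58:7|Built inbound UDP connection 235278 for Edge_Outside:192.168.1.110/500 (192.168.1.110/500) to identity:10.10.193.252/500 (10.10.193.252/500)
Mar 23, 2012 12:58:7|Teardown UDP connection 235278 for Edge_Outside:192.168.1.110/500 to identity:10.10.193.252/500 duration 0:00:00 bytes 296
Mar 23, 2012 12:58:7|Teardown local-host Edge_Outside:192.168.1.110 duration 0:00:00
"""

IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T (4500 is an assumption of this example)

# "Built inbound UDP connection <id> for <in_if>:<src>/<sport> (...) to <out_if>:<dst>/<dport>"
BUILT_RE = re.compile(
    r"Built inbound UDP connection (?P<conn>\d+) for "
    r"(?P<in_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) to "
    r"(?P<out_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# "Teardown UDP connection <id> for ... duration h:mm:ss bytes <n>"
TEARDOWN_RE = re.compile(
    r"Teardown UDP connection (?P<conn>\d+) for .* duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)"
)


@dataclass
class IkeArrival:
    conn: str
    ingress_if: str        # interface the ASA received the IKE packet on
    src: str
    dst: str
    dport: int
    bytes_seen: Optional[int] = None  # from the matching Teardown line, if present


def parse_ike_arrivals(syslog_text: str) -> List[IkeArrival]:
    """Extract inbound IKE (UDP/500 or UDP/4500) connections and their byte counts."""
    arrivals: Dict[str, IkeArrival] = {}
    for line in syslog_text.splitlines():
        m = BUILT_RE.search(line)
        if m and int(m["dport"]) in IKE_PORTS:
            arrivals[m["conn"]] = IkeArrival(
                conn=m["conn"], ingress_if=m["in_if"], src=m["src"],
                dst=m["dst"], dport=int(m["dport"]),
            )
            continue
        t = TEARDOWN_RE.search(line)
        if t and t["conn"] in arrivals:
            arrivals[t["conn"]].bytes_seen = int(t["bytes"])
    return list(arrivals.values())


def check_crypto_map_interface(syslog_text: str, crypto_map_if: str) -> List[IkeArrival]:
    """Return IKE arrivals whose ingress interface differs from the crypto-map interface.

    A non-empty result means the peer's IKE packets are reaching the ASA on an
    interface other than the one the crypto map is bound to, which is worth
    ruling out before looking at proposals, pre-shared keys or ACLs.
    """
    return [a for a in parse_ike_arrivals(syslog_text) if a.ingress_if != crypto_map_if]


if __name__ == "__main__":
    for a in parse_ike_arrivals(SAMPLE_SYSLOG):
        print(f"conn {a.conn}: IKE from {a.src} arrived on {a.ingress_if} "
              f"to {a.dst}/{a.dport}, {a.bytes_seen} bytes before teardown")
    for a in check_crypto_map_interface(SAMPLE_SYSLOG, "Edge_Inside"):
        print(f"MISMATCH: conn {a.conn} came in on {a.ingress_if}, crypto map is on Edge_Inside")
```

Run against the lines in the post, the parser reports the single inbound UDP/500 connection on Edge_Outside with 296 bytes before teardown, and the mismatch check flags it against a crypto map on Edge_Inside; on a box where the tunnel terminates on the interface the peer actually reaches, the check returns an empty list.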