Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
724
Views
0
Helpful
4
Replies

Help with VPN ASA5510 to ASA5505

songhoi01
Level 1
Level 1

‎01-22-2013 09:16 AM

Hello All

I would like to request help from the community. Let me say that I'm not really a VPN guy.

I just joined this company and they already ad a VPN to one of their partners that provides them access to some resources. We have now added a 2nd location but the partner wouldnt allow a 2nd VPN tunnel so the decision was made to give the new location a ASA5505 to tunnel thru the main office to access the resources at the partners site.

Using ASDM i believe i was able to setup the tunnel to the main office but there is no resource there to use. Now i'm stuck and i do not know what to do to get to the partner site

I would really appreciate your help

See documents attached

Thank you in Advance

Labels:
141806-Y_Config.txt.zip
141817-Network.vsd.zip
141816-X_Config.TXT.zip
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎01-22-2013 11:11 PM

A few changes:

On X:

You would need to add:

access-list W extended permit ip 172.16.8.0 255.255.255.0 object-group W_dest

access-list outside_2_cryptomap extended permit ip object-group W_dest 172.16.8.0 255.255.255.0

same-security-traffic permit intra-interface

On Y:

access-list inside_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 object-group W_dest

access-list outside_1_cryptomap extended permit ip 172.16.8.0 255.255.255.0 object-group W_dest

On the partner VPN server, they would need to add the corresponding crypto ACL as follows:

access-list extended permit ip object-group W_dest 172.16.8.0 255.255.255.0

Hope that helps.

0 Helpful

songhoi01
Level 1
Level 1
In response to Jennifer Halim

‎01-23-2013 10:45 AM

Thank you Very much for your help. I think i may have forgotten to mention that the partner is asking to NAT all traffic behind X public IP.

0 Helpful

songhoi01
Level 1
Level 1
In response to Jennifer Halim

‎01-24-2013 10:39 AM

Jennifer Halim

I really thank you for your help when i needed it. On top of your config provided, and with a friend's help we had to add the follwing to make it work:

Access-list outside_nat extended permit ip 172.16.8.0 255.255.255.0 object-group W_dest

Nat (outside) 1 access-list outside_nat

Now we are still testing access to all the tools but it seems to be working fine.

Thank you,

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to songhoi01

‎01-24-2013 05:16 PM

Great, excellent to hear it's all good now.

Pls kindly mark your post answered so others can learn from the solution. Thanks.

0 Helpful
Customers Also Viewed These Support Documents