Site-to-Site VPN cannot UP

kevinshkong11
Level 1

Hi All,

I want to set up a Site-to-Site VPN between 2 units of Cisco ASA 5505, but the VPN tunnel cannot be established.

Please find the config attached.

Thank you.

Regards

Kevin

3 Replies

Pablo
Cisco Employee

Hi Kevin,

Your ACL statements for NAT and interesting traffic need a little tweaking:

On site A you need to remove the ACLs matching 10.68.61.0 and re-add them with the 10.68.62.0 network as follows:

==Site A==

access-list inside_nat0_outbound extended permit ip 10.68.64.0 255.255.255.0 10.68.62.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.68.64.0 255.255.255.0 10.68.62.0 255.255.255.0

***Make sure you remove the statements for .61***

On site B just add the following entry:

==Site B==
access-list inside_nat0_outbound extended permit ip 10.68.62.0 255.255.255.0 10.68.64.0 255.255.255.0

HTH


Pablo

Hi Pablo,

Sorry for the confusion. I uploaded the wrong file.

The VPN tunnel is as below:

Internal Network (10.68.64.0) - 228.22.206.186 (Public) --> 228.222.22.98 (Public) - Remote Network (10.68.61.0)

I have added the ACLs as mentioned, but it still seems not to be working.

Thank you.

Hi Kevin,

Your configuration looks ok. Please check whether the 'sysopt connection permit-vpn' command is there, using:

'show run all sysopt'

It will bypass the interface ACL check for VPN traffic.

Also check the group policy applied on the tunnel-group. In your case DfltGrpPolicy is applied. Check whether vpn-tunnel-protocol includes IPSec in that policy.

HTH

"Please rate helpful posts"
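As an added worked example (not from the thread or from either poster's attachment): a minimal ASA 8.2-style site-to-site configuration for Site A that puts the two ACLs Pablo describes together with the sysopt and group-policy checks from the last reply. The subnets and peer addresses are the ones Kevin posted in his correction (10.68.64.0/24 behind 228.22.206.186, 10.68.61.0/24 behind 228.222.22.98), so the remote network is 10.68.61.0 rather than the 10.68.62.0 from the first, wrong attachment. Everything else is assumed: the object names (outside_map, outside_1_cryptomap, ESP-AES-256-SHA), the ISAKMP policy, the transform set and the pre-shared key placeholder. Site B is the mirror image, with the two subnets swapped in both ACLs and the peer set to 228.22.206.186.

```cisco
! ===== Site A (ASA 5505, ASA 8.2-style NAT syntax) =====
! Added example; object names and crypto parameters below are assumed,
! not taken from the thread.
!
! 1. Interesting traffic: what the crypto map encrypts (local -> remote).
access-list outside_1_cryptomap extended permit ip 10.68.64.0 255.255.255.0 10.68.61.0 255.255.255.0
!
! 2. NAT exemption: the same subnet pair must bypass the outside PAT,
!    otherwise packets reach the crypto map with a translated source
!    and never match the interesting-traffic ACL.
access-list inside_nat0_outbound extended permit ip 10.68.64.0 255.255.255.0 10.68.61.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. Phase 1 (IKEv1/ISAKMP). Values assumed; they must match the peer exactly.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! 4. Phase 2 (IPsec): transform set and crypto map bound to the outside interface.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 228.222.22.98
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
! 5. L2L tunnel group keyed on the peer address. No default-group-policy is
!    set, so DfltGrpPolicy applies and must permit IPSec.
tunnel-group 228.222.22.98 type ipsec-l2l
tunnel-group 228.222.22.98 ipsec-attributes
 pre-shared-key CHANGE-ME-assumed-placeholder
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
!
! 6. Let decrypted VPN traffic bypass the outside interface ACL. This is on
!    by default and therefore hidden from 'show run'; only 'show run all'
!    reveals whether someone has turned it off.
sysopt connection permit-vpn

! ===== Verification on Site A once the config is in place =====
! show run all sysopt                      -> expect "sysopt connection permit-vpn"
! show run all group-policy DfltGrpPolicy  -> vpn-tunnel-protocol line must list IPSec
! packet-tracer input inside tcp 10.68.64.10 12345 10.68.61.10 80
!                                          -> a NAT phase matching nat (inside) 0 and a VPN encrypt phase with Result: ALLOW
! show crypto isakmp sa                    -> state MM_ACTIVE once phase 1 is up
! show crypto ipsec sa                     -> #pkts encaps/decaps increase for 10.68.64.0/24 <-> 10.68.61.0/24
```

The two ACLs on each side must be exact mirrors of the peer's (source and destination swapped); a phase 2 proxy-ID mismatch is the usual reason an ISAKMP SA reaches MM_ACTIVE while no IPsec SA ever forms. The packet-tracer host addresses are constructed for the test and are not from the thread.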