202 Views | 0 Helpful | 3 Replies
kevinshkong11
Beginner

Site-to-Site VPN cannot UP

Hi ALL,

I want to set up a Site-to-Site VPN between 2 units of Cisco ASA 5505, but the VPN tunnel cannot be established.

Please find the config attached.

Thank you.

Regards

Kevin

3 REPLIES
Pablo
Cisco Employee

Hi Kevin,

Your ACL statements for NAT and interesting traffic need a little tweaking:

On site A you need to remove the ACLs matching the 10.68.61.0 network and add them for the 10.68.62.0 network as follows:

==Site A==

access-list inside_nat0_outbound extended permit ip 10.68.64.0 255.255.255.0 10.68.62.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.68.64.0 255.255.255.0 10.68.62.0 255.255.255.0

***Make sure you remove the statements for .61***

On site B just add the following entry:

==Site B==
access-list inside_nat0_outbound extended permit ip 10.68.62.0 255.255.255.0 10.68.64.0 255.255.255.0

HTH

__ __

Pablo

Hi Pablo,

Sorry for confusing you.

I have uploaded the wrong file.

The VPN tunnel is as below.

Internal Network (10.68.64.0) - 228.22.206.186 (Public) --> 228.222.22.98 (Public) - Remote Network (10.68.61.0)

I have added the ACL as mentioned, but it seems not to be working.

Thank you.

Hi Kevin,

Your configuration looks OK. Please check whether the 'sysopt connection permit-vpn' command is there, using

'show run all sysopt'

It will bypass the interface ACL check for VPN traffic.

Also check the group policy applied on the tunnel-group. In your case DfltGrpPolicy is applied. Check whether vpn-tunnel-protocol includes IPSec in that policy.

HTH

"Please rate helpful posts"
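The two replies above boil down to four checks that are easy to get wrong by eye on a pair of ASAs: the crypto (interesting-traffic) ACLs must be mirror images of each other, every crypto entry must also appear in the NAT exemption ACL, 'sysopt connection permit-vpn' must be active, and the group policy actually applied to the L2L tunnel-group must allow IPsec. The following Python script, added here as an illustration and not part of the thread or of any Cisco tool, runs those checks over two saved configs plus the output of 'show run all sysopt'. The configs embedded in it are constructed stand-ins (the poster's attachments are not reproduced in the thread) that reuse only the networks and peer addresses named above; the ACL name outside_1_cryptomap on site B, the 8.2-era 'vpn-tunnel-protocol IPSec' keyword and the fallback to DfltGrpPolicy when no default-group-policy is bound are assumptions.

```python
import re

# Constructed sample inputs (assumption: stand-ins for the thread's attachments,
# reusing only the networks and peer addresses the thread names).
SITE_A_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.68.64.0 255.255.255.0 10.68.61.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.68.64.0 255.255.255.0 10.68.61.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
tunnel-group 228.222.22.98 type ipsec-l2l
"""
SITE_A_SYSOPT = "sysopt connection permit-vpn\nno sysopt connection preserve-vpn-flows\n"

# Site B (constructed): crypto ACL is mirrored correctly, but the NAT exemption
# entry is missing, sysopt permit-vpn is off and DfltGrpPolicy only allows webvpn.
SITE_B_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 10.68.61.0 255.255.255.0 10.68.64.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
tunnel-group 228.22.206.186 type ipsec-l2l
"""
SITE_B_SYSOPT = "no sysopt connection permit-vpn\n"

ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})"
)


def parse_acl(config, name):
    """(src, src_mask, dst, dst_mask) tuples of the named ACL's 'permit ip' entries."""
    entries = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            entries.add(m.groups()[1:])
    return entries


def mirrored(entries):
    """Swap source and destination: the entries the far side must carry."""
    return {(dst, dmask, src, smask) for src, smask, dst, dmask in entries}


def compare_crypto_acls(acl_a, acl_b):
    """Entries on each side whose mirror image the other side lacks (both lists should be empty)."""
    return sorted(acl_a - mirrored(acl_b)), sorted(acl_b - mirrored(acl_a))


def sysopt_permit_vpn(show_run_all_sysopt):
    """True only when the line is present without a leading 'no'."""
    return any(line.strip() == "sysopt connection permit-vpn"
               for line in show_run_all_sysopt.splitlines())


def group_policy_for_peer(config, peer):
    """Policy bound with default-group-policy; assumes the ASA falls back to DfltGrpPolicy otherwise."""
    in_block = False
    for line in config.splitlines():
        if line == f"tunnel-group {peer} general-attributes":
            in_block = True
        elif in_block and line.startswith(" default-group-policy "):
            return line.split()[1]
        elif in_block and not line.startswith(" "):
            in_block = False
    return "DfltGrpPolicy"


def group_policy_allows_ipsec(config, policy):
    """vpn-tunnel-protocol under 'group-policy <policy> attributes' must name IPsec (or IKEv1/IKEv2)."""
    in_block = False
    for line in config.splitlines():
        if line == f"group-policy {policy} attributes":
            in_block = True
        elif in_block and line.startswith(" vpn-tunnel-protocol"):
            protocols = {p.lower() for p in line.split()[1:]}
            return bool(protocols & {"ipsec", "ikev1", "ikev2"})
        elif in_block and not line.startswith(" "):
            in_block = False
    return False


def audit_site(config, sysopt_output, crypto_acl, peer, nat0_acl="inside_nat0_outbound"):
    """Per-site findings: NAT exemption gaps, sysopt state, and the tunnel protocol of the applied policy."""
    crypto = parse_acl(config, crypto_acl)
    policy = group_policy_for_peer(config, peer)
    return {
        "crypto": crypto,
        "nat0_missing": sorted(crypto - parse_acl(config, nat0_acl)),
        "sysopt_permit_vpn": sysopt_permit_vpn(sysopt_output),
        "group_policy": policy,
        "ipsec_allowed": group_policy_allows_ipsec(config, policy),
    }


if __name__ == "__main__":
    a = audit_site(SITE_A_CONFIG, SITE_A_SYSOPT, "outside_3_cryptomap", "228.222.22.98")
    b = audit_site(SITE_B_CONFIG, SITE_B_SYSOPT, "outside_1_cryptomap", "228.22.206.186")
    only_a, only_b = compare_crypto_acls(a["crypto"], b["crypto"])
    print("crypto entries without a mirror on the peer:", only_a, only_b)
    for name, result in (("Site A", a), ("Site B", b)):
        print(name, {k: v for k, v in result.items() if k != "crypto"})
```

Run it against the real 'show running-config' and 'show run all sysopt' output of both units; on the constructed input it reports the crypto ACLs as correctly mirrored, and flags site B for the missing NAT exemption entry, the disabled sysopt command and a DfltGrpPolicy that does not allow IPsec. The mirror check is deliberately strict (identical masks, swapped addresses), because the ASA will not bring up a tunnel whose proxy identities do not match exactly.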
