This topic is to discuss the following lesson:
Rene,
Hello, that was very good! Is there any issue if there are two different versions of the ASA, one before 8.4 and one after with the keyword “ikev1” and “isakmp”, or is that just a local setting?
Thanks
Chris
Hi Chris,
That shouldn’t be an issue, these are just local commands.
Rene
Hi Rene,
Thank you for the explanation.
I’ve a question
As the traffic is coming from the OUTSIDE to the INSIDE zone, do we need an inbound ACL on the OUTSIDE interface (applicable to both ASAs)?
Thank you
Taslim
Hi Taslim,
There’s no need to do this, the ASA will permit the site-to-site traffic by default. One thing to remember when configuring site-to-site VPNs is to configure NAT exemption. By default the ASA will translate all packets from the INSIDE, even when the destination is on the other side of the tunnel.
Rene
Hi Rene, do the OUTSIDE firewall interfaces have to be on the same subnet as shown in your example? Also, do I need an access-group for the access-list?
Thanks
Hi Wilson,
In my example the two ASAs are on the same subnet since they are directly connected, but this is not a requirement. In a real-world scenario, each of them will have a public IP address on a different subnet. As long as they can reach each other, you are fine.
You don’t need the access-group; in the crypto map we refer directly to the access-list.
Rene
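To make the two points from the replies above concrete (NAT exemption for tunnel traffic, and the crypto ACL being referenced by the crypto map rather than applied with access-group), here is an added ASA 8.4+ configuration example. It is not from the lesson or from anyone in this thread. It assumes interface names INSIDE and OUTSIDE, local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, a remote peer address of 10.10.10.2 and a placeholder pre-shared key; the policy, transform-set and crypto-map names are arbitrary. The check commands at the end are the ones a practitioner would run to confirm the exemption is actually hit before blaming the VPN itself.

```cisco
! Added example, not the lesson's or the thread's own config. ASA 8.4+ syntax.
! Assumptions: interfaces INSIDE/OUTSIDE, local LAN 192.168.1.0/24,
! remote LAN 192.168.2.0/24, remote peer 10.10.10.2, placeholder PSK.

! 1. Crypto ACL. It is only referenced by the crypto map below;
!    no access-group is applied to it.
access-list LAN1_TO_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! 2. NAT exemption (identity twice NAT) for traffic to the remote LAN.
!    Manual NAT is evaluated before object NAT, so this wins over a
!    "nat (INSIDE,OUTSIDE) dynamic interface" rule that would otherwise
!    PAT the packets and make them miss the crypto ACL.
!    (Pre-8.3 equivalent: nat (inside) 0 access-list LAN1_TO_LAN2)
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup

! 3. IKEv1 phase 1, tunnel group and phase 2 transform set.
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_REAL_KEY
crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac

! 4. Crypto map pointing directly at the ACL, applied to OUTSIDE.
crypto map CM_OUTSIDE 10 match address LAN1_TO_LAN2
crypto map CM_OUTSIDE 10 set peer 10.10.10.2
crypto map CM_OUTSIDE 10 set ikev1 transform-set TS_AES256_SHA
crypto map CM_OUTSIDE interface OUTSIDE

! 5. Checks. packet-tracer reports which NAT rule the packet hits and
!    whether it is handed to VPN encryption; the sa commands show whether
!    phase 1 and phase 2 came up; the sysopt line confirms decrypted VPN
!    traffic bypasses interface ACLs (the default, hence no inbound ACL).
packet-tracer input INSIDE icmp 192.168.1.10 8 0 192.168.2.10
show nat
show crypto ikev1 sa
show crypto ipsec sa
show running-config all sysopt
```

If packet-tracer shows the packet matching the dynamic PAT rule instead of the identity rule, the exemption is ordered or scoped wrongly; if it reaches the VPN phase but the ikev1 sa output stays empty, the problem is peer reachability or a phase 1 mismatch, not NAT.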
Thanks Rene. Makes sense.
Hello Rene,
Can we double-check the last part. Do we still need to configure the routing for 192.168.1.0/192.168.2.0? As long as both peers are reachable, it should build up a tunnel. I tried to lab it, and it doesn’t require configuring routes for the LAN networks.
Cheers
Hi !
I am having trouble getting the ping to the outside of both ASAs.
I did a NAT on inside:
nat (inside,outside) dynamic interface
I took the NAT away …
but from ASA1 I cannot ping the R2 interface 192.168.2.2?? Anyone who knows??
Hi again!
I meant vice versa: I cannot ping from router 1 inside to outside ASA1. Perhaps it is the security-level I put, by old habit, on the interfaces of the ASA.
Hi Oskar,
You configured site-to-site IPsec VPN plus NAT or only NAT?
Rene
Hi !
I have configured the IPsec VPN without NAT, but I tried with dynamic NAT also:
nat (inside,outside) dynamic interface
Should you configure the security level on the interfaces?
Oskar
Hi Rene!
I tried about half a dozen times to make this exact same config work on GNS3, and so far it has not worked for me. I always get the message “There are no ikev1 SAs”.
I’m looking for ideas on how to troubleshoot my configuration. Any suggestions?
Thanks, Amin
Hi Amin,
You can add your config files as attachments here, maybe I can quickly spot it.
Rene
Hi Rene !
Nice to be here on the site… it teaches me real stuff. I will do the config tomorrow and then I will send it to you.
I didn’t make any qemu-img in cmd to be able to save the config…
/Oskar
Hi Amin,
I’ll take a look, but I don’t see your attachments.
Rene
Hi !
I labbed it up in VIRL.
I did not do any object NAT for inside to get outside, nor did I do any NAT exemption. I didn’t do any access-group either. I put a security level on the interfaces. I can ping the gateways and outside addresses but not the gateway on the other side.
I’ve copied and pasted the router configs below, instead of sending them as attachments.
Regards, Amin
amin_asa1.txt (2.8 KB)
amin_asa2.txt (2.8 KB)
amin_r1.txt (1.2 KB)
amin_r2.txt (1.5 KB)