L2L Dynamic VPN between 5510 and 5505
pert
Could you guys help me out with what's broken in here? I don't have much education on the VPN side. Config looks right to me, but it doesn't work and also breaks existing VPN connections.
ASA 5510 - HQ Firewall, Public IP 1.1.1.1 on Outside Interface
10.0.0.0 /13 private
192.168.0.0 /24 private
ASA 5505 - Remote Office Firewall, dynamic private IP on Outside Interface
10.100.100.0 /24 private
5510 HQ ASA Config
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable Outside
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key Cisco
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map TestCase-DYNMAP 1000 set transform-set ESP-AES-128-SHA
crypto map Outside_map 100 IPSec-isakmp dynamic TestCase-DYNMAP
crypto map Outside_map interface outside
no access-list TestCase-NONAT extended permit ip 10.0.0.0 255.248.0.0 10.110.110.0 255.255.255.0
no access-list TestCase-NONAT extended permit ip 192.168.0.0 255.255.255.0 10.110.110.0 255.255.255.0
nat (inside) 0 access-list TestCase-NONAT
route Outside 0.0.0.0 0.0.0.0 1.1.1.2 1
route Inside 10.4.0.0 255.248.0.0 10.3.3.3 1 !!! 10.3.3.1 is Interface on router behind ASA
route Inside 192.168.0.0 255.255.255.0 10.3.3.3 1 !!! 10.3.3.1 is Interface on router behind ASA
ASA 5505 Config
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.110.110.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
crypto isakmp policy 15
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key Cisco
access-list TestCase_VPN permit ip 10.110.110.0 255.255.255.0 10.0.0.0 255.248.0.0
access-list TestCase_VPN permit ip 10.110.110.0 255.255.255.0 192.168.0.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map outside 100 match address TestCase_VPN
crypto map outside 100 set peer 1.1.1.1
crypto map outside 100 set transform-set ESP-AES128-SHA
crypto map outside interface outside
access-list TestCase_VPN-NONAT extended permit ip 10.110.110.0 255.255.255.0 10.0.0.0 255.248.0.0
access-list TestCase_VPN-NONAT extended permit ip 10.110.110.0 255.255.255.0 192.168.0.0 255.255.0
nat (inside) 0 access-list TestCase_VPN-NONAT
dhcpd address 10.110.110.2-10.110.110.20 inside
dhcpd enable inside
route outside 10.0.0.0 255.248.0.0 1.1.1.1 1
route outside 192.168.0.0 255.255.255.0 1.1.1.1 1
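A quick consistency check over the two configs posted above, added here as an example and not part of the post: it parses the ISAKMP policies and the crypto / NAT-exempt ACLs from both boxes and reports the phase-1 parameters the peers share, whether the HQ NAT-exempt ACL has any active entries at all (a line prefixed with `no access-list` removes an entry rather than adding one), and which remote crypto-ACL entries are not exempt from NAT on either side (at HQ the exempt entry must be the mirror image, HQ network to remote network). The config strings are condensed from the post; the ACL names are the post's own.

```python
import re
# Constructed input: ISAKMP, crypto-ACL and NAT-exempt lines condensed from the two configs above.
HQ_CFG = """
crypto isakmp policy 5
 encryption aes
 hash sha
 group 2
no access-list TestCase-NONAT extended permit ip 10.0.0.0 255.248.0.0 10.110.110.0 255.255.255.0
no access-list TestCase-NONAT extended permit ip 192.168.0.0 255.255.255.0 10.110.110.0 255.255.255.0
"""
REMOTE_CFG = """
crypto isakmp policy 15
 encryption aes
 hash sha
 group 2
access-list TestCase_VPN permit ip 10.110.110.0 255.255.255.0 10.0.0.0 255.248.0.0
access-list TestCase_VPN permit ip 10.110.110.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list TestCase_VPN-NONAT extended permit ip 10.110.110.0 255.255.255.0 10.0.0.0 255.248.0.0
access-list TestCase_VPN-NONAT extended permit ip 10.110.110.0 255.255.255.0 192.168.0.0 255.255.0
"""
IP = r"(\d+(?:\.\d+){3})"
ACE = re.compile(rf"^access-list (\S+) (?:extended )?permit ip {IP} {IP} {IP} {IP}$", re.M)

def acl_entries(cfg, name):
    """Active (src, smask, dst, dmask) entries of ACL `name`. A 'no access-list' line
    removes an entry, and the ASA rejects a malformed mask, so neither matches here."""
    return [m.groups()[1:] for m in ACE.finditer(cfg) if m.group(1) == name]

def isakmp_policies(cfg):
    """One (encryption, hash, group) tuple per 'crypto isakmp policy' block."""
    pols = set()
    for block in re.split(r"^crypto isakmp policy \d+$", cfg, flags=re.M)[1:]:
        found = dict(re.findall(r"^ *(encryption|hash|group) (\S+)$", block, re.M))
        pols.add((found.get("encryption"), found.get("hash"), found.get("group")))
    return pols

def missing(entries, reference, mirror=False):
    """Entries with no counterpart in `reference`, optionally with src/dst swapped."""
    ref = set(reference)
    return [e for e in entries if ((e[2], e[3], e[0], e[1]) if mirror else e) not in ref]

def report():
    """Phase-1 overlap and NAT-exempt coverage of the remote site's crypto ACL."""
    crypto = acl_entries(REMOTE_CFG, "TestCase_VPN")
    return {
        "shared_isakmp": isakmp_policies(HQ_CFG) & isakmp_policies(REMOTE_CFG),
        "hq_nonat_active": acl_entries(HQ_CFG, "TestCase-NONAT"),
        "remote_not_exempt": missing(crypto, acl_entries(REMOTE_CFG, "TestCase_VPN-NONAT")),
        "hq_not_exempt": missing(crypto, acl_entries(HQ_CFG, "TestCase-NONAT"), mirror=True),
    }
```

On the posted configs `report()` finds one shared ISAKMP policy, no active HQ NAT-exempt entries, one remote crypto entry (the 192.168.0.0 one, whose exempt line carries a three-octet mask) not exempt at the remote site, and both remote entries not exempt at HQ.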
Comments
eten
Kind of a late reply, but I've labbed this up on 8.4 and it seems to run perfectly with your setup. There are a few differences in terms of NAT exempt but the tunnels came up without any issues. One issue I've encountered on 5520/GNS3 was when using the "ip address dhcp setroute", it obtained a DHCP address but did not set a default route.
Does your router behind your HQ ASA have routes for the remote site? Are you able to run show commands to see if it is failing at phase 1 / 2, or any debugs to see what's happening?