Network World
Building a VPN with Cisco ASA gear

Nutter's Help Desk By Ron Nutter , Network World , 12/17/2007

The organization I work for recently bought a Cisco ASA 5510 and 3 ASA 5505s to replace some SonicWalls we have in a few group homes. They are going to be doing a site-to-site VPN tunnel so that the group homes can access our VoIP phones and also remote desktop into our terminal server. I have tried to test the ASAs from home; I have tried a few things but all were unsuccessful. Any thoughts?
-- Dale L. Bradford

Since you are moving from a different brand of firewall, you will want to work through this in stages. Keep good notes as you go; they will serve you well as you become more familiar with getting the firewalls to work.

The first thing I would do is look at the licenses on your respective firewalls. Cisco refers to the different license levels by user count, but I have found the terminology works a little differently from what you would expect. Assuming the 5510 has a 10-user license and the 5505s have a 5-user license, if you come across the VPN link from the 5505 side to the 5510 and call up a complex Web site, you will eat up all the licenses on the 5510 and the VPN connection will appear to fail, because of the way licensing is handled on the Cisco ASA devices. So check the licenses on the ASAs you have: if the 3 ASA 5505s have a 10-user license installed on each one, you will want to add that license count to the number of users at the main office to get the total license needed on the 5510. Assuming you have 20 users at the main office, you would want a license of at least 50 users installed on the ASA 5510. You may find that a higher license count is necessary on the 5510; you'll need to do some testing to know for sure. Unfortunately, you won't really see this explained in the documentation.

Once you've dealt with the license issue, connect the WAN ports of the ASA 5510 and one of the 5505s to each other. You may need a crossover cable to get link between the two firewalls. You can also put a switch between the two ASAs (a Layer 3 switch would be ideal) or a router with two Ethernet interfaces; this lets you assign IP addresses from different subnets to the respective ASAs you are testing. Set up a site-to-site VPN connection, then make sure that you can route properly between the two ASAs and can see all of the systems on each side of the connection. This will help you get a feel for setting up a VPN connection before the units go out to the group homes.
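As an added illustration (not from the column or from Cisco's documentation), this is what a minimal site-to-site IPsec configuration for the lab test above looks like on the ASA 5510 side, in the pre-8.3 ASA syntax that shipped on these units; all addresses, names and the PSK placeholder are constructed, and the 5505 gets the mirror image (subnets swapped, peer 192.0.2.1).

```cisco
! Constructed lab example for the ASA 5510 ("main office") side.
! Assumed addressing: outside 192.0.2.1/30 facing the 5505's 192.0.2.2,
! inside LAN 10.1.0.0/24 here, 10.2.0.0/24 behind the 5505.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! Crypto ACL: only LAN-to-LAN traffic between the two sites enters the tunnel.
access-list L2L_TO_5505 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
! NAT exemption: without this the ASA translates the traffic first and the
! crypto ACL never matches, a common "tunnel never comes up" symptom.
nat (inside) 0 access-list L2L_TO_5505
!
! Phase 1 (ISAKMP/IKEv1). AES-256/SHA-1/group 2 were typical for ASA 8.0;
! use the strongest proposal both ends support.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec) transform set and the crypto map bound to the outside interface.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TO_5505
crypto map OUTSIDE_MAP 10 set peer 192.0.2.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! The peer is identified by its outside address; the PSK must match on both ends.
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
!
! The lab has no Internet link, so the default route points at the other ASA.
route outside 0.0.0.0 0.0.0.0 192.0.2.2
!
! Verification after pinging a 10.2.0.x host from a 10.1.0.x host:
!   show crypto isakmp sa    (state should read MM_ACTIVE)
!   show crypto ipsec sa     (encaps/decaps counters increment on both ASAs)
```

If the ISAKMP SA comes up but the IPsec counters stay at zero, compare the crypto ACLs and NAT exemption on the two units first; a mismatched subnet mask on either side is the usual culprit.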

Comments (3)

Disappointed
By Anonymous on January 2, 2008, 2:36 pm

After I read the article, I was disappointed in the author. The author should never have responded to the question. In my opinion, he is new to understanding L2L VPN, the...

Watch out, this article is mostly incorrect
By jheary on December 19, 2007, 12:55 pm

Unfortunately, the author does not understand Cisco's user licensing. I recommend you disregard all info to that effect. User licensing has nothing to do with bringing...

RE: Building a VPN with Cisco ASA gear
By Anonymous on December 18, 2007, 12:40 pm

I was disappointed with this article for a couple of reasons. First, Mr. Nutter should have done at least a little homework before responding, since it's pretty easy...
