10-08-2007 05:38 AM - edited 03-09-2019 06:58 PM
Hi all, I had a problem with my site-to-site tunnel between 2 ASAs where I could not ping. I have resolved this; the issue was that the encrypted networks were different on one side. They were all there, but one side had another network statement in. Would this matter? Do they have to match exactly? Also, with the VPN tunnel, was I right in adding a NAT exempt rule for those networks through the tunnel?
10-11-2007 04:09 AM
Can anyone please help with this?
cheers
Carl
10-11-2007 05:08 AM
Carl,
If you could post how you had the config when it wasn't working and the config now that it is working, it may be easier to help. Yes, you were correct in adding NAT exemption for the interesting traffic on the tunnel. Also, the crypto ACLs should mirror each other exactly. For example:
Site A
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
Site B
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
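As an added illustration of the two points in the answer above (not part of the original thread), here is a small Python checker that parses the `access-list ... permit ip <net> <mask> <net> <mask>` lines from each side's config, verifies that the two crypto ACLs are exact mirrors of each other, and verifies that every crypto entry also has a matching nonat entry on the same site. The sample configs are constructed to reproduce the original poster's situation, with one extra network statement on Site A; the ACL names `crypto` and `nonat` are taken from the answer, and the checker only understands plain network/mask entries (no `host` keyword or object-groups).

```python
import re
from typing import List, Set, Tuple

# One ACL entry: (src_net, src_mask, dst_net, dst_mask)
Entry = Tuple[str, str, str, str]

# Matches PIX/ASA "access-list NAME [extended] permit ip NET MASK NET MASK"
_ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_acl(config: str, name: str) -> Set[Entry]:
    """Collect the network/mask permit-ip entries of the named ACL."""
    entries: Set[Entry] = set()
    for line in config.splitlines():
        m = _ACL_RE.match(line.strip())
        if m and m.group("name") == name:
            entries.add((m.group("src"), m.group("smask"),
                         m.group("dst"), m.group("dmask")))
    return entries


def mirror(entries: Set[Entry]) -> Set[Entry]:
    """Swap source and destination, i.e. what the peer's ACL should contain."""
    return {(d, dm, s, sm) for (s, sm, d, dm) in entries}


def check_mirror(site_a_cfg: str, site_b_cfg: str,
                 name: str = "crypto") -> Tuple[bool, List[Entry], List[Entry]]:
    """Return (ok, entries only on A, entries only on B) for the crypto ACLs."""
    a = parse_acl(site_a_cfg, name)
    b = parse_acl(site_b_cfg, name)
    only_a = sorted(a - mirror(b))   # A encrypts these, B has no matching entry
    only_b = sorted(b - mirror(a))   # B encrypts these, A has no matching entry
    return (not only_a and not only_b, only_a, only_b)


def missing_nat_exempt(cfg: str, crypto: str = "crypto",
                       nonat: str = "nonat") -> List[Entry]:
    """Crypto ACL entries that have no identical entry in the nat 0 ACL."""
    return sorted(parse_acl(cfg, crypto) - parse_acl(cfg, nonat))


# Constructed sample configs: Site A carries one extra network statement.
SITE_A = """
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
SITE_B = """
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
```

Running `check_mirror(SITE_A, SITE_B)` reports the 192.168.1.0 to 192.168.3.0 entry as present only on Site A, and `missing_nat_exempt(SITE_A)` flags the same entry as lacking a NAT exemption; after removing that line from Site A (or adding its mirror and nonat entry on both sides) both checks come back clean.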