Hi,

Thanks for you reply.

First of all, a few details I forgot to mention:

It's an ASA 5510 running ver. 8.0(2)

Then to the config (slightly shortened). As you'll notice, there are two tunnels. The first one works fine. It terminates in a PIX in sweden, which has private ip addresses on it's inside interface.

The other one (that doesn't work) has public ip addresses on it's inside interface (and that's what I think is the source of this problem. Because of this I have made not NAT exemption rule, 'cause the traffic will only go from us to "them".

The object-group ext_rki_servers are the mentioned public "inside" network. The tunnel that works is 194.x.x.x and the one that doesn't is the 193.x.x.x.

Config:

access-list inside_nat0_outbound extended permit ip object-group net_all_internal object-group net_sweden

access-list traffic_from_inside extended permit ip object-group net_all_internal object-group net_sweden

access-list traffic_from_inside extended permit tcp object-group int_scorex_servers object-group ext_rki_servers object-group DM_INLINE_TCP_2 log debugging

access-list outside_cryptomap_RKI extended permit ip object-group int_scorex_servers object-group ext_rki_servers

access-list fiber_sweden_cryptomap extended permit ip object-group net_all_internal object-group net_sweden

nat-control

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 102 access-list inside_nat_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

access-group traffic_from_outside in interface outside

access-group traffic_from_inside in interface inside

timeout xlate 3:00:00

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set access_dk_se esp-aes-192 esp-sha-hmac

crypto map outside_map_RKI 1 match address outside_cryptomap_RKI

crypto map outside_map_RKI 1 set peer 193.x.x.17

crypto map outside_map_RKI 1 set transform-set ESP-3DES-SHA

crypto map outside_map_RKI interface outside

crypto map access_dk_se_map 30 match address fiber_sweden_cryptomap

crypto map access_dk_se_map 30 set peer 194.x.x.42

crypto map access_dk_se_map 30 set transform-set access_dk_se

crypto map access_dk_se_map interface fiber

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp enable fiber

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-192

hash sha

group 5

lifetime 86400

no crypto isakmp nat-traversal

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

tunnel-group 194.x.x.42 type ipsec-l2l

tunnel-group 194.x.x.42 ipsec-attributes

pre-shared-key *

tunnel-group 193.x.x.17 type ipsec-l2l

tunnel-group 193.x.x.17 ipsec-attributes

pre-shared-key *

Shouldn't you also need...

access-list inside_nat0_outbound extended permit ip object-group int_scorex_servers object-group ext_rki_servers

I don't know :)

But the traffic from our internal servers needs to be NAT'ed, so I don't think so?`

BR,

Rasmus

Correct, that group contains the internal ip addresses.

They are NAT'ed to the external firewall interface upon exit. So I should change the ACL?

Never would have thought of this myself, but I'll give it a go, and get back to you.

Thanks,

Rasmus

You were right. I replaced with the public ip of the firewall and we're through :)

Thanks!

Good deal, glad it worked out. Thanks for the rating.