Two VPN tunnels but only one starts

Answered Question
Mar 9th, 2008

I have an ASA5505 that I need to connect to two remote networks. I worked through getting the first tunnel to my HQ working. I need to now add a remote office. My HQ and the remote office both use SonicWALL PRO2040 devices, same firmware and OS.


I used the working tunnel config to create the second tunnel. The first tunnel starts and works perfectly. When I try to send traffic to the remote office the second tunnel never even starts.


I look in the logs at both ends (I gain access to the remote location via a software client) and there are no exchanges between my ASA and the PRO2040.


What more might I need to do to get the ASA to start the tunnel?


I'm running 8.0 on my ASA. All the SonicWALLs are 4.0.0.2 Enhanced.

7b.schappel Mon, 03/10/2008 - 08:57

I should mention that the VPN to XX.XX.XX.XX is the one that works.

Correct Answer
brettmilborrow Mon, 03/10/2008 - 09:06

Hi,


OK, so connections to the remote networks need to have a nat 0 applied to them. In your config your nat 0 looks like this:


nat (inside) 0 access-list outside_cryptomap


In order to get your new VPN to work, you will need to apply this to the new traffic; however, you will need to create a new ACL for the nat 0 statement. The commands you will need to complete this are as follows:


access-list nonat extended permit ip inside-network 255.255.255.0 my-hq 255.255.248.0

access-list nonat extended permit ip inside-network 255.255.255.0 office2 255.255.255.0


no nat (inside) 0 access-list outside_cryptomap

nat (inside) 0 access-list nonat


clear xlate


Everything else looks OK, so that should do it :)
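As an added example that is not part of the thread or the poster's configuration, here is a constructed ASA 8.0 (pre-8.3 NAT syntax) configuration for two site-to-site peers in the shape the answer describes: one crypto ACL per peer, and a single NAT-exemption ACL that is the union of both. All addresses, peer IPs, ACL and map names are assumptions chosen for illustration. The comment above the `nonat` ACL spells out the failure mode in the question: when `nat (inside) 0` references only the first tunnel's crypto ACL, traffic for the second office is PATed to the outside address, never matches the second crypto ACL, and the ASA never sends the first IKE packet, which is exactly why the logs on both ends stay empty.

```cisco
! Constructed example, not the poster's config. Assumed addressing:
!   inside LAN   192.168.1.0/24
!   HQ           10.10.0.0/21   behind SonicWALL peer 203.0.113.10
!   Office2      10.20.5.0/24   behind SonicWALL peer 198.51.100.20

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0

! One crypto ACL per peer; each lists only that peer's subnets.
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.248.0
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.20.5.0 255.255.255.0

! NAT exemption: a separate ACL covering every remote subnet of every tunnel.
! Pointing nat 0 at outside_cryptomap alone (the original setup) exempts only
! HQ traffic; packets for 10.20.5.0/24 fall through to nat (inside) 1, leave
! with the outside address as source, match no crypto ACL, and IKE for
! 198.51.100.20 is never initiated.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.248.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.20.5.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0

! AES/SHA with DH group 5; both ends must agree, pick the strongest set the
! SonicWALLs support.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-AES256-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 198.51.100.20
crypto map outside_map 2 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 pre-shared-key *****

! Verification, run after 'clear xlate' and some traffic toward 10.20.5.0/24:
!   packet-tracer input inside tcp 192.168.1.50 12345 10.20.5.10 80
!       -> NAT phase shows the nat 0 exemption, VPN phase shows encrypt, result ALLOW
!   show crypto isakmp sa
!       -> an entry for 198.51.100.20 (MM_ACTIVE once Phase 1 completes)
!   show crypto ipsec sa peer 198.51.100.20
!       -> #pkts encaps counters increasing
```

Two practical notes. `packet-tracer` is the quickest way to confirm the diagnosis before changing anything: with the misconfigured `nat 0`, the NAT phase will show a dynamic translation rather than an exemption and the VPN phase will be absent. And `clear xlate` drops every existing translation on the box, so any established sessions going out through the PAT will be reset; do it in a maintenance window or scope it with `clear xlate local 192.168.1.0 netmask 255.255.255.0` if only the inside hosts need to pick up the new exemption.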
