03-09-2008 02:51 PM - edited 02-21-2020 03:36 PM
I have an ASA5505 that I need to connect to two remote networks. I worked through getting the first tunnel to my HQ working. I need to now add a remote office. My HQ and the remote office both use SonicWALL PRO2040 devices, same firmware and OS.
I used the working tunnel config to create the second tunnel. The first tunnel starts and works perfectly. When I try to send traffic to the remote office the second tunnel never even starts.
I look in the logs at both ends (I gain access to the remote location via a software client) and there are no exchanges between my ASA and the PRO2040.
What more might I need to do to get the ASA to start the tunnel?
I'm running 8.0 on my ASA. All the SW's are 4.0.0.2 Enhanced.
03-10-2008 01:55 AM
Can you post a sanitized copy of the config?
03-10-2008 07:35 AM
03-10-2008 08:57 AM
I should mention that the VPN to XX.XX.XX.XX is the one that works.
03-10-2008 09:06 AM
Hi,
OK, so connections to the remote networks need to have a nat 0 applied to them. In your config your nat 0 looks like this:
nat (inside) 0 access-list outside_cryptomap
In order to get your new VPN to work, you will need to apply this to the new traffic; however, you will need to create a new ACL for the NAT 0 statement. The commands you will need to complete this are as follows:
access-list nonat extended permit ip inside-network 255.255.255.0 my-hq 255.255.248.0
access-list nonat extended permit ip inside-network 255.255.255.0 office2 255.255.255.0
no nat (inside) 0 access-list outside_cryptomap
nat (inside) 0 access-list nonat
clear xlate
Everything else looks OK, so that should do it :)
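The gap this answer identifies can be checked offline against a saved config. The script below is an added example, not part of the original post: it reports crypto map ACL entries that no `nat 0` ACL entry covers. The sample config, its addresses and the ACL name `outside_cryptomap_2` are constructed assumptions, since the poster's config is not shown on the page.

```python
import ipaddress
import re

# Constructed sample in ASA 8.0 syntax (addresses and outside_cryptomap_2 are
# made up). It mirrors the thread: two crypto maps, NAT exemption for only one.
SAMPLE_CONFIG = """\
name 192.168.10.0 inside-network
name 10.1.0.0 my-hq
name 10.2.2.0 office2
access-list outside_cryptomap extended permit ip inside-network 255.255.255.0 my-hq 255.255.248.0
access-list outside_cryptomap_2 extended permit ip inside-network 255.255.255.0 office2 255.255.255.0
nat (inside) 0 access-list outside_cryptomap
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 2 match address outside_cryptomap_2
"""

# Only "permit ip <net> <mask> <net> <mask>" entries are parsed; "host" and
# "any" forms are outside the scope of this example.
ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse(config):
    names, acls, exempt, crypto = {}, {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"^name (\S+) (\S+)", line):
            names[m.group(2)] = m.group(1)          # alias -> address
        elif m := ACE.match(line):
            acl, s, sm, d, dm = m.groups()
            net = lambda a, mask: ipaddress.ip_network(f"{names.get(a, a)}/{mask}")
            acls.setdefault(acl, []).append((net(s, sm), net(d, dm)))
        elif m := re.match(r"^nat \(\S+\) 0 access-list (\S+)", line):
            exempt.append(m.group(1))               # ACLs used for NAT exemption
        elif m := re.match(r"^crypto map \S+ \d+ match address (\S+)", line):
            crypto.append(m.group(1))               # ACLs that select VPN traffic
    return acls, exempt, crypto

def unexempted_vpn_traffic(config):
    """Return (acl, src, dst) for crypto ACL entries no nat 0 entry covers."""
    acls, exempt, crypto = parse(config)
    covered = [pair for name in exempt for pair in acls.get(name, [])]
    missing = []
    for name in crypto:
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in covered):
                missing.append((name, str(src), str(dst)))
    return missing

if __name__ == "__main__":
    for acl, src, dst in unexempted_vpn_traffic(SAMPLE_CONFIG):
        print(f"{acl}: {src} -> {dst} is not covered by any nat 0 ACL")
```

With the `nonat` ACL from the answer applied in place of `outside_cryptomap`, the function returns an empty list for the same sample.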
03-10-2008 10:46 AM
That took care of the problem. Thanks so much.