Two VPN tunnels but only one starts

7b.schappel
Level 1

I have an ASA5505 that I need to connect to two remote networks. I worked through getting the first tunnel to my HQ working. I need to now add a remote office. My HQ and the remote office both use SonicWALL PRO2040 devices, same firmware and OS.

I used the working tunnel config to create the second tunnel. The first tunnel starts and works perfectly. When I try to send traffic to the remote office the second tunnel never even starts.

I look in the logs at both ends (I gain access to the remote location via a software client) and there are no exchanges between my ASA and the PRO2040.

What more might I need to do to get the ASA to start the tunnel?

I'm running 8.0 on my ASA. All the SWs are 4.0.0.2 Enhanced.


5 Replies

brettmilborrow
Level 1

Can you post a sanitized copy of the config?

Config is attached.

I should mention that the VPN to XX.XX.XX.XX is the one that works.

Hi,

OK, so connections to the remote networks need to have a nat 0 applied to them. In your config your nat 0 looks like this:

nat (inside) 0 access-list outside_cryptomap

In order to get your new VPN to work, you will need to apply this to the new traffic; however, you will need to create a new ACL for the nat 0 statement. The commands you will need to complete this are as follows:

access-list nonat extended permit ip inside-network 255.255.255.0 my-hq 255.255.248.0
access-list nonat extended permit ip inside-network 255.255.255.0 office2 255.255.255.0
no nat (inside) 0 access-list outside_cryptomap
nat (inside) 0 access-list nonat
clear xlate

Everything else looks ok, so that should do it :)
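As an added example that is not part of the thread, a small Python check for the misconfiguration diagnosed in the answer: it parses the access-list, nat 0 and crypto-map lines of an ASA 8.0-style config and reports every crypto-map (interesting traffic) entry that the NAT exemption ACL does not also cover. The config text is constructed from the thread's object names; the ACL name outside_cryptomap_1 for the second tunnel is assumed, and matching is by identical entry, so a nat 0 entry with a broader mask would still be reported.

```python
# Added example (not from the thread): parse the access-list, nat 0 and crypto-map
# lines of an ASA 8.0-style config and report crypto-map (interesting traffic)
# entries that the NAT exemption ACL does not cover, the cause diagnosed above.
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")

def parse(config):
    """Return (ACL entries by name, nat 0 ACL names, (map, seq) -> ACL name)."""
    acls, nat0, cmaps = defaultdict(list), [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(m.group(2, 3, 4, 5))  # (src, smask, dst, dmask)
        elif m := NAT0_RE.match(line):
            nat0.append(m.group(1))
        elif m := CMAP_RE.match(line):
            cmaps[(m.group(1), int(m.group(2)))] = m.group(3)
    return acls, nat0, cmaps

def uncovered_crypto_entries(config):
    """(map, seq, acl, entry) for every crypto-map entry with no exact nat 0 match.
    Matching is by identical tuple; a broader exempt subnet is not recognised."""
    acls, nat0, cmaps = parse(config)
    exempt = {e for name in nat0 for e in acls[name]}
    return [(cmap, seq, acl, e) for (cmap, seq), acl in sorted(cmaps.items())
            for e in acls[acl] if e not in exempt]

# Constructed config matching the thread: only the HQ tunnel's ACL is NAT-exempted.
# The ACL name outside_cryptomap_1 for the second tunnel is assumed.
BEFORE = """
access-list outside_cryptomap extended permit ip inside-network 255.255.255.0 my-hq 255.255.248.0
access-list outside_cryptomap_1 extended permit ip inside-network 255.255.255.0 office2 255.255.255.0
nat (inside) 0 access-list outside_cryptomap
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 2 match address outside_cryptomap_1
"""

# The same config after the accepted answer: one nonat ACL covering both tunnels.
AFTER = BEFORE.replace("nat (inside) 0 access-list outside_cryptomap", """\
access-list nonat extended permit ip inside-network 255.255.255.0 my-hq 255.255.248.0
access-list nonat extended permit ip inside-network 255.255.255.0 office2 255.255.255.0
nat (inside) 0 access-list nonat""")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, uncovered_crypto_entries(cfg) or "all crypto-map traffic exempted")
```

Run against a saved `show running-config`, the "before" case reports the office2 entry under sequence 2, which is exactly the traffic the ASA was translating instead of sending into the tunnel.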

That took care of the problem. Thanks so much.
