03-09-2008 02:51 PM - edited 02-21-2020 03:36 PM
I have an ASA5505 that I need to connect to two remote networks. I worked through getting the first tunnel to my HQ working. I need to now add a remote office. My HQ and the remote office both use SonicWALL PRO2040 devices, same firmware and OS.
I used the working tunnel config to create the second tunnel. The first tunnel starts and works perfectly. When I try to send traffic to the remote office the second tunnel never even starts.
I look in the logs at both ends (I gain access to the remote location via a software client) and there are no exchanges between my ASA and the PRO2040.
What more might I need to do to get the ASA to start the tunnel?
I'm running 8.0 on my ASA. All the SW's are 4.0.0.2 Enhanced.
03-10-2008 01:55 AM
Can you post a sanitized copy of the config?
03-10-2008 07:35 AM
03-10-2008 08:57 AM
I should mention that the VPN to XX.XX.XX.XX is the one that works.
03-10-2008 09:06 AM
Hi,
OK, so connections to the remote networks need to have a nat 0 applied to them. In your config your nat 0 looks like this:
nat (inside) 0 access-list outside_cryptomap
In order to get your new VPN to work, you will need to apply this to the new traffic; however, you will need to create a new ACL for the NAT 0 statement. The commands you will need to complete this are as follows:
access-list nonat extended permit ip inside-network 255.255.255.0 my-hq 255.255.248.0
access-list nonat extended permit ip inside-network 255.255.255.0 office2 255.255.255.0
no nat (inside) 0 access-list outside_cryptomap
nat (inside) 0 access-list nonat
clear xlate
Everything else looks OK, so that should do it :)
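An added example, not part of the original post: a small Python check that every `crypto map ... match address` ACL entry in an ASA 8.0-style config is also covered by the ACL referenced from `nat (inside) 0`, which is the mismatch fixed above. The addresses, the map name `outside_map` and the second ACL name `outside_cryptomap_2` are constructed, since the poster's config is not shown on the page.

```python
import ipaddress
import re

# Constructed sample: addresses, map name and second crypto ACL name are assumptions.
BEFORE = """\
name 192.168.10.0 inside-network
name 10.1.0.0 my-hq
name 10.2.0.0 office2
access-list outside_cryptomap extended permit ip inside-network 255.255.255.0 my-hq 255.255.248.0
access-list outside_cryptomap_2 extended permit ip inside-network 255.255.255.0 office2 255.255.255.0
nat (inside) 0 access-list outside_cryptomap
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 2 match address outside_cryptomap_2
"""
# The same config after applying the commands from the answer above.
AFTER = BEFORE.replace("nat (inside) 0 access-list outside_cryptomap\n", """\
access-list nonat extended permit ip inside-network 255.255.255.0 my-hq 255.255.248.0
access-list nonat extended permit ip inside-network 255.255.255.0 office2 255.255.255.0
nat (inside) 0 access-list nonat
""")

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def unexempted_tunnel_traffic(config):
    """Return (crypto ACL, src net, dst net) entries that no nat 0 ACL entry covers."""
    names, acls, exempt_acls, crypto_acls = {}, {}, [], []

    def net(addr, mask):
        # Resolve a `name` alias if one exists, then build the network from the mask.
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}")

    for line in map(str.strip, config.splitlines()):
        w, m = line.split(), ACL_RE.match(line)
        if w[:1] == ["name"] and len(w) >= 3:
            names[w[2]] = w[1]
        elif m:
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif w[:1] == ["nat"] and w[2:4] == ["0", "access-list"]:
            exempt_acls.append(w[4])
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            crypto_acls.append(w[6])

    exempt = [e for name in exempt_acls for e in acls.get(name, [])]
    return [(acl, str(s), str(d)) for acl in crypto_acls for s, d in acls.get(acl, [])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

if __name__ == "__main__":
    print("before:", unexempted_tunnel_traffic(BEFORE))
    print("after: ", unexempted_tunnel_traffic(AFTER))
```

It only understands `permit ip <net> <mask> <net> <mask>` entries, so ACLs using `host`, `any` or object groups need to be reviewed by hand.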
03-10-2008 10:46 AM
That took care of the problem. Thanks so much.