Remote-access help into a 5505

jjoseph01
Level 3

Hi all. Needing some help with a remote-access VPN into a 5505. I can VPN in just fine, I just can't seem to pass any traffic. When I do a "sho cryp ipsec sa", I see traffic being decrypted, but I do not see any traffic being encrypted back to me. I attached my config; could I get some help from you guys to see where I have gone wrong? I appreciate it as always.

1 Accepted Solution

singhsaju
Level 4

The reason this is happening is that the ASA also has an L2L tunnel, and you are using the same NAT 0 access-list for the L2L tunnel as the crypto ACL as well:

nat (inside) 0 access-list tocw

crypto map outside_map 10 match address tocw

So the traffic you are sending from the VPN client is actually returning back to the L2L tunnel.

Do the following:

Create a separate access-list for the L2L tunnel, specifying only the traffic specific to the L2L tunnel.

You have to check the remote side, but I think your crypto ACL for the L2L tunnel would be:

access-list VPNACL extended permit ip 192.168.201.0 255.255.255.0 192.168.73.0 255.255.255.0

no crypto map outside_map 10 match address tocw

crypto map outside_map 10 match address VPNACL

Your L2L tunnel will come down when you make the changes, so make the necessary arrangements.

Check and post results.

HTH

Saju

Pls rate helpful posts
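The problem Saju describes (one ACL doing double duty as NAT exemption and as the L2L crypto ACL) is easy to catch with a quick config check. The script below is an added example, not from this thread or from Cisco: the two configs are constructed from the names in the thread, and the 10.10.10.0/24 remote-access client pool is an assumed value, since the attached config is not shown.

```python
import re
from ipaddress import ip_network

# Constructed sample, not the poster's attached config. ACL "tocw" is both
# the NAT exemption list (so it also covers the assumed 10.10.10.0/24
# remote-access pool) and the L2L crypto ACL, as in the thread.
BROKEN_CONFIG = """
access-list tocw extended permit ip 192.168.201.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list tocw extended permit ip 192.168.201.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list tocw
crypto map outside_map 10 match address tocw
"""

# Same config after the fix: a dedicated crypto ACL naming only the L2L pair.
FIXED_CONFIG = """
access-list tocw extended permit ip 192.168.201.0 255.255.255.0 192.168.73.0 255.255.255.0
access-list tocw extended permit ip 192.168.201.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPNACL extended permit ip 192.168.201.0 255.255.255.0 192.168.73.0 255.255.255.0
nat (inside) 0 access-list tocw
crypto map outside_map 10 match address VPNACL
"""

NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse(config):
    """Return (NAT 0 ACL names, crypto map match entries, ACEs per ACL)."""
    nat0, crypto, aces = set(), [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT0_RE.match(line):
            nat0.add(m.group(1))
        elif m := CRYPTO_RE.match(line):
            crypto.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := ACE_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            aces.setdefault(name, []).append(
                (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")))
    return nat0, crypto, aces


def find_shared_acls(config):
    """Flag crypto map entries whose match ACL is also a NAT 0 ACL; each
    finding lists that ACL's destinations, i.e. every network whose return
    traffic gets encrypted toward the L2L peer instead of the VPN client."""
    nat0, crypto, aces = parse(config)
    findings = []
    for map_name, seq, acl in crypto:
        if acl in nat0:
            dests = [str(dst) for _, dst in aces.get(acl, [])]
            findings.append((map_name, seq, acl, dests))
    return findings
```

On the broken config the check reports the L2L map entry and shows the remote-access pool among its destinations; on the fixed config it reports nothing.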


2 Replies

I can't believe I didn't think of that. Thanks Saju. I appreciate it.
