ASA L2L: tunnel up, traffic doesn't pass

Oct 8th, 2008

I've set up an L2L between 2 sites.

Both ASAs NAT the traffic to the Internet with one public IP, while another one (the one assigned to the outside interface) is reserved for L2L peering.

The tunnel has been up for some days, as the output of show crypto ipsec stats shows:

Active tunnels: 1

Previous tunnels: 76

However the traffic won't pass.

When I try to telnet from site A ( to site B (

the outcome is this:

%ASA-7-609001: Built local-host outside:

%ASA-3-305005: No translation group found for tcp src test: dst outside:

%ASA-7-609002: Teardown local-host outside: duration 0:00:00

However my NAT rules are these:

access-list outside_20_cryptomap extended permit ip

access-list inside_nat0_outbound extended permit ip

nat (inside) 0 access-list inside_nat0_outbound


global (outside) 1

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 access-list nat

It appears clear that this traffic shouldn't be natted, but just tunneled to the other side.

I can't understand, then, why it is discarded.

Can anyone give me some suggestions?

ajagadee Wed, 10/08/2008 - 10:09


Where is the network located? Is it on the inside or the DMZ? It looks like the traffic comes from the interface "test". If this is a DMZ, can you configure NAT 0 for the DMZ (test) interface and do the testing?



** Please rate all helpful posts **
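
The check suggested in the reply above, as an added example that is not part of the original thread or any poster's code: it reads the source interface out of each %ASA-3-305005 message and reports those that have no `nat (<interface>) 0` exemption in the pre-8.3 NAT syntax the question uses. The function names are hypothetical, and the addresses and ports in the sample log are constructed because the thread's own were stripped.

```python
import re

# Pre-8.3 ASA syntax: nat (<interface>) <id> access-list <name>; id 0 is NAT exemption.
NAT_RE = re.compile(r"^\s*nat \((\S+)\) (\d+) access-list (\S+)", re.M)
# %ASA-3-305005: ... for <proto> src <if>:<addr>/<port> dst <if>:<addr>/<port>
LOG_RE = re.compile(
    r"%ASA-3-305005: No translation group found for (\S+) "
    r"src ([^:\s]+):(\S+) dst ([^:\s]+):(\S+)"
)


def nat_exempt_interfaces(config):
    """Return the interfaces that carry a 'nat (<if>) 0 access-list' rule."""
    return {ifc for ifc, nat_id, _acl in NAT_RE.findall(config) if nat_id == "0"}


def unexempted_sources(config, log):
    """List 305005 flows whose ingress interface has no NAT exemption rule."""
    exempt = nat_exempt_interfaces(config)
    findings = []
    for _proto, src_if, src, dst_if, dst in LOG_RE.findall(log):
        if src_if not in exempt:
            findings.append((src_if, src, dst_if, dst))
    return findings


# NAT statements as posted in the question.
SAMPLE_CONFIG = """\
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list nat
"""

# Constructed log lines: message IDs and interface names match the question,
# addresses and ports are documentation-range placeholders.
SAMPLE_LOG = """\
%ASA-7-609001: Built local-host outside:192.0.2.10
%ASA-3-305005: No translation group found for tcp src test:198.51.100.5/1025 dst outside:192.0.2.10/23
%ASA-7-609002: Teardown local-host outside:192.0.2.10 duration 0:00:00
"""

if __name__ == "__main__":
    for src_if, src, dst_if, dst in unexempted_sources(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"{src} -> {dst_if}:{dst} arrives on '{src_if}', "
              f"which has no 'nat ({src_if}) 0' rule")
```

An interface that passes this check can still fail if the exemption access-list does not match the flow, so the ACL contents need comparing against the crypto map ACL as well.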

singhsaju Wed, 10/08/2008 - 11:48

Can you post the configs of the ASAs on both sides? Also the "show crypto ipsec sa" output?

nat (inside) 1 access-list nat => shows you are doing Policy NAT. Can you post access-list nat also?



Pls rate helpful posts

