ASA5510 VPN L2L Can't reach Hosts to the other side

Oct 10th, 2008

Hello experts,

I've got an ASA5510 with 3 VPN L2L and one VPN Remote Access. For the two VPN L2L, Marielle and Aeromique, no problem, but for VPN ASPCANADA, from a host 192.168.100.xx behind the ASA I cannot reach 57.5.64.250 or 251, and conversely. But the tunnel is up. Can you help me please? Thank you in advance.





Correct Answer
singhsaju Fri, 10/10/2008 - 13:02

Add these two lines to the NAT 0 access list:


access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.251

access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.250


Also make sure the mirror image of these statements is in the remote ASA's NAT 0 access-list.


Test and post results


HTH

Saju

Pls rate helpful posts
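
The mirror-image check from the answer above, as an added example that is not part of the original thread: it parses the NAT 0 access list on each side and reports local entries whose swapped source/destination form is missing on the peer. The remote ACL name `remote_nat0_acl`, the remote config text and the assumption that the peer uses ASA syntax and the same `ASP-NETWORK` name are constructed for illustration.

```python
import re

# "access-list NAME extended permit ip <src> <dst>", where each address spec is
# "any", "host X" or "NET MASK" (NET may be an ASA name such as ASP-NETWORK).
ADDR = r"(any|host \S+|\S+ \d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip {ADDR} {ADDR}$")

# Local entries are the two lines from the answer; the remote side is constructed
# sample data (hypothetical ACL name, assumed to reuse the ASP-NETWORK name).
LOCAL_CFG = """
access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.251
access-list inside_outbound_nat0_acl extended permit ip ASP-NETWORK 255.255.255.0 host 57.5.64.250
"""
REMOTE_CFG = """
access-list remote_nat0_acl extended permit ip host 57.5.64.251 ASP-NETWORK 255.255.255.0
"""

def parse_acl(config, acl_name):
    """Return the set of (src, dst) pairs permitted by acl_name in config."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            pairs.add((m.group(2), m.group(3)))
    return pairs

def missing_mirrors(local_cfg, local_acl, remote_cfg, remote_acl):
    """Local entries whose swapped (dst, src) form is absent from the remote ACL."""
    remote = parse_acl(remote_cfg, remote_acl)
    return sorted((s, d) for s, d in parse_acl(local_cfg, local_acl)
                  if (d, s) not in remote)

def mirror_line(acl_name, src, dst):
    """Build the statement the remote peer needs for one local entry."""
    return f"access-list {acl_name} extended permit ip {dst} {src}"

if __name__ == "__main__":
    for src, dst in missing_mirrors(LOCAL_CFG, "inside_outbound_nat0_acl",
                                    REMOTE_CFG, "remote_nat0_acl"):
        print("missing on remote:", mirror_line("remote_nat0_acl", src, dst))
```

The comparison is textual, so where the two sides use different names or literal addresses for the same network, resolve them to addresses before comparing.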

pibuskowa Mon, 10/13/2008 - 03:29

Hi,


Thank you for your reply Singhsaju, I'm expecting the reply from the guy who takes care of the router on the other side :). I'll send you the result ...


Best regards

pibuskowa Tue, 10/14/2008 - 04:01

Hi,


OK, every host from LAN ASP-NETWORK can ping the two hosts 57.5.64.250 & 251. Thank you very much. I've got another question for this configuration. For the VPN Remote Access NOMADES, I can reach the hosts in the LAN ASP-NETWORK, but at the same time I can't go on the Internet, or anything public. I added the line "same-security-traffic permit intra-interface" but it's the same thing.


Thank you in advance...

Correct Answer
singhsaju Tue, 10/14/2008 - 10:01

Split tunnel is not configured properly.


Can you remove this line from your config:


no crypto dynamic-map NOMADES_DYN_MAP 10 match address NOMADES_DYN_MAP_10


Also modify the following access list:


no access-list NOMADES_DYN_MAP_10

access-list NOMADES_DYN_MAP_10 extended permit ip any ASP-NETWORK 255.255.255.0


The VPN pool in your config overlaps with the inside network. This sometimes causes issues. Try to configure a different network subnet for the VPN pool.

HTH

Saju

Pls rate helpful posts


pibuskowa Wed, 10/15/2008 - 04:31

Hi Saju


Yep yep yep, everything's going great, my friend ...


Thank you for your help, everything's running now.


Best regards...
