L2L tunnel established but no communication

gerald
Level 1

Hi techs, I am trying to pinpoint what could be the issue between my Cisco ASA 5510 and a remote Cisco router L2L VPN. The tunnel is successfully established, but when I ping the remote LAN from my LAN no packets are going through. The reverse is also true. I've tried packet tracer troubleshooting on the ASDM and I have noted the NAT exemption rule is not being used even though I have configured it; instead it's going straight to NAT rule 1, which is a PAT. Someone please give an insight into this problem. Funny enough, I have 6 other tunnels which are working perfectly.


handsy
Level 1

We're gonna need to see your config for this particular VPN, specifically the 'crypto map' and 'NAT exemption'.

access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.102.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 192.168.102.0 255.255.255.0
crypto map outside_map0 3 match address outside_cryptomap
crypto map outside_map0 3 set pfs group2
crypto map outside_map0 3 set connection-type bi-directional
crypto map outside_map0 3 set peer X.X.X.X
crypto map outside_map0 3 set transform-set ESP-3DES-MD5
crypto map outside_map0 3 set security-association lifetime seconds 28800
crypto map outside_map0 3 set security-association lifetime kilobytes 4608000
crypto map outside_map0 3 set inheritance rule
crypto map outside_map0 3 set phase1-mode main
crypto map outside_map0 3 set reverse-route
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key 1234
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2

Another strange pointer is that when I do a ping from the firewall, sourcing it from the firewall's inside interface IP (192.168.60.1), the ping is successful, and also when the guys from the remote end ping that IP they get replies. It's only when we ping anything behind that interface, though in the same subnet. In the LAN the DG points to the firewall's IP (192.168.60.1), so it's nothing to do with routing.

Do you have nat-control enabled?

Regards,

Carlos Roque

Yes, nat-control is enabled.
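As an added example (not from anyone in this thread and not Cisco code), the following Python script models the pre-8.3 ASA NAT lookup order that the posted `nat (inside) 0 access-list` syntax implies: the exemption access-list is consulted first, and only a flow that matches none of its entries falls through to the numbered `nat`/`global` PAT rule, which is exactly what packet tracer is reporting above. It also checks that the NAT exemption ACL and the crypto ACL cover the same source/destination pairs. The two access-lists are the ones posted in the thread; the `nat (inside) 1` and `global (outside) 1` lines, the host addresses and the deliberately narrowed variant are constructed for illustration.

```python
"""Reproduce a pre-8.3 ASA NAT lookup for a single flow.

Added example (not from the thread or from Cisco). It models just enough of
the ASA 8.2 order of operations to explain a packet-tracer result: the
``nat (ifc) 0 access-list`` exemption is consulted first, and only a flow that
matches none of its entries falls through to the numbered ``nat``/``global``
PAT rule. The two access-lists are the ones posted in the thread; the
``nat (inside) 1`` / ``global`` lines and all host addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Posted access-lists plus a constructed PAT rule (the thread mentions
# "NAT rule 1, which is a PAT" but does not show it).
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip 192.168.60.0 255.255.255.0 192.168.102.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 192.168.102.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

# Constructed misconfiguration: a host mask where a /24 was intended, on the
# exemption ACL only. Hosts behind the inside interface then miss the
# exemption and hit the PAT rule, the symptom described in the original post.
NARROWED_CONFIG = SAMPLE_CONFIG.replace(
    "permit ip 192.168.60.0 255.255.255.0 192.168.102.0",
    "permit ip 192.168.60.0 255.255.255.255 192.168.102.0", 1)

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")


@dataclass
class NatConfig:
    acls: dict = field(default_factory=dict)    # acl name -> [(src_net, dst_net)]
    exempt: dict = field(default_factory=dict)  # interface -> exemption acl name
    pat: dict = field(default_factory=dict)     # interface -> [(nat id, src_net)]


def _net(addr, mask):
    """ASA writes networks as 'address netmask'; convert to an ip_network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pick out the ACEs, the nat 0 exemption and the numbered nat rules."""
    cfg = NatConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, s, sm, d, dm = m.groups()
            cfg.acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
        elif m := NAT0_RE.match(line):          # checked before NAT_RE on purpose
            ifc, name = m.groups()
            cfg.exempt[ifc] = name
        elif m := NAT_RE.match(line):
            ifc, nat_id, s, sm = m.groups()
            cfg.pat.setdefault(ifc, []).append((int(nat_id), _net(s, sm)))
    return cfg


def acl_matches(cfg, name, src, dst):
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src_ip in s and dst_ip in d for s, d in cfg.acls.get(name, []))


def select_nat(cfg, ifc, src, dst):
    """Name the NAT rule a flow arriving on `ifc` hits, in ASA 8.2 order."""
    name = cfg.exempt.get(ifc)
    if name and acl_matches(cfg, name, src, dst):
        return f"nat ({ifc}) 0 access-list {name} (exempt)"
    src_ip = ipaddress.ip_address(src)
    for nat_id, net in sorted(cfg.pat.get(ifc, [])):
        if src_ip in net:
            return f"nat ({ifc}) {nat_id} (PAT)"
    # With nat-control enabled, untranslated inside-to-outside traffic is dropped.
    return "no rule (dropped under nat-control)"


def acls_mirror(cfg, exempt_name, crypto_name):
    """The nat0 and crypto ACLs should cover the same src/dst pairs."""
    return set(cfg.acls.get(exempt_name, [])) == set(cfg.acls.get(crypto_name, []))


def demo():
    """Run the posted config and the narrowed variant against two flows."""
    good, bad = parse_config(SAMPLE_CONFIG), parse_config(NARROWED_CONFIG)
    lan_host, remote_host, internet = "192.168.60.10", "192.168.102.10", "198.51.100.7"
    return {
        "vpn_flow_ok": select_nat(good, "inside", lan_host, remote_host),
        "internet_flow_ok": select_nat(good, "inside", lan_host, internet),
        "vpn_flow_narrowed": select_nat(bad, "inside", lan_host, remote_host),
        "acls_mirror_ok": acls_mirror(good, "inside_nat0_outbound", "outside_cryptomap"),
        "acls_mirror_narrowed": acls_mirror(bad, "inside_nat0_outbound", "outside_cryptomap"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

Feeding a real `show run` into `parse_config` and calling `select_nat` with the actual LAN host and remote host that fail to ping gives the same answer packet tracer does, but with the ACE that did or did not match visible; if the exemption ACL and the crypto ACL stop mirroring each other, `acls_mirror` flags it before the tunnel is touched.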
