Unanswered Question
Jun 22nd, 2009


I have an ASA 5505 that I'm trying to get a tunnel up with a 2800 series router. The tunnels get established, but the ASA side is encapsulating and not decapsulating traffic and I'm not able to pass traffic.

I have the following:

WinXP host (>(insideASA:10.125.1231)(outsideASA:>(outside2800:>Cisco2500(no iprouting: gw

I'm using nat on the 2800 for the subnet. I can ping from the 2500 to the ASA, and I'm able to get a translation on the 2800 table. I can't ping the side from the side of the connection though. The tunnels don't come up if I ping from the side of the connection, but they come up if I ping from the side of the connection.

I still can't get replies though. From the 2500 (no ip routing), I get unreachables (U.U.U) when ping the subnet, which should be bringing the tunnels up.

My config is attached.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Mon, 06/22/2009 - 08:52


"ip nat inside source route-map NONAT interface FastEthernet0/1 overload"

can you post the relevant route-map config.

Also, are you not Natting the subnet when it goes via the tunnel ?


John Blakley Mon, 06/22/2009 - 08:58


I'm not natting that traffic. The route map looks like:

route-map NONAT permit 5

match ip address 103

access-list 103 deny ip

access-list 103 permit ip any

There aren't any hits on this acl when I ping from the 2500 ( to a address, but the router is natting correctly because I can ping from the 2500 to the public interface on the ASA, and I can see in the 2800 where it's being natted. I'm changing my topology around now to see if it has something to do with that, but theoretically, I *should* be able to do this with a couple of routers and loopbacks as the sources.



John Blakley Mon, 06/22/2009 - 12:14


I got it working. I missed my match statement on the asa after I had made so many changes. It shows the match statement in the config that I posted, but that was copied earlier from me trying other things before I finally posted it.




This Discussion