Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
300
Views
0
Helpful
3
Replies

ASA VPN to IOS

John Blakley
VIP Alumni
VIP Alumni

‎06-22-2009 07:26 AM - edited ‎03-11-2019 08:46 AM

All,

I have an ASA 5505 that I'm trying to get a tunnel up with a 2800 series router. The tunnels get established, but the ASA side is encapsulating and not decapsulating traffic and I'm not able to pass traffic.

I have the following:

WinXP host (10.125.123.15)->(insideASA:10.125.1231)(outsideASA:192.168.2.2)->(outside2800:192.168.2.1)(inside2800:192.168.5.1)->Cisco2500(no iprouting: 192.168.5.2(def. gw 192.168.5.1)

I'm using nat on the 2800 for the 192.168.5.0/24 subnet. I can ping from the 2500 to the ASA, and I'm able to get a translation on the 2800 table. I can't ping the 10.125.123.0/24 side from the 192.168.5.0/24 side of the connection though. The tunnels don't come up if I ping from the 192.168.5.0 side of the connection, but they come up if I ping from the 10.125.123.0/24 side of the connection.

I still can't get replies though. From the 2500 (no ip routing), I get unreachables (U.U.U) when ping the 10.125.123.0/24 subnet, which should be bringing the tunnels up.

My config is attached.

Thanks!

John

HTH, John *** Please rate all useful posts ***
Labels:
Preview file
3 KB
0 Helpful
3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

‎06-22-2009 08:52 AM

John

"ip nat inside source route-map NONAT interface FastEthernet0/1 overload"

can you post the relevant route-map config.

Also, are you not Natting the 192.168.5.0/24 subnet when it goes via the tunnel ?

Jon

0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to Jon Marshall

‎06-22-2009 08:58 AM

Jon,

I'm not natting that traffic. The route map looks like:

route-map NONAT permit 5

match ip address 103

access-list 103 deny ip 192.168.5.0 0.0.0.255 10.125.123.0 0.0.0.255

access-list 103 permit ip 192.168.5.0 0.0.0.255 any

There aren't any hits on this acl when I ping from the 2500 (192.168.5.2) to a 10.125.123.0 address, but the router is natting correctly because I can ping from the 2500 to the public interface on the ASA, and I can see in the 2800 where it's being natted. I'm changing my topology around now to see if it has something to do with that, but theoretically, I *should* be able to do this with a couple of routers and loopbacks as the sources.

Thanks!

John

HTH, John *** Please rate all useful posts ***
0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to John Blakley

‎06-22-2009 12:14 PM

Jon,

I got it working. I missed my match statement on the asa after I had made so many changes. It shows the match statement in the config that I posted, but that was copied earlier from me trying other things before I finally posted it.

Thanks!

John

HTH, John *** Please rate all useful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card