06-22-2009 07:26 AM - edited 03-11-2019 08:46 AM
All,
I have an ASA 5505 that I'm trying to get a tunnel up with a 2800 series router. The tunnels get established, but the ASA side is encapsulating and not decapsulating traffic and I'm not able to pass traffic.
I have the following:
WinXP host (10.125.123.15)->(insideASA:10.125.1231)(outsideASA:192.168.2.2)->(outside2800:192.168.2.1)(inside2800:192.168.5.1)->Cisco2500(no ip routing: 192.168.5.2, def. gw 192.168.5.1)
I'm using NAT on the 2800 for the 192.168.5.0/24 subnet. I can ping from the 2500 to the ASA, and I'm able to get a translation on the 2800 table. I can't ping the 10.125.123.0/24 side from the 192.168.5.0/24 side of the connection though. The tunnels don't come up if I ping from the 192.168.5.0 side of the connection, but they come up if I ping from the 10.125.123.0/24 side of the connection.
I still can't get replies though. From the 2500 (no ip routing), I get unreachables (U.U.U) when pinging the 10.125.123.0/24 subnet, which should be bringing the tunnels up.
My config is attached.
Thanks!
John
06-22-2009 08:52 AM
John
"ip nat inside source route-map NONAT interface FastEthernet0/1 overload"
can you post the relevant route-map config.
Also, are you not NATing the 192.168.5.0/24 subnet when it goes via the tunnel?
Jon
06-22-2009 08:58 AM
Jon,
I'm not natting that traffic. The route map looks like:
route-map NONAT permit 5
match ip address 103
access-list 103 deny ip 192.168.5.0 0.0.0.255 10.125.123.0 0.0.0.255
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
There aren't any hits on this acl when I ping from the 2500 (192.168.5.2) to a 10.125.123.0 address, but the router is natting correctly because I can ping from the 2500 to the public interface on the ASA, and I can see in the 2800 where it's being natted. I'm changing my topology around now to see if it has something to do with that, but theoretically, I *should* be able to do this with a couple of routers and loopbacks as the sources.
Thanks!
John
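As an added illustration that is not part of the thread, here is a small Python model of how the route-map NONAT / access-list 103 posted above decides which flows the 2800 translates: a deny in the ACL means the route-map does not match and the flow enters the tunnel untranslated, a permit means it is PATed out FastEthernet0/1. The function names and the sample addresses are mine, and the misordered ACL is a constructed contrast showing why entry order matters.

```python
import ipaddress

# Constructed model of the poster's "route-map NONAT permit 5 / match ip address 103".
# Each entry: (action, src_base, src_wildcard, dst_base, dst_wildcard).
ACL_103 = [
    ("deny",   "192.168.5.0", "0.0.0.255", "10.125.123.0", "0.0.0.255"),       # VPN traffic
    ("permit", "192.168.5.0", "0.0.0.255", "0.0.0.0",      "255.255.255.255"), # 'any'
]

# Constructed contrast: the same two lines with the permit first. Not from the thread.
ACL_103_MISORDERED = [ACL_103[1], ACL_103[0]]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def should_nat(src: str, dst: str, acl=ACL_103) -> bool:
    """Route-map match only on ACL permit: permit -> translate, deny -> leave alone."""
    return acl_action(acl, src, dst) == "permit"


if __name__ == "__main__":
    # 2500 pinging an inside host behind the ASA: must NOT be translated.
    print(should_nat("192.168.5.2", "10.125.123.15"))                       # False
    # 2500 pinging the ASA's public interface: translated, as the poster observed.
    print(should_nat("192.168.5.2", "192.168.2.2"))                         # True
    # Same VPN flow against the misordered ACL: wrongly translated, so it never
    # matches the crypto ACL and the tunnel never brings the traffic through.
    print(should_nat("192.168.5.2", "10.125.123.15", ACL_103_MISORDERED))   # True
```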
06-22-2009 12:14 PM
Jon,
I got it working. I missed my match statement on the asa after I had made so many changes. It shows the match statement in the config that I posted, but that was copied earlier from me trying other things before I finally posted it.
Thanks!
John