IPSec tunnel up but local networks not accessible

Answered Question
Mar 16th, 2010


I have an ASA 5520 and a Snapgear. The IPSec tunnel is up and running fine, but I'm not able to access the local LANs on both sides. Here are some configurations:

sh crypt isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer:
Type    : L2L             Role    : responder
Rekey   : no              State   : AM_ACTIVE


crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA
crypto map IPSECTEST_map0 1 set nat-t-disable
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 interface IPSECTEST
crypto isakmp enable outside
crypto isakmp enable IPSECTEST
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600

sh route:

C is directly connected, VLAN10
C is directly connected, IPSECTEST
C is directly connected, inside


access-list IPSECTEST_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 object

And here is the scenario:


If I perform a ping from the ASA to the remote local network I get this:

ciscoasa(config)# ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
No route to host

Success rate is 0 percent (0/1)

Any idea what I am missing?

StanDamen Tue, 03/16/2010 - 03:46

As you can see in the "sh route" output there is no route to, so you could add a static route to tell the packets where to go.

This might be needed on both sides; I don't know how the Snapgear works.

thorstenn Tue, 03/16/2010 - 03:59

I've already tried this with this entry:

C is directly connected, VLAN10
C is directly connected, IPSECTEST
S [128/0] via, VLAN10
C is directly connected, inside

But with no success...

ozzyosbu1 Tue, 03/16/2010 - 03:57


There is no route towards the destination network, so add a static route for the destination network on the ASA

and a route to on the FW.

ozzyosbu1 Tue, 03/16/2010 - 04:10


You have added (/32 mask) pointing to your VLAN10 interface; you should add a route pointing to with the correct mask, pointing to the tunnel interface/next hop of

thorstenn Tue, 03/16/2010 - 04:24

That was a mistake with the /32 mask... my fault.

With this I'm able to ping the host on the other side, but not the gateway.

S [1/0] via, IPSECTEST

The other way round it is the same: not able to ping the gateway. Any idea?

ozzyosbu1 Tue, 03/16/2010 - 04:43

Is there any policy blocking ICMP on the FW? Are you able to ping from the host on the same LAN?

thorstenn Tue, 03/16/2010 - 05:20

OK, from a host in the 172.20.20.X range I'm able to ping the gateway on the same subnet, but I'm not able to ping any other host on the ASA site.

From the ASA site I'm able to ping the host on the Snapgear site, but not the default gateway.

The host on the ASA site is able to ping the default gateway.

I'm confused... :-(

thorstenn Wed, 03/17/2010 - 02:03

Here is the running-config; maybe someone sees an issue. I figured out that I'm only able to ping the remote site host directly from the ASA, and not from a host on the ASA network or a host on the Snapgear site.

How can I configure NAT 0 (exemption) in ASA version 8.3?

This doesn't work anymore:

ciscoasa(config)# nat (inside) 0 access-list Inside_nat0_outbound
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

Correct Answer
Jennifer Halim Wed, 03/17/2010 - 03:54

Here is how to configure NAT exemption in ASA 8.3:

object network obj-

object network obj-

nat (inside,outside) source static obj- obj- destination static obj- obj-

The following is how it looks in ASA 8.2 and below:

access-list Inside_nat0_outbound extended permit ip
nat (inside) 0 access-list Inside_nat0_outbound

thorstenn Wed, 03/17/2010 - 05:24

OK, this worked for me. Thanks.

Now I have another problem with the same IP and connecting via VPN Client.

If I connect from a 10.10.10.XXX IP via VPN Client to, the client gets the IP as I configured it for VPN; that's OK, BUT I'm not able to ping the inside IP, only the NAT address for that IP/host -> is reachable, but that, I think, is because I'm originally connected via the same subnet?

If I connect via VPN Client I would be able to ping the inside IP. What is the problem here?

Jennifer Halim Wed, 03/17/2010 - 05:34

VPN Client pool should not be in the same subnet as your internal subnet.

Currently I believe you have your IP pool as, which is in the same subnet as the VLAN10 interface.

thorstenn Wed, 03/17/2010 - 05:42

Yes, you're right. If I configure another pool on a different subnet, then I have to configure routing for that VPN connection? Could you please give me an example of how to configure that?

Jennifer Halim Wed, 03/17/2010 - 05:55

For example, if you use an IP pool of


ip local pool vpn-pool mask

tunnel-group VLAN10-VPN general-attributes

    no address-pool VLAN10-Pool

    address-pool vpn-pool

object network obj-vpn-pool


object network obj-


nat (vlan10,outside) source static obj- obj- destination static obj-vpn-pool obj-vpn-pool

nat (IPSECTEST,outside) source static obj- obj- destination static obj-vpn-pool obj-vpn-pool

same-security-traffic permit inter-interface

thorstenn Wed, 03/17/2010 - 06:13

Thanks. I'll test it.

But later the IPSECTEST interface won't exist anymore. This will be the "outside" interface then. So this should be converted from:

nat (IPSECTEST,outside) source static obj- obj- destination static obj-vpn-pool obj-vpn-pool

to:

nat (outside?,outside) source static obj- obj- destination static obj-vpn-pool obj-vpn-pool

In the end I have more than one VLAN which are accessible with VPN, with different IP ranges...

Jennifer Halim Wed, 03/17/2010 - 06:23

Assuming you no longer require the IPSECTEST interface, I will just remove it. Currently your VPN is configured to be terminated on the outside interface anyway.

thorstenn Wed, 03/17/2010 - 06:48

Hmmm, seems not to work...

Here is my configuration:

ip local pool Vlan10-Pool mask

tunnel-group Vlan10-VPN general-attributes
    address-pool Vlan10-Pool

object network obj-Vlan10-pool

nat (Vlan10,outside) source static obj- obj- destination static obj-Vlan10-pool obj-Vlan10-pool
same-security-traffic permit inter-interface

Is it not possible to configure a pool from the same subnet? The subnet (and the others which will be created) use only two or three IPs; that's why I've assigned an IP range from the upper end.

The IPSECTEST interface was only for tunnel testing; at the moment I am trying the VPN connection from the outside interface. So we do not care about the IPSECTEST interface regarding the VPN connection.

Do you have any other suggestions as to why your solution above is not working for me, or what I have missed configuring?

thorstenn Wed, 03/17/2010 - 07:08

OK, sorry, it works now without the permit inter-interface, but if I ping the internal host from the VPN client I see a reply from the external IP? How can I fix this?

Pinging with 32 bytes of data:

Reply from bytes=32 time=1ms TTL=128
Reply from bytes=32 time=<1ms TTL=128
Reply from bytes=32 time=<1ms TTL=128
Reply from bytes=32 time=<1ms TTL=128

Jennifer Halim Thu, 03/18/2010 - 01:45

Please change the NAT order in your configuration as follows:

no nat (VLAN10,outside) source static

object network obj-
nat (VLAN10,outside) static

Hope that works.

thorstenn Thu, 03/18/2010 - 03:36

Hmm, OK, this seems to work. But why do I have to create the NAT rule on the network object for it to work? BTW, what is the difference between a static NAT rule and a static NAT rule on a network object?

Jennifer Halim Thu, 03/18/2010 - 03:42

The format of the NAT order of operation has changed in ASA version 8.3 compared to previous versions of ASA.

Prior to 8.3, it's NAT exemption --> Static NAT --> dynamic NAT.

From 8.3, it's Section 1 (Twice NAT) --> Section 2 (Network object NAT) --> Section 3 (Twice NAT).

It seems to be confusing as most people are used to the old format.

Here is some reading on NAT order of operation (version 8.3):


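As an added example (not from the thread, and not Cisco's code), a small Python model of the ASA 8.3+ NAT order of operation described above: Section 1 twice NAT in configured order, then Section 2 object NAT, then Section 3 twice NAT after-auto, first match wins. It reproduces both fixes in this thread: the NAT exemption for the L2L tunnel (an identity twice-NAT rule that also matches on the destination network) and the move of the inside host's static NAT from a twice-NAT line to object NAT, so that the identity rule towards the VPN pool is evaluated first and the VPN client no longer sees replies from the external address. It also includes the pool-overlap check behind the earlier "pool should not be in the same subnet" advice. All addresses, rule names, and the assumed "before" rule order are constructed for the example; the Section 2 ordering is simplified to "fewest real addresses first", which is the main criterion the ASA uses and enough for this scenario.

```python
# Added example: simplified model of ASA 8.3+ NAT rule evaluation.
# Not from the thread or from Cisco; addresses and rule names are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    name: str
    section: int                 # 1 = twice NAT, 2 = object NAT, 3 = twice NAT after-auto
    real_src: str                # real (pre-NAT) source network, e.g. "192.0.2.0/24"
    mapped_src: str              # mapped source network; same as real_src for identity NAT
    real_dst: str = "0.0.0.0/0"  # twice NAT can also match the destination; object NAT cannot


def _matches(rule: NatRule, src: str, dst: str) -> bool:
    return (ip_address(src) in ip_network(rule.real_src)
            and ip_address(dst) in ip_network(rule.real_dst))


def _ordered(rules: List[NatRule]) -> List[NatRule]:
    """Rules in ASA evaluation order.

    Sections 1 and 3 keep their configured (list) order.  Section 2 is
    ordered by the ASA itself; this model keeps only the main criterion,
    fewest real addresses first, and drops the remaining tie-breaks.
    """
    ordered: List[NatRule] = []
    for section in (1, 2, 3):
        in_section = [r for r in rules if r.section == section]
        if section == 2:
            in_section.sort(key=lambda r: ip_network(r.real_src).num_addresses)
        ordered.extend(in_section)
    return ordered


def translate_source(rules: List[NatRule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Apply the first matching rule and return (mapped source, rule name)."""
    for rule in _ordered(rules):
        if _matches(rule, src, dst):
            real = ip_network(rule.real_src)
            mapped = ip_network(rule.mapped_src)
            # one-to-one static NAT keeps the host's offset inside the block
            offset = int(ip_address(src)) - int(real.network_address)
            return str(mapped[offset]), rule.name
    return src, None  # no rule matched: the ASA forwards the packet untranslated


def pool_overlaps_interface(pool: str, interface_subnet: str) -> bool:
    """True when a VPN address pool lies inside a directly connected subnet."""
    return ip_network(pool).overlaps(ip_network(interface_subnet))


# Constructed addresses (RFC 5737 / private ranges), not the thread's real ones.
LAN = "192.0.2.0/24"            # VLAN10 subnet behind the ASA
HOST = "192.0.2.10"             # inside host that has a public static NAT
PUBLIC = "203.0.113.10/32"      # its mapped address on the outside
VPN_POOL = "198.51.100.0/24"    # VPN client pool, outside the LAN subnet
REMOTE_LAN = "192.168.50.0/24"  # LAN behind the Snapgear, reached over the L2L tunnel

# Assumed "before" state: the host's static NAT was entered as a twice-NAT
# line before the identity rule, so it is higher in Section 1 and wins.
BEFORE = [
    NatRule("static-host", 1, HOST + "/32", PUBLIC),
    NatRule("vpn-exempt", 1, LAN, LAN, real_dst=VPN_POOL),
]

# "After" state: the static NAT is object NAT (Section 2), so the identity
# rules for the VPN pool and the remote LAN in Section 1 are checked first.
AFTER = [
    NatRule("vpn-exempt", 1, LAN, LAN, real_dst=VPN_POOL),
    NatRule("l2l-exempt", 1, LAN, LAN, real_dst=REMOTE_LAN),
    NatRule("static-host", 2, HOST + "/32", PUBLIC),
]

if __name__ == "__main__":
    client = "198.51.100.5"
    print("before, reply to VPN client:", translate_source(BEFORE, HOST, client))
    print("after,  reply to VPN client:", translate_source(AFTER, HOST, client))
    print("after,  host to remote LAN: ", translate_source(AFTER, HOST, "192.168.50.20"))
    print("after,  host to internet:   ", translate_source(AFTER, HOST, "198.18.0.1"))
    print("pool inside LAN subnet:", pool_overlaps_interface("192.0.2.200/29", LAN))
```

In the "before" list the echo reply from the inside host to the VPN client is translated to the public address, which is exactly the "reply from the external IP" symptom; in the "after" list the same packet, and traffic into the remote LAN over the tunnel, leave untranslated, while ordinary internet-bound traffic from the host still hits the object NAT.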
thorstenn Thu, 03/18/2010 - 06:19

Thanks for your support. I've started a new thread with a, I think, small problem with L2TP; thread title "L2TP over IPsec with ms client doesn`t work". Maybe you know the solution.

thorstenn Wed, 03/17/2010 - 03:53

I found the issue:

nat (any,any) source static

The client with the IP from which I ping the remote network tried to ping it over the NAT IP. I changed the client IP and traffic goes through the tunnel.

But how can I disable NAT over the IPsec tunnel in ASA version 8.3?

