The inside interface of the ASA is 10.20.1.1. When I ping anything across the vpn tunnel sourced from the inside interface, it times out. If I ping from a server to a server across the vpn, it works fine.
So, I've found route-lookup, but for every example I've found, they're not natting. Also, I can't enable it anyway because it throws an error due to the natting config:
ERROR: Option route-lookup is only allowed for static identity case
How can I enable communications to the inside interface over a natted vpn tunnel. Oh, I have management-access inside enabled already, so that's not it - along with the policy map to perform inspects.
This generally doesn't work because the rule processing for putting traffic into the VPN happens in part due to the access-list on the inside interface that's associated with the cryptomap for the site-site VPN. If the traffic is initiatied by the interface itself, the access-list never gets considered and thus the traffic is not encapsulated in IPsec and sent via the tunnel.
Thanks for the reply. I'm not 100% certain that's what is going on though. I can change the acl to not nat over the tunnel, and it works fine. For example, my real subnet is 10.20.1.0/24, but while going over the vpn I nat to 10.40.1.0/24. If what you're saying was the issue, then technically it wouldn't work even when not natting, correct?
I resolved the issue by not natting, but this isn't a good solution. The problem is that we have a hosted solution for one of our applications. Our vpn sites use a 10.78.x.x/24 subnet whereas the hosted site also uses 10.78.x.x in some cases. We haven't had to yet, but there's the possibility of us standing up a site that they use in the same range, and we've been told that we're going to be the side that has to nat. One thought that I had was that I could nat when only going to that site, and that would very well fix the issue I believe, but if we were to nat everything, then that's going to cause us to not be able to ping the inside interface any longer. There was absolutely nothing that I could do to get this to work other than disabling nat across the tunnel completely.
The only thing that I didn't try was to create a host for my inside interface to do a 1-1 nat instead of relying on the subnet object to do the 1-1 nat for me. I don't know; I'm grasping at straws here...
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :