Hi all, I had a problem with my site-to-site tunnel between 2 ASAs where I could not ping. I have resolved this; the issue was that the encrypted networks were different on one side. They were all there, but one side had another network statement in. Would this matter? Do they have to match exactly? Also, with the VPN tunnel, was I right in adding a NAT exempt rule for those networks through the tunnel?
If you could post how you had the config when it wasn't working and the config now that it is working, it may be easier to help. Yes, you were correct in adding NAT exemption for the interesting traffic on the tunnel. Also, the crypto ACLs should mirror each other exactly. Ex.
! ASA 1 (inside network 192.168.1.0/24)
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
! ASA 2 (inside network 192.168.2.0/24): the same entries with source and destination swapped
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
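As an added check (example code written for this thread, not from the reply or from Cisco), assuming the ACLs are named crypto and nonat as in the reply above: the script parses both ASAs' ACLs, flags crypto entries that have no mirrored (destination/source swapped) entry on the peer, and flags crypto entries with no NAT-exempt entry covering them on their own side. The sample configs are constructed and reproduce the "one side had another network statement" case.

```python
import ipaddress
import re
# Constructed sample configs (not from the post): side A carries an extra
# crypto entry, reproducing the "one side had another network statement" case.
ASA_A = """
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list crypto permit ip 10.10.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
ASA_B = """
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
ACE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_acl(config, name):
    """Set of (src, dst) networks from the 'permit ip' entries of the named ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            pairs.add((src, dst))
    return pairs

def uncovered(crypto, nonat):
    """Crypto pairs that no nonat entry covers (a nonat supernet still counts)."""
    return {(s, d) for s, d in crypto
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)}

def fmt(pairs):
    return sorted(f"{s} -> {d}" for s, d in pairs)

def check_tunnel(cfg_a, cfg_b):
    """Report crypto ACEs not mirrored on the peer and crypto ACEs that lack
    a NAT-exempt entry on their own side. Empty lists mean the configs agree."""
    crypto_a, crypto_b = parse_acl(cfg_a, "crypto"), parse_acl(cfg_b, "crypto")
    return {
        "only_on_a": fmt(crypto_a - {(d, s) for s, d in crypto_b}),
        "only_on_b": fmt(crypto_b - {(d, s) for s, d in crypto_a}),
        "a_missing_nonat": fmt(uncovered(crypto_a, parse_acl(cfg_a, "nonat"))),
        "b_missing_nonat": fmt(uncovered(crypto_b, parse_acl(cfg_b, "nonat"))),
    }

if __name__ == "__main__":
    for key, val in check_tunnel(ASA_A, ASA_B).items():
        print(f"{key}: {val or 'OK'}")
```

Run it against the output of `show running-config access-list` from each ASA; the extra 10.10.0.0/16 entry shows up both as unmirrored and as lacking NAT exemption, which is the kind of one-sided mismatch the thread describes.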